From f7d9f7db2bb70822023389cb01f72e13c432f5ab Mon Sep 17 00:00:00 2001
From: Gardouille
Date: Fri, 20 Nov 2015 09:32:20 +0100
Subject: [PATCH] Add test_ssl3 script to check if an LDAP server support SSLv3.

---
 README.md | 8 ++++++++
 test_ssl3 | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100755 test_ssl3

diff --git a/README.md b/README.md
index 947d9a9..ae963b4 100644
--- a/README.md
+++ b/README.md
@@ -50,3 +50,11 @@ Then the script will:
 * I can display my current task and it's timer wherever i want (tmux, herbstluftwm, …)
 * Written to work with /bin/sh
+## Test_ssl3
+Redhat's script to test if an LDAP server support SSLv3.
+
+You could also use a nmap command:
+```sh
+nmap --script ssl-enum-ciphers -p 443 ldap.tld.org | grep "SSLv3: No supported ciphers found"
+```
+
diff --git a/test_ssl3 b/test_ssl3
new file mode 100755
index 0000000..9311675
--- /dev/null
+++ b/test_ssl3
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright (C) 2014 by Dan Varga
+# dvarga@redhat.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+host=$1
+port=$2
+
+if [ "$2" == "" ]
+then
+ port=443
+fi
+
+out="`echo x | timeout 5 openssl s_client -ssl3 -connect ${host}:${port} 2>/dev/null`"
+ret=$?
+
+if [ $ret -eq 0 ]
+then
+ echo "VULNERABLE! SSLv3 detected."
+ exit
+elif [ $ret -eq 1 ]
+then
+ out=`echo $out | perl -pe 's|.*Cipher is (.*?) .*|$1|'`
+ if [ "$out" == "0000" ] || [ "$out" == "(NONE)" ]
+ then
+ echo "Not Vulnerable. We detected that this server does not support SSLv3"
+ exit
+ fi
+elif [ $ret -eq 124 ]
+then
+ echo "error: timeout connecting to host $host:$port"
+ exit
+fi
+echo "Final error: Unable to connect to host $host:$port"
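Review bot: On an OpenSSL built without SSLv3 support the `-ssl3` option is rejected with exit status 1 and the diagnostic is thrown away by `2>/dev/null`, so the `$ret -eq 1` branch sees an empty `$out`, matches neither `0000` nor `(NONE)`, and the script falls through to "Final error: Unable to connect" — a misleading verdict rather than "this build cannot run the test"; I would check for the option before connecting (see below) and exit with a distinct status. Separately, `echo $out` is unquoted, so any `*` or `?` in the s_client output (a wildcard certificate subject, for instance) is pathname-expanded against the current directory before perl sees it; `out=$(printf '%s\n' "$out" | tr '\n' ' ' | perl -pe 's|.*Cipher is (.*?) .*|$1|')` keeps the one-line input the regex relies on without the globbing. Every branch also ends in a bare `exit`, so a caller gets status 0 whether the server is vulnerable, not vulnerable, or unreachable; distinct exit codes per outcome would make the script usable from automation.
```shell
host=$1
port=${2:-443}

# Refuse to run on an OpenSSL built without SSLv3: -ssl3 would fail with
# status 1 and be misreported below as a connection problem.
if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
  echo "error: this openssl has no SSLv3 support, cannot test $host:$port" >&2
  exit 2
fi

# … unchanged: s_client probe and result classification …
```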