
Cannot run on OSX #284

Closed
jrobertsz66 opened this issue Feb 4, 2016 · 36 comments

Comments

@jrobertsz66

Hi,

When I run the latest script (downloaded today) on OSX Mavericks - it just hangs. If I run the same script on Ubuntu server 14, it runs fine. Here is the output and then it just hangs after that.

No mapping file found

testssl.sh       2.6 from https://testssl.sh/
(1.379B 2015/09/25 12:35:41)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

Using "OpenSSL 1.0.2f 28 Jan 2016" [~138 ciphers] on
C02ML9L4FXYZ:/usr/local/opt/openssl/bin/openssl
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

Testing now (2016-02-04 18:14) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FXYZ.

@bknowles

bknowles commented Feb 5, 2016

I'm running on Mavericks and 2.7dev works fine for me. Can you give a specific example of something that fails that we can test against?

@bknowles bknowles mentioned this issue Feb 5, 2016
@jrobertsz66
Author

it just hangs forever at the last line

rDNS (192.168.1.95): C02ML9L4FXYZ

I actually have to kill the program / script because it will stay there forever (no errors).

@jrobertsz66
Author

This is how I run it: ./testssl.sh 192.168.1.95:8181

@jrobertsz66
Author

If I run it the same way from an Ubuntu VM using the same IP and port, it works. Just on Mac it hangs. Here is my OS info:

ProductName: Mac OS X
ProductVersion: 10.10.4
BuildVersion: 14E46

@jrobertsz66
Author

BTW - I ran it with --debug=2 and it produced a directory with some debug files:

~/dev$ cat /tmp/ssltester.ZNlOEY/errorfile.txt
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify return:1
read:errno=0

~/dev$ cat /tmp/ssltester.ZNlOEY/environment.txt

CVS_REL: 1.379B 2015/09/25 12:35:41
GIT_REL:

PID: 89278
bash version: 3.2.57
status: release
machine: x86_64-apple-darwin14
operating system: Darwin
shellopts: braceexpand:hashall:interactive-comments

/usr/local/opt/openssl/bin/openssl version -a:
OpenSSL 1.0.2f 28 Jan 2016
built on: reproducible build, date unspecified
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/etc/openssl"
OSSL_VER_MAJOR: 1
OSSL_VER_MINOR: 0.2
OSSL_VER_APPENDIX: f
OSSL_BUILD_DATE: "reproducible build, date unspecified"
OSSL_VER_PLATFORM: "darwin64-x86_64-cc"

OPENSSL_CONF: /tmp/ssltester.ZNlOEY/gost.conf

PATH: /usr/local/opt/openssl:/usr/local/Library/ENV/4.3:/usr/local/opt/openssl/bin:/usr/bin:/bin:/usr/sbin:/sbin
PROG_NAME: testssl.sh
INSTALL_DIR:
RUN_DIR: /usr/local/Cellar/testssl/2.6/libexec/bin
MAPPING_FILE_RFC:

CAPATH: /etc/ssl/certs/
ECHO:
COLOR: 2
TERM_DWITH: 90
HAS_GNUDATE: false
HAS_SED_E: true

SHOW_EACH_C: 0
SSL_NATIVE: false
ASSUMING_HTTP false
SNEAKY: false

DEBUG: 2

HSTS_MIN: 179
HPKP_MIN: 30
CLIENT_MIN_PFS: 5
DAYS2WARN1: 60
DAYS2WARN2: 30

HEADER_MAXSLEEP: 5
MAX_WAITSOCK: 10
HEARTBLEED_MAX_WAITSOCK: 8
CCS_MAX_WAITSOCK: 5
USLEEP_SND 0.1
USLEEP_REC 0.2

LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL=

@jrobertsz66
Author

BTW - here is the command and it now shows one additional line before it hangs when I use debug=2:

~/dev$ testssl.sh --debug=2 192.168.1.95:8181

No mapping file found

###########################################################
testssl.sh 2.6 from https://testssl.sh/
(1.379B 2015/09/25 12:35:41)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2f 28 Jan 2016" [~138 ciphers] on
C02ML9L4FD57:/usr/local/opt/openssl/bin/openssl
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

192.168.1.95:8181
/
Testing now (2016-02-05 01:05) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FD57.
OPTIMAL_PROTO:

@bknowles

bknowles commented Feb 5, 2016

If I run that exact same command, it executes fine:

$ testssl.sh --debug=2 192.168.1.95:8181

No mapping file found

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (1.458 2016/02/01 21:05:44)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2f-dev)" [~183 ciphers]
 on frobgaiju:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "darwin-i386-cc")


192.168.1.95:8181
/
/Users/brad/bin/testssl.sh: connect: Network is unreachable
/Users/brad/bin/testssl.sh: line 3659: /dev/tcp/192.168.1.95/8181: Network is unreachable

Unable to open a socket to 192.168.1.95:8181. Fatal error: Can't connect to "192.168.1.95:8181"
Make sure a firewall is not between you and your scanning target!

DEBUG (level 2): see files in /tmp/ssltester.H5JVLu

Of course, I don't have anything sitting on that IP address.

@bknowles

bknowles commented Feb 5, 2016

Trying that exact same command on an IP:port that I do have something listening on, I get way too much detail to show here. So, I will instead provide the output of the normal command without the "--debug=2" option:

$ testssl.sh 172.16.1.27:5001

No mapping file found

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (1.458 2016/02/01 21:05:44)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2f-dev)" [~183 ciphers]
 on frobgaiju:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "darwin-i386-cc")


 Start 2016-02-05 00:26:14    -->> 172.16.1.27:5001 (172.16.1.27) <<--

 rDNS (172.16.1.27):      --
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2 and SPDY/HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   spdy/3, spdy/2, http/1.1, x-mod-spdy/0.9.4.2-3a57358 (advertised)
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered (NOT ok)
 High grade encryption        offered (OK)


 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 

 PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     spdy/3:    ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     spdy/2:    ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 
     x-mod-spdy/0.9.4.2-3a57358: ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA 


 Testing server defaults (Server Hello) 

 TLS server extensions (std)  "renegotiation info" "EC point formats" "session ticket" "heartbeat" "next protocol"
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Server key size              1024 bit
 Signature Algorithm          SHA256 with RSA
 Fingerprint / Serial         SHA1 54B8FB155255B2330C0184D205D3C87DA84FE418 / 1398543699A331
                              SHA256 C6E65F28D24A870246B2B461F22AD1030CDB469EEA99C0AAE1738DEB57E95554
 Common Name (CN)             "synology.com" (CN in response to request w/o SNI: "synology.com")
 subjectAltName (SAN)         -- 
 Issuer                       "Synology Inc. CA" ("Synology Inc." from "TW")
 EV cert (experimental)       no 
 Certificate Expiration       7198 >= 60 days (2016-02-03 09:11 --> 2035-10-21 10:11 -0500)
 # of certificates provided   1
 Chain of trust (experim.)    "/etc/*.pem" cannot be found / not readable
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                not offered


 Testing HTTP header response @ "/" 

 HTTP Status Code             301 Moved Permanently, redirecting to "https://172.16.1.27/webman/index.cgi"
 HTTP clock skew              +28 sec from localtime
 IPv4 address in header       Location: https://172.16.1.27/webman/index.cgi
                              (check if it's your IP address or e.g. a cluster IP)
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                Apache
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-Frame-Options: SAMEORIGIN
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA AES128-SHA
                                                 DHE-RSA-AES128-SHA AES256-SHA DHE-RSA-AES256-SHA
                                                 CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA256-SHA
                                                 DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing all 183 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256          
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256          
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256          
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 1024    AESGCM     256          
 x6b     DHE-RSA-AES256-SHA256          DH 1024    AES        256          
 x39     DHE-RSA-AES256-SHA             DH 1024    AES        256          
 x88     DHE-RSA-CAMELLIA256-SHA        DH 1024    Camellia   256          
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256          
 x3d     AES256-SHA256                  RSA        AES        256          
 x35     AES256-SHA                     RSA        AES        256          
 x84     CAMELLIA256-SHA                RSA        Camellia   256          
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128          
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128          
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128          
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 1024    AESGCM     128          
 x67     DHE-RSA-AES128-SHA256          DH 1024    AES        128          
 x33     DHE-RSA-AES128-SHA             DH 1024    AES        128          
 x45     DHE-RSA-CAMELLIA128-SHA        DH 1024    Camellia   128          
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128          
 x3c     AES128-SHA256                  RSA        AES        128          
 x2f     AES128-SHA                     RSA        AES        128          
 x41     CAMELLIA128-SHA                RSA        Camellia   128          
 xc012   ECDHE-RSA-DES-CBC3-SHA         ECDH 256   3DES       168          
 x0a     DES-CBC3-SHA                   RSA        3DES       168          


 Running browser simulations (experimental) 

 Android 2.3.7                 TLSv1 DHE-RSA-AES128-SHA
 Android 4.0.4                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.1.1                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.2.2                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.4.2                 TLSv1.1 ECDHE-RSA-AES128-SHA
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Baidu Jan 2015                TLSv1 ECDHE-RSA-AES128-SHA
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 42 / OSX              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 IE6 / XP                      No connection
 IE7 / Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA
 IE8 / XP                      TLSv1.0 DES-CBC3-SHA
 IE8-10 / Win7                 TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win7                   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win8.1                 TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE10 / Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE11 / Win Phone 8.1 Update   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 / Win10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 12 / Win Phone 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Java 6u45                     TLSv1 DHE-RSA-AES128-SHA
 Java 7u25                     TLSv1 ECDHE-RSA-AES128-SHA
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 0.9.8y                TLSv1 DHE-RSA-AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 1.0.2                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-RSA-AES128-SHA
 Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-RSA-AES128-SHA
 Safari 7 / iOS 7.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 7 / OS X 10.9          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / iOS 8.4            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / OS X 10.10         TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 9 / iOS 9              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 9 / OS X 10.11         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

 Done 2016-02-05 00:26:53    -->> 172.16.1.27:5001 (172.16.1.27) <<--

@bknowles

bknowles commented Feb 5, 2016

So, it seems to me that your problem is likely to be the somewhat older version of testssl.sh that you have running, or something specific to your particular machine.

@jrobertsz66
Author

hmmm...ok...is there a way to see what the script is doing at the time it hangs, besides what we have already done? How do I get the same version of the script that you have? BTW, the script I am using runs fine on Ubuntu.

@jrobertsz66
Author

Running this command:

sudo testssl.sh --debug=6 --ip 192.168.1.95 192.168.1.95:8181

I get a few more lines at the end - it looks like it is hung after connecting:

192.168.1.95:8181
/
Testing now (2016-02-05 09:02) ---> 192.168.1.95:8181 (192.168.1.95) <---

rDNS (192.168.1.95): C02ML9L4FD57.
OPTIMAL_PROTO:
PID TT STAT TIME COMMAND
96372 s002 R+ 0:00.00 /usr/local/opt/openssl/bin/openssl s_client -quiet -connect 192.168.1.95

@bknowles

bknowles commented Feb 5, 2016

You could edit the first line of the testssl.sh script, where it currently says:

 #!/usr/bin/env bash

And change that to be something more like:

 #!/usr/bin/env bash -vx

You get the latest development version of the testssl.sh script directly from this repo. See also the last paragraph of the section entitled "Longer read" at https://testssl.sh/

@bknowles

bknowles commented Feb 5, 2016

Note that the last line of your output above shows the following:

/usr/local/opt/openssl/bin/openssl s_client -quiet -connect 192.168.1.95

So, that's most likely where the script is getting hung -- it is using openssl s_client to connect to that IP address, and it's waiting for a response. It shouldn't wait more than a couple of minutes before that connection attempt times out, and the script then continues with whatever the next line of code is.

@jrobertsz66
Author

OK - replacing the first line in the script with this: #!/usr/bin/env bash -vx

yielded this:

362> debugme(): [[ 6 -ge 2 ]]
362> debugme(): echo 'OPTIMAL_PROTO: '
OPTIMAL_PROTO:
4274> determine_optimal_proto(): [[ 1 -eq 0 ]]
4297> determine_service(): false
4299> determine_service(): ua='Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0'
4300> determine_service(): GET_REQ11='GET / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/\r\n\r\n'
4301> determine_service(): HEAD_REQ11='HEAD / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nAccept: text/
\r\n\r\n'
4302> determine_service(): GET_REQ10='GET / HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/\r\n\r\n'
4303> determine_service(): HEAD_REQ10='HEAD / HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nAccept: text/
\r\n\r\n'
4304> determine_service(): runs_HTTP
460> runs_HTTP(): wait_kill 9477 5
435> wait_kill(): local pid=9477
459> runs_HTTP(): printf 'GET / HTTP/1.1\r\nHost: 192.168.1.95\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/19700101 Firefox/42.0\r\nConnection: Close\r\nAccept: text/*\r\n\r\n'
436> wait_kill(): local maxsleep=5
438> wait_kill(): true
439> wait_kill(): [[ 6 -ge 6 ]]
439> wait_kill(): ps 9477
459> runs_HTTP(): /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181
PID TT STAT TIME COMMAND
9477 s002 R+ 0:00.00 /usr/bin/openssl s_client -quiet -connect 192.168.1.95
440> wait_kill(): ps 9477
443> wait_kill(): sleep 1
444> wait_kill(): maxsleep=4
445> wait_kill(): test 4 -le 0
438> wait_kill(): true
439> wait_kill(): [[ 6 -ge 6 ]]
439> wait_kill(): ps 9477

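A watchdog for the probe that the trace above shows stuck inside wait_kill(), added here as an example (not testssl.sh's own code): it relies on the shell's own wait instead of polling ps, so a ps that fails the way the later "Failure calling sysctl" output shows cannot keep the loop alive. The host and port are the ones from this thread; the probe helper assumes an openssl binary on PATH and network access.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh's own code. The bash -vx trace shows
# wait_kill() polling "ps $pid" once a second until maxsleep runs out; when
# ps itself fails ("Failure calling sysctl: Operation not permitted") the
# poll never sees the child go away. The watchdog below does the same job
# without consulting ps: wait(1) reports when the probe exits, and a side
# timer sends SIGTERM if the probe is still running when the budget is gone.

# run_with_timeout SECONDS CMD [ARGS...]
# Exit status is the command's own; 143 (128 + SIGTERM) means the timer fired.
run_with_timeout() {
    local budget=$1
    shift
    "$@" &
    local pid=$!
    # The timer is detached from the probe and from our stdio, so it cannot
    # hold a pipe open after the probe has finished.
    ( sleep "$budget"; kill "$pid" 2>/dev/null ) </dev/null >/dev/null 2>&1 &
    local timer=$!
    local rc=0
    wait "$pid" || rc=$?
    # Probe finished (or was killed): the timer is no longer needed. If it has
    # already fired and exited, kill fails harmlessly. Its inner sleep may
    # linger for the rest of the budget; that is cosmetic.
    kill "$timer" 2>/dev/null || :
    return "$rc"
}

# tls_http_head HOST PORT: the operation the trace was stuck in, an HTTP
# request pushed through "openssl s_client -quiet -connect HOST:PORT".
# Needs network access and an openssl binary on PATH.
tls_http_head() {
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: Close\r\n\r\n' "$1" |
        openssl s_client -quiet -connect "$1:$2" 2>&1
}

# Usage with the 5 second budget the trace passed to wait_kill():
#   run_with_timeout 5 tls_http_head 192.168.1.95 8181
#   echo "probe status: $?"      # 143 means the watchdog had to kill it
```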
@jrobertsz66
Author

It hangs for over 10 minutes - still hung

@jrobertsz66
Author

After about 30 minutes or so, I get this - I run the command as sudo:

439> wait_kill(): ps 10433

Failure calling sysctl: Operation not permitted
440> wait_kill(): ps 10433

@drwetter
Owner

drwetter commented Feb 6, 2016

a) thx for everybody helping here
b) latest in the 2.6 branch is 1.379c from September 29, 2015
c) It seems hard to guess what's happening here as it's not an external IP
d) I am wondering whether it's worth spending too much time on this (2.6 branch) as 2.7dev works.

@drwetter
Owner

drwetter commented Feb 6, 2016

PS: If I use Linux and use an IP which is in use but a port which is not, it works ok (there seems to be an error for the banner as it says 2.7dev):

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (4183d8e 2015-09-30 23:36:09 -- 1.396)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 HOST:$PWD/bin/openssl.Linux.x86_64
 (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")


./testssl.sh: connect: No route to host
./testssl.sh: line 2406: /dev/tcp/192.168.211.147/8181: No route to host

Unable to open a socket to 192.168.211.147:8181. Fatal error: Can't connect to "192.168.211.147:8181"
Make sure a firewall is not between you and your scanning target!

Same for FreeBSD 9.3

@drwetter
Owner

I am closing it as we would need an external IP to reproduce it.

@jrobertsz66
Author

I think the problem was misunderstood. I cannot connect to my local GlassFish web server and run the script from my Mac, but I can connect to the same GlassFish server from a Linux VM running on my Mac. Therefore you really shouldn't need my GlassFish server. The issue does not seem related to the server. It seems related to the script not running on my Mac.


@jrobertsz66
Author

If you need anything else from my Mac environment I'll be glad to provide it. BTW, I also tried to connect to another server on my network from my Mac and had the same problem on my Mac but not from my Linux VM.


@drwetter drwetter reopened this Feb 22, 2016
@drwetter
Owner

I don't own a Mac and there are unfortunately no VMs, so for that part I need a hand.

And this bug report is not complete yet. What I am missing from you is more input:

a) confirmation of the bug with the master from 2.7
b) using Mac OS X on the client side
c) a glassfish server to test against

Any special implementation of glassfish, what does the server banner say?

@drwetter
Owner

I think the problem was misunderstood. I cannot connect to my local GlassFish web server and run the script from my Mac

Let me come back to the question from @bknowles : what does /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181 do?

My humble guess is that your firewall is blocking it.

@drwetter
Owner

@jrobertsz66 could you please run /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181 and check whether it hangs?

@jrobertsz66
Author

It works:

~$ /usr/bin/openssl s_client -quiet -connect 192.168.1.95:8181
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = localhost
verify return:1

@jrobertsz66
Author

Well, please tell me if that is the correct output. It seems to work.

After 10 secs or so I get this additional line:

read:errno=0

The program then exits.

@jrobertsz66
Author

Also answers to previous questions:

a) I am running this version:

testssl.sh 2.7dev from https://testssl.sh/dev/
(1.464 2016/02/07 18:13:58)

b) Yes - using Mac OSX on the client side and the server side it hangs. If I run the same testssl.sh script from Linux pointing to the same GF on the Mac it runs without hanging.

c) It is not any special implementation of GF and I don't think it is related to GF, and here is why: I was able to reproduce the error talking to a PHP server (NOT GF) from my Mac using your script. If I run the script again from Linux pointing to that PHP server, it works again from Linux.

Also, if I just take your script and run it from my Mac using www.google.com, it hangs again, but not when I run it from Linux.

@jrobertsz66
Author

Here is the output when it hangs when I use the Google URL:

~/dev$ ./security/scripts/testssl.sh www.google.com

No mapping file found

###########################################################
testssl.sh 2.7dev from https://testssl.sh/dev/
(1.464 2016/02/07 18:13:58)

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2d 9 Jul 2015" [~138 ciphers]
on C02ML9L4FD57:/usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")

Testing all IPv4 addresses (port 443): 74.125.22.106 74.125.22.104 74.125.22.103 74.125.22.99 74.125.22.147 74.125.22.105

Start 2016-02-29 12:42:57 -->> 74.125.22.106:443 (www.google.com) <<--

@jrobertsz66
Author

Could it be the OpenSSL version?

@drwetter
Owner

@jrobertsz66 can't believe this. Try to execute with bash -vx testssl.sh www.google.com and let me know where it hangs.

@ all: somebody with a Mac: can you pls try to verify/falsify this?

@logopk

logopk commented May 30, 2016

Tested on Yosemite with the 2.6 version and the Master with google.com and openssl 1.0.2h from macports.

No hang, 2.7 seemingly much slower than 2.6.

But: there seems to be a date format problem:

Certificate Expiration >= 60 daysFailed conversion of May 18 10:59:02 2016 GMT'' using format%b %d %T %Y %Z''
date: illegal time format
usage: date [-jnu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
[-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format](--> 2016-08-10 12:46 +0200)

@drwetter
Owner

drwetter commented Jun 2, 2016

@logopk : Thx for reporting.

2.6 is old, I am not going to fix that anymore (unless someone creates a PR). The illegal time format message: Was that 2.6? If I try this on 2.7dev on FreeBSD 9 it works perfectly but also v2.6. (1.379c 2015/09/29) works.

For the upcoming release a final polish for Darwin will be requested.

@logopk

logopk commented Jun 2, 2016

Dirk, the dateformat issue happened on 2.6 and 2.7dev on a German MacOS X Yosemite AND the 2.7dev docker-image of jumanjiman.

@drwetter
Owner

drwetter commented Jun 2, 2016

@logopk : could you please do me the favor and open a new issue. If possible add the output of /tmp/ssltester.*/environment.txt .

@drwetter
Owner

drwetter commented Jun 2, 2016

@jrobertsz66:

  1. Could you please run again bash -vx testssl.sh <target> until it hangs. No need to use sudo. The one @ Cannot run on OSX #284 (comment) wasn't done.

  2. Also please provide the output from wget -S -q --no-check-certificate -O /dev/null <URL>.

Please try to give an exact and careful description, as otherwise we won't be able to help you. One carefully crafted reply suffices in most cases.

It looks like the openssl command doesn't hang but getting the HTTP header does. But I do not understand why that is not being killed.

@logopk

logopk commented Jun 2, 2016

@drwetter: now if I check, the date format problem on the Mac happens only in 2.6 and it seems to be related to the missing LC_ALL=C. Fair enough if you don't change this anymore. I will file an issue for the docker version of 2.7dev.

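The date-format failure logopk reports, worked through as an added example (not testssl.sh's or the reporter's code): BSD date's `-j -f '%b %d %T %Y %Z'` parses the month name with the current LC_TIME, so the English "May" in OpenSSL's notAfter string is rejected under a German locale unless the call runs with LC_ALL=C. The helper below assumes only a POSIX shell and does the calendar arithmetic itself, so the expiry check gives the same answer under any locale and on Linux, macOS or FreeBSD alike.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh's own code. "date: illegal time format" is
# what BSD date(1) prints when the English notAfter string
# "May 18 10:59:02 2016 GMT" is parsed with %b under a German LC_TIME, which
# expects "Mai". Prefixing the date call with LC_ALL=C fixes that; the
# functions below remove the dependency on date(1) for the parse entirely.

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian)
days_from_civil() {
    local y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi       # year starts in March
    local era=$(( (y >= 0 ? y : y - 399) / 400 ))
    local yoe=$(( y - era * 400 ))                  # year of era [0, 399]
    local mp=$(( (m + 9) % 12 ))                    # March = 0 ... February = 11
    local doy=$(( (153 * mp + 2) / 5 + d - 1 ))     # day of (March-based) year
    local doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# notafter_to_epoch "Mon DD HH:MM:SS YYYY GMT" -> Unix timestamp, or status 1
# The input is what "openssl x509 -noout -enddate" prints after "notAfter=";
# openssl always emits English month names and GMT, so a fixed table is safe.
notafter_to_epoch() {
    set -- $1                     # split on whitespace (openssl pads the day)
    local mon=$1 day=$2 hms=$3 year=$4 tz=$5 m
    [ "${tz:-GMT}" = GMT ] || return 1
    case $mon in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;             # not an English month name: refuse, don't guess
    esac
    local hh=${hms%%:*} rest=${hms#*:}
    local mm=${rest%%:*} ss=${rest#*:}
    # One leading zero is stripped from each field so "08" is not read as octal.
    local days
    days=$(days_from_civil "$year" "$m" "${day#0}")
    echo $(( days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# days_to_expiry NOTAFTER NOW_EPOCH -> whole days remaining (negative if expired)
days_to_expiry() {
    local exp
    exp=$(notafter_to_epoch "$1") || return 1
    echo $(( (exp - $2) / 86400 ))
}

# Usage against a real certificate; "date +%s" itself is locale independent:
#   end=$(openssl x509 -noout -enddate -in cert.pem | sed 's/^notAfter=//')
#   days_to_expiry "$end" "$(date +%s)"
```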