diff --git a/docker/include/bin/start_faux b/docker/include/bin/start_faux index 84401f84cf..53242aad42 100755 --- a/docker/include/bin/start_faux +++ b/docker/include/bin/start_faux @@ -227,8 +227,9 @@ elif [ -n "${options[expiredtls]}" ]; then echo Starting expired tls server on port 443 https. mv /root/nginx/nginxfail.conf /etc/nginx/nginx.conf service nginx start - python tlsfaux/client.py 1.2 google.com & - python tlsfaux/client.py 1.3 google.com & + DEFAULT_ROUTE=$(ip route show default | awk '/default/ {print $3}') + python tlsfaux/client.py 1.2 $DEFAULT_ROUTE & + python tlsfaux/client.py 1.3 $DEFAULT_ROUTE & fi if [ -n "${options[pubber]}" ]; then diff --git a/docker/include/network/scripts/start_networking b/docker/include/network/scripts/start_networking index 2bf23ccc4a..37f06b7e7e 100755 --- a/docker/include/network/scripts/start_networking +++ b/docker/include/network/scripts/start_networking @@ -68,5 +68,10 @@ if [ -f $GCP_CRED_FILE ]; then ) & fi +# Setup a bad SSL Server for TLS client tests +echo Starting expired tls server on port 443 https. +mv /root/nginx/nginxfail.conf /etc/nginx/nginx.conf +service nginx start + echo Blocking for all eternity. ./autorestart_dnsmasq diff --git a/docker/modules/Dockerfile.networking b/docker/modules/Dockerfile.networking index f400609a23..3fa3ca1c07 100644 --- a/docker/modules/Dockerfile.networking +++ b/docker/modules/Dockerfile.networking @@ -5,7 +5,10 @@ FROM daqf/aardvark:latest -RUN $AG update && $AG install apt-transport-https ca-certificates curl gnupg2 +RUN $AG update && $AG install apt-transport-https ca-certificates curl gnupg2 + +RUN $AG update && $AG install -y nginx + RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \ | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list RUN curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \ 
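Review bot: `$DEFAULT_ROUTE` is expanded unquoted in the two `python tlsfaux/client.py` lines, so when `ip route show default` prints nothing the client is launched with no host argument, and when it prints more than one default route the awk output word-splits into extra arguments. Take only the first match and quote the expansion: `DEFAULT_ROUTE=$(ip route show default | awk '/default/ {print $3; exit}')`, `python tlsfaux/client.py 1.2 "$DEFAULT_ROUTE" &` (likewise for 1.3), and skip the launch with a message when the variable is empty. The `elif` branch these lines sit in starts outside the hunk. The change presumably relies on the gateway container now serving the expired-certificate nginx that start_networking starts; a one-line comment above the assignment saying that is what the address is for would spare the next reader a search.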
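Review bot: Neither the `mv` nor `service nginx start` in the new block checks its exit status, so if the expired-certificate server fails to come up the script still proceeds to `./autorestart_dnsmasq` and the client TLS tests later report a skip or fail that has nothing to do with the device under test. Suggest `service nginx start || echo "expired tls server failed to start"`, and `cp` instead of `mv` so a second run of the script does not fail because `/root/nginx/nginxfail.conf` is gone. The same three lines already exist in start_faux's `expiredtls` branch (visible as context in the hunk above); the two copies will need to be kept in step.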
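Review bot: The new `RUN $AG update && $AG install -y nginx` refreshes the package index a second time in its own layer immediately after the existing install line. Fold the package into that line, `RUN $AG update && $AG install apt-transport-https ca-certificates curl gnupg2 nginx`, so one index fetch serves both and the image gains no extra layer; if `-y` is needed here it is presumably needed on the existing line as well, unless `$AG` already carries it. The `RUN curl … \` continuation at the end of the hunk runs beyond what is shown.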
@@ -25,4 +28,9 @@ COPY udmi/ udmi/ # Weird workaround for problem running tcdump in a privlidged container. RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump +#HTTPS Bad Server depdnency +COPY docker/include/security/nginxfail.conf /root/nginx/ +COPY docker/include/security/nginx-site /var/www/nginx-site +COPY docker/include/security/tlsfaux tlsfaux/ + ENTRYPOINT ["./start_networking"] diff --git a/subset/security/tlstest/src/main/java/Client.java b/subset/security/tlstest/src/main/java/Client.java index 2382891a69..60299ff7a7 100644 --- a/subset/security/tlstest/src/main/java/Client.java +++ b/subset/security/tlstest/src/main/java/Client.java 
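Review bot: The comment over the three new `COPY` lines has a typo and no space after `#`; suggest `# HTTPS bad-server dependencies: expired-cert nginx config, site content and the tlsfaux client`. Since `nginxfail.conf` lands in `/root/nginx/` and is only moved into `/etc/nginx/` by the start scripts at container start, saying so in that comment would explain why the file is not copied straight to its final path.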
@@ -3,336 +3,485 @@ import com.google.gson.JsonParser; import java.io.*; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.LinkedList; import java.util.List; public class Client { - private final String clientIpAddress; - private final int[] ports; - private final String[] tlsVersion; - private String captureFile = "/scans/test_tls.pcap"; - private String clientReport = ""; - private int totalScans = 0; - private int maxScans = 10; + private final String clientIpAddress; + private final int[] ports; + private final String[] tlsVersion; + private String captureFile = "/scans/test_tls.pcap"; + private String clientReport = ""; + private int totalScans = 0; + private int maxScans = 10; - public Client(String clientIpAddress, int[] ports,String[] tlsVersion) { - this.clientIpAddress = clientIpAddress; - this.ports = ports; - this.tlsVersion = tlsVersion; - } + public Client(String clientIpAddress, int[] ports, String[] tlsVersion) { + this.clientIpAddress = clientIpAddress; + this.ports = ports; + this.tlsVersion = tlsVersion; + } - /** - * Scan the provided capture file and validate it's results. - * @param captureFile Capture file to scan and validate - * @return True indicates file contained expected traffic and could be validated. False indicates no - * traffic could be detected to validate. 
- */ - private boolean validateCaptureFile(String captureFile,String tlsVersion){ - System.out.println("Scanning Capture File: " + captureFile); - this.captureFile = captureFile; - //Check all servers that have been contacted by the DUT to see - //if they have completed a SSL/TLS handshake - List serverList = getServers(tlsVersion); - if(serverList.size()>0){ - boolean handshakeComplete = serverList.stream().anyMatch(serverIp -> isHandshakeCompleted(serverIp,tlsVersion)); - boolean cipherValid = checkClientCiphers(); - passClient(handshakeComplete, cipherValid,tlsVersion); - return true; - } - else{ - System.out.println("No client initiated TLS communication detected in capture file: " + captureFile); - return false; - } - } + public Client(String clientIpAddress, int[] ports, String[] tlsVersion, String captureFile) { + this.clientIpAddress = clientIpAddress; + this.ports = ports; + this.tlsVersion = tlsVersion; + this.captureFile = captureFile; + } - /** - * Validate all versions of TLS requested for client side communications. - * Scan the capture file a maximum of 10 times between all versions - * which equates to 5 minutes total wait time. Any longer can cause - * a module timeout. 
- * @return - */ - public String validate(){ - System.out.println("Validating Client TLS Versions..."); - for(int i = 0;i serverList = getServers(tlsVersion); + if (serverList.size() > 0) { + boolean handshakeComplete = + serverList.stream().anyMatch(serverIp -> isHandshakeCompleted(serverIp, tlsVersion)); + if (handshakeComplete) { + if (tlsVersion.equals("1.2")) { + serverCertsValid = validateServerCertificates(); + } else { + serverCertsValid = true; } - return clientReport; + } + boolean cipherValid = checkClientCiphers(); + passClient(handshakeComplete, serverCertsValid, cipherValid, tlsVersion); + return true; + } else { + System.out.println( + "No client initiated TLS communication detected in capture file: " + captureFile); + return false; } + } - public String validate(String tlsVersion) { - String tlsVersionReport = ""; + public boolean validateServerCertificates() { + System.out.println("Validating Server Certificates..."); + X509Certificate[] certs = getServerCerts(); + System.out.println("Detected " + certs.length + " Server Certificates"); + boolean serverCertsValid = false; + if (certs.length > 0) { + serverCertsValid = true; + for (int i = 0; i < certs.length; ++i) { try { - tlsVersionReport += "\nGathering TLS Client " + clientIpAddress +" Information...."; - System.out.println("Validating Client TLS: " + clientIpAddress); - //Make sure our capture file is available before even attempting this test - File f = new File(captureFile); - if(f.exists()) { - System.out.println("Capture File Available: " + captureFile); - //Scan file over a max of 5 minutes to check for valid traffic - boolean validated = false; - while(totalScans ciphers = getClientCiphers(); - boolean ecdh = isCipherSupported(ciphers,"ECDH"); - boolean ecdsa = isCipherSupported(ciphers,"ECDSA"); - if(ecdh) { - System.out.println("ECDH Client Cipher Detected: " + ecdh); + /** + * Validate all versions of TLS requested for client side communications. 
Scan the capture file a + * maximum of 10 times between all versions which equates to 5 minutes total wait time. Any longer + * can cause a module timeout. + * + * @return + */ + public String validate() { + System.out.println("Validating Client TLS Versions..."); + for (int i = 0; i < tlsVersion.length; ++i) { + System.out.println("Checking Client TLS Version: " + tlsVersion[i]); + String tlsVersionReport = validate(tlsVersion[i]); + clientReport += tlsVersionReport; + } + return clientReport; + } + + public String validate(String tlsVersion) { + String tlsVersionReport = ""; + try { + tlsVersionReport += "\nGathering TLS Client " + clientIpAddress + " Information...."; + System.out.println("Validating Client TLS: " + clientIpAddress); + // Make sure our capture file is available before even attempting this test + File f = new File(captureFile); + if (f.exists()) { + System.out.println("Capture File Available: " + captureFile); + // Scan file over a max of 5 minutes to check for valid traffic + boolean validated = false; + while (totalScans < maxScans && !validated) { + ++totalScans; + System.out.println("Capture File Scan Attempt: " + totalScans); + Thread.sleep(30000); // Pause 30 seconds between scans + validated = validateCaptureFile(captureFile, tlsVersion); } - if(ecdh) { - System.out.println("ECDSA Client Cipher Detected: " + ecdsa); + if (!validated) { + skipClient("No client initiated TLS communication detected", tlsVersion); } - return ecdh && ecdsa; + } else { + skipClient( + "Capture file required for TLS validation not present: " + captureFile, tlsVersion); + } + } catch (Exception e) { + e.printStackTrace(); + } finally { + tlsVersionReport += "\nTLS Client Information Complete."; + return tlsVersionReport; + } + } + + private boolean checkClientCiphers() { + if (tlsVersion.equals("1.3")) { + System.out.println("No Cipher check required for TLS 1.3"); + return true; } + List ciphers = getClientCiphers(); + boolean ecdh = isCipherSupported(ciphers, 
"ECDH"); + boolean ecdsa = isCipherSupported(ciphers, "ECDSA"); + if (ecdh) { + System.out.println("ECDH Client Cipher Detected: " + ecdh); + } + if (ecdh) { + System.out.println("ECDSA Client Cipher Detected: " + ecdsa); + } + return ecdh && ecdsa; + } - /** - * Inspect the capture file for all hello messages from the client device (DUT) - * @return List List of all client Hello packets resolved - */ - private List getClientCiphers(){ - String[] command = new String[]{"tshark", "-r", captureFile,"-Vx", - "-Y", "ssl.handshake.ciphersuites and ip.src=="+clientIpAddress+""}; - String procRes = runCommand(command,true); - String[] lines = procRes.split("\n"); - System.out.println("Cipher Resp Size: " + lines.length); - List cipherList = new ArrayList(); - Arrays.stream(lines).forEach(line->{ - if(line.contains("Cipher Suite:")){ + /** + * Inspect the capture file for all hello messages from the client device (DUT) + * + * @return List List of all client Hello packets resolved + */ + private List getClientCiphers() { + String[] command = + new String[] { + "tshark", + "-r", + captureFile, + "-Vx", + "-Y", + "ssl.handshake.ciphersuites and ip.src==" + clientIpAddress + "" + }; + String procRes = runCommand(command, true); + String[] lines = procRes.split("\n"); + System.out.println("Cipher Resp Size: " + lines.length); + List cipherList = new ArrayList(); + Arrays.stream(lines) + .forEach( + line -> { + if (line.contains("Cipher Suite:")) { line = line.trim(); - if(!cipherList.contains(line)){ - System.out.println("Unique Cipher: " + line); - cipherList.add(line); + if (!cipherList.contains(line)) { + System.out.println("Unique Cipher: " + line); + cipherList.add(line); } - } - }); - return cipherList; - } + } + }); + return cipherList; + } - /** - * Resolve all the servers that the DUT has reached out to over SSL/TLS - * @return List of IP addresses of all the servers resolved - */ - private List getServers(String tlsVersion){ - JsonArray clientHelloPackets = 
getClientHelloPackets(tlsVersion); - System.out.println("Client Hello Messages Resolved: " + clientHelloPackets.size()); - List serverList = new ArrayList(); - for (int i = 0; i < clientHelloPackets.size(); ++i) { - String serverIp = clientHelloPackets.get(i).getAsJsonObject() - .getAsJsonObject("_source") - .getAsJsonObject("layers") - .getAsJsonObject("ip") - .getAsJsonPrimitive("ip.dst").getAsString(); - if (!serverList.contains(serverIp) && !serverIp.equals(clientIpAddress)) { - serverList.add(serverIp); - System.out.println("Unique Server IP Detected: " + serverIp); - } - } - return serverList; + /** + * Resolve all the servers that the DUT has reached out to over SSL/TLS + * + * @return List of IP addresses of all the servers resolved + */ + private List getServers(String tlsVersion) { + JsonArray clientHelloPackets = getClientHelloPackets(tlsVersion); + System.out.println("Client Hello Messages Resolved: " + clientHelloPackets.size()); + List serverList = new ArrayList(); + for (int i = 0; i < clientHelloPackets.size(); ++i) { + String serverIp = + clientHelloPackets + .get(i) + .getAsJsonObject() + .getAsJsonObject("_source") + .getAsJsonObject("layers") + .getAsJsonObject("ip") + .getAsJsonPrimitive("ip.dst") + .getAsString(); + if (!serverList.contains(serverIp) && !serverIp.equals(clientIpAddress)) { + serverList.add(serverIp); + System.out.println("Unique Server IP Detected: " + serverIp); + } } + return serverList; + } - /** - * Inspect the capture file for all hello messages from the client device (DUT) - * on specified port. 
- * 0x0303 -> TLS 1.2 - * 0x0304 -> TLS 1.3 - * @return JsonArray of all client Hello packets resolved - */ - private JsonArray getClientHelloPackets(String tlsVersion){ - List commands = new LinkedList(); - commands.add("tshark"); - commands.add("-r"); - commands.add(captureFile); - commands.add("-T"); - commands.add("json"); - commands.add("ssl.handshake.type==1"); - commands.add("and"); - commands.add("ip.src=="+clientIpAddress); - commands.add("and"); - commands.add(getPortsFilter()); - commands.add("and"); - if(tlsVersion == "1.2"){ - commands.add("ssl.handshake.version==0x0303"); - } - else{ - commands.add("tls.handshake.extensions.supported_version==0x0304"); - } - String procRes = runCommand(commands.toArray(new String[0]),false); - //The process can potentially get run as root so account for - //possible nuisance warning messages that mess up the json packet - procRes = procRes.substring(procRes.indexOf('[')); - JsonElement e = JsonParser.parseString(procRes); - return e.getAsJsonArray(); + /** + * Inspect the capture file for all hello messages from the client device (DUT) on specified port. 
+ * 0x0303 -> TLS 1.2 0x0304 -> TLS 1.3 + * + * @return JsonArray of all client Hello packets resolved + */ + private JsonArray getClientHelloPackets(String tlsVersion) { + List commands = new LinkedList(); + commands.add("tshark"); + commands.add("-r"); + commands.add(captureFile); + commands.add("-T"); + commands.add("json"); + commands.add("ssl.handshake.type==1"); + commands.add("and"); + commands.add("ip.src==" + clientIpAddress); + commands.add("and"); + commands.add(getPortsFilter()); + commands.add("and"); + if (tlsVersion == "1.2") { + commands.add("ssl.handshake.version==0x0303"); + } else { + commands.add("tls.handshake.extensions.supported_version==0x0304"); } + String procRes = runCommand(commands.toArray(new String[0]), false); + // The process can potentially get run as root so account for + // possible nuisance warning messages that mess up the json packet + procRes = procRes.substring(procRes.indexOf('[')); + JsonElement e = JsonParser.parseString(procRes); + return e.getAsJsonArray(); + } - private String getPortsFilter(){ - StringBuilder sb = new StringBuilder(); - sb.append("("); - for(int i = 0;i0?" or ":""); - sb.append("tcp.port=="+ports[i]); - } - sb.append(")"); - return sb.toString(); + private String getPortsFilter() { + StringBuilder sb = new StringBuilder(); + sb.append("("); + for (int i = 0; i < ports.length; ++i) { + sb.append(i > 0 ? 
" or " : ""); + sb.append("tcp.port==" + ports[i]); } + sb.append(")"); + return sb.toString(); + } - /** - * Inspect the capture file for completed client/server SSL/TLS handshakes - * ssl.handshake.type==14 -> ServerHelloDone indicating handshake has completed for TLS 1.2 - * ssl.handshake.type==2 -> ServerHello indicating handshake has completed for TLS 1.3 - * - * @param serverIp IP address for the server side of the connection - * @return True when a completed handshake can be detected for the server and client - */ - private boolean isHandshakeCompleted(String serverIp,String tlsVersion){ - System.out.println("Checking handshake completion for: " + serverIp+"->"+clientIpAddress); - String[] command; - if(tlsVersion.equals("1.2")){ - command = handshakeCompleteMessageTls1_2(serverIp); - } - else{ - command = handshakeCompleteMessageTls1_3(serverIp); - } - boolean completed = runCommand(command,false).length()>0; - if(completed){ - System.out.println("Handshake Completed for: " + serverIp + "->" + clientIpAddress); - } - else{ - System.out.println("Handshake not completed for: " + serverIp + "->" + clientIpAddress); - } - return completed; + /** + * Inspect the capture file for completed client/server SSL/TLS handshakes ssl.handshake.type==14 + * -> ServerHelloDone indicating handshake has completed for TLS 1.2 ssl.handshake.type==2 -> + * ServerHello indicating handshake has completed for TLS 1.3 + * + * @param serverIp IP address for the server side of the connection + * @return True when a completed handshake can be detected for the server and client + */ + private boolean isHandshakeCompleted(String serverIp, String tlsVersion) { + System.out.println("Checking handshake completion for: " + serverIp + "->" + clientIpAddress); + String[] command; + if (tlsVersion.equals("1.2")) { + command = handshakeCompleteMessageTls1_2(serverIp); + } else { + command = handshakeCompleteMessageTls1_3(serverIp); } - - /** - * Create the wireshark filter needed to find 
completed TLS 1.2 handshakes - * - * ssl.handshake.type==14 -> ServerHelloDone indicating handshake has completed for TLS 1.2 - * @param serverIp IP address for the server side of the connection - * @return - */ - private String[] handshakeCompleteMessageTls1_2(String serverIp){ - return new String[]{"tshark", - "-r", - captureFile, - "ssl.handshake.type==14", - "and", - "ip.src=="+serverIp, - " and ", - "ip.dst=="+clientIpAddress, - "and", - getPortsFilter() - }; + boolean completed = runCommand(command, false).length() > 0; + if (completed) { + System.out.println("Handshake Completed for: " + serverIp + "->" + clientIpAddress); + } else { + System.out.println("Handshake not completed for: " + serverIp + "->" + clientIpAddress); } + return completed; + } - /** - * Create the wireshark filter needed to find completed TLS 1.3 handshakes - * - * ssl.handshake.type==2 -> ServerHello indicating handshake has completed for TLS 1.3 - * @param serverIp IP address for the server side of the connection - * @return - */ - private String[] handshakeCompleteMessageTls1_3(String serverIp){ - return new String[]{"tshark", - "-r", - captureFile, - "ssl.handshake.type==2", - "and", - "ip.src=="+serverIp, - " and ", - "ip.dst=="+clientIpAddress, - "and", - getPortsFilter() + private X509Certificate[] getServerCerts() { + String[] getCertsCommand = + new String[] { + "tshark", + "-r", + captureFile, + "-Y", + "ssl.handshake.certificate and ssl.handshake.type==14 and ssl.handshake.version==0x0303", + "-T", + "json" }; + + String rawCertResp = runCommand(getCertsCommand, false); + // The process can potentially get run as root so account for + // possible nuisance warning messages that mess up the json packet + rawCertResp = rawCertResp.substring(rawCertResp.indexOf('[')); + return getServerCerts(rawCertResp).toArray(new X509Certificate[0]); + } + + /** + * Raw JSON provided by tshark are not actually valid json as it has potential to repeat the same + * keys that will override 
previous keys so we need to do some manual extraction of the raw data + * without being able to use builtin json object methods + * + * @param tsharkJson + * @return + */ + public List getServerCerts(String tsharkJson) { + List certList = new LinkedList(); + String certString = "\"tls.handshake.certificate\":"; + while (tsharkJson.indexOf(certString) > 0) { + int certIxStart = tsharkJson.indexOf(certString); + int certIxEnd = tsharkJson.indexOf(",", certIxStart); + String certRecord = tsharkJson.substring(certIxStart, certIxEnd); + certRecord = certRecord.substring(certString.length()); + certRecord = certRecord.substring(certRecord.indexOf('"') + 1, certRecord.lastIndexOf('"')); + certList.add(hexStringtoCert(certRecord)); + tsharkJson = tsharkJson.substring(certIxEnd); } + return certList; + } + + /** + * Convenience method to resolve a valid X.509 certificates from a string representation of the + * raw byte array + * + * @param hexString String representation of a hex value + * @return + */ + public X509Certificate hexStringtoCert(String hexString) { + byte[] bytes = hexStringToByteArray(hexString); + return byteArrayToX509Cert(bytes); + } - private boolean isCipherSupported(List cipherList, String cipher ){ - return cipherList.stream().anyMatch(s -> s.contains(cipher)); + /** + * Generate an X.509 certificate from raw bytes + * + * @param bytes + * @return + */ + public X509Certificate byteArrayToX509Cert(byte[] bytes) { + try { + CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); + InputStream in = new ByteArrayInputStream(bytes); + X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in); + return cert; + } catch (Exception e) { + e.printStackTrace(); } + return null; + } - private void passClient(boolean handshake,boolean cipherValid,String tlsVersion) { - if (handshake && cipherValid) { - clientReport += - "\nRESULT pass security.tls.v" - + tlsVersion.replace(".","_") - + "_client" - + " Client/Server completed 
handshake and ECDH/ECDSA supported ciphers."; - } else { - clientReport += - "\nRESULT fail security.tls.v" - + tlsVersion.replace(".","_") - + "_client"; - clientReport+=handshake?"":" No completed SSL/TLS handshake detected."; - clientReport+=cipherValid?"":" Cipher could not be validated."; - } + /** + * Takes in a string representation of a hex string to be converted into a byte array, example: + * 01:4d + * + * @param hexString String representation of a hex value + * @return + */ + private byte[] hexStringToByteArray(String hexString) { + String[] rawHex = hexString.split(":"); + byte[] bytes = new byte[rawHex.length]; + for (int i = 0; i < bytes.length; ++i) { + int val = Integer.parseInt(rawHex[i], 16); + bytes[i] = (byte) val; } + return bytes; + } - private void skipClient(String skipMessage,String tlsVersion) { + /** + * Create the wireshark filter needed to find completed TLS 1.2 handshakes + * + *

ssl.handshake.type==14 -> ServerHelloDone indicating handshake has completed for TLS 1.2 + * + * @param serverIp IP address for the server side of the connection + * @return + */ + private String[] handshakeCompleteMessageTls1_2(String serverIp) { + return new String[] { + "tshark", + "-r", + captureFile, + "ssl.handshake.type==14", + "and", + "ip.src==" + serverIp, + " and ", + "ip.dst==" + clientIpAddress, + "and", + getPortsFilter() + }; + } + + /** + * Create the wireshark filter needed to find completed TLS 1.3 handshakes + * + *

ssl.handshake.type==2 -> ServerHello indicating handshake has completed for TLS 1.3 + * + * @param serverIp IP address for the server side of the connection + * @return + */ + private String[] handshakeCompleteMessageTls1_3(String serverIp) { + return new String[] { + "tshark", + "-r", + captureFile, + "ssl.handshake.type==2", + "and", + "tls.handshake.extensions.supported_version == 0x0304", + "and", + "ip.src==" + serverIp, + " and ", + "ip.dst==" + clientIpAddress, + "and", + getPortsFilter() + }; + } + + private boolean isCipherSupported(List cipherList, String cipher) { + return cipherList.stream().anyMatch(s -> s.contains(cipher)); + } + + private void passClient( + boolean handshake, boolean serverCertsValid, boolean cipherValid, String tlsVersion) { + if (handshake && cipherValid && serverCertsValid) { + clientReport += + "\nRESULT pass security.tls.v" + + tlsVersion.replace(".", "_") + + "_client" + + " Client/Server completed handshake."; + if (tlsVersion.equals("1.2")) { + clientReport += " ECDH/ECDSA supported ciphers. Server Certificates Valid."; + } + + } else { + clientReport += "\nRESULT fail security.tls.v" + tlsVersion.replace(".", "_") + "_client"; + clientReport += handshake ? "" : " No completed SSL/TLS handshake detected."; + if (tlsVersion.equals("1.2")) { clientReport += - "\nRESULT skip security.tls.v" - + tlsVersion.replace(".","_") - + "_client " - + skipMessage; + handshake & !serverCertsValid ? " Server Certificates Could not be validated." : ""; + clientReport += cipherValid ? 
"" : " Cipher could not be validated."; + } } + } - private static String runCommand(String[] command, boolean useRawData){ - ProcessBuilder processBuilder = new ProcessBuilder(); - processBuilder.command(command); - try { - processBuilder.redirectErrorStream(true); - Process process = processBuilder.start(); + private void skipClient(String skipMessage, String tlsVersion) { + clientReport += + "\nRESULT skip security.tls.v" + tlsVersion.replace(".", "_") + "_client " + skipMessage; + } - BufferedReader reader = - new BufferedReader(new InputStreamReader(process.getInputStream())); - StringBuffer sb = new StringBuffer(); - String line; - while ((line = reader.readLine()) != null) { - if(useRawData){ - if(sb.length()>0){ - sb.append("\n"); - } - sb.append(line); - } - else{ - sb.append(line.trim()); - } - } - process.waitFor(); - String result = sb.toString(); - return result; - } catch (IOException e) { - e.printStackTrace(); - } catch (InterruptedException e) { - e.printStackTrace(); + private static String runCommand(String[] command, boolean useRawData) { + ProcessBuilder processBuilder = new ProcessBuilder(); + processBuilder.command(command); + try { + processBuilder.redirectErrorStream(true); + Process process = processBuilder.start(); + + BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream())); + StringBuffer sb = new StringBuffer(); + String line; + while ((line = reader.readLine()) != null) { + if (useRawData) { + if (sb.length() > 0) { + sb.append("\n"); + } + sb.append(line); + } else { + sb.append(line.trim()); } - return ""; + } + process.waitFor(); + String result = sb.toString(); + return result; + } catch (IOException e) { + e.printStackTrace(); + } catch (InterruptedException e) { + e.printStackTrace(); } + return ""; + } } + diff --git a/testing/test_aux.out b/testing/test_aux.out index a34f90be51..edcb524443 100644 --- a/testing/test_aux.out +++ b/testing/test_aux.out 
@@ -26,14 +26,14 @@ RESULT skip security.tls.v1_2_server IOException unable to connect to server.
 RESULT skip security.tls.v1_3_client No client initiated TLS communication detected
 RESULT skip security.tls.v1_3_server IOException unable to connect to server.
 RESULT skip security.tls.v1_server IOException unable to connect to server.
-RESULT pass security.tls.v1_2_client Client/Server completed handshake and ECDH/ECDSA supported ciphers.
+RESULT fail security.tls.v1_2_client Server Certificates Could not be validated.
 RESULT fail security.tls.v1_2_server Certificate is expired. Certificate has not been signed by a CA.
-RESULT pass security.tls.v1_3_client Client/Server completed handshake and ECDH/ECDSA supported ciphers.
+RESULT pass security.tls.v1_3_client Client/Server completed handshake.
 RESULT fail security.tls.v1_3_server Certificate is expired. Certificate has not been signed by a CA.
 RESULT fail security.tls.v1_server Certificate is expired. Certificate has not been signed by a CA.
-RESULT pass security.tls.v1_2_client Client/Server completed handshake and ECDH/ECDSA supported ciphers.
+RESULT pass security.tls.v1_2_client Client/Server completed handshake. ECDH/ECDSA supported ciphers. Server Certificates Valid.
 RESULT fail security.tls.v1_2_server Certificate has not been signed by a CA. Cipher Valid.
-RESULT pass security.tls.v1_3_client Client/Server completed handshake and ECDH/ECDSA supported ciphers.
+RESULT pass security.tls.v1_3_client Client/Server completed handshake.
 RESULT fail security.tls.v1_3_server Certificate has not been signed by a CA.
 RESULT fail security.tls.v1_server Certificate has not been signed by a CA. Cipher Valid.
 RESULT skip security.password.http Port 80 not open on target device.