thrift/test/features/nosslv3.sh

#!/bin/bash

#
# Checks to make sure SSLv3 is not allowed by a server.
#

THRIFTHOST=localhost
THRIFTPORT=9090

while [[ $# -ge 1 ]]; do
  arg="$1"
  argIN=(${arg//=/ })

  case ${argIN[0]} in
    -h|--host)
    THRIFTHOST=${argIN[1]}
    shift # past argument
    ;;
    -p|--port)
    THRIFTPORT=${argIN[1]}
    shift # past argument
    ;;
    *)
          # unknown option ignored
    ;;
  esac

  shift   # past argument or value
done

function nosslv3
{
  local nego
  local negodenied
  local opensslv

  opensslv=$(openssl version | cut -d' ' -f2)
  if [[ $opensslv > "1.0" ]]; then
    echo "[pass] OpenSSL 1.1 or later - no need to check ssl3"
    return 0
  fi

  # echo "openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null"
  nego=$(openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null)
  negodenied=$?

  if [[ $negodenied -ne 0 ]]; then
    echo "[pass] SSLv3 negotiation disabled"
    echo $nego
    return 0
  fi

  echo "[fail] SSLv3 negotiation enabled!  stdout:"
  echo $nego
  return 1
}

nosslv3
exit $?
THRIFT-4084: Add a SSL/TLS negotiation check to crossfeature to verify SSLv3 is not active and that at least one of TLSv1.0 through 1.2 are accepted. Client: csharp, d, go, nodejs, perl This closes #1197 2017-02-20 13:52:11 +00:00			`#!/bin/bash`

			`#`
			`# Checks to make sure SSLv3 is not allowed by a server.`
			`#`

			`THRIFTHOST=localhost`
			`THRIFTPORT=9090`

			`while [[ $# -ge 1 ]]; do`
			`arg="$1"`
			`argIN=(${arg//=/ })`

			`case ${argIN[0]} in`
			`-h\|--host)`
			`THRIFTHOST=${argIN[1]}`
			`shift # past argument`
			`;;`
			`-p\|--port)`
			`THRIFTPORT=${argIN[1]}`
			`shift # past argument`
			`;;`
			`*)`
			`# unknown option ignored`
			`;;`
			`esac`

			`shift # past argument or value`
			`done`

			`function nosslv3`
			`{`
			`local nego`
			`local negodenied`
THRIFT-4579: Move up to Ubuntu Bionic for CI builds make dlang library compatible with openssl-1.1 for Ubuntu Bionic Requires an upstream deimos update to be compatible. 2018-06-08 03:37:55 +00:00			`local opensslv`

			`opensslv=$(openssl version \| cut -d' ' -f2)`
			`if [[ $opensslv > "1.0" ]]; then`
			`echo "[pass] OpenSSL 1.1 or later - no need to check ssl3"`
			`return 0`
			`fi`
THRIFT-4084: Add a SSL/TLS negotiation check to crossfeature to verify SSLv3 is not active and that at least one of TLSv1.0 through 1.2 are accepted. Client: csharp, d, go, nodejs, perl This closes #1197 2017-02-20 13:52:11 +00:00
			`# echo "openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null"`
			`nego=$(openssl s_client -connect $THRIFTHOST:$THRIFTPORT -CAfile ../keys/CA.pem -ssl3 2>&1 < /dev/null)`
			`negodenied=$?`

			`if [[ $negodenied -ne 0 ]]; then`
			`echo "[pass] SSLv3 negotiation disabled"`
			`echo $nego`
			`return 0`
			`fi`

			`echo "[fail] SSLv3 negotiation enabled! stdout:"`
			`echo $nego`
			`return 1`
			`}`

			`nosslv3`
			`exit $?`