Earlier this week I was faced with the challenge of remediating TLS vulnerabilities and I needed a way to easily test and verify if I correctly made the protocol change.
Below is the script I wrote that helped me accomplish this. (I've substituted the IP list I tested; feel free to put in your own when using it.)
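#!/usr/bin/env bash
# Probe each address:port for the TLS protocol versions the server will
# negotiate, by asking `openssl s_client` to handshake with a single
# version forced (-tls1_2, -tls1_1, ...). One line is printed for every
# (host, port, protocol) combination whose handshake completes, which is
# the quick check you want after disabling legacy protocols on a server.
#
# Usage: edit the three lists below, then run the script.
# Requires: openssl, host (dnsutils/bind-utils); `timeout` (coreutils)
# is used when present so an unreachable host cannot stall the whole scan.
set -euo pipefail

# Substitute your own targets. (Values below are constructed samples.)
addressList=(127.0.0.1 10.0.0.1 192.168.1.1)
portList=(443)
# Legacy versions — run these to confirm they are now *disabled*:
#protocolList=(ssl3 tls1 tls1_1)
protocolList=(tls1_2)
# Seconds to wait for a single handshake before giving up (override via env).
connect_timeout=${CONNECT_TIMEOUT:-5}

#######################################
# Resolve the PTR name for an address, falling back to the address itself.
# `host` prints "... domain name pointer NAME." for a PTR record; on
# NXDOMAIN no "pointer" line exists, so the original sed left the error
# text in place — here an empty result yields the raw address instead.
# Arguments: $1 - IP address
# Outputs:   one name (or the address) on stdout
#######################################
reverse_name() {
  local address=$1 name
  name=$(host "$address" 2>/dev/null \
    | sed -n 's/.*domain name pointer //p' \
    | sed 's/\.$//' \
    | head -n 1) || true
  printf '%s\n' "${name:-$address}"
}

#######################################
# Return 0 when openssl completes a handshake to $1 using protocol flag $2.
# Success is read from the negotiated "Cipher is" line rather than the
# "Secure Renegotiation IS supported" banner: a cipher of "(NONE)" means
# the handshake failed even though s_client printed its session summary.
# CAVEAT: a version flag the local openssl was built without (e.g. -ssl3 on
# most modern builds) makes s_client exit non-zero, which this reports the
# same as "disabled" — rerun without 2>/dev/null if a legacy protocol
# unexpectedly shows as off.
# Arguments: $1 - host:port, $2 - openssl version flag without the dash
# Returns:   0 if enabled, 1 otherwise
#######################################
tls_enabled() {
  local full_address=$1 protocol=$2
  local -a cmd=(openssl s_client -connect "$full_address" "-$protocol")
  if command -v timeout >/dev/null 2>&1; then
    cmd=(timeout "$connect_timeout" "${cmd[@]}")
  fi
  local out
  # stdin from /dev/null makes s_client exit right after the handshake
  # (the original piped "Q" for the same effect).
  out=$("${cmd[@]}" </dev/null 2>/dev/null) || return 1
  grep -q 'Cipher is' <<<"$out" && ! grep -q 'Cipher is (NONE)' <<<"$out"
}

main() {
  local address port protocol dns_name full_address
  for address in "${addressList[@]}"; do
    # Reverse lookup once per host, not once per port as the original did.
    dns_name=$(reverse_name "$address")
    for port in "${portList[@]}"; do
      full_address="$address:$port"
      for protocol in "${protocolList[@]}"; do
        if tls_enabled "$full_address" "$protocol"; then
          printf '%s\n' "$dns_name – $port – $protocol is enabled"
        #else
        #  printf '%s\n' "$dns_name – $port – $protocol is NOT enabled"
        fi
      done
    done
  done
}

main "$@"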