testssl.sh/etc/README.md


### Certificate stores

The certificate trust stores were retrieved from

* **Linux:** Copied from an up-to-date Debian Linux machine
* **Mozilla:** https://curl.haxx.se/docs/caextract.html (MPL 2.0)
* **Java:** extracted (``keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias'``) from a JDK LTS version from https://jdk.java.net/. Use dos2unix for the store which you generated.
* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also https://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). They are in DER format. Convert them like ``for f in *.crt; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Microsoft.pem``.
* **Apple:**
    1. __System:__ from Apple OS X keychain app.  Open Keychain Access utility, i.e.
  In the Finder window, under Favorites --> "Applications" --> "Utilities"
  (OR perform a Spotlight Search for "Keychain Access")
  --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System Root"
  --> "Category" --> "All Items"
  Select all CA certificates except for "Developer ID Certification Authority", omit expired ones,  "File" --> "Export Items"
    2. __Internet:__ Clone https://github.com/apple-oss-distributions/security_certificates.git, cd to ``security_certificates/certificates/roots``, ``for f in *.* do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Apple.pem``

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

**ATTENTION**: From each store you need to remove the _DST Root CA X3_ which is for your reference in this directory, see file ``DST Root CA X3.txt``. As of July 2024 this seemed to be needed only for the Microsoft CA store. Apple's file name in 2023 was ``IdenTrust_Root_X3.der``. For the Microsoft CA store you can identify the file beforehand like ``for f in *.crt; do  openssl x509 -in $f -inform DER -text -noout  | grep -q 'DST' && echo $f ;done`` or use a line from ``DST Root CA X3.txt`` and grep for that in the resulting ``Microsoft.pem``.

If you want to check trust against e.g. a company internal CA you need to use ``./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds>`` or ``ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>``.

IMPORTANT: After updating any of the CA root stores you have to invoke ``./utils/create_ca_hashes.sh`` to update ``~/etc/ca_hashes.txt``.


#### License

Please note that the licenses of the certificate stores might not be GPLv2 in all the cases. In general the root and intermediate certificates are free for use -- otherwise the Internet wouldn't work. Besides the certificate vendors also browsers use them. Apple and Microsoft however didn't list licenses for those certificates. Microsoft is (as Mozilla and Google) a member of the Common CA Database though, see https://www.ccadb.org/ .


#### Further files

* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests

* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS

* ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA

* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. You MUST
   use ``./utils/create_ca_hashes.sh`` for every Root CA store update, see above.

* ``common-primes.txt`` is used for LOGJAM and the PFS section

* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are -- as the names indicate -- data for the client simulation.
  The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
  The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.

* SSLSocketClient.java as the name indicates is a simple socket client in Java to generate a TLS/SSL handshake. It's taken from
  https://docs.oracle.com/javase/10/security/sample-code-illustrating-secure-socket-connection-client-and-server.htm . It's not
  ours and it's not GPLv2. There wasn't any license mentioned, it's only added for your convenience.
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`### Certificate stores`
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`The certificate trust stores were retrieved from`
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`* Linux: Copied from an up-to-date Debian Linux machine`
Update of certificate stores Mozilla: 2023-08-22 Debian 10 JDK 22 Windows 10 22H2, Patched until 2023-10 Apple: 2023-10 2023-10-09 22:08:48 +02:00			`* Mozilla: https://curl.haxx.se/docs/caextract.html (MPL 2.0)`
			* Java: extracted (``keytool -list -rfc -keystore lib/security/cacerts \| grep -E -v '^$\|^\\\\\*\|^Entry \|^Creation \|^Alias'``) from a JDK LTS version from https://jdk.java.net/. Use dos2unix for the store which you generated.
update MS CA root store 2024-07-23 10:42:14 +02:00			* Microsoft: Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also https://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). They are in DER format. Convert them like ``for f in *.crt; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Microsoft.pem``.
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`* Apple:`
			`1. __System:__ from Apple OS X keychain app. Open Keychain Access utility, i.e.`
			`In the Finder window, under Favorites --> "Applications" --> "Utilities"`
fine tune instructions for Apple.pem 2022-07-01 21:45:02 +02:00			`(OR perform a Spotlight Search for "Keychain Access")`
			`--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System Root"`
- polishing 2016-03-25 11:52:23 +01:00			`--> "Category" --> "All Items"`
fine tune instructions for Apple.pem 2022-07-01 21:45:02 +02:00			`Select all CA certificates except for "Developer ID Certification Authority", omit expired ones, "File" --> "Export Items"`
Update Apple CA store ...and modify readme to reflect that the certificates are better to retrieve from GH 2024-07-22 17:08:18 +02:00			2. __Internet:__ Clone https://github.com/apple-oss-distributions/security_certificates.git, cd to ``security_certificates/certificates/roots``, ``for f in . do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Apple.pem``
Update remaining: Apple / Java / Microsoft * also ca_hashes.txt * Used Java SDK 15 instead of JRE 8 * Used Windows 20H2 * Java Keystore has added 5 certificates (90 --> 95) Updated Readme and make it more reproducible 2020-11-13 22:01:17 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.`

update MS CA root store 2024-07-23 10:42:14 +02:00			ATTENTION: From each store you need to remove the _DST Root CA X3_ which is for your reference in this directory, see file ``DST Root CA X3.txt``. As of July 2024 this seemed to be needed only for the Microsoft CA store. Apple's file name in 2023 was ``IdenTrust_Root_X3.der``. For the Microsoft CA store you can identify the file beforehand like ``for f in *.crt; do openssl x509 -in $f -inform DER -text -noout \| grep -q 'DST' && echo $f ;done`` or use a line from ``DST Root CA X3.txt`` and grep for that in the resulting ``Microsoft.pem``.

Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES) which happened in d44a643fab6be6755a917f85ed491c38990d15ae in testssl.sh . This fixes it in the related files. See also #1581 2020-04-23 11:20:46 +02:00			If you want to check trust against e.g. a company internal CA you need to use ``./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds>`` or ``ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>``.
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00
need to update hashes needs to be earlier 2024-07-23 11:35:16 +02:00			IMPORTANT: After updating any of the CA root stores you have to invoke ``./utils/create_ca_hashes.sh`` to update ``~/etc/ca_hashes.txt``.

Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00
Update of certificate stores Mozilla: 2023-08-22 Debian 10 JDK 22 Windows 10 22H2, Patched until 2023-10 Apple: 2023-10 2023-10-09 22:08:48 +02:00			`#### License`

update MS CA root store 2024-07-23 10:42:14 +02:00			`Please note that the licenses of the certificate stores might not be GPLv2 in all the cases. In general the root and intermediate certificates are free for use -- otherwise the Internet wouldn't work. Besides the certificate vendors also browsers use them. Apple and Microsoft however didn't list licenses for those certificates. Microsoft is (as Mozilla and Google) a member of the Common CA Database though, see https://www.ccadb.org/ .`
Update of certificate stores Mozilla: 2023-08-22 Debian 10 JDK 22 Windows 10 22H2, Patched until 2023-10 Apple: 2023-10 2023-10-09 22:08:48 +02:00

Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`#### Further files`
- updated, see #317 2016-03-13 20:38:06 +01:00
typo 2017-08-13 11:32:24 +02:00			* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests
Update README.md for etc directory 2017-08-04 15:10:41 +02:00
			* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
Update README.md 2017-02-24 17:55:20 +01:00
Typos found by codespell Run codespell in CI 2021-09-14 11:05:48 +02:00			* ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA
Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
MUST update hashes 2023-12-24 14:00:34 +01:00			* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. You MUST
need to update hashes needs to be earlier 2024-07-23 11:35:16 +02:00			use ``./utils/create_ca_hashes.sh`` for every Root CA store update, see above.
Update README.md 2017-02-24 17:55:20 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			* ``common-primes.txt`` is used for LOGJAM and the PFS section
Update README.md 2017-02-24 17:55:20 +01:00
updates docu to reflekt actual status 2023-03-17 18:05:24 +01:00			* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are -- as the names indicate -- data for the client simulation.
Clarify client sim data 2019-04-23 10:26:30 +02:00			The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
			`The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.`
Add Java 17 LTS plus * amend documentation * remove TLS 1.3 ciphers in ch_ciphers for consistency reasons 2022-05-04 15:46:36 +02:00
			`* SSLSocketClient.java as the name indicates is a simple socket client in Java to generate a TLS/SSL handshake. It's taken from`
			`https://docs.oracle.com/javase/10/security/sample-code-illustrating-secure-socket-connection-client-and-server.htm . It's not`
			`ours and it's not GPLv2. There wasn't any license mentioned, it's only added for your convenience.`
Update of certificate stores Mozilla: 2023-08-22 Debian 10 JDK 22 Windows 10 22H2, Patched until 2023-10 Apple: 2023-10 2023-10-09 22:08:48 +02:00