testssl.sh/etc/README.md


### Certificate stores

The certificate trust stores were retrieved from

* **Linux:** Copied from an up-to-date Debian Linux machine
* **Mozilla:** https://curl.haxx.se/docs/caextract.html
* **Java:** extracted (``keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias '``) from a JDK 15 from https://jdk.java.net/. (use dos2unix).
* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
* **Apple:**
    1. __System:__ from Apple OS X keychain app.  Open Keychain Access utility, i.e.
  In the Finder window, under Favorites --> "Applications" --> "Utilities"
  (OR perform a Spotlight Search for Keychain Access)
  --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
  --> "Category" --> "All Items"
  Select all CA certificates except for Developer ID Certification Authority,  "File" --> "Export Items"
    2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``


Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to check trust against e.g. a company internal CA you need to use ``./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds>`` or ``ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>``.


#### Further files

* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests

* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS

* ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA

* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
   ``~/utils/create_ca_hashes.sh`` for an update

* ``common-primes.txt`` is used for LOGJAM and the PFS section

* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are as the names indicate data for the client simulation.
  The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
  The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`### Certificate stores`
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`The certificate trust stores were retrieved from`
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`* Linux: Copied from an up-to-date Debian Linux machine`
			`* Mozilla: https://curl.haxx.se/docs/caextract.html`
Update remaining: Apple / Java / Microsoft * also ca_hashes.txt * Used Java SDK 15 instead of JRE 8 * Used Windows 20H2 * Java Keystore has added 5 certificates (90 --> 95) Updated Readme and make it more reproducible 2020-11-13 22:01:17 +01:00			* Java: extracted (``keytool -list -rfc -keystore lib/security/cacerts \| grep -E -v '^$\|^\\\\\*\|^Entry \|^Creation \|^Alias '``) from a JDK 15 from https://jdk.java.net/. (use dos2unix).
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			* Microsoft: Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
			`* Apple:`
			`1. __System:__ from Apple OS X keychain app. Open Keychain Access utility, i.e.`
			`In the Finder window, under Favorites --> "Applications" --> "Utilities"`
Update README.md 2017-09-18 23:32:35 +02:00			`(OR perform a Spotlight Search for Keychain Access)`
- polishing 2016-03-25 11:52:23 +01:00			`--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"`
			`--> "Category" --> "All Items"`
Update README.md 2017-09-18 23:32:35 +02:00			`Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"`
Trim excess whitespace 2021-09-03 23:32:24 +02:00			2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
Update remaining: Apple / Java / Microsoft * also ca_hashes.txt * Used Java SDK 15 instead of JRE 8 * Used Windows 20H2 * Java Keystore has added 5 certificates (90 --> 95) Updated Readme and make it more reproducible 2020-11-13 22:01:17 +01:00
- updated, see #317 2016-03-13 20:38:06 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			`Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.`

Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES) which happened in d44a643fab6be6755a917f85ed491c38990d15ae in testssl.sh . This fixes it in the related files. See also #1581 2020-04-23 11:20:46 +02:00			If you want to check trust against e.g. a company internal CA you need to use ``./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds>`` or ``ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>``.
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00

			`#### Further files`
- updated, see #317 2016-03-13 20:38:06 +01:00
typo 2017-08-13 11:32:24 +02:00			* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests
Update README.md for etc directory 2017-08-04 15:10:41 +02:00
			* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
Update README.md 2017-02-24 17:55:20 +01:00
Typos found by codespell Run codespell in CI 2021-09-14 11:05:48 +02:00			* ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA
Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
relect what to do for updtaing ca_hashes.txt 2017-09-18 14:20:56 +02:00			* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
Update README.md 2017-09-18 23:32:35 +02:00			``~/utils/create_ca_hashes.sh`` for an update
Update README.md 2017-02-24 17:55:20 +01:00
Updated Trust Stores, Java added This is an update of the root certificate stores. Date from each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested successfully this store. 2018-12-14 10:00:23 +01:00			* ``common-primes.txt`` is used for LOGJAM and the PFS section
Update README.md 2017-02-24 17:55:20 +01:00
Clarify client sim data 2019-04-23 10:26:30 +02:00			* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are as the names indicate data for the client simulation.
			The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
			`The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.`