Merge pull request #1882 from drwetter/epoch_180hsts_1879
Fix "off by one" error in HSTS
commit
17ad3d70a4
@ -65,7 +65,7 @@
|
|||||||
"DH_groups","testssl.sh/81.169.166.184","443","OK","Unknown DH group (2048 bits)","",""
|
"DH_groups","testssl.sh/81.169.166.184","443","OK","Unknown DH group (2048 bits)","",""
|
||||||
"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
|
"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
|
||||||
"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
|
"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
|
||||||
"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15465600 seconds","",""
|
"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
|
||||||
"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
|
"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
|
||||||
"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
|
"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
|
||||||
"HPKP","testssl.sh/81.169.166.184","443","INFO","No support for HTTP Public Key Pinning","",""
|
"HPKP","testssl.sh/81.169.166.184","443","INFO","No support for HTTP Public Key Pinning","",""
|
||||||
@ -89,7 +89,7 @@
|
|||||||
"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
|
"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
|
||||||
"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
|
"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
|
||||||
"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
||||||
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=B95B85E87BA020CD25A95DF53CDD16C7DCEA96EFE7FEF9411529D511B39015B3","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=67808C62B3EE7649D556175A929075C93AC49A7DB8AEAF1EDEE2EE081FEEE4A2","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
||||||
"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
|
"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
|
||||||
"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
|
"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
|
||||||
"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"
|
"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"
|
||||||
|
@ -208,7 +208,7 @@ STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS
|
|||||||
FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS
|
FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS
|
||||||
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
|
||||||
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
|
||||||
HSTS_MIN=${HSTS_MIN:-179} # >179 days is ok for HSTS
|
HSTS_MIN=${HSTS_MIN:-180} # >=180 days is ok for HSTS
|
||||||
HSTS_MIN=$((HSTS_MIN * 86400)) # correct to seconds
|
HSTS_MIN=$((HSTS_MIN * 86400)) # correct to seconds
|
||||||
HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, practical hints?
|
HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, practical hints?
|
||||||
HPKP_MIN=$((HPKP_MIN * 86400)) # correct to seconds
|
HPKP_MIN=$((HPKP_MIN * 86400)) # correct to seconds
|
||||||
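Review bot: The comment on the new default `HSTS_MIN=${HSTS_MIN:-180}` documents only the default, but because run_hsts now compares with `-ge`, a user-supplied HSTS_MIN is also an inclusive lower bound in days, which is a behaviour change for anyone who exported HSTS_MIN=179 to mirror the old default (a 179-day policy is now accepted). Suggest making that explicit: `HSTS_MIN=${HSTS_MIN:-180} # >=180 days is ok for HSTS; a user-supplied value is likewise the inclusive minimum in days`. The following `HSTS_MIN=$((HSTS_MIN * 86400))` still assumes an integer value; whether an override is validated before this point is not visible in the hunk.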
@ -2619,12 +2619,12 @@ run_hsts() {
|
|||||||
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
|
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
|
||||||
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
|
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
|
||||||
set_grade_cap "A" "HSTS is disabled"
|
set_grade_cap "A" "HSTS is disabled"
|
||||||
elif [[ $hsts_age_sec -gt $HSTS_MIN ]]; then
|
elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
|
||||||
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
|
||||||
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
|
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
|
||||||
else
|
else
|
||||||
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( > $HSTS_MIN seconds recommended)"
|
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
|
||||||
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) <= $HSTS_MIN seconds"
|
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
|
||||||
set_grade_cap "A" "HSTS max-age is too short"
|
set_grade_cap "A" "HSTS max-age is too short"
|
||||||
fi
|
fi
|
||||||
if includeSubDomains "$TMPFILE"; then
|
if includeSubDomains "$TMPFILE"; then
|
||||||
|
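Review bot: The OK branch's fileout message still reads `... (=$hsts_age_sec seconds) > $HSTS_MIN seconds` although the condition above it was changed to `-ge`, so a max-age exactly equal to HSTS_MIN now passes but is reported as strictly greater, and it also contradicts the MEDIUM branch, which the commit did update to `>=` and `<`. Change the line to `fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) >= $HSTS_MIN seconds"`. The sample CSV output in this PR carries the same `> 15552000 seconds` wording and would need regenerating after that fix. run_hsts starts and ends outside this hunk.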