From 952231dd948129d357d807035a42266d1a687fe8 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 20 Jan 2020 21:37:02 +0100 Subject: [PATCH 1/7] Shortcuts for vulnerability tests Several vulnerability checks add a time penalty when the server side only support TLS 1.3 as The TLS 1.3 RFC 8446 and implementations known so far don't support the flaws being checked for. This PR adds "shortcut" checks for all TLS 1.3, assuming that the TLS 1.3 implementation is correct which seems at this time a valid assumpution. That either saves a TCP connect or at least some logic to be executed. Also in some cases a TLS 1.3 only server emitted unnecessary warnings, see #1444. If $DEBUG -eq 1 then it outputs information that a shortcut was used. It doesn't do that in other cases because the screen output seems too obtrusive. It also adds a shortcut for beast when SSL 3 or TLS 1.0 is is known not to be supported. This commit radds 747fb039edc329e759aa634fed8a256031808324 which was accidenially reverted in 45f28d816652be59f6d41e7b2200f3325bf04f3e. It fixes #1462. See also #1459. --- testssl.sh | 172 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 123 insertions(+), 49 deletions(-) diff --git a/testssl.sh b/testssl.sh index 407e0dc..f2ae525 100755 --- a/testssl.sh +++ b/testssl.sh @@ -12480,7 +12480,7 @@ parse_tls_serverhello() { # If the ClientHello included a supported_versions extension, then check that the # $DETECTED_TLS_VERSION appeared in the list offered in the ClientHello. - if [[ "${TLS_CLIENT_HELLO:0:2}" == "01" ]]; then + if [[ "${TLS_CLIENT_HELLO:0:2}" == 01 ]]; then # get position of cipher lists (just after session id) offset=78+2*$(hex2dec "${TLS_CLIENT_HELLO:76:2}") # get position of compression methods @@ -12496,7 +12496,7 @@ parse_tls_serverhello() { offset+=6 tls_protocol2="$(tolower "$tls_protocol2")" for (( j=0; j < extension_len-2; j=j+4 )); do - [[ "${TLS_CLIENT_HELLO:offset:4}" == "$tls_protocol2" ]] && break + [[ "${TLS_CLIENT_HELLO:offset:4}" == $tls_protocol2 ]] && break offset+=4 done if [[ $j -eq $extension_len-2 ]]; then @@ -14333,27 +14333,36 @@ run_renego() { pr_bold " Secure Renegotiation (RFC 5746) " jsonID="secure_renego" - # first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS " - $OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") 2>&1 $TMPFILE 2>$ERRFILE - if sclient_connect_successful $? $TMPFILE; then - grep -iaq "Secure Renegotiation IS NOT" $TMPFILE - sec_renego=$? # 0= Secure Renegotiation IS NOT supported - # grep -iaq "Secure Renegotiation IS supported" - #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" - case $sec_renego in - 0) prln_svrty_critical "Not supported / VULNERABLE (NOT ok)" - fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint" - ;; - 1) prln_svrty_best "supported (OK)" - fileout "$jsonID" "OK" "supported" "$cve" "$cwe" - ;; - *) prln_warning "FIXME (bug): $sec_renego" - fileout "$jsonID" "WARN" "FIXME (bug) $sec_renego" "$cve" "$cwe" - ;; - esac + + if "$TLS13_ONLY"; then + # https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no renegotiation support in TLS 1.3 only servers" + outln + fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" else - prln_warning "OpenSSL handshake didn't succeed" - fileout "$jsonID" "WARN" "OpenSSL handshake didn't succeed" "$cve" "$cwe" + # first fingerprint for the Line "Secure Renegotiation IS NOT" or "Secure Renegotiation IS " + $OPENSSL s_client $(s_client_options "$proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") 2>&1 $TMPFILE 2>$ERRFILE + if sclient_connect_successful $? $TMPFILE; then + grep -iaq "Secure Renegotiation IS NOT" $TMPFILE + sec_renego=$? # 0= Secure Renegotiation IS NOT supported + # grep -iaq "Secure Renegotiation IS supported" + #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" + case $sec_renego in + 0) prln_svrty_critical "Not supported / VULNERABLE (NOT ok)" + fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint" + ;; + 1) prln_svrty_best "supported (OK)" + fileout "$jsonID" "OK" "supported" "$cve" "$cwe" + ;; + *) prln_warning "FIXME (bug): $sec_renego" + fileout "$jsonID" "WARN" "FIXME (bug) $sec_renego" "$cve" "$cwe" + ;; + esac + else + prln_warning "OpenSSL handshake didn't succeed" + fileout "$jsonID" "WARN" "OpenSSL handshake didn't succeed" "$cve" "$cwe" + fi fi # FIXME: Basically this can be done with sockets and we might have that information already @@ -14368,7 +14377,8 @@ run_renego() { cve="CVE-2011-1473" # see: https://blog.qualys.com/ssllabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks # http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html -- head/get doesn't seem to be needed though - # https://archive.fo/20130415224936/http://www.thc.org/thc-ssl-dos/, https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation + # https://archive.fo/20130415224936/http://www.thc.org/thc-ssl-dos/ + # https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation case "$OSSL_VER" in 0.9.8*) # we need this for Mac OSX unfortunately case "$OSSL_VER_APPENDIX" in @@ -14389,7 +14399,12 @@ run_renego() { esac - if "$CLIENT_AUTH"; then + if "$TLS13_ONLY"; then + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no renegotiation support in TLS 1.3 only servers" + outln + fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe" + elif "$CLIENT_AUTH"; then prln_warning "client x509-based authentication prevents this from being tested" fileout "$jsonID" "WARN" "client x509-based authentication prevents this from being tested" sec_client_renego=1 @@ -14404,7 +14419,7 @@ run_renego() { sec_client_renego=1 else # second try in the foreground as we are sure now it won't hang - echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE + echo R | $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE sec_client_renego=$? # 0=client is renegotiating & doesn't return an error --> vuln! case "$sec_client_renego" in 0) # We try again if server is HTTP. This could be either a node.js server or something else. @@ -14415,7 +14430,7 @@ run_renego() { fileout "$jsonID" "MEDIUM" "VULNERABLE, potential DoS threat" "$cve" "$cwe" "$hint" else (for i in {1..4}; do echo R; sleep 1; done) | \ - $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -msg -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE + $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>>$ERRFILE case $? in 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat" fileout "$jsonID" "HIGH" "VULNERABLE, DoS threat" "$cve" "$cwe" "$hint" @@ -14461,15 +14476,23 @@ run_crime() { local cwe="CWE-310" local hint="" - # in a nutshell: don't offer TLS/SPDY compression on the server side - # This tests for CRIME Vulnerability (www.ekoparty.org/2012/juliano-rizzo.php) on HTTPS, not SPDY (yet) - # Please note that it is an attack where you need client side control, so in regular situations this - # means anyway "game over", w/wo CRIME - # www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html + # In a nutshell: don't offer TLS/SPDY compression. This tests for CRIME Vulnerability on HTTPS only, + # not SPDY or ALPN (yet). Please note that it is an attack where you need client side control, so in + # regular situations this # means anyway "game over", with or without CRIME. + # + # https://blog.qualys.com/ssllabs/2012/09/14/crime-information-leakage-attack-against-ssltls [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln pr_bold " CRIME, TLS " ; out "($cve) " + if "$TLS13_ONLY"; then + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no compression in TLS 1.3 only servers" + outln + fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe" + return 0 + fi + if ! "$HAS_ZLIB"; then if "$SSL_NATIVE"; then prln_local_problem "$OPENSSL lacks zlib support" @@ -14488,20 +14511,21 @@ run_crime() { sclient_connect_successful $? $TMPFILE sclient_success=$? fi + if [[ $sclient_success -ne 0 ]]; then pr_warning "test failed (couldn't connect)" fileout "CRIME_TLS" "WARN" "Check failed, couldn't connect" "$cve" "$cwe" ret=1 elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then pr_svrty_good "not vulnerable (OK)" - if [[ $SERVICE != "HTTP" ]] && ! "$CLIENT_AUTH"; then + if [[ $SERVICE != HTTP ]] && ! "$CLIENT_AUTH"; then out " (not using HTTP anyway)" fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe" else fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe" fi else - if [[ $SERVICE == "HTTP" ]] || "$CLIENT_AUTH"; then + if [[ $SERVICE == HTTP ]] || "$CLIENT_AUTH"; then pr_svrty_high "VULNERABLE (NOT ok)" fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint" else @@ -14646,13 +14670,21 @@ run_sweet32() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SWEET32 (Birthday Attacks on 64-bit Block Ciphers) " && outln pr_bold " SWEET32"; out " (${cve// /, }) " + if "$TLS13_ONLY"; then + # Unfortunately there's no restriction using TLS 1.2 with $sweet32_ciphers + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", TLS 1.3 doesn't offer such ciphers" + outln + fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" + return 0 + fi + "$SSL_NATIVE" && using_sockets=false # The openssl binary distributed has almost everything we need (PSK, KRB5 ciphers and feff, ffe0 are typically missing). - # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here + # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here. if "$using_sockets"; then for proto in 03 02 01 00; do - "$FAST" && [[ "$proto" != 03 ]] && break - ! "$FAST" && [[ $(has_server_protocol "$proto") -eq 1 ]] && continue + [[ $(has_server_protocol "$proto") -eq 1 ]] && continue tls_sockets "$proto" "${sweet32_ciphers_hex}, 00,ff" sclient_success=$? [[ $sclient_success -eq 2 ]] && sclient_success=0 @@ -14766,6 +14798,15 @@ run_ssl_poodle() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption) " && outln pr_bold " POODLE, SSL"; out " ($cve) " + if "$TLS13_ONLY" || [[ $(has_server_protocol ssl3) -ne 0 ]]; then + # one condition should normally suffice but we don't know when run_poddle() was called + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no SSLv3 support" + outln + fileout "$jsonID" "OK" "not vulnerable, no SSLv3 support" "$cve" "$cwe" + return 0 + fi + "$SSL_NATIVE" && using_sockets=false # The openssl binary distributed has almost everything we need (PSK and KRB5 ciphers are typically missing). # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here @@ -14878,10 +14919,9 @@ run_tls_fallback_scsv() { return 0 ;; *) if [[ $(has_server_protocol tls1_3) -eq 0 ]]; then - # If the server supports TLS 1.3, and does not support TLS 1.2, TLS 1.1, - # or TLS 1, then assume it does not support SSLv3, even if SSLv3 cannot - # be tested. - prln_svrty_good "No fallback possible, TLS 1.3 is the only protocol (OK)" + # If the server supports TLS 1.3, and does not support TLS 1.2, TLS 1.1, or TLS 1, + # then assume it does not support SSLv3, even if SSLv3 cannot be tested. + pr_svrty_good "No fallback possible (OK)"; outln ", TLS 1.3 is the only protocol" fileout "$jsonID" "OK" "only TLS 1.3 supported" elif [[ $(has_server_protocol tls1_3) -eq 1 ]] && \ ( [[ $(has_server_protocol ssl3) -eq 1 ]] || "$HAS_SSL3" ); then @@ -14894,8 +14934,8 @@ run_tls_fallback_scsv() { # If the server does not support TLS 1.3, TLS 1.2, TLS 1.1, or TLS 1, and # support for SSLv3 cannot be tested, then treat it as HIGH severity, since # it is very likely that SSLv3 is the only supported protocol. - prln_svrty_high "No fallback possible, TLS 1.3, TLS 1.2, TLS 1.1, and TLS 1 not supported" - fileout "$jsonID" "HIGH" "TLS 1.3, TLS 1.2, TLS 1.1, and TLS 1 not supported" + pr_svrty_high "NOT ok, no fallback possible"; outln ", TLS 1.3, 1.2, 1.1 and 1.0 not supported" + fileout "$jsonID" "HIGH" "TLS 1.3, 1.2, 1.1, 1.0 not supported" else # TLS 1.2, TLS 1.1, and TLS 1 are not supported, but can't tell whether TLS 1.3 is supported. # This could be a TLS 1.3 only server, an SSLv3 only server (if SSLv3 support cannot be tested), @@ -14924,7 +14964,7 @@ run_tls_fallback_scsv() { if ! "$HAS_SSL3" && \ ( [[ "$low_proto" == ssl3 ]] || \ - ( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol "ssl3") -eq 2 ]] ) ); then + ( [[ "$high_proto" == tls1 ]] && [[ $(has_server_protocol ssl3) -eq 2 ]] ) ); then # If the protocol that the server would fall back to is SSLv3, but $OPENSSL does # not support SSLv3, then the test cannot be performed. So, if $OPENSSL does not # support SSLv3 and it is known that SSLv3 is the fallback protocol ($low_proto), then @@ -14941,7 +14981,7 @@ run_tls_fallback_scsv() { if [[ -z "$low_proto" ]]; then case "$high_proto" in "tls1_2") - prln_svrty_good "No fallback possible, no protocol below $high_proto_str offered (OK)" + pr_svrty_good "No fallback possible (OK)"; outln ", no protocol below $high_proto_str offered" ;; *) outln "No fallback possible, no protocol below $high_proto_str offered (OK)" ;; @@ -15026,6 +15066,14 @@ run_freak() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln pr_bold " FREAK"; out " ($cve) " + if "$TLS13_ONLY"; then + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", TLS 1.3 only server" + outln + fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" + return 0 + fi + "$SSL_NATIVE" && using_sockets=false if "$using_sockets"; then nr_supported_ciphers=$(count_words "$exportrsa_tls_cipher_list_hex")+$(count_words "$exportrsa_ssl2_cipher_list_hex") @@ -15473,7 +15521,6 @@ run_beast(){ local hint="" local jsonID="BEAST" - "$SSL_NATIVE" && using_sockets=false if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then outln pr_headlineln " Testing for BEAST vulnerability " @@ -15481,8 +15528,17 @@ run_beast(){ fi pr_bold " BEAST"; out " ($cve) " + if "$TLS13_ONLY" || ( [[ $(has_server_protocol ssl3) -eq 1 ]] && [[ $(has_server_protocol tls1) -eq 1 ]] ); then + pr_svrty_good "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no SSL3 or TLS1" + outln + fileout "$jsonID" "OK" "not vulnerable, no SSL3 or TLS1" "$cve" "$cwe" + return 0 + fi + + "$SSL_NATIVE" && using_sockets=false # $cbc_ciphers_hex has 126 ciphers, we omitted SRP-AES-256-CBC-SHA bc the trailing 00,ff below will pose - # a problem for ACE loadbalancers otherwise. So in case we know this is not true, we'll re-add it + # a problem for ACE loadbalancers otherwise. So in case we know this is not true, we'll re-add it ! "$SERVER_SIZE_LIMIT_BUG" & "$using_sockets" && cbc_ciphers_hex="$cbc_ciphers_hex, C0,20" [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false @@ -15564,12 +15620,14 @@ run_beast(){ if [[ $sclient_success -ne 0 ]]; then # protocol supported? if "$continued"; then # second round: we hit TLS1 if "$HAS_SSL3" || "$using_sockets"; then - prln_svrty_good "no SSL3 or TLS1 (OK)" + pr_svrty_good "not vulnerable (OK)" ; out ", no SSL3 or TLS1" fileout "$jsonID" "OK" "not vulnerable, no SSL3 or TLS1" "$cve" "$cwe" else prln_svrty_good "no TLS1 (OK)" fileout "$jsonID" "OK" "not vulnerable, no TLS1" "$cve" "$cwe" fi +set +x +exit 0 return 0 else # protocol not succeeded but it's the first time continued=true @@ -15597,7 +15655,7 @@ run_beast(){ sigalg[nr_ciphers]="" done while true; do - [[ "$proto" == "ssl3" ]] && ! "$HAS_SSL3" && break + [[ "$proto" == ssl3 ]] && ! "$HAS_SSL3" && break ciphers_to_test="" for (( i=0; i < nr_ciphers; i++ )); do ! "${ciphers_found[i]}" && "${ossl_supported[i]}" && ciphers_to_test+=":${ciph[i]}" @@ -15695,7 +15753,7 @@ run_beast(){ detected_cbc_ciphers="" # empty for next round first=false else - [[ $proto == "tls1" ]] && ! $first && echo -n "$spaces " + [[ $proto == tls1 ]] && ! $first && echo -n "$spaces " prln_svrty_good "no CBC ciphers for $(toupper $proto) (OK)" first=false fi @@ -15762,6 +15820,14 @@ run_lucky13() { fi pr_bold " LUCKY13"; out " ($cve), experimental " + if "$TLS13_ONLY"; then + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no CBC ciphers in TLS 1.3 only servers" + outln + fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe" + return 0 + fi + "$SSL_NATIVE" && using_sockets=false # The openssl binary distributed has almost everything we need (PSK, KRB5 ciphers and feff, ffe0 are typically missing). # Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here @@ -15841,6 +15907,14 @@ run_rc4() { fi pr_bold " RC4"; out " (${cve// /, }) " + if "$TLS13_ONLY"; then + pr_svrty_best "not vulnerable (OK)" + [[ $DEBUG -ge 1 ]] && out ", no RC4 support in TLS 1.3 only servers" + outln + fileout "$jsonID" "OK" "not vulnerable, TLS 1.3 only" "$cve" "$cwe" + return 0 + fi + # get a list of all the cipher suites to test if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then for (( i=0; i < TLS_NR_CIPHERS; i++ )); do From 26a8f23ec14e077f3dba91f20ad9c362a7da33a7 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Jan 2020 22:41:50 +0100 Subject: [PATCH 2/7] Shutup Travis ... by adding the formerly intruoced "DEBUG" statement as a filter. Note: "DEBUG" can now / should now be taken preferably for extra output on debug level 1. Replacing badssl.com by testssl.net. The former needed almost 5 min for a run, whereas one IP of testssl.net needs ~80 secs. With --fast even less. --- t/08_isHTML_valid.t | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index 4642435..1cd1e88 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t @@ -9,12 +9,12 @@ use Data::Dumper; my $tests = 0; my $prg="./testssl.sh"; -my $uri="badssl.com"; +my $uri="testssl.net"; my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; -my $check2run="--color 0 --htmlfile tmp.html"; +my $check2run="--fast --ip=one --color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; @@ -22,7 +22,7 @@ printf "\n%s\n", "Doing HTML output checks"; unlink 'tmp.html'; #1 -printf "%s\n", " .. running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes)"; +printf "%s\n", " .. running $prg against \"$uri\" to create HTML and terminal outputs (may take ~2 minutes)"; # specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH $out = `TERM_WIDTH=120 $prg $check2run $uri`; $html = `cat tmp.html`; @@ -49,7 +49,7 @@ cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output"); $tests++; #2 -printf "\n%s\n", " .. running $prg against $uri with --debug 4 to create HTML output (may take another 2~3 minutes)"; +printf "\n%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)"; # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages $out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`; $debughtml = `cat tmp.html`; @@ -68,6 +68,7 @@ $debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew $debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g; +$debughtml =~ s/.*DEBUG:.*\n//g; printf "\n%s\n", " .. checking that using the --debug option doesn't affect the HTML file"; cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); From e0f8c8d43e3d8087bd71580ce81f5ab4b8cbddce Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Jan 2020 22:47:53 +0100 Subject: [PATCH 3/7] Relax misunderstanding of DEBUG statemement There's a check for >825 days certificate lifetime. That check emits a debug statement when the lifetime is within this limit. It does that also when the certificate expired. This commit adds now the word "total" DEBUG: all is fine with total certificate life time to make sure the life time left not is what should be understood. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index f2ae525..aabfc46 100755 --- a/testssl.sh +++ b/testssl.sh @@ -8789,7 +8789,7 @@ certificate_info() { else # All is fine with valididy period # We ignore for now certificates < 2018/03/01. On the screen we only show debug info - [[ "$DEBUG" -ge 1 ]] && outln "${spaces}DEBUG: all is fine with certificate life time" + [[ "$DEBUG" -ge 1 ]] && outln "${spaces}DEBUG: all is fine with total certificate life time" fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding" fi From 80530aa34c66dc95194c035ed0ec0450ae1355fc Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Jan 2020 23:53:52 +0100 Subject: [PATCH 4/7] remove fast as it makes problems especially with Travis+testssl.net --- t/08_isHTML_valid.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index 1cd1e88..f93490c 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t @@ -14,7 +14,7 @@ my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; -my $check2run="--fast --ip=one --color 0 --htmlfile tmp.html"; +my $check2run="--ip=one --color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; From 39abb27dd9de17d87725c55d1ef9fc6108507b62 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 22 Jan 2020 00:28:59 +0100 Subject: [PATCH 5/7] cloudflare seems not good for html travis checks --- t/08_isHTML_valid.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index f93490c..6d83d39 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t @@ -9,12 +9,12 @@ use Data::Dumper; my $tests = 0; my $prg="./testssl.sh"; -my $uri="testssl.net"; +my $uri="dev.testssl.sh"; my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; -my $check2run="--ip=one --color 0 --htmlfile tmp.html"; +my $check2run="--ip=one --color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; From cae052cfabfa6d752753e0a49023d1068558f12e Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 22 Jan 2020 11:29:04 +0100 Subject: [PATCH 6/7] Address some HTML check failures in travis (shouldn't work too late) --- testssl.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index aabfc46..f73afe6 100755 --- a/testssl.sh +++ b/testssl.sh @@ -14801,9 +14801,8 @@ run_ssl_poodle() { if "$TLS13_ONLY" || [[ $(has_server_protocol ssl3) -ne 0 ]]; then # one condition should normally suffice but we don't know when run_poddle() was called pr_svrty_best "not vulnerable (OK)" - [[ $DEBUG -ge 1 ]] && out ", no SSLv3 support" - outln - fileout "$jsonID" "OK" "not vulnerable, no SSLv3 support" "$cve" "$cwe" + outln ", no SSLv3 support" + fileout "$jsonID" "OK" "not vulnerable, no SSLv3" "$cve" "$cwe" return 0 fi @@ -15530,8 +15529,7 @@ run_beast(){ if "$TLS13_ONLY" || ( [[ $(has_server_protocol ssl3) -eq 1 ]] && [[ $(has_server_protocol tls1) -eq 1 ]] ); then pr_svrty_good "not vulnerable (OK)" - [[ $DEBUG -ge 1 ]] && out ", no SSL3 or TLS1" - outln + outln ", no SSL3 or TLS1" fileout "$jsonID" "OK" "not vulnerable, no SSL3 or TLS1" "$cve" "$cwe" return 0 fi From d4d5a61a0bc0c6233221509ee06c382916037cbf Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 22 Jan 2020 11:30:21 +0100 Subject: [PATCH 7/7] Hopefully make Travis shut up now picked a TLS 1.2 host --- t/08_isHTML_valid.t | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index 6d83d39..48139b7 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t @@ -9,12 +9,12 @@ use Data::Dumper; my $tests = 0; my $prg="./testssl.sh"; -my $uri="dev.testssl.sh"; +my $uri="heise.de"; my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; -my $check2run="--ip=one --color 0 --htmlfile tmp.html"; +my $check2run="--ip=one --color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; @@ -44,7 +44,6 @@ $edited_html =~ s/>/>/g; $edited_html =~ s/"/"/g; $edited_html =~ s/'/'/g; -printf "\n%s\n", " .. comparing HTML and terminal outputs"; cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output"); $tests++; @@ -70,7 +69,6 @@ $debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g; $debughtml =~ s/.*DEBUG:.*\n//g; -printf "\n%s\n", " .. checking that using the --debug option doesn't affect the HTML file"; cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); $tests++;