From cf66ad61bd5102e10fb1ed37442efe506d9c23c1 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 28 May 2026 19:03:39 +0200 Subject: [PATCH 1/7] Add forward secrecy data to file output This fixes #3040 . Also this removes the debug lines within the if statement (bottom of run_client_simulation() ), probably a historic leftover. --- testssl.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index 2489c50..7755844 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5244,6 +5244,7 @@ run_client_simulation() { local -i ret=0 local jsonID="clientsimulation" local client_service="" + local appendfile="" # source the external file . "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null @@ -5441,29 +5442,32 @@ run_client_simulation() { fi if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then print_n_spaces "$((34-${#cipher}))" + appendfile="$(print_n_spaces $((34-${#cipher})))" else print_n_spaces "$((50-${#cipher}))" + appendfile="$(print_n_spaces $((50-${#cipher})))" fi if [[ -n "$what_dh" ]]; then [[ -n "$curve" ]] && curve="($curve)" if [[ "$what_dh" =~ MLKEM ]] || [[ "$what_dh" =~ Kyber ]]; then pr_kem_quality "$bits" "$(printf -- "%-12s" "$what_dh")" + appendfile+="$what_dh" elif [[ "$what_dh" == ECDH ]]; then pr_ecdh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" + appendfile+="$what_dh $bits $curve" else pr_dh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" + appendfile+="$what_dh $bits $curve" fi else if "$HAS_DH_BITS" || { "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; }; then out "No FS" + appendfile+="no FS" fi fi outln - if [[ -n "${warning[i]}" ]]; then - out " " - outln "${warning[i]}" - fi - fileout "${jsonID}-${short[i]}" "INFO" "$proto $cipher ${warning[i]}" + fileout "${jsonID}-${short[i]}" "INFO" "$proto $cipher $appendfile" + # Just one "finding" with all the data has space for improvements debugme cat $TMPFILE fi fi # correct service? From 01d58f5e9ced43d3887df3b6324873bb9cca0c13 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 28 May 2026 19:07:28 +0200 Subject: [PATCH 2/7] update client simulation data --- t/baseline_data/default_testssl.csvfile | 62 ++++++++++++------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile index 3b50649..89dd06e 100644 --- a/t/baseline_data/default_testssl.csvfile +++ b/t/baseline_data/default_testssl.csvfile @@ -100,36 +100,36 @@ "LUCKY13","testssl.sh/81.169.235.32","443","LOW","potentially vulnerable, uses TLS CBC ciphers","CVE-2013-0169","CWE-310" "winshock","testssl.sh/81.169.235.32","443","OK","not vulnerable","CVE-2014-6321","CWE-94" "RC4","testssl.sh/81.169.235.32","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" -"clientsimulation-android_70","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-android_81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_70","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-android_81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" "clientsimulation-ie_8_win7","testssl.sh/81.169.235.32","443","INFO","No connection","","" -"clientsimulation-ie_11_win7","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384","","" -"clientsimulation-ie_11_win81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384","","" -"clientsimulation-ie_11_winphone81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES128-SHA256","","" -"clientsimulation-ie_11_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_11_win7","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-ie_11_win81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-ie_11_winphone81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES128-SHA256 ECDH 256 (P-256)","","" +"clientsimulation-ie_11_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" "clientsimulation-java_7u25","testssl.sh/81.169.235.32","443","INFO","No connection","","" -"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" -"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" +"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" From cff2c0810c0d0e1d8781e526bd14dfa99ca42058 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 28 May 2026 20:41:00 +0200 Subject: [PATCH 3/7] Add Linux, not Mac baseline ;-) --- t/baseline_data/default_testssl.csvfile | 44 ++++++++++++------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile index 89dd06e..df0542c 100644 --- a/t/baseline_data/default_testssl.csvfile +++ b/t/baseline_data/default_testssl.csvfile @@ -102,34 +102,34 @@ "RC4","testssl.sh/81.169.235.32","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" "clientsimulation-android_70","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" "clientsimulation-android_81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" -"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" -"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" "clientsimulation-ie_8_win7","testssl.sh/81.169.235.32","443","INFO","No connection","","" "clientsimulation-ie_11_win7","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" "clientsimulation-ie_11_win81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" "clientsimulation-ie_11_winphone81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES128-SHA256 ECDH 256 (P-256)","","" "clientsimulation-ie_11_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" "clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" -"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" "clientsimulation-java_7u25","testssl.sh/81.169.235.32","443","INFO","No connection","","" -"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 256 (P-256)","","" +"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" "clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" -"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 X25519MLKEM768","","" +"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" "clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 AEAD-AES256-GCM-SHA384 ECDH 253 (X25519)","","" +"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" From 566e1b1f656f29e05e8720e3feffe7373240f7c6 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 May 2026 10:33:03 +0200 Subject: [PATCH 4/7] Fix diff complaint raised by ./t/12_diff_opensslversions.t --- testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7755844..be6a3cc 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5451,13 +5451,13 @@ run_client_simulation() { [[ -n "$curve" ]] && curve="($curve)" if [[ "$what_dh" =~ MLKEM ]] || [[ "$what_dh" =~ Kyber ]]; then pr_kem_quality "$bits" "$(printf -- "%-12s" "$what_dh")" - appendfile+="$what_dh" + appendfile+="$(printf -- "%-12s" "$what_dh")" elif [[ "$what_dh" == ECDH ]]; then pr_ecdh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" - appendfile+="$what_dh $bits $curve" + appendfile+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" else pr_dh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" - appendfile+="$what_dh $bits $curve" + appendfile+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" fi else if "$HAS_DH_BITS" || { "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; }; then From 1ee1a60a99e13de8304accb0e5591465769b5082 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 May 2026 10:53:28 +0200 Subject: [PATCH 5/7] var name append_fileout is clearer --- testssl.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/testssl.sh b/testssl.sh index be6a3cc..0fb1b68 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5244,7 +5244,7 @@ run_client_simulation() { local -i ret=0 local jsonID="clientsimulation" local client_service="" - local appendfile="" + local append_fileout="" # source the external file . "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null @@ -5442,31 +5442,31 @@ run_client_simulation() { fi if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then print_n_spaces "$((34-${#cipher}))" - appendfile="$(print_n_spaces $((34-${#cipher})))" + append_fileout="$(print_n_spaces $((34-${#cipher})))" else print_n_spaces "$((50-${#cipher}))" - appendfile="$(print_n_spaces $((50-${#cipher})))" + append_fileout="$(print_n_spaces $((50-${#cipher})))" fi if [[ -n "$what_dh" ]]; then [[ -n "$curve" ]] && curve="($curve)" if [[ "$what_dh" =~ MLKEM ]] || [[ "$what_dh" =~ Kyber ]]; then pr_kem_quality "$bits" "$(printf -- "%-12s" "$what_dh")" - appendfile+="$(printf -- "%-12s" "$what_dh")" + append_fileout+="$(printf -- "%-12s" "$what_dh")" elif [[ "$what_dh" == ECDH ]]; then pr_ecdh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" - appendfile+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" + append_fileout+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" else pr_dh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve" - appendfile+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" + append_fileout+="$(printf -- "%-12s" "$bits bit $what_dh") $curve" fi else if "$HAS_DH_BITS" || { "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; }; then out "No FS" - appendfile+="no FS" + append_fileout+="no FS" fi fi outln - fileout "${jsonID}-${short[i]}" "INFO" "$proto $cipher $appendfile" + fileout "${jsonID}-${short[i]}" "INFO" "$proto $cipher $append_fileout" # Just one "finding" with all the data has space for improvements debugme cat $TMPFILE fi From ec99148700f1bec97352fe51d0cfa0b28d5a4879 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 May 2026 13:00:58 +0200 Subject: [PATCH 6/7] Fix html output runner --- testssl.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 0fb1b68..18c741a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5440,12 +5440,13 @@ run_client_simulation() { else pr_cipher_quality "$cipher" fi + # attention: print_n_spaces() should only be used once, otherwise HTML output will be doubled if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then print_n_spaces "$((34-${#cipher}))" - append_fileout="$(print_n_spaces $((34-${#cipher})))" + append_fileout=" " else print_n_spaces "$((50-${#cipher}))" - append_fileout="$(print_n_spaces $((50-${#cipher})))" + append_fileout=" " fi if [[ -n "$what_dh" ]]; then [[ -n "$curve" ]] && curve="($curve)" From 209e76541ec0f9857d277d08b68031a892f69f19 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 May 2026 15:20:17 +0200 Subject: [PATCH 7/7] Using a compariable Linux distro in the firstplace for updating handshake would have been great ;-) --- t/baseline_data/default_testssl.csvfile | 62 ++++++++++++------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile index df0542c..f43bbb9 100644 --- a/t/baseline_data/default_testssl.csvfile +++ b/t/baseline_data/default_testssl.csvfile @@ -100,36 +100,36 @@ "LUCKY13","testssl.sh/81.169.235.32","443","LOW","potentially vulnerable, uses TLS CBC ciphers","CVE-2013-0169","CWE-310" "winshock","testssl.sh/81.169.235.32","443","OK","not vulnerable","CVE-2014-6321","CWE-94" "RC4","testssl.sh/81.169.235.32","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" -"clientsimulation-android_70","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-android_81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" -"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" -"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-android_70","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-android_81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-android_90","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" "clientsimulation-ie_8_win7","testssl.sh/81.169.235.32","443","INFO","No connection","","" -"clientsimulation-ie_11_win7","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-ie_11_win81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-ie_11_winphone81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES128-SHA256 ECDH 256 (P-256)","","" -"clientsimulation-ie_11_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 (X25519)","","" -"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" -"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-ie_11_win7","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-ie_11_win81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-ie_11_winphone81","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES128-SHA256 256 bit ECDH (P-256)","","" +"clientsimulation-ie_11_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" "clientsimulation-java_7u25","testssl.sh/81.169.235.32","443","INFO","No connection","","" -"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 256 (P-256)","","" -"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" -"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" -"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" -"clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 (P-256)","","" -"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 ECDH 253 (X25519)","","" +"clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","","" +"clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768","","" +"clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256)","","" +"clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519)","",""