From 2c871f9ffa0d04a75664031b47ac6185cf88c40c Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 21 Jul 2025 11:49:03 +0200 Subject: [PATCH 1/4] Pick another host for unit tests heise.de seems too often run into to timeouts when doing this unit test. Thus it is being changed to web.de, hoping it works better. --- t/32_isHTML_valid.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t index 2f843f5..d276322 100755 --- a/t/32_isHTML_valid.t +++ b/t/32_isHTML_valid.t @@ -10,7 +10,7 @@ use Text::Diff; my $tests = 0; my $prg="./testssl.sh"; -my $uri="heise.de"; +my $uri="web.de"; my $out=""; my $html=""; my $debughtml=""; From b7584ea93af212c12146e0d3581b173cbd8ec728 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 23 Jul 2025 14:43:41 +0200 Subject: [PATCH 2/4] correct comment, update vulnerablites to include IDS friendly ones --- t/12_diff_opensslversions.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t index e866df1..eb4d668 100755 --- a/t/12_diff_opensslversions.t +++ b/t/12_diff_opensslversions.t @@ -1,6 +1,6 @@ #!/usr/bin/env perl -# Baseline diff test against testssl.sh (csv output) +# Baseline diff test against google.com (csv output) # # This runs a basic test with the supplied openssl vs /usr/bin/openssl @@ -11,7 +11,7 @@ use Text::Diff; my $tests = 0; my $prg="./testssl.sh"; -my $check2run="--protocols --std --server-preference --fs --header --renegotiation --crime --breach --poodle --tls-fallback --sweet32 --beast --lucky13 --freak --logjam --drown --rc4 --phone-out --client-simulation -q --ip=one --color 0 --csvfile"; +my $check2run="--protocols --std --server-preference --fs --header --vulnerable --ids-friendly --phone-out --client-simulation -q --ip=one --color 0 --csvfile"; my $csvfile="tmp.csv"; my $csvfile2="tmp2.csv"; my $cat_csvfile=""; From faa190354eaa6b47890e6ffb0d951bb339e2985f Mon Sep 17 00:00:00 2001 
From: Dirk Wetter Date: Wed, 23 Jul 2025 14:45:34 +0200 Subject: [PATCH 3/4] Pick different host + openssl * host is bahn.de * debug message said Your ./bin/openssl.Linux.x86_64 doesn't support X25519 --> use /usr/bin/openssl * skip debug msg check for Mac --- t/32_isHTML_valid.t | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t index d276322..f435857 100755 --- a/t/32_isHTML_valid.t +++ b/t/32_isHTML_valid.t @@ -10,14 +10,16 @@ use Text::Diff; my $tests = 0; my $prg="./testssl.sh"; -my $uri="web.de"; +my $uri="bahn.de"; my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; my $htmlfile="tmp.html"; -my $check2run="--ip=one --sneaky --ids-friendly --color 0 --htmlfile $htmlfile"; +# need to avoid the debug message around L15190++ Your ./bin/openssl.Linux.x86_64 doesn't support X25519 : +my $check2run="--ip=one --openssl /usr/bin/openssl --sneaky --ids-friendly --color 0 --htmlfile $htmlfile"; my $diff=""; + die "Unable to open $prg" unless -f $prg; printf "\n%s\n", "Doing HTML output checks"; @@ -54,6 +56,13 @@ ok($edited_html eq $out, "Checking if HTML file matches terminal output") or $tests++; +if ( $^O eq "darwin" ){ + printf "\nskip debug checkon MacOS\n\n"; + done_testing($tests); + exit 0; +} + + #2 printf "%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)"; # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages From 56c1e5856764d0d11c04915b766266e2b0b77125 Mon Sep 17 00:00:00 2001 
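Review bot: The new `$check2run` in the first hunk hard-codes `--openssl /usr/bin/openssl`, but the only precondition checked on the test side is `-f $prg`. On a host with no executable at that path, the failure would presumably surface inside the testssl.sh run rather than as a clear test error. A guard beside the existing one would make it explicit: `die "Unable to find /usr/bin/openssl" unless -x "/usr/bin/openssl";`. The comment should also say that the HTML comparison now depends on whichever OpenSSL build the host ships, so results can differ between CI images. PATCH 4/4 keeps the same path.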
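Review bot: The `$^O eq "darwin"` early exit in the second hunk has no comment saying why the `--debug 4` comparison cannot run on macOS, and the commit message only states that it is skipped. A one-line comment above the `if` naming the concrete cause would let a later maintainer tell when the skip can be removed. As written, the skip is announced only by a plain `printf`, so the second comparison silently disappears from the reported test count on that platform.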
From: Dirk Wetter Date: Mon, 28 Jul 2025 15:03:51 +0200 Subject: [PATCH 4/4] Mask IP addresses, change host, compression ... for t/32_isHTML_valid.t . Github.com seems to be most reliable from the ones tested so far. bahn.de has one IP to the outside however Session resumption seems to come from different hosts behind that IP. Bad choice for this test. --- t/32_isHTML_valid.t | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t index f435857..8185264 100755 --- a/t/32_isHTML_valid.t +++ b/t/32_isHTML_valid.t @@ -10,16 +10,16 @@ use Text::Diff; my $tests = 0; my $prg="./testssl.sh"; -my $uri="bahn.de"; +my $uri="github.com"; my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; my $htmlfile="tmp.html"; -# need to avoid the debug message around L15190++ Your ./bin/openssl.Linux.x86_64 doesn't support X25519 : -my $check2run="--ip=one --openssl /usr/bin/openssl --sneaky --ids-friendly --color 0 --htmlfile $htmlfile"; +# Pick /usr/bin/openssl as we want to avoid the debug messages like "Your ./bin/openssl.Linux.x86_64 doesn't support X25519" +my $check2run="--ip=one -4 --openssl /usr/bin/openssl --sneaky --ids-friendly --color 0 --htmlfile $htmlfile"; my $diff=""; - +my $ip=""; die "Unable to open $prg" unless -f $prg; printf "\n%s\n", "Doing HTML output checks"; @@ -57,7 +57,7 @@ $tests++; if ( $^O eq "darwin" ){ - printf "\nskip debug checkon MacOS\n\n"; + printf "\nskip debug check on MacOS\n\n"; done_testing($tests); exit 0; } 
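Review bot: The `-4` added to `$check2run` in the first hunk has no comment, and it appears to be coupled to the masking added at the end of this patch, which only recognises dotted-quad IPv4 addresses. If that is the reason, record it next to the option, e.g. `# -4: the IP masking below only handles IPv4 addresses`. Without it, a later edit could drop the flag and bring unmasked IPv6 literals back into the comparison.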
@@ -87,8 +87,21 @@ $debughtml =~ s/.*DEBUG:.*\n//g; $debughtml =~ s/No engine or GOST support via engine with your.*\n//g; $debughtml =~ s/.*built: .*\n//g; $debughtml =~ s/.*Using bash .*\n//g; +$debughtml =~ s/.*has_compression.*\n//g; # is whole line: s/.* .*\n//g; +# Extract and mask IP address as it can change +if ( $html =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) { + $ip = $1; +} +$html =~ s/$ip/AAA.BBB.CCC.DDD/g; + +if ( $debughtml =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) { + $ip = $1; +} +$debughtml =~ s/$ip/AAA.BBB.CCC.DDD/g; + + $diff = diff \$debughtml, \$html; ok($debughtml eq $html, "Checking if HTML file created with --debug 4 matches HTML file created without --debug") or
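Review bot: Both new substitutions interpolate `$ip` into the pattern unescaped and run even when the preceding match failed. The dots in the address then act as regex wildcards, and a `$ip` that is still empty makes Perl reuse the last successfully matched pattern, while a failed match on `$debughtml` silently reuses the address captured from `$html`. Moving each substitution inside its `if` and quoting the value fixes both: `$html =~ s/\Q$ip\E/AAA.BBB.CCC.DDD/g;`, and likewise for `$debughtml`. The capture also takes the first dotted quad anywhere in the output, which may not be the target address, so anchoring it to the line that prints the IP would be safer. The statement starting at `ok(` continues outside the hunk.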