Merge pull request #1985 from DimitriPapadopoulos/codespell

Typos found by codespell
This commit is contained in:
Dirk Wetter 2021-09-14 13:37:59 +02:00 committed by GitHub
commit 3207357e8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 43 additions and 30 deletions

13
.github/workflows/codespell.yml vendored Normal file
View File

@ -0,0 +1,13 @@
---
name: Codespell
on: [push, pull_request]
jobs:
codespell:
name: Check for spelling errors
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: codespell-project/actions-codespell@master
with:
skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle

View File

@ -507,7 +507,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers * as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
1.11 1.11
* Hint for howto enable 56 Bit ciphers fpr testing * Hint for howto enable 56 Bit ciphers for testing
* possible to specify where openssl is (hardcoded, $ENV, last resort: auto) * possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
* warns if netcat is not there * warns if netcat is not there

View File

@ -17,7 +17,7 @@ cryptographic flaws.
* Machine readable output (CSV, two JSON formats) * Machine readable output (CSV, two JSON formats)
* No need to install or to configure something. No gems, CPAN, pip or the like. * No need to install or to configure something. No gems, CPAN, pip or the like.
* Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash. * Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash.
* A Dockerfile is provided, there's also an offical container build @ dockerhub. * A Dockerfile is provided, there's also an official container build @ dockerhub.
* Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443. * Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
* Toolbox: Several command line options help you to run *your* test and configure *your* output. * Toolbox: Several command line options help you to run *your* test and configure *your* output.
* Reliability: features are tested thoroughly. * Reliability: features are tested thoroughly.

View File

@ -641,7 +641,7 @@ MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connect
MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\. MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\.
. .
.IP "\(bu" 4 .IP "\(bu" 4
MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can incerase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\. MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can increase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
. .
.IP "" 0 .IP "" 0
. .

View File

@ -236,7 +236,7 @@ containing files with a .pem extension, a single file or multiple files as a com
<p><code>-E, --cipher-per-proto</code> is similar to <code>-e, --each-cipher</code>. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add <code>--show-each</code>. The output is sorted by security strength, it lists the encryption bits though.</p> <p><code>-E, --cipher-per-proto</code> is similar to <code>-e, --each-cipher</code>. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add <code>--show-each</code>. The output is sorted by security strength, it lists the encryption bits though.</p>
<p><code>-s, --std, --categories</code> tests certain lists of cipher suites / cipher catagories by strength. (<code>--standard</code> is deprecated.) Those lists are (<code>openssl ciphers $LIST</code>, $LIST from below:)</p> <p><code>-s, --std, --categories</code> tests certain lists of cipher suites / cipher categories by strength. (<code>--standard</code> is deprecated.) Those lists are (<code>openssl ciphers $LIST</code>, $LIST from below:)</p>
<ul> <ul>
<li><code>NULL encryption ciphers</code>: 'NULL:eNULL'</li> <li><code>NULL encryption ciphers</code>: 'NULL:eNULL'</li>
@ -486,7 +486,7 @@ Rating automatically gets disabled, to not give a wrong or misleading grade, whe
<li>CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use <code>~/utils/create_ca_hashes.sh</code> to create the hashes for HPKP.</li> <li>CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use <code>~/utils/create_ca_hashes.sh</code> to create the hashes for HPKP.</li>
<li>MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue</em>.</li> <li>MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue</em>.</li>
<li>MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated TCP connect problems, giving up</em>.</li> <li>MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated TCP connect problems, giving up</em>.</li>
<li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like <em>Fatal error: repeated HTTP header connect problems, doesn't make sense to continue</em>.</li> <li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like <em>Fatal error: repeated HTTP header connect problems, doesn't make sense to continue</em>.</li>
</ul> </ul>

View File

@ -161,7 +161,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
`-E, --cipher-per-proto` is similar to `-e, --each-cipher`. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add `--show-each`. The output is sorted by security strength, it lists the encryption bits though. `-E, --cipher-per-proto` is similar to `-e, --each-cipher`. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add `--show-each`. The output is sorted by security strength, it lists the encryption bits though.
`-s, --std, --categories` tests certain lists of cipher suites / cipher catagories by strength. (`--standard` is deprecated.) Those lists are (`openssl ciphers $LIST`, $LIST from below:) `-s, --std, --categories` tests certain lists of cipher suites / cipher categories by strength. (`--standard` is deprecated.) Those lists are (`openssl ciphers $LIST`, $LIST from below:)
* `NULL encryption ciphers`: 'NULL:eNULL' * `NULL encryption ciphers`: 'NULL:eNULL'
* `Anonymous NULL ciphers`: 'aNULL:ADH' * `Anonymous NULL ciphers`: 'aNULL:ADH'
@ -396,7 +396,7 @@ Except the environment variables mentioned above which can replace command line
* CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use `~/utils/create_ca_hashes.sh` to create the hashes for HPKP. * CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use `~/utils/create_ca_hashes.sh` to create the hashes for HPKP.
* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*. * MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*.
* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*. * MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*.
* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*. * MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*.
### RATING ### RATING
This program has a near-complete implementation of SSL Labs's '[SSL Server Rating Guide](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)'. This program has a near-complete implementation of SSL Labs's '[SSL Server Rating Guide](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)'.

View File

@ -28,7 +28,7 @@ If you want to check trust against e.g. a company internal CA you need to use ``
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS * ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
* ``curves-mapping.txt`` contains information about all of the eliptic curves defined by IANA * ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use * ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
``~/utils/create_ca_hashes.sh`` for an update ``~/utils/create_ca_hashes.sh`` for an update

View File

@ -19,6 +19,6 @@ The whole process is done manually.
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh` * For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh`` * "ciphersuites" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
* Figure out the services by applying a good piece of human logic * Figure out the services by applying a good piece of human logic
* Before submitting a PR: test it yourself! You can also watch it again via wireshark * Before submitting a PR: test it yourself! You can also watch it again via wireshark

View File

@ -1056,7 +1056,7 @@ set_grade_cap() {
# Always set special attributes. These are hard caps, due to name mismatch or cert being invalid # Always set special attributes. These are hard caps, due to name mismatch or cert being invalid
if [[ "$1" == T || "$1" == M ]]; then if [[ "$1" == T || "$1" == M ]]; then
GRADE_CAP="$1" GRADE_CAP="$1"
# Only keep track of the lowest grade cap, since a higher grade cap wont do anything (F = lowest, A = highest) # Only keep track of the lowest grade cap, since a higher grade cap won't do anything (F = lowest, A = highest)
elif [[ ! "$GRADE_CAP" > "$1" ]]; then elif [[ ! "$GRADE_CAP" > "$1" ]]; then
GRADE_CAP="$1" GRADE_CAP="$1"
fi fi
@ -2044,7 +2044,7 @@ wait_kill(){
# Convert date formats -- we always use GMT=UTC here # Convert date formats -- we always use GMT=UTC here
# argv1: source date string # argv1: source date string
# argv2: dest date sting # argv2: dest date string
if "$HAS_GNUDATE"; then # Linux and NetBSD if "$HAS_GNUDATE"; then # Linux and NetBSD
parse_date() { parse_date() {
LC_ALL=C TZ=GMT date -d "$1" "$2" LC_ALL=C TZ=GMT date -d "$1" "$2"
@ -2402,7 +2402,7 @@ run_http_header() {
debugme echo "NOW_TIME: $NOW_TIME | HTTP_TIME: $HTTP_TIME" debugme echo "NOW_TIME: $NOW_TIME | HTTP_TIME: $HTTP_TIME"
# Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested # Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested
# so far seem not to be fine with header containing x0d x0a (CRLF) which is the usal case. # so far seem not to be fine with header containing x0d x0a (CRLF) which is the usual case.
# So we also trigger also on any sign on a single line which is not alphanumeric (plus _) # So we also trigger also on any sign on a single line which is not alphanumeric (plus _)
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE >$HEADERFILE.tmp sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE >$HEADERFILE.tmp
# Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end # Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end
@ -7672,19 +7672,19 @@ get_server_certificate() {
local success ret local success ret
local npn_params="" line local npn_params="" line
local ciphers_to_test="" local ciphers_to_test=""
# Cipher suites that use a certifiate with an RSA (signature) public key # Cipher suites that use a certificate with an RSA (signature) public key
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10" local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
# Cipher suites that use a certifiate with an RSA (encryption) public key # Cipher suites that use a certificate with an RSA (encryption) public key
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01, ff,00" local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01, ff,00"
# Cipher suites that use a certifiate with a DSA public key # Cipher suites that use a certificate with a DSA public key
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11" local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
# Cipher suites that use a certifiate with a DH public key # Cipher suites that use a certificate with a DH public key
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e" local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
# Cipher suites that use a certifiate with an ECDH public key # Cipher suites that use a certificate with an ECDH public key
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01" local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
# Cipher suites that use a certifiate with an ECDSA public key # Cipher suites that use a certificate with an ECDSA public key
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06" local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
# Cipher suites that use a certifiate with a GOST public key # Cipher suites that use a certificate with a GOST public key
local -r a_gost="00,80, 00,81, 00,82, 00,83" local -r a_gost="00,80, 00,81, 00,82, 00,83"
local using_sockets=true local using_sockets=true
@ -7849,7 +7849,7 @@ get_server_certificate() {
"ssl3") DETECTED_TLS_VERSION="0300" ;; "ssl3") DETECTED_TLS_VERSION="0300" ;;
esac esac
# When "$2" is empty, get_server_certificate() is being called with SNI="". # When "$2" is empty, get_server_certificate() is being called with SNI="".
# In case the extensions returned by the server differ depending on wheter # In case the extensions returned by the server differ depending on whether
# SNI is provided or not, don't collect extensions when SNI="" (unless # SNI is provided or not, don't collect extensions when SNI="" (unless
# no DNS name was provided at the command line). # no DNS name was provided at the command line).
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE [[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
@ -8891,7 +8891,7 @@ certificate_info() {
fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2}" fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2}"
outln "${spaces}SHA256 ${cert_fingerprint_sha2}" outln "${spaces}SHA256 ${cert_fingerprint_sha2}"
# " " needs to be converted back to lf in JSON/CSV output. watch out leading/ending line containting "CERTIFICATE" # " " needs to be converted back to lf in JSON/CSV output. watch out leading/ending line containing "CERTIFICATE"
fileout "cert${json_postfix}" "INFO" "$hostcert" fileout "cert${json_postfix}" "INFO" "$hostcert"
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \ [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
@ -11026,7 +11026,7 @@ fd_socket() {
fi fi
((NR_STARTTLS_FAIL++)) ((NR_STARTTLS_FAIL++))
# This are mostly timeouts here (code >=128). We give the client a chance to try again later. For cases # This are mostly timeouts here (code >=128). We give the client a chance to try again later. For cases
# where we have no STARTTLS in the server banner however - ret code=3 - we don't neet to try again # where we have no STARTTLS in the server banner however - ret code=3 - we don't need to try again
connectivity_problem $NR_STARTTLS_FAIL $MAX_STARTTLS_FAIL "STARTTLS handshake failed (code: $ret)" "repeated STARTTLS problems, giving up ($ret)" connectivity_problem $NR_STARTTLS_FAIL $MAX_STARTTLS_FAIL "STARTTLS handshake failed (code: $ret)" "repeated STARTTLS problems, giving up ($ret)"
return 6 ;; return 6 ;;
esac esac
@ -11083,7 +11083,7 @@ socksend_clienthello() {
} }
# ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma # ARG1: hexbytes -- preceded by x -- separated by commas, with a leading comma
# ARG2: seconds to sleep # ARG2: seconds to sleep
socksend() { socksend() {
local data line local data line
@ -16684,7 +16684,7 @@ run_sweet32() {
fileout "SWEET32" "LOW" "uses 64 bit block ciphers" "$cve" "$cwe" "$hint" fileout "SWEET32" "LOW" "uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
"$tls1_1_vulnerable" && set_grade_cap "C" "Uses 64 bit block ciphers with TLS 1.1 (vulnerable to SWEET32)" "$tls1_1_vulnerable" && set_grade_cap "C" "Uses 64 bit block ciphers with TLS 1.1 (vulnerable to SWEET32)"
elif "$ssl2_sweet"; then elif "$ssl2_sweet"; then
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers wth SSLv2 only" pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers with SSLv2 only"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers with SSLv2 only" "$cve" "$cwe" "$hint" fileout "SWEET32" "LOW" "uses 64 bit block ciphers with SSLv2 only" "$cve" "$cwe" "$hint"
else else
pr_svrty_best "not vulnerable (OK)"; pr_svrty_best "not vulnerable (OK)";

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# no early data, but TLS 1.3 with debian:buster (sid simlar in Feb 2019) # no early data, but TLS 1.3 with debian:buster (sid similar in Feb 2019)
image=${1:-"debian:buster"} image=${1:-"debian:buster"}
docker pull "$image" docker pull "$image"

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Utility which converts grepable nmap outout to testssl's file input # Utility which converts grepable nmap output to testssl's file input
# It is just borrowed from testssl.sh # It is just borrowed from testssl.sh
# License see testssl.sh # License see testssl.sh

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# simple check for seesion resumption 1) by SID, 2) by tickets # simple check for session resumption 1) by SID, 2) by tickets
# Author: Dirk Wetter, GPLv2 see https://testssl.sh/LICENSE.txt # Author: Dirk Wetter, GPLv2 see https://testssl.sh/LICENSE.txt

View File

@ -50,7 +50,7 @@ yellow=$(tput setaf 3; tput bold)
normal=$(tput sgr0) normal=$(tput sgr0)
send_clienthello() { send_clienthello() {
local -i len_ch=216 # len of clienthello, exlcuding TLS session ticket and SID (record layer) local -i len_ch=216 # len of clienthello, excluding TLS session ticket and SID (record layer)
local session_tckt_tls="$1" local session_tckt_tls="$1"
local -i len_tckt_tls="${#1}" local -i len_tckt_tls="${#1}"
local xlen_tckt_tls="" local xlen_tckt_tls=""
@ -269,7 +269,7 @@ trap "cleanup" QUIT EXIT
"$DEBUG" && ( echo; echo ) "$DEBUG" && ( echo; echo )
echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID" echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID"
# we do 3 client hellos, and see whether different memmory is returned # we do 3 client hellos, and see whether different memory is returned
for i in 1 2 3; do for i in 1 2 3; do
fd_socket $PORT fd_socket $PORT