From 5a1fd2623f7f362ea01e0d873e14f65a125c27e2 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 3 Sep 2024 15:40:55 +0200 Subject: [PATCH 1/3] Improve banner (3.2) ... for readability and bugs to be filed (fixes #2506) This PR defines a short string for the OpenSSL banner as some suppliers have made them (unnecessarily) long so that it won't fit nice in the banner anymore. The banner also now omits the built line from openssl as for the user it is normally not important. --- testssl.sh | 58 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/testssl.sh b/testssl.sh index 3c9c2ad..3e50818 100755 --- a/testssl.sh +++ b/testssl.sh @@ -317,6 +317,7 @@ OSSL_VER="" # openssl version, will be auto-determin OSSL_VER_MAJOR=0 OSSL_VER_MINOR=0 OSSL_VER_APPENDIX="none" +OSSL_SHORT_STR="" # short string for banner CLIENT_PROB_NO=1 GOOD_CA_BUNDLE="" # A bundle of CA certificates that can be used to validate the server's certificate 
@@ -20127,6 +20128,21 @@ find_openssl_binary() { OSSL_VER_PLATFORM=$($OPENSSL version -p 2>/dev/null | sed 's/^platform: //') OSSL_BUILD_DATE=$($OPENSSL version -a 2>/dev/null | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//') + # Determine an OpenSSL short string for the banner + # E.g MacOS' homebrew and Debian add a library string: OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024), + # so we omit the part after the round bracket as it breaks formatting and doesn't provide more useful info + OSSL_SHORT_STR=$($OPENSSL version 2>/dev/null) + OSSL_SHORT_STR=${OSSL_SHORT_STR%\(*} + # Now handle strings like this: OpenSSL 1.1.1l-fips 24 Aug 2021 SUSE release 150500.17.34.1 + # we find the year, remove until first occurrence, re-add it + for yr in {2014..2029} ; do + if [[ $OSSL_SHORT_STR =~ \ $yr ]] ; then + OSSL_SHORT_STR=${OSSL_SHORT_STR%%$yr*} + OSSL_SHORT_STR="${OSSL_SHORT_STR}${yr}" + break + fi + done + # see #190, reverting logic: unless otherwise proved openssl has no dh bits case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in 1.0.2|1.1.0|1.1.1|3.*) HAS_DH_BITS=true ;; 
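Review bot: The year-trimming loop only recognises build years 2014 through 2029, so a binary built outside that range keeps the long supplier suffix and nothing signals that the trim was skipped. The test and the cut also disagree: the match requires a leading space (`\ $yr`), but `${OSSL_SHORT_STR%%$yr*}` cuts at the first occurrence of those digits anywhere in the string. One anchored match on the date avoids both, e.g. `[[ $OSSL_SHORT_STR =~ ^(.*\ [0-9]{1,2}\ [A-Z][a-z]{2}\ [0-9]{4}) ]] && OSSL_SHORT_STR="${BASH_REMATCH[1]}"`. `yr` is not declared `local` inside the hunk; find_openssl_binary starts and ends outside it, so confirm it is declared there, otherwise it leaks into the global scope.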
@@ -20765,47 +20781,56 @@ prepare_arrays() { mybanner() { local bb1 bb2 bb3 + local spaces=" " + local full="$1" "$QUIET" && return "$CHILD_MASS_TESTING" && return OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')") bb1=$(cat </dev/null)\" [~$OPENSSL_NR_CIPHERS ciphers]" - out " on $HNAME:" + out "${spaces}Using " + pr_italic "$OSSL_SHORT_STR" + outln " [~$OPENSSL_NR_CIPHERS ciphers]" + out "${spaces}on $HNAME:" outln "$OPENSSL_LOCATION" - outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n" + if [[ -n $full ]] || [[ $DEBUG -ge 1 ]]; then + out "${spaces}built: "; pr_italic "$OSSL_BUILD_DATE"; out ", platform: "; prln_italic "$OSSL_VER_PLATFORM" + out "${spaces}Using " + pr_italic "bash ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}" + fi + outln } + calc_scantime() { END_TIME=$(date +%s) SCAN_TIME=$(( END_TIME - START_TIME )) @@ -23318,7 +23343,8 @@ parse_cmd_line() { get_install_dir find_openssl_binary prepare_debug - mybanner + # full banner + mybanner true exit $ALLOK ;; esac From 408e8f84f4b114ca4860bc77b60c8b84c3d1d63a Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 3 Sep 2024 15:42:54 +0200 Subject: [PATCH 2/3] modify issue template for bash version --- .github/ISSUE_TEMPLATE/bug_report.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 9a5206d..3265f4c 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
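Review bot: The full banner (`mybanner true`, or `DEBUG` at 1 or above) never prints the untrimmed `$OPENSSL version` output, because OSSL_SHORT_STR is overwritten in place in find_openssl_binary and the `if [[ -n $full ]] || [[ $DEBUG -ge 1 ]]` branch adds only build date, platform and bash version. The part that is cut is the distributor release (the SUSE example in the comment of the earlier hunk), which is what tells a triager whether a vendor build carries backported fixes, so reports pasted from `testssl.sh -b` lose it. Consider keeping the original string in a second variable and printing it in that branch, for example `out "${spaces}full version: "; prln_italic "$OSSL_FULL_STR"`, where `OSSL_FULL_STR` is a name made up for this note. The CI filter in t/32_isHTML_valid.t would then need a matching line.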
@@ -8,17 +8,17 @@ assignees: '' --- **Before you open an issue please check which version you are running and whether it is the latest in stable / dev branch** -I am running version ( ``git log | head -1`` if running from the git repo. Otherwise ``testssl.sh -v | grep from``) +I am running version (``git log | head -1`` if running from the git repo. Otherwise ``testssl.sh -v | grep from``) **Before you open an issue please whether this is a known problem by searching the issues** -Is related to / couldn't find anything +Is related to / couldn't find anything **Command line / docker command to reproduce** @@ -33,9 +33,8 @@ A clear and concise description of what you would expect to happen. **Your system (please complete the following information):** - OS: ``awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`` - - Platform: ``uname -srm`` - - OpenSSL: ``testssl.sh -b 2>/dev/null | grep Using '`` - - Bash: ``bash --version`` + - Platform: ``uname -srm`` + - OpenSSL + bash: ``testssl.sh -b 2>/dev/null | grep Using '`` **Additional context** From dbb8fc8013e25e2703098955a888db62cdf8265d Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 3 Sep 2024 18:28:56 +0200 Subject: [PATCH 3/3] Fix CI --- t/32_isHTML_valid.t | 3 +++ testssl.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t index c006329..84db98d 100755 --- a/t/32_isHTML_valid.t +++ b/t/32_isHTML_valid.t @@ -75,6 +75,9 @@ $debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g; $debughtml =~ s/.*DEBUG:.*\n//g; $debughtml =~ s/No engine or GOST support via engine with your.*\n//g; +$debughtml =~ s/.*built: .*\n//g; +$debughtml =~ s/.*Using bash .*\n//g; +# is whole line: s/.* .*\n//g; cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); $tests++; diff --git a/testssl.sh b/testssl.sh index 3e50818..fb5fbc6 100755 --- a/testssl.sh +++ b/testssl.sh 
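Review bot: The two new filters in t/32_isHTML_valid.t, `s/.*built: .*\n//g` and `s/.*Using bash .*\n//g`, delete every line of the debug HTML that contains those words anywhere, so a real difference on another line that happens to contain them would be hidden from the `cmp_ok` comparison. If the banner lines carry only whitespace before the label (not visible in this hunk), anchoring narrows the filter, e.g. `$debughtml =~ s/^[ \t]*built: .*\n//mg;` and the same form for `Using bash `. The added comment `# is whole line: ...` is hard to follow as shown; `# each filter above removes the whole matching line` would state it plainly.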
@@ -20826,8 +20826,8 @@ EOF out "${spaces}built: "; pr_italic "$OSSL_BUILD_DATE"; out ", platform: "; prln_italic "$OSSL_VER_PLATFORM" out "${spaces}Using " pr_italic "bash ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}" + outln fi - outln }