Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2026-06-23 08:47:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3.3dev' into https_rr

Browse Source
This commit is contained in:
Dirk Wetter
2026-06-22 16:26:38 +02:00
parent dca6434604 689516c378
commit 50966dc1d6
19 changed files with 658 additions and 298 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/pull_request_template.md
+19 -5
View File
@@ -1,22 +1,36 @@
<!--
## Describe your changes
Please refer to an issue here or describe the change thoroughly in your PR and check the boxes which are applicable.
Please refer to an issue here or describe the change thoroughly in your PR.
This includes:
- Resolved or fixed issue: <-- ✍️ Add GitHub issue number in format `#0000`
- A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
-->
## What is your pull request about?
- [ ] Bug fix
- [ ] Improvement
- [ ] New feature (adds functionality)
- [ ] Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
- [ ] Typo fix
- [ ] Breaking change: bug fix, feature or improvement that would cause existing output (especially JSON, CSV) to not work as expected before
- [ ] Typo / spelling fix
- [ ] Documentation update
- [ ] Update of other files
## If it's a code change please check the boxes which are applicable
- [ ] For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
- [ ] I've read CONTRIBUTING.md and Coding_Convention.md
- [ ] I've read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.3dev/CONTRIBUTING.md)
- [ ] My code follows [Coding_Convention.md](https://github.com/testssl/testssl.sh/blob/3.3dev/Coding_Convention.md)
- [ ] I have tested this __fix__ or __improvement__ against >=2 hosts and I couldn't spot a problem
- [ ] I have tested this __new feature__ against >=2 hosts which show this feature and >=2 host which does not (in order to avoid side effects) . I couldn't spot a problem
- [ ] For the __new feature__ I have made corresponding changes to the documentation and / or to ``help()``
- [ ] If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md
- [ ] If it's a bigger change: I added myself to [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.3dev/CREDITS.md) (alphabetical order) and the change to [CHANGELOG.md](https://github.com/testssl/testssl.sh/blob/3.3dev/CHANGELOG.md)
## AI section
- [ ] My contribution does not include any AI-generated content
- [ ] My contribution includes AI-generated content, as disclosed below:
- AI Tools: `[e.g. GitHub CoPilot, JetBrains Junie, VS Code plugin <NAME> etc.]`
- LLMs and versions: `[e.g. GPT-A.B, Claude <NAME> A.B, Gemini A.B <NAME>, Qwen<B>-Coder, DeepSeek-<A> etc.]`
.github/workflows/build_docs.yml
+43
View File
@@ -0,0 +1,43 @@
name: Build Documentation
on:
pull_request:
paths:
- "doc/testssl.1.md"
jobs:
build-docs:
runs-on: ubuntu-26.04
# Skip fork PRs: GITHUB_TOKEN can't push to a fork's branch
if: github.event.pull_request.head.repo.full_name == github.repository
steps:
- name: Checkout repository
uses: actions/checkout@v7
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y pandoc make
- name: Build documentation
working-directory: doc
run: make -B
# -B ensures build when doc/testssl.1.md changes. When checking out the md file
# it probably might have a time stamp which indicates nothing has changed
- name: Commit and push generated doc files
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add -A
if git diff --staged --quiet; then
echo "No generated changes to commit"
else
git commit -m "Auto-generate docs from testssl.1.md [skip ci]"
git push
fi
.github/workflows/codespell.yml
+1 -1
View File
@@ -9,7 +9,7 @@ jobs:
name: Check for spelling errors
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- uses: codespell-project/actions-codespell@master
with:
skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,testssl.1
.github/workflows/docker-3.3dev.yml
+1 -1
View File
@@ -22,7 +22,7 @@ jobs:
run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
- name: Source checkout
uses: actions/checkout@v6
uses: actions/checkout@v7
- name: Setup QEMU
id: qemu
.github/workflows/shellcheck.yml
+1 -1
View File
@@ -30,7 +30,7 @@ jobs:
env:
LANG: C.UTF-8
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Install shellcheck
run: sudo apt update && sudo apt install -y shellcheck && shellcheck --version
.github/workflows/unit_tests_macos.yml
+2 -1
View File
@@ -29,7 +29,7 @@ jobs:
name: PoC unit test on MacOS
steps:
- name: checkout
uses: actions/checkout@v6
uses: actions/checkout@v7
- name: Set up system (perl, curl is installed already)
run: |
@@ -54,6 +54,7 @@ jobs:
cpanm --notest Data::Dumper
cpanm --notest JSON
cpanm --notest Text::Diff
cpanm --notest IPC::Run3
- name: run it
run: |
.github/workflows/unit_tests_ubuntu.yml
+4 -1
View File
@@ -32,7 +32,7 @@ jobs:
perl: ['5.38']
name: Unit test on ${{ matrix.os }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Set up perl
uses: shogo82148/actions-setup-perl@v1
@@ -51,6 +51,8 @@ jobs:
printf "%s\n" "----------"
bash --version
printf "%s\n" "----------"
echo $PATH
printf "%s\n" "----------"
- name: Install perl modules
run: |
@@ -58,6 +60,7 @@ jobs:
cpanm --notest Data::Dumper
cpanm --notest JSON
cpanm --notest Text::Diff
cpanm --notest IPC::Run3
- name: run it
run: |
CHANGELOG.md
+2 -1
View File
@@ -5,10 +5,11 @@
* QUIC protocol check
* TLS 1.3 early data (0-RTT)
* Support for RFC 8998 and draft-yang-tls-hybrid-sm2-mlkem (TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3 ciphers, kx groups curveSM2, curveSM2MLKEM768; SM2 pub keys + signatures)
* Support for RFC 8998, draft-yang-tls-hybrid-sm2-mlkem (TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3 ciphers, kx groups curveSM2, curveSM2MLKEM768; SM2 pub keys + signatures)
* Adds a check for mandatory extended master secret TLS extension
* Bump SSLlabs rating guide to 2009r
* Check for Opossum vulnerability
* `--phone-out` checks the HSTS preload list on https://hstspreload.org/
* Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it
* Detect and show DNS HTTPS RR (RFC 9460)
* Provide an FAQ
CONTRIBUTING.md
+3 -3
View File
@@ -8,11 +8,11 @@ Please note the following:
* Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.3dev/Coding_Convention.md).
* If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
* Please one pull request per feature or bug fix or improvement. Please do not mix issues.
* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
* GitHub actions are running automatically when anything is committed. You should see any complaints. Beforehand you can check with `prove -v` from the "root dir" of this project.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings. Also a run with a different client might help.
* GitHub actions are running automatically when anything is committed. You should see any complaints. Beforehand you can check with `prove -v` from the "root dir" of this project for the whole run, a single (perl) script with `./t/NR_NAME.t`.
* If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message. You only have to change `~/doc/testssl.1.md` . The HTML and roff file should be autogenerated by github (see if you PR adds those files).
If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
CREDITS.md
+1
View File
@@ -55,6 +55,7 @@ Full contribution, see git log.
- maximum certificate lifespan of 398 days
- ssl renegotiation amount variable
- custom http request headers
- HSTS preload list lookup (finalized: Mayank)
* Frank Breedijk
- Detection of insecure redirects
Readme.md
+9 -5
View File
@@ -5,22 +5,26 @@
This would display the latest tag which is from the 3.2 branch. Here we don't have tags yet
-->
![GitHub forks](https://img.shields.io/github/forks/testssl/testssl.sh)
![GitHub Repo stars](https://img.shields.io/github/stars/testssl/testssl.sh)
![GitHub Repo stars](https://img.shields.io/github/stars/testssl/testssl.sh?style=flat)
![GitHub Created At](https://img.shields.io/github/created-at/testssl/testssl.sh)
![GitHub last commit](https://img.shields.io/github/last-commit/testssl/testssl.sh)
![GitHub commit activity](https://img.shields.io/github/commit-activity/m/testssl/testssl.sh)
[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.3dev/Dockerfile.md)
[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
![Static Badge](https://img.shields.io/badge/version-3.3dev-blue)
![Static Badge](https://img.shields.io/badge/%2Fbin%2Fbash_-blue)
![Static Badge](https://img.shields.io/badge/Libre+OpenSSL_-blue)
[![Vim](https://img.shields.io/badge/Vim-%2311AB00.svg?logo=vim&logoColor=white)](#)
[![Visual Studio Code](https://custom-icon-badges.demolab.com/badge/Visual%20Studio%20Code-0078d7.svg?logo=vsc&logoColor=white)](#)
[![CI test Ubuntu](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml?branch=3.3dev)
[![CI test MacOS](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml?branch=3.3dev)
<!--
[![CI test Ubuntu](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg??branch=3.3dev)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
[![CI test MacOS](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml/badge.svg?branch=3.3dev)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml)
At least as long as we're experimenting with PRs this should be not presented as it looks like the current branch is broken, see #2794
-->
![Mastodon Follow](https://img.shields.io/mastodon/follow/109319848143024146?domain=infosec.exchange)
[![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh)
![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh)
`testssl.sh` is a free command line tool which checks a server's service on
any port for the support of TLS/SSL ciphers, protocols as well as some
doc/testssl.1
+269 -253
View File
File diff suppressed because it is too large Load Diff
doc/testssl.1.html
+16 -12
View File
@@ -43,7 +43,7 @@
</head>
<body>
<h2 id="name">NAME</h2>
<p>testssl.sh check encryption of SSL/TLS servers</p>
<p>testssl.sh check TLS/SSL encryption of servers</p>
<h2 id="synopsis">SYNOPSIS</h2>
<p><code>testssl.sh [OPTIONS] &lt;URI&gt;</code>,
<code>testssl.sh [OPTIONS] --file &lt;FILE&gt;</code></p>
@@ -396,7 +396,8 @@
evasion techniques by changing the variables USLEEP_SND and / or
USLEEP_REC and maybe MAX_WAITSOCK.</p>
<p><code>--phone-out</code> Checking for revoked certificates
via CRL and OCSP is not done per default. This switch instructs
via CRL and OCSP, as well as the HSTS preload list status via
hstspreload.org, is not done per default. This switch instructs
testssl.sh to query external in a sense of the current run
URIs. By using this switch you acknowledge that the check might
have privacy issues, a download of several megabytes (CRL file)
@@ -548,7 +549,11 @@
<code>--assume-http</code>. It tests several HTTP headers
like</p>
<ul>
<li>HTTP Strict Transport Security (HSTS)</li>
<li>HTTP Strict Transport Security (HSTS)
<ul>
<li>HSTS preload list status (when <code>--phone-out</code>
supplied)</li>
</ul></li>
<li>HTTP Public Key Pinning (HPKP)</li>
<li>Server banner</li>
<li>HTTP date+time</li>
@@ -921,11 +926,11 @@
and when this is set to true, it generates a separate text file
with epoch times in <code>/tmp/testssl-&lt;XX&gt;.time</code>.
They need to be concatenated by
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code> <!---
* FAST_SOCKET
* SHOW_SIGALGO
* FAST
--></li>
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code>
&lt;!—</li>
<li>FAST_SOCKET</li>
<li>SHOW_SIGALGO</li>
<li>FAST &gt;</li>
<li>EXPERIMENTAL=true is an option which is sometimes used in
the development process to make testing easier. In released
versions this has no effect.</li>
@@ -965,10 +970,9 @@
may be made larger on systems with faster processors.</li>
<li>MAX_WAIT_TEST is the maximum time (in seconds) to wait for a
single test in parallel mass testing mode to complete. The
default is 1200. <!---
* USLEEP_SND
* USLEEP_REC
--></li>
default is 1200. &lt;!—</li>
<li>USLEEP_SND</li>
<li>USLEEP_REC &gt;</li>
<li>HSTS_MIN is preset to 179 (days). If you want warnings
sooner or later for HTTP Strict Transport Security you can
change this.</li>
doc/testssl.1.md
+3 -2
View File
@@ -1,6 +1,6 @@
## NAME
testssl.sh -- check encryption of SSL/TLS servers
testssl.sh -- check TLS/SSL encryption of servers
## SYNOPSIS
@@ -152,7 +152,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--ids-friendly` is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.
`--phone-out` Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl.sh to query external -- in a sense of the current run -- URIs. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
`--phone-out` Checking for revoked certificates via CRL and OCSP, as well as the HSTS preload list status via hstspreload.org, is not done per default. This switch instructs testssl.sh to query external -- in a sense of the current run -- URIs. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
`--add-ca <CAfile>` enables you to add your own CA(s) in PEM format for trust chain checks. `CAfile` can be a directory containing files with a \.pem extension, a single file or multiple files as a comma separated list of root CAs. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDTL_CA_FILES is the environment variable for this.
@@ -213,6 +213,7 @@ Also for multiple server certificates are being checked for as well as for the c
`-h, --header, --headers` if the service is HTTP (either by detection or by enforcing via `--assume-http`. It tests several HTTP headers like
* HTTP Strict Transport Security (HSTS)
- HSTS preload list status (when `--phone-out` supplied)
* HTTP Public Key Pinning (HPKP)
* Server banner
* HTTP date+time
t/03_debug.t.DISABLED
Executable
+39
View File
@@ -0,0 +1,39 @@
#!/usr/bin/env perl
# Example for debugging what the runners do, here MacOS only
# (we used that before), To get output on the screen it's
# needed to encapsulate the functions you want to debug with
# set -x/+x and comment the last function @ 00_testssl_help.t
use strict;
use Test::More;
use IPC::Run3;
my $os="$^O";
my $prg="./testssl.sh";
my $check2run ="-p";
my $uri="testssl.sh";
my $stdout = '';
my $stderr = '';
# if ( $os eq "darwin" ){
printf "%s\n", "testing MacOS ";
run3(["/bin/bash", $prg, $check2run, $uri], \undef, \$stdout, \$stderr);
print STDERR $stderr;
print STDOUT $stdout;
# } elsif ( $os eq "linux" ){
# printf "skipped check on Linux\n\n";
#}
# Use the following when you want to run everything below ~/t
# done_testing();
# This stops, no further checks within ~/t will run:
BAIL_OUT("Fundamental check done, aborting");
# vim:ts=5:sw=5:expandtab
t/12_diff_opensslversions.t
+5
View File
@@ -98,6 +98,11 @@ $cat_csvfile2 =~ s/.nonce-.* //g;
$cat_csvfile =~ s/","google.com\/.*","443/","google.com","443/g;
$cat_csvfile2 =~ s/","google.com\/.*","443/","google.com","443/g;
# Address differences in QUIC: Ubuntu 24.04's openssl still doesn't support QUIC, MacOS 26 does
# (Status 06/2026, should be checked later)
$cat_csvfile =~ s/"QUIC".*\n//g;
$cat_csvfile2 =~ s/"QUIC".*\n//g;
if ( $os eq "darwin" ){
# Now address the differences for LibreSSL, see t/61_diff_testsslsh.t
t/53_hsts_preload.t
Executable
+52
View File
@@ -0,0 +1,52 @@
#!/usr/bin/env perl
# Check the HSTS preload list status against the hstspreload.org API (needs --phone-out).
# github.com is on the preload list, example.com is not.
#
# We don't use a full run, only the HTTP header section.
use strict;
use Test::More;
my $tests = 0;
my $prg="./testssl.sh";
my $csv="tmp.csv";
my $cat_csv="";
my $check2run="-q --color 0 --phone-out --ip=one --headers --csvfile $csv";
my $uri="github.com";
my @args="";
die "Unable to open $prg" unless -f $prg;
# Provide proper start conditions
unlink $csv;
#1 run -- a domain which is on the HSTS preload list
printf "\n%s\n", "Unit test for HSTS preload list status against \"$uri\"";
@args="$prg $check2run $uri >/dev/null";
system("@args") == 0
or die ("FAILED: \"@args\" ");
$cat_csv=`cat $csv`;
# github.com is on the preload list
like($cat_csv, qr/"HSTS_preloadAPI".*"preloaded"/,"\"$uri\" should be on the HSTS preload list");
$tests++;
unlink $csv;
#2 run -- a domain which is NOT on the HSTS preload list
$uri="example.com";
@args="$prg $check2run $uri >/dev/null";
system("@args") == 0
or die ("FAILED: \"@args\" ");
$cat_csv=`cat $csv`;
# example.com is not on the preload list
like($cat_csv, qr/"HSTS_preloadAPI".*"no entry"/,"\"$uri\" should not be on the HSTS preload list");
$tests++;
unlink $csv;
done_testing($tests);
printf "\n";
# vim:ts=5:sw=5:expandtab
t/Readme.md
+4
View File
@@ -8,3 +8,7 @@
Please help to write CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `12_diff_opensslversions.t` as a
template. The latter is newer and code is cleaner.
* `03_debug.t.DISABLED` is a handy tool when the runner is not in line with checks outside github. It provides debugging means
* IPv6 was (status 2025) not allowed, thus the file `11_baseline_ipv6_http.t.DISABLED` which can be renamed if that will change.
testssl.sh
+182 -10
View File
@@ -2268,6 +2268,76 @@ check_revocation_ocsp() {
fi
}
# Checks a domain against the hstspreload.org HSTS preload list API (requires --phone-out).
# arg1: domain to check
# arg2: JSON key to check (e.g. status, bulk, preloadedDomain). Empty: only (re)fetch the response.
# arg3: value the key is expected to have (without surrounding quotes; quoting is handled here)
# Return values:
# 0 - request made, nothing compared (no key supplied)
# 1 - API request failed (connection error)
# 10 - key matched the expected value
# 20 - key present but value did not match
# 21 - key not found in the response
#
check_hsts_preloadlist_match() {
local domain="$1"
local key="$2"
local value="$3"
local response=""
local tmpfile="$TEMPDIR/$NODE.hsts-preloadlist.txt"
local uri_api_status="https://hstspreload.org/api/v2/status?domain=$domain"
"$PHONE_OUT" || return 0
# Only query the API once per host, then reuse the cached response
if [[ ! -f "$tmpfile" ]]; then
http_get "$uri_api_status" "$tmpfile" || return 1
fi
response="$(<"$tmpfile")"
# Without a key we only (re)fetched the response
[[ -z "$key" ]] && return 0
# The key must be present, otherwise the API may have changed
[[ "$response" == *"\"$key\""* ]] || { debugme echo "HSTS preloadlist key unrecognized: $key"; return 21; }
# String values are quoted in the JSON, booleans are not, so accept either form
[[ "$response" == *"\"$key\": \"$value\""* || "$response" == *"\"$key\": $value"* ]] && return 10
return 20
}
# Returns the value of a known key from the hstspreload.org preload list API.
# Depends on check_hsts_preloadlist_match().
# arg1: domain to check
# arg2: key to resolve (status or bulk)
# Echoes the matched value and returns 0, or returns 1 if no known value matched.
#
check_hsts_preloadlist_value() {
local domain="$1"
local key="$2"
local -a values=()
local value
local value_ret=""
[[ -z "$key" ]] && return 1
# Only test against known values instead of echoing the API response back,
# so no untrusted input is reflected.
case "$key" in
status) values=("unknown" "pending" "rejected" "preloaded") ;;
bulk) values=("true" "false") ;;
*) return 1 ;;
esac
for value in "${values[@]}"; do
check_hsts_preloadlist_match "$domain" "$key" "$value"
[[ $? -eq 10 ]] && value_ret="$value" && break
done
[[ -n "$value_ret" ]] && safe_echo "$value_ret" && return 0
return 1
}
# waits maxsleep 1/10 seconds (arg2) until process with arg1 (pid) will be killed
#
# return values
@@ -2932,6 +3002,8 @@ run_hsts() {
local hsts_age_days
local spaces=" "
local jsonID="HSTS"
local json_postfix=""
local preloadmarked preloadsame preloadbulk preloadcombined=""
if [[ ! -s $HEADERFILE ]]; then
run_http_header "$1" || return 1
@@ -2985,18 +3057,105 @@ run_hsts() {
fi
if preload "$TMPFILE"; then
fileout "${jsonID}_preload" "OK" "domain IS marked for preloading"
preloadmarked=true
else
fileout "${jsonID}_preload" "INFO" "domain is NOT marked for preloading"
#FIXME: To be checked against preloading lists,
# e.g. https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc
# https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
preloadmarked=false
fi
else
pr_svrty_low "not offered"
fileout "$jsonID" "LOW" "not offered"
preloadmarked=false
fi
outln
# Check the domain against the hstspreload.org HSTS preload list (requires --phone-out).
# Run this regardless of the served header: a domain may still be listed after the header
# was removed, or be rejected because the served header does not meet the requirements.
if "$PHONE_OUT"; then
json_postfix="_preloadAPI"
pr_bold " HSTS preload API "
# If the domain itself is the preloaded entry, it may be fine that the header omits 'preload'
check_hsts_preloadlist_match "$NODE" "preloadedDomain" "$NODE"
[[ $? -eq 10 ]] && preloadsame=true || preloadsame=false
# bulk=true: added via the submission form; false: manual addition or a subdomain
check_hsts_preloadlist_match "$NODE" "bulk" "true"
[[ $? -eq 10 ]] && preloadbulk=true || preloadbulk=false
# Combine the three booleans for a compact lookup, e.g. marked+same+bulk -> "111"
[[ $preloadmarked == true ]] && preloadcombined="${preloadcombined}1" || preloadcombined="${preloadcombined}0"
[[ $preloadsame == true ]] && preloadcombined="${preloadcombined}1" || preloadcombined="${preloadcombined}0"
[[ $preloadbulk == true ]] && preloadcombined="${preloadcombined}1" || preloadcombined="${preloadcombined}0"
debugme echo "Temporary lookupvariable: $preloadcombined"
# Determine and show the outcome
case "$(check_hsts_preloadlist_value "$NODE" "status")" in
"unknown") # Not found in the HSTS preload list
case "$preloadcombined" in
"000"|"001"|"010"|"011")
outln "no entry"
fileout "${jsonID}${json_postfix}" "INFO" "no entry"
;;
"100"|"101"|"110"|"111")
pr_svrty_low "no entry"
outln " -- submit to HSTS preload list"; fileout "${jsonID}${json_postfix}" "LOW" "no entry"
;;
esac
;;
"pending") # Currently in the HSTS pending list
case "$preloadcombined" in
"000"|"001"|"010"|"100"|"101"|"110"|"111")
outln "pending"
fileout "${jsonID}${json_postfix}" "INFO" "pending"
;;
"011") pr_svrty_medium "pending"
outln " -- addition going to fail, add header"
fileout "${jsonID}${json_postfix}" "MEDIUM" "pending"
;;
esac
;;
"rejected") # Entry is considered rejected by the HSTS list
case "$preloadcombined" in
"000"|"001"|"010"|"011")
outln "rejected"
fileout "${jsonID}${json_postfix}" "INFO" "rejected"
;;
"100"|"101"|"110"|"111")
pr_svrty_medium "rejected" ; outln " -- check other requirements"
fileout "${jsonID}${json_postfix}" "MEDIUM" "rejected"
;;
esac
;;
"preloaded") # Marked as 'preload' in the HSTS preload list
case "$preloadcombined" in
"000"|"001")
prln_svrty_good "preloaded"
fileout "${jsonID}${json_postfix}" "OK" "preloaded"
;;
"010")
outln "preloaded -- manual addition detected"
fileout "${jsonID}${json_postfix}" "INFO" "preloaded"
;;
"011")
pr_svrty_medium "preloaded"
outln " -- list may remove entry, add header"
fileout "${jsonID}${json_postfix}" "MEDIUM" "preloaded"
;;
"100"|"101"|"110"|"111")
prln_svrty_best "preloaded"
fileout "${jsonID}${json_postfix}" "OK" "preloaded"
;;
esac
;;
*) # Empty: the hstspreload.org API was unreachable or returned an unexpected response
prln_warning "not checked (HSTS preload list lookup failed)"
fileout "${jsonID}${json_postfix}" "WARN" "HSTS preload list could not be checked"
;;
esac
fi
tmpfile_handle ${FUNCNAME[0]}.txt
return 0
}
@@ -3623,7 +3782,14 @@ run_security_headers() {
"Referrer-Policy INFO" \
"X-UA-Compatible INFO" \
"Cache-Control INFO" \
"Pragma INFO"; do
"Pragma INFO" \
"X-Permitted-Cross-Domain-Policies INFO" \
"Origin-Agent-Cluster INFO" \
"Document-Policy INFO" \
"Clear-Site-Data INFO" \
"Reporting-Endpoints INFO" \
"Report-To INFO" \
"NEL INFO"; do
read header svrty <<< "${header_and_svrty}"
[[ "$DEBUG" -ge 5 ]] && echo "testing \"$header\" (severity \"$svrty\")"
match_httpheader_key "$header" "$header" "$spaces" "$first"
@@ -10468,7 +10634,7 @@ certificate_info() {
out " ($enddate). "
# Match Subject/Issuer on next 5 lines, where the CN is (4 lines is fine in most cases, 5 should suffice for all certs)
cn="$(awk '/Subject:/{stop=NR+5}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
issuer_CN="$(awk '/Issuer:/{stop=NR+5}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
issuer_CN="$(awk '/Issuer:/{stop=NR+7}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
# to catch errors like #2789 during unit test:
[[ -z "$cn" ]] && cn="FIXME: cn error"
[[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN error"
@@ -21744,7 +21910,7 @@ tuning / connect options (most also can be preset via environment variables):
--sneaky leave less traces in target logs: user agent, referer
--user-agent <user agent> set a custom user agent instead of the standard user agent
--ids-friendly skips a few vulnerability checks which may cause IDSs to block the scanning IP
--phone-out allow to contact external servers for CRL download and querying OCSP responder
--phone-out allow to contact external servers for CRL download, querying OCSP responder and the HSTS preload API
--add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
--mtls <CLIENT CERT file> path to <CLIENT CERT> file in PEM format containing unencrypted certificate key (beta)
--basicauth <user:pass> provide HTTP basic auth information
@@ -24106,21 +24272,27 @@ draw_line() {
run_mx_all_ips() {
local fname_date="$1"
local domain="$2"
local mxs mx
local mxport
local mxport=${3:-25}
local -i ret=0
local word=""
STARTTLS_PROTOCOL="smtp"
# A port may be appended to the domain, e.g. "--mx example.com:587" (#2986).
# Strip it off before the MX DNS lookup and use it as the port to test.
if [[ "$domain" =~ :[0-9]+$ ]]; then
mxport="${domain##*:}"
domain="${domain%:*}"
fi
# test first higher priority servers
mxs=$(get_mx_record "$2" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ')
mxs=$(get_mx_record "$domain" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ')
if [[ $CMDLINE_IP == one ]]; then
word="as instructed one" # with highest priority
mxs=${mxs%% *}
else
word="the only"
fi
mxport=${3:-25}
if [[ -n "$LOGFILE" ]] || [[ -n "$PARENT_LOGFILE" ]]; then
prepare_logging "${fname_date}"
else
@@ -24161,7 +24333,7 @@ run_mx_all_ips() {
outln
pr_bold "Done testing all MX records (on port $mxport): "; outln "$mxs"
else
prln_bold " $1 has no MX records(s)"
prln_bold " $domain has no MX record(s)"
fi
return $ret
}