Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 12:59:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3.1dev' into chore/dockerfile-simplify-user

Browse Source
This commit is contained in:
Dirk Wetter 2023-02-07 09:03:15 +01:00 committed by GitHub
commit 64ae161218
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/testssl.1
View File

@ -128,13 +128,15 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
.IP "\[ci]" 4 .IP "\[ci]" 4
\fBExport ciphers\fR (w/o the preceding ones): 'EXPORT:!ADH:!NULL' \fBExport ciphers\fR (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
.IP "\[ci]" 4 .IP "\[ci]" 4
\fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL' \fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:MD5:!ADH:!EXP:!NULL:!eNULL:!AECDH'
.IP "\[ci]" 4 .IP "\[ci]" 4
\fB3DES + IDEA Ciphers\fR: '3DES:IDEA:!aNULL:!ADH' \fB3DES + IDEA ciphers\fR: '3DES:IDEA:!aNULL:!ADH:!MD5'
.IP "\[ci]" 4 .IP "\[ci]" 4
\fBAverage grade Ciphers\fR: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL' \fBObsoleted CBC ciphers\fR: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL:!MD5'
.IP "\[ci]" 4 .IP "\[ci]" 4
\fBStrong grade Ciphers\fR (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM8:AESCCM' \fBStrong ciphers with no FS\fR (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kEECDH:!kEDH:!kDHE:!kDHEPSK:!kECDHEPSK:!aNULL'
.IP "\[ci]" 4
\fBForward Secrecy strong ciphers\fR (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kPSK:!kRSAPSK:!kRSA:!kDH:!kECDH:!aNULL'
.IP "" 0 .IP "" 0
.P .P
\fB\-f, \-\-fs, \-\-nsa, \-\-forward\-secrecy\fR Checks robust forward secrecy key exchange\. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here\. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks\. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1\.2 and TLS 1\.3)\. \fB\-f, \-\-fs, \-\-nsa, \-\-forward\-secrecy\fR Checks robust forward secrecy key exchange\. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here\. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks\. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1\.2 and TLS 1\.3)\.

10
doc/testssl.1.html
View File

@ -247,13 +247,15 @@ in <code>/etc/hosts</code>. The use of the switch is only useful if you either
<li> <li>
<code>Export ciphers</code> (w/o the preceding ones): 'EXPORT:!ADH:!NULL'</li> <code>Export ciphers</code> (w/o the preceding ones): 'EXPORT:!ADH:!NULL'</li>
<li> <li>
<code>LOW</code> (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'</li> <code>LOW</code> (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:MD5:!ADH:!EXP:!NULL:!eNULL:!AECDH'</li>
<li> <li>
<code>3DES + IDEA Ciphers</code>: '3DES:IDEA:!aNULL:!ADH'</li> <code>3DES + IDEA ciphers</code>: '3DES:IDEA:!aNULL:!ADH:!MD5'</li>
<li> <li>
<code>Average grade Ciphers</code>: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'</li> <code>Obsoleted CBC ciphers</code>: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL:!MD5'</li>
<li> <li>
<code>Strong grade Ciphers</code> (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM8:AESCCM'</li> <code>Strong ciphers with no FS</code> (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kEECDH:!kEDH:!kDHE:!kDHEPSK:!kECDHEPSK:!aNULL'</li>
<li>
<code>Forward Secrecy strong ciphers</code> (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kPSK:!kRSAPSK:!kRSA:!kDH:!kECDH:!aNULL'</li>
</ul> </ul>
<p><code>-f, --fs, --nsa, --forward-secrecy</code> Checks robust forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).</p> <p><code>-f, --fs, --nsa, --forward-secrecy</code> Checks robust forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).</p>

9
doc/testssl.1.md
View File

@ -166,10 +166,11 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
* `NULL encryption ciphers`: 'NULL:eNULL' * `NULL encryption ciphers`: 'NULL:eNULL'
* `Anonymous NULL ciphers`: 'aNULL:ADH' * `Anonymous NULL ciphers`: 'aNULL:ADH'
* `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL' * `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
* `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL' * `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:MD5:!ADH:!EXP:!NULL:!eNULL:!AECDH'
* `3DES + IDEA Ciphers`: '3DES:IDEA:!aNULL:!ADH' * `3DES + IDEA ciphers`: '3DES:IDEA:!aNULL:!ADH:!MD5'
* `Average grade Ciphers`: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL' * `Obsoleted CBC ciphers`: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL:!MD5'
* `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM8:AESCCM' * `Strong ciphers with no FS` (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kEECDH:!kEDH:!kDHE:!kDHEPSK:!kECDHEPSK:!aNULL'
* `Forward Secrecy strong ciphers` (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM:ARIAGCM:!kPSK:!kRSAPSK:!kRSA:!kDH:!kECDH:!aNULL'
`-f, --fs, --nsa, --forward-secrecy` Checks robust forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3). `-f, --fs, --nsa, --forward-secrecy` Checks robust forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).

19
testssl.sh
View File

@ -535,11 +535,11 @@ html_reserved(){
local output local output
"$do_html" || return 0 "$do_html" || return 0
#sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1" #sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1"
output="${1//&/&amp;}" output="${1//&/$'&'amp;}"
output="${output//</&lt;}" output="${output//</$'&'lt;}"
output="${output//>/&gt;}" output="${output//>/$'&'gt;}"
output="${output//\"/&quot;}" output="${output//\"/$'&'quot;}"
output="${output//\'/&apos;}" output="${output//\'/$'&'apos;}"
printf -- "%s" "$output" printf -- "%s" "$output"
return 0 return 0
} }
@ -9416,10 +9416,11 @@ certificate_info() {
out "$indent"; pr_bold " Chain of trust"; out " " out "$indent"; pr_bold " Chain of trust"; out " "
jsonID="cert_chain_of_trust" jsonID="cert_chain_of_trust"
if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then # Looks for CA's that have their trust removed by the first part of their Organization Name, add multiple with ^(TrustCor Systems|WoSign) etc.
# Shortcut for this special case here. if [[ "$issuer_O" =~ ^(TrustCor Systems) ]]; then
pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)" # Shortcut for this special case here. There is a difference between not being in a root store and being removed from a root store.
fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer not trusted anymore (WoSign/StartCom)" pr_italic "$issuer_O"; out " is " ; prln_svrty_critical "actively removed from one or more root stores (NOT ok)"
fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer removed from one or more root stores ($issuer_O)"
set_grade_cap "T" "Untrusted certificate chain" set_grade_cap "T" "Untrusted certificate chain"
else else
# Also handles fileout, keep error if happened # Also handles fileout, keep error if happened