Merge branch '3.2' into bump_version

Dirk Wetter 2025-01-24 11:05:00 +01:00
commit 69d6a50696
19 changed files with 475 additions and 254 deletions

View File

@ -23,7 +23,7 @@ jobs:
- name: Setup QEMU
id: qemu
uses: docker/setup-qemu-action@v3.2.0
uses: docker/setup-qemu-action@v3.3.0
- name: Setup Buildx
id: buildx
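Review bot: docker/setup-qemu-action is referenced by the mutable tag v3.3.0 (and docker/build-push-action by v6.12.0 in the next hunk); pinning both to the full commit SHA of the release, with the tag kept in a trailing comment, would stop the workflow from silently running different code if a tag is ever moved or re-pushed.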
@ -48,7 +48,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v6.7.0
uses: docker/build-push-action@v6.12.0
with:
push: ${{ github.event_name != 'pull_request' }}
context: .

View File

@ -137,7 +137,7 @@
* Trust chain check against certificate stores from Apple (OS), Linux (OS),
Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
* IPv6 (status: 80% working, details see
https://github.com/drwetter/testssl.sh/issues/11
https://github.com/testssl/testssl.sh/issues/11
* works now on servers requiring a x509 certificate for authentication
* extensive CN <--> hostname check
* SSL Session ID check
@ -183,7 +183,7 @@
* quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
* lots of fixes, code improvements, even more robust
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
Full log @ https://github.com/testssl/testssl.sh/commits/2.6/testssl.sh
### New in 2.4
* "only one cmd line option at a time" is completely gone
@ -198,7 +198,7 @@ Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
* lots of cosmetic and maintainability code cleanups
* bugfixing
Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
Full changelog: https://github.com/testssl/testssl.sh/commits/2.4/testssl.sh
### 2.2. new features:
* Works fully under FreeBSD (openssl >=1.0)
@ -214,7 +214,7 @@ Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
* RFC <---> OpenSSL name space mapping of ciphers everywhere
* includes a lot of fixes
Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
Full changelog @ https://github.com/testssl/testssl.sh/commits/2.2/testssl.sh
### 2.0 major release, new features:
* SNI

View File

@ -1,21 +1,25 @@
### Contributions / participation
### Contributing / participating
is always welcome, here @ github or via e-mail.
Contributing / participating is always welcome!
Note please the following
Please note the following:
* Please read at least the [coding convention](https://github.com/drwetter/testssl.sh/Coding_Convention.md).
* One PR per feature or bug fix or improvement. Please do not mix issues.
* Document your PR, both in the PR and/or commit message and in the code.
* Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md).
* If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
* Please one pull request per feature or bug fix or improvement. Please do not mix issues.
* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
* GitHub actions are running automatically when anything is committed. You should see any complains. Beforehand you can check with `prove -v` from the "root dir" of this project.
* If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
For questions just open an issue or feel free to send me an e-mail.
If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
* [good first issue](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
* [help wanted](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22help%20wanted%22)
* [for grabs](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
For questions just open an issue. Thanks for reading this!
#### Patches via e-mail
Of course it is fine when you want to send in patches to use e-mail. For the address please grep for SWCONTACT in testssl.sh .
Let me know how you like them to be attributed.
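Review bot: several added lines carry wording errors worth fixing before merge: "Please one pull request per feature" reads better as "Please open one pull request per feature", "So please your document your code" has a stray "your", and "any complains" should be "any complaints" (it appears twice). Also the "for grabs" bullet links to the query `label:%22good%20first%20issue%22`, so it duplicates the "good first issue" link instead of filtering on the "for grabs" label.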

View File

@ -1,6 +1,6 @@
# syntax=docker.io/docker/dockerfile:1
ARG LEAP_VERSION=15.5
ARG LEAP_VERSION=15.6
ARG INSTALL_ROOT=/rootfs
FROM opensuse/leap:${LEAP_VERSION} as builder
@ -18,7 +18,7 @@ RUN source /etc/os-release \
&& zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
&& rpm -e util-linux --nodeps \
&& zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl \
bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
&& zypper up -y \
&& zypper "${ZYPPER_OPTIONS[@]}" clean --all
## Cleanup (reclaim approx 13 MiB):
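Review bot: the package list swaps busybox-util-linux and busybox-vi for the plain busybox package while util-linux is still removed with --nodeps two lines above; please confirm the busybox build on Leap 15.6 ships the applets the image relies on (tar and hexdump are symlinked to it later in this file), for example by running `busybox --list` in the build stage, because a missing applet would only surface at runtime inside the container.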
@ -35,6 +35,7 @@ ARG INSTALL_ROOT
COPY --link --from=builder ${INSTALL_ROOT} /
# Link busybox to tar, see #2403. Create user + (home with SGID set):
RUN ln -s /usr/bin/busybox /usr/bin/tar \
&& ln -s /usr/bin/busybox /usr/bin/hexdump \
&& echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
&& echo 'testssl:x:1000:' >> /etc/group \
&& echo 'testssl:!::0:::::' >> /etc/shadow \
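Review bot: the comment "Link busybox to tar, see #2403" above this RUN line should also mention hexdump now that a second symlink is added; a one-line reason for needing hexdump (and the issue it relates to, if any) would help the next reader.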

View File

@ -5,8 +5,8 @@ FROM alpine:3.20
WORKDIR /home/testssl
ARG BUILD_VERSION
ARG ARCHIVE_URL=https://github.com/drwetter/testssl.sh/archive/
ARG URL=https://github.com/drwetter/testssl.sh.git
ARG ARCHIVE_URL=https://github.com/testssl/testssl.sh/archive/
ARG URL=https://github.com/testssl/testssl.sh.git
RUN test -n "${BUILD_VERSION}" \
&& apk update \

View File

@ -1,11 +1,11 @@
## Intro
<!-- [![Travis CI Status](https://img.shields.io/travis/drwetter/testssl.sh)](https://travis-ci.org/drwetter/testssl.sh) -->
[![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
[![License](https://img.shields.io/github/license/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/LICENSE)
[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md)
[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
[![Docker](https://img.shields.io/docker/pulls/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
`testssl.sh` is a free command line tool which checks a server's service on
any port for the support of TLS/SSL ciphers, protocols as well as some
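Review bot: the License badge still links to https://github.com/testssl/testssl.sh/LICENSE without the /blob/3.2/ path segment that the Docker badge link on the next line uses; while these lines are being rewritten, make the two consistent. The commented-out Travis badge line above them can probably be dropped as well now that CI runs on GitHub actions.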
@ -45,16 +45,16 @@ due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or O
(silent) check for binaries is done when you start testssl.sh . System V needs probably
to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
Update notification here or @ [mastodon](https://infosec.exchange/@testssl) (old: [twitter](https://twitter.com/drwetter))
Update notification here or @ [mastodon](https://infosec.exchange/@testssl or [bluesky](https://bsky.app/profile/testssl.bsky.social). Please note the [twitter](https://twitter.com/drwetter) account is not being used anymore.
### Installation
You can download testssl.sh branch 3.2 just by cloning this git repository:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
git clone --depth 1 https://github.com/testssl/testssl.sh.git
3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase.
For the former stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/v3.0.8) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/v3.0.8) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase and considered as stable.
For the former stable version named oldstable please help yourself by downloading the [ZIP](https://codeload.github.com/testssl/testssl.sh/zip/v3.0.9) or [tar.gz](https://codeload.github.com/testssl/testssl.sh/tar.gz/v3.0.9) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
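Review bot: the new update-notification line has a broken markdown link: `[mastodon](https://infosec.exchange/@testssl or [bluesky](...)` is missing the closing parenthesis after `@testssl`, so the whole line renders as one malformed link. Separately, "considered as stable" reads better as "considered stable".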
#### Docker
@ -69,19 +69,19 @@ Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and r
docker build . -t imagefoo && docker run --rm -t imagefoo example.com
```
For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md).
For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
### No Warranty
Usage of the program is without any warranty. Use it at yor own risk.
Usage of the program is without any warranty. Use it at your own risk.
Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
### Status
We're currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
We're currently in the release candidate phase for version 3.2. You should use it despite the label "RC". Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is finally released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
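Review bot: minor wording in the touched Status paragraph: "before merged into a 3.3dev" should be "before being merged into 3.3dev". The unchanged "No Warranty" context line nearby also has "best practise", which should be "best practice"; it is a cheap fix while this section is being edited.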
@ -93,16 +93,19 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
### Contributing
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.2/Coding_Convention.md).
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). We still you use your help now. A start would be look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced.
In general there's some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute, speak up.
### Bug reports
Bug reports are important. It makes this project more robust.
Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
You can also debug yourself, see [here](https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
----
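Review bot: the long Contributing line has two broken sentences: "We still you use your help now" should be "We still need your help", and "A start would be look for issues" needs "to look for". The line is also very long; splitting it into one sentence per line would keep future diffs of this paragraph readable.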
@ -129,7 +132,7 @@ Please address questions not specifically to the code of testssl.sh to the respe
#### Brew package
* see [#233](https://github.com/drwetter/testssl.sh/issues/233) and
* see [#233](https://github.com/testssl/testssl.sh/issues/233) and
[https://github.com/Homebrew/homebrew](https://github.com/Homebrew/homebrew)
#### Daemon for batch execution of testssl.sh command files

View File

@ -342,6 +342,8 @@
0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
0x00,0x28 - EXP-KRB5-RC4-SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
0x00,0x2B - EXP-KRB5-RC4-MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
0xC0,0xB4 - TLS_SHA256_SHA256 TLS_SHA256_SHA256 TLSv1.3 Kx=any Au=any Enc=None Mac=SHA256
0xC0,0xB5 - TLS_SHA384_SHA384 TLS_SHA384_SHA384 TLSv1.3 Kx=any Au=any Enc=None Mac=SHA384
0xC0,0x10 - ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1
0xC0,0x06 - ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
0xC0,0x15 - AECDH-NULL-SHA TLS_ECDH_anon_WITH_NULL_SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
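Review bot: the two RFC 9150 entries are declared Enc=None but, unlike the neighbouring NULL suites, their OpenSSL names contain no "NULL" substring; any rating or filtering code that recognises integrity-only suites by name rather than by the Enc field would miss them, so that code path deserves a check before these entries ship.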

View File

@ -45,3 +45,7 @@
0x01,0x02 - ffdhe4096 ffdhe4096
0x01,0x03 - ffdhe6144 ffdhe6144
0x01,0x04 - ffdhe8192 ffdhe8192
0x11,0xeb - SecP256r1MLKEM768 SecP256r1MLKEM768
0x11,0xec - X25519MLKEM768 X25519MLKEM768
0x11,0xed - SecP384r1MLKEM1024 SecP384r1MLKEM1024
0x63,0x99 - X25519Kyber768Draft00 X25519Kyber768Draft00
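Review bot: the three new ML-KEM hybrid group entries look fine, but a short comment naming the draft the codepoints come from (the existing X25519Kyber768Draft00 entry carries that information in its name) would make it easier to re-verify them if the values are revised before final registration.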

File diff suppressed because one or more lines are too long

View File

@ -425,6 +425,10 @@ xB9 TLS_RSA_PSK_WITH_NULL_SHA384
<tr><td> [0xc0ae]</td><td> ECDHE-ECDSA-AES128-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 </td></tr>
<tr><td> [0xc0af]</td><td> ECDHE-ECDSA-AES256-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 </td></tr>
<!-- RFC 9150 -->
<tr><td> [0xc0b4]</td><td> TLS_SHA256_SHA256 </td><td> ECDH </td><td> Null </td><td> 0 </td><td> TLS_SHA256_SHA256</td></tr>
<tr><td> [0xc0b5]</td><td> TLS_SHA384_SHA384 </td><td> ECDH </td><td> Null </td><td> 0 </td><td> TLS_SHA384_SHA384</td></tr>
<!-- OLD CHACHA POLY CIPHERS, per agreement with Peter Mosmans we use the names like SSLlabs -->
<tr><td> [0xcc13]</td><td> ECDHE-RSA-CHACHA20-POLY1305-OLD </td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
<tr><td> [0xcc14]</td><td> ECDHE-ECDSA-CHACHA20-POLY1305-OLD</td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
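Review bot: the new TLS_SHA256_SHA256 / TLS_SHA384_SHA384 rows give the key exchange as ECDH, whereas the same suites in cipher-mapping.txt in this commit are recorded as Kx=any Au=any; the two sources should agree, and since TLS 1.3 suites do not fix the key exchange, "any" looks like the right value here too.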

View File

@ -24,10 +24,10 @@ printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no erro
my $info = stat($prg);
my $retMode = $info->mode;
is($retMode & 0400, 0400, "Checking \"./testssl.sh\" for read permission");
is($retMode & 0400, 0400, "Checking \"./testssl.sh\" for read permission");
$tests++;
is($retMode & 0100, 0100, "Checking \"./testssl.sh\" for execute permission");
is($retMode & 0100, 0100, "Checking \"./testssl.sh\" for execute permission");
$tests++;
$fileout = `timeout 10 bash $prg 2>&1`;
@ -55,7 +55,7 @@ $out=`grep -E "$debug_regexp" $prg`;
unlike($out, qr/$debug_regexp/, "Debug RegEx");
$tests++;
printf "\n";
printf "\n\n";
done_testing($tests);

View File

@ -6,7 +6,7 @@ use Test::More;
printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ...";
my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
is($newer_bundles,"","If there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\"");
is($newer_bundles,"","Checking if there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\"");
printf "\n";
done_testing;
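Review bot: the title printed by this test, "Testing whether CA certificates are newer their SPKI hashes", is missing "than"; it is a context line, but a trivial fix while the other message in this file is being edited.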

View File

@ -46,15 +46,16 @@ $edited_html =~ s/&gt;/>/g;
$edited_html =~ s/&quot;/"/g;
$edited_html =~ s/&apos;/'/g;
cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output");
$tests++;
$diff = diff \$edited_html, \$out;
printf "\n%s\n", "$diff";
cmp_ok($edited_html, "eq", $out, "Checking if HTML file matches terminal output") or
diag ("\n%s\n", "$diff");
$tests++;
#2
printf "\n%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)";
printf "%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)";
# Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages
$out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`;
$debughtml = `cat $htmlfile`;
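Review bot: `diag ("\n%s\n", "$diff")` treats diag like printf, but Test::More's diag simply concatenates its arguments, so the output will be the literal string "\n%s\n" followed by the diff; use `diag("\n$diff\n")` instead. The same pattern appears in the next hunk of this file and in the diff test further down.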
@ -79,15 +80,14 @@ $debughtml =~ s/.*built: .*\n//g;
$debughtml =~ s/.*Using bash .*\n//g;
# is whole line: s/.*<pattern> .*\n//g;
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug");
$diff = diff \$debughtml, \$html;
cmp_ok($debughtml, "eq", $html, "Checking if HTML file created with --debug 4 matches HTML file created without --debug") or
diag ("\n%s\n", "$diff");
$tests++;
$diff = diff \$debughtml, \$html;
printf "\n%s\n", "$diff";
printf "\n";
printf "\n\n";
done_testing($tests);

View File

@ -17,7 +17,7 @@ pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 m
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json');
unlink 'tmp.json';
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;
cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
# Expiration
pass("Running testssl against expired.badssl.com"); $tests++;
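Review bot: the reworded assertion message still says "more then 10 findings"; it should be "more than 10 findings".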
@ -35,7 +35,7 @@ foreach my $f ( @$json ) {
last;
}
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++;
@ -52,7 +52,7 @@ foreach my $f ( @$json ) {
last;
}
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;
is($found,1,"We should a finding for this in the JSON output"); $tests++;
like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++;
$found = 0;
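Review bot: the new message "We should a finding for this in the JSON output" is missing "have"; the other hunks in this file use "We should have a finding", so this one should match.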
@ -64,7 +64,7 @@ foreach my $f ( @$json ) {
last;
}
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++;
$found = 0;
@ -77,7 +77,7 @@ foreach my $f ( @$okjson ) {
last;
}
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
@ -111,7 +111,7 @@ foreach my $f ( @$json ) {
last;
}
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# TODO: RSA 8192

View File

@ -3,11 +3,10 @@
# Baseline diff test against testssl.sh (csv output)
#
# We don't use a full run yet and only the certificate section.
# There we would need to blacklist at least:
# There we would need to blacklist more, like:
# cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
# cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
#
# help is appreciated here
use strict;
use Test::More;
@ -16,55 +15,54 @@ use Text::Diff;
my $tests = 0;
my $prg="./testssl.sh";
my $master_socket_csv="./t/baseline_data/default_testssl.csvfile";
my $socket_csv="tmp.csv";
my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv";
#my $check2run="-p --color 0 --csvfile $socket_csv";
my $baseline_csv="./t/baseline_data/default_testssl.csvfile";
my $cat_csv="tmp.csv";
my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $cat_csv";
my $uri="testssl.sh";
my $diff="";
die "Unable to open $prg" unless -f $prg;
die "Unable to open $master_socket_csv" unless -f $master_socket_csv;
die "Unable to open $baseline_csv" unless -f $baseline_csv;
# Provide proper start conditions
unlink "tmp.csv";
unlink $cat_csv;
# Title
printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
my @args=("$prg", "$check2run", "$uri", "2>&1");
#1 run
`$prg $check2run $uri 2>&1`;
printf "\n%s\n", "Diff unit test (IPv4) against \"$uri\"";
printf "@args\n";
system("@args") == 0
or die ("FAILED: \"@args\" ");
$diff = diff $socket_csv, $master_socket_csv;
$socket_csv=`cat tmp.csv`;
$master_socket_csv=`cat $master_socket_csv`;
$cat_csv=`cat $cat_csv`;
$baseline_csv=`cat $baseline_csv`;
# Filter for changes that are allowed to occur
$socket_csv=~ s/HTTP_clock_skew.*\n//g;
$master_socket_csv=~ s/HTTP_clock_skew.*\n//g;
# DROWN
$socket_csv=~ s/censys.io.*\n//g;
$master_socket_csv=~ s/censys.io.*\n//g;
$cat_csv =~ s/HTTP_clock_skew.*\n//g;
$baseline_csv =~ s/HTTP_clock_skew.*\n//g;
# HTTP time
$socket_csv=~ s/HTTP_headerTime.*\n//g;
$master_socket_csv=~ s/HTTP_headerTime.*\n//g;
$cat_csv =~ s/HTTP_headerTime.*\n//g;
$baseline_csv =~ s/HTTP_headerTime.*\n//g;
# Compare the differences to the master file -- and print differences if there were detected.
# DROWN
$cat_csv =~ s/censys.io.*\n//g;
$baseline_csv =~ s/censys.io.*\n//g;
$diff = diff \$cat_csv, \$baseline_csv;
# Compare the differences to the baseline file -- and print differences if there were detected.
#
cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or
ok($cat_csv eq $baseline_csv, "Check whether CSV output matches baseline file from $uri") or
diag ("\n%s\n", "$diff");
$tests++;
unlink "tmp.csv";
$tests++;
done_testing($tests);
printf "\n";
# vim:ts=5:sw=5:expandtab
# vim:ts=5:sw=5:expandtab
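Review bot: same diag/printf mix-up here: `diag ("\n%s\n", "$diff")` prints a literal "%s"; use `diag("\n$diff\n")`. Also `system("@args")` only works because the array is flattened into a single string that the shell parses, which is what makes "2>&1" and the space-separated $check2run behave; if someone later switches to the list form `system(@args)`, the options would be passed as one argument and the redirection as a literal argument, so a comment stating that intent would help. The vim modeline is shown as both removed and added; if that is only a whitespace change it is harmless.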

View File

@ -70,7 +70,7 @@
"FS_TLS13_sig_algs","testssl.sh/81.169.166.184","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","",""
"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1654006271","",""
"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1737570310","",""
"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
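Review bot: HTTP_headerTime is stripped from both the fresh output and the baseline before comparison (see the `s/HTTP_headerTime.*\n//g` filter in the diff test in this commit), so refreshing this value in the baseline is harmless but not needed; leaving it unchanged would reduce noise in future baseline diffs.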
@ -81,6 +81,8 @@
"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","",""
"Cross-Origin-Opener-Policy","testssl.sh/81.169.166.184","443","INFO","same-origin-allow-popups","",""
"Cross-Origin-Resource-Policy","testssl.sh/81.169.166.184","443","INFO","same-site","",""
"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
@ -95,7 +97,7 @@
"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=31B44391529821C6A77F3C78B02D716A07F99B8FDB342BF5A78F263C25375968","CVE-2016-0800 CVE-2016-0703","CWE-310"
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5B4BC205947AED96ECB1879F2668F7F69D696C143BA8D1C69DBB4DC873C92AE9","CVE-2016-0800 CVE-2016-0703","CWE-310"
"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"
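Review bot: the DROWN_hint line is also filtered out before comparison (`s/censys.io.*\n//g` in the diff test), so updating the censys fingerprint in the baseline has no effect on the test; fine to keep, but it is churn that can be skipped next time.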

File diff suppressed because it is too large

View File

@ -72,6 +72,10 @@ foreach my $client ( @$ssllabs ) {
push @ciphersuites, "TLS_AES_128_CCM_SHA256"; }
elsif ( $suite == "4869" ) {
push @ciphersuites, "TLS_AES_128_CCM_8_SHA256"; }
elsif ( $suite == "49332" ) {
push @ciphersuites, "TLS_SHA256_SHA256"; }
elsif ( $suite == "49333" ) {
push @ciphersuites, "TLS_SHA384_SHA384"; }
elsif ( exists $ciphers{$suite} ) {
push @ciphers, $ciphers{$suite}; }
elsif ( $suite == "255" ) {