Merge branch '3.2' into bump_version

This commit is contained in:
Dirk Wetter 2025-01-24 11:05:00 +01:00
commit 69d6a50696
19 changed files with 475 additions and 254 deletions

View File

@ -23,7 +23,7 @@ jobs:
- name: Setup QEMU - name: Setup QEMU
id: qemu id: qemu
uses: docker/setup-qemu-action@v3.2.0 uses: docker/setup-qemu-action@v3.3.0
- name: Setup Buildx - name: Setup Buildx
id: buildx id: buildx
@ -48,7 +48,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push - name: Build and push
uses: docker/build-push-action@v6.7.0 uses: docker/build-push-action@v6.12.0
with: with:
push: ${{ github.event_name != 'pull_request' }} push: ${{ github.event_name != 'pull_request' }}
context: . context: .
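Review bot: both action bumps in this file (`docker/setup-qemu-action@v3.3.0` in the previous hunk and `docker/build-push-action@v6.12.0` here) pin to mutable release tags, which the action maintainer, or anyone who gets write access to that repository, can move after the fact. Since this job pushes images with `secrets.GITHUB_TOKEN`, pin both to the full commit SHA and keep the tag in a trailing comment (`uses: docker/build-push-action@<commit-sha> # v6.12.0`) so Dependabot can still raise the next bump.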

View File

@ -137,7 +137,7 @@
* Trust chain check against certificate stores from Apple (OS), Linux (OS), * Trust chain check against certificate stores from Apple (OS), Linux (OS),
Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1 Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
* IPv6 (status: 80% working, details see * IPv6 (status: 80% working, details see
https://github.com/drwetter/testssl.sh/issues/11 https://github.com/testssl/testssl.sh/issues/11
* works now on servers requiring a x509 certificate for authentication * works now on servers requiring a x509 certificate for authentication
* extensive CN <--> hostname check * extensive CN <--> hostname check
* SSL Session ID check * SSL Session ID check
@ -183,7 +183,7 @@
* quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/) * quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
* lots of fixes, code improvements, even more robust * lots of fixes, code improvements, even more robust
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh Full log @ https://github.com/testssl/testssl.sh/commits/2.6/testssl.sh
### New in 2.4 ### New in 2.4
* "only one cmd line option at a time" is completely gone * "only one cmd line option at a time" is completely gone
@ -198,7 +198,7 @@ Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
* lots of cosmetic and maintainability code cleanups * lots of cosmetic and maintainability code cleanups
* bugfixing * bugfixing
Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh Full changelog: https://github.com/testssl/testssl.sh/commits/2.4/testssl.sh
### 2.2. new features: ### 2.2. new features:
* Works fully under FreeBSD (openssl >=1.0) * Works fully under FreeBSD (openssl >=1.0)
@ -214,7 +214,7 @@ Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
* RFC <---> OpenSSL name space mapping of ciphers everywhere * RFC <---> OpenSSL name space mapping of ciphers everywhere
* includes a lot of fixes * includes a lot of fixes
Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh Full changelog @ https://github.com/testssl/testssl.sh/commits/2.2/testssl.sh
### 2.0 major release, new features: ### 2.0 major release, new features:
* SNI * SNI

View File

@ -1,21 +1,25 @@
### Contributions / participation ### Contributing / participating
is always welcome, here @ github or via e-mail. Contributing / participating is always welcome!
Note please the following Please note the following:
* Please read at least the [coding convention](https://github.com/drwetter/testssl.sh/Coding_Convention.md). * Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md).
* One PR per feature or bug fix or improvement. Please do not mix issues. * If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
* Document your PR, both in the PR and/or commit message and in the code. * Please one pull request per feature or bug fix or improvement. Please do not mix issues.
* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings. * Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`. * GitHub actions are running automatically when anything is committed. You should see any complains. Beforehand you can check with `prove -v` from the "root dir" of this project.
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. * If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md` * If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
For questions just open an issue or feel free to send me an e-mail. If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
* [good first issue](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
* [help wanted](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22help%20wanted%22)
* [for grabs](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
For questions just open an issue. Thanks for reading this!
#### Patches via e-mail
Of course it is fine when you want to send in patches to use e-mail. For the address please grep for SWCONTACT in testssl.sh .
Let me know how you like them to be attributed.
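Review bot: the `for grabs` link at the end of the new tag list queries the wrong label: it uses `label:%22good%20first%20issue%22`, the same query as the entry above it, instead of `label:%22for%20grabs%22`. README.md in this same merge uses the correct `label%3A%22for+grabs%22`, so the two should agree. Smaller points in the new text: `complains` should be `complaints`, `Please one pull request per feature` reads better as `Please send one pull request per feature`, and the unit-test template changed from `t/20_baseline_ipv4_http.t` to `t/10_baseline_ipv4_http.t`; worth confirming that the new name is what exists on the 3.2 branch.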

View File

@ -1,6 +1,6 @@
# syntax=docker.io/docker/dockerfile:1 # syntax=docker.io/docker/dockerfile:1
ARG LEAP_VERSION=15.5 ARG LEAP_VERSION=15.6
ARG INSTALL_ROOT=/rootfs ARG INSTALL_ROOT=/rootfs
FROM opensuse/leap:${LEAP_VERSION} as builder FROM opensuse/leap:${LEAP_VERSION} as builder
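Review bot: `LEAP_VERSION=15.6` still resolves `FROM opensuse/leap:${LEAP_VERSION}` through a floating tag, and the builder stage also runs `zypper up -y` (next hunk), so two builds of the same commit can end up with different package sets. If the Docker Hub images are meant to be reproducible, pin the base by digest (`opensuse/leap:15.6@sha256:...`) and bump the digest deliberately alongside the version.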
@ -18,7 +18,7 @@ RUN source /etc/os-release \
&& zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \ && zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
&& rpm -e util-linux --nodeps \ && rpm -e util-linux --nodeps \
&& zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \ && zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl \ bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
&& zypper up -y \ && zypper up -y \
&& zypper "${ZYPPER_OPTIONS[@]}" clean --all && zypper "${ZYPPER_OPTIONS[@]}" clean --all
## Cleanup (reclaim approx 13 MiB): ## Cleanup (reclaim approx 13 MiB):
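Review bot: swapping `busybox-util-linux busybox-vi` for the single `busybox` package while `rpm -e util-linux --nodeps` still runs means every util-linux tool testssl.sh calls must now come from a busybox applet symlink; the next hunk adds `hexdump` for exactly that reason (`tar` is already covered per #2403). Grep testssl.sh for any other util-linux binaries and add a build-time check after the symlinks, e.g. `command -v tar hexdump >/dev/null`, so a missing applet fails the image build rather than a scan.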
@ -35,6 +35,7 @@ ARG INSTALL_ROOT
COPY --link --from=builder ${INSTALL_ROOT} / COPY --link --from=builder ${INSTALL_ROOT} /
# Link busybox to tar, see #2403. Create user + (home with SGID set): # Link busybox to tar, see #2403. Create user + (home with SGID set):
RUN ln -s /usr/bin/busybox /usr/bin/tar \ RUN ln -s /usr/bin/busybox /usr/bin/tar \
&& ln -s /usr/bin/busybox /usr/bin/hexdump \
&& echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \ && echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
&& echo 'testssl:x:1000:' >> /etc/group \ && echo 'testssl:x:1000:' >> /etc/group \
&& echo 'testssl:!::0:::::' >> /etc/shadow \ && echo 'testssl:!::0:::::' >> /etc/shadow \
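Review bot: the comment above this RUN still reads `Link busybox to tar, see #2403`; extend it to mention `hexdump`, otherwise the new symlink is unexplained. Both `ln -s` calls also succeed even when `/usr/bin/busybox` is absent from the copied `${INSTALL_ROOT}`, leaving dangling links that only surface at scan time; a `test -x /usr/bin/busybox` before the links, or a `command -v hexdump` after them, would surface that at build time.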

View File

@ -5,8 +5,8 @@ FROM alpine:3.20
WORKDIR /home/testssl WORKDIR /home/testssl
ARG BUILD_VERSION ARG BUILD_VERSION
ARG ARCHIVE_URL=https://github.com/drwetter/testssl.sh/archive/ ARG ARCHIVE_URL=https://github.com/testssl/testssl.sh/archive/
ARG URL=https://github.com/drwetter/testssl.sh.git ARG URL=https://github.com/testssl/testssl.sh.git
RUN test -n "${BUILD_VERSION}" \ RUN test -n "${BUILD_VERSION}" \
&& apk update \ && apk update \

View File

@ -1,11 +1,11 @@
## Intro ## Intro
<!-- [![Travis CI Status](https://img.shields.io/travis/drwetter/testssl.sh)](https://travis-ci.org/drwetter/testssl.sh) --> [![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml)
[![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
[![License](https://img.shields.io/github/license/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/LICENSE) [![Docker](https://img.shields.io/docker/pulls/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md)
`testssl.sh` is a free command line tool which checks a server's service on `testssl.sh` is a free command line tool which checks a server's service on
any port for the support of TLS/SSL ciphers, protocols as well as some any port for the support of TLS/SSL ciphers, protocols as well as some
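Review bot: the License badge links to `https://github.com/testssl/testssl.sh/LICENSE`, which is not a blob path (the Docker badge beside it correctly uses `/blob/3.2/Dockerfile.md`); it should be `https://github.com/testssl/testssl.sh/blob/3.2/LICENSE`. The old line had the same wrong path, so the org rename is a good moment to fix it.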
@ -45,16 +45,16 @@ due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or O
(silent) check for binaries is done when you start testssl.sh . System V needs probably (silent) check for binaries is done when you start testssl.sh . System V needs probably
to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too. to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
Update notification here or @ [mastodon](https://infosec.exchange/@testssl) (old: [twitter](https://twitter.com/drwetter)) Update notification here or @ [mastodon](https://infosec.exchange/@testssl or [bluesky](https://bsky.app/profile/testssl.bsky.social). Please note the [twitter](https://twitter.com/drwetter) account is not being used anymore.
### Installation ### Installation
You can download testssl.sh branch 3.2 just by cloning this git repository: You can download testssl.sh branch 3.2 just by cloning this git repository:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git git clone --depth 1 https://github.com/testssl/testssl.sh.git
3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase. 3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase and considered as stable.
For the former stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/v3.0.8) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/v3.0.8) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there. For the former stable version named oldstable please help yourself by downloading the [ZIP](https://codeload.github.com/testssl/testssl.sh/zip/v3.0.9) or [tar.gz](https://codeload.github.com/testssl/testssl.sh/tar.gz/v3.0.9) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
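Review bot: the mastodon link is missing its closing parenthesis, so `[mastodon](https://infosec.exchange/@testssl or [bluesky](https://bsky.app/profile/testssl.bsky.social)` renders as one broken link that swallows the bluesky text; it should read `[mastodon](https://infosec.exchange/@testssl) or [bluesky](https://bsky.app/profile/testssl.bsky.social)`. Minor: `considered as stable` reads better as `considered stable`.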
#### Docker #### Docker
@ -69,19 +69,19 @@ Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and r
docker build . -t imagefoo && docker run --rm -t imagefoo example.com docker build . -t imagefoo && docker run --rm -t imagefoo example.com
``` ```
For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md). For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
### No Warranty ### No Warranty
Usage of the program is without any warranty. Use it at yor own risk. Usage of the program is without any warranty. Use it at your own risk.
Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures. Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
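Review bot: while `yor` is being fixed, `best practise security measures` should be `best practice security measures` (noun form); the unchanged context line has the same spelling.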
### Status ### Status
We're currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies. We're currently in the release candidate phase for version 3.2. You should use it despite the label "RC". Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released. Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is finally released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only. Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
@ -93,16 +93,19 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
### Contributing ### Contributing
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.2/Coding_Convention.md). Contributions are welcome! See [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). We still you use your help now. A start would be look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced.
In general there's some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute, speak up.
### Bug reports ### Bug reports
Bug reports are important. It makes this project more robust. Bug reports are important. It makes this project more robust.
Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @ Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-) https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
You can also debug yourself, see [here](https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them). You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
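Review bot: `We still you use your help now.` is garbled; presumably `We still need your help.` And `A start would be look for issues` is missing `to`: `A start would be to look for issues`. The label links here (`label%3A%22for+grabs%22`) are the correct ones; CONTRIBUTING.md in this same merge points its `for grabs` entry at the `good first issue` query and should be aligned with this.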
---- ----
@ -129,7 +132,7 @@ Please address questions not specifically to the code of testssl.sh to the respe
#### Brew package #### Brew package
* see [#233](https://github.com/drwetter/testssl.sh/issues/233) and * see [#233](https://github.com/testssl/testssl.sh/issues/233) and
[https://github.com/Homebrew/homebrew](https://github.com/Homebrew/homebrew) [https://github.com/Homebrew/homebrew](https://github.com/Homebrew/homebrew)
#### Daemon for batch execution of testssl.sh command files #### Daemon for batch execution of testssl.sh command files

View File

@ -342,6 +342,8 @@
0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export 0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
0x00,0x28 - EXP-KRB5-RC4-SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export 0x00,0x28 - EXP-KRB5-RC4-SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
0x00,0x2B - EXP-KRB5-RC4-MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export 0x00,0x2B - EXP-KRB5-RC4-MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
0xC0,0xB4 - TLS_SHA256_SHA256 TLS_SHA256_SHA256 TLSv1.3 Kx=any Au=any Enc=None Mac=SHA256
0xC0,0xB5 - TLS_SHA384_SHA384 TLS_SHA384_SHA384 TLSv1.3 Kx=any Au=any Enc=None Mac=SHA384
0xC0,0x10 - ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1 0xC0,0x10 - ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1
0xC0,0x06 - ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1 0xC0,0x06 - ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
0xC0,0x15 - AECDH-NULL-SHA TLS_ECDH_anon_WITH_NULL_SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1 0xC0,0x15 - AECDH-NULL-SHA TLS_ECDH_anon_WITH_NULL_SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
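Review bot: `TLS_SHA256_SHA256` and `TLS_SHA384_SHA384` (RFC 9150) are integrity-only TLS 1.3 suites, so `Enc=None` is right, but they now sit in a block whose other entries are SSLv3-era export and NULL suites. Make sure whatever derives the NULL-cipher warning or the rating from this file keys on `Enc=None` rather than on the protocol column, or these two are missed on a TLS 1.3-only server that offers them.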

View File

@ -45,3 +45,7 @@
0x01,0x02 - ffdhe4096 ffdhe4096 0x01,0x02 - ffdhe4096 ffdhe4096
0x01,0x03 - ffdhe6144 ffdhe6144 0x01,0x03 - ffdhe6144 ffdhe6144
0x01,0x04 - ffdhe8192 ffdhe8192 0x01,0x04 - ffdhe8192 ffdhe8192
0x11,0xeb - SecP256r1MLKEM768 SecP256r1MLKEM768
0x11,0xec - X25519MLKEM768 X25519MLKEM768
0x11,0xed - SecP384r1MLKEM1024 SecP384r1MLKEM1024
0x63,0x99 - X25519Kyber768Draft00 X25519Kyber768Draft00
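Review bot: `X25519Kyber768Draft00` (0x63,0x99) is the pre-standard draft group that browsers have replaced with `X25519MLKEM768` (0x11,0xec); keeping it is useful for flagging servers that still negotiate the draft, but the display name should make that obsolete status visible in the output. Separately, if these groups are offered in the socket-based ClientHello rather than only used for name mapping, confirm the key_share handling copes with the ML-KEM key sizes (the X25519MLKEM768 client key share alone is 1216 bytes).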

File diff suppressed because one or more lines are too long

View File

@ -425,6 +425,10 @@ xB9 TLS_RSA_PSK_WITH_NULL_SHA384
<tr><td> [0xc0ae]</td><td> ECDHE-ECDSA-AES128-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 </td></tr> <tr><td> [0xc0ae]</td><td> ECDHE-ECDSA-AES128-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 128 </td><td> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 </td></tr>
<tr><td> [0xc0af]</td><td> ECDHE-ECDSA-AES256-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 </td></tr> <tr><td> [0xc0af]</td><td> ECDHE-ECDSA-AES256-CCM8 </td><td> ECDH </td><td> AESCCM </td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 </td></tr>
<!-- RFC 9150 -->
<tr><td> [0xc0b4]</td><td> TLS_SHA256_SHA256 </td><td> ECDH </td><td> Null </td><td> 0 </td><td> TLS_SHA256_SHA256</td></tr>
<tr><td> [0xc0b5]</td><td> TLS_SHA384_SHA384 </td><td> ECDH </td><td> Null </td><td> 0 </td><td> TLS_SHA384_SHA384</td></tr>
<!-- OLD CHACHA POLY CIPHERS, per agreement with Peter Mosmans we use the names like SSLlabs --> <!-- OLD CHACHA POLY CIPHERS, per agreement with Peter Mosmans we use the names like SSLlabs -->
<tr><td> [0xcc13]</td><td> ECDHE-RSA-CHACHA20-POLY1305-OLD </td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr> <tr><td> [0xcc13]</td><td> ECDHE-RSA-CHACHA20-POLY1305-OLD </td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
<tr><td> [0xcc14]</td><td> ECDHE-ECDSA-CHACHA20-POLY1305-OLD</td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr> <tr><td> [0xcc14]</td><td> ECDHE-ECDSA-CHACHA20-POLY1305-OLD</td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
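Review bot: the two new rows give `ECDH` as the key exchange for 0xc0b4 and 0xc0b5, but TLS 1.3 suites do not fix a key exchange, and the cipher-mapping.txt entries added in this same merge say `Kx=any`; the table should agree with the mapping file. `Null` / `0` for the cipher and bits columns is correct for these integrity-only suites.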

View File

@ -55,7 +55,7 @@ $out=`grep -E "$debug_regexp" $prg`;
unlike($out, qr/$debug_regexp/, "Debug RegEx"); unlike($out, qr/$debug_regexp/, "Debug RegEx");
$tests++; $tests++;
printf "\n"; printf "\n\n";
done_testing($tests); done_testing($tests);

View File

@ -6,7 +6,7 @@ use Test::More;
printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ..."; printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ...";
my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
is($newer_bundles,"","If there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\""); is($newer_bundles,"","Checking if there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\"");
printf "\n"; printf "\n";
done_testing; done_testing;
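Review bot: the unchanged context line still says `newer their SPKI hashes`; while the assertion message below is being reworded, fix it to `newer than their SPKI hashes`.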

View File

@ -46,15 +46,16 @@ $edited_html =~ s/&gt;/>/g;
$edited_html =~ s/&quot;/"/g; $edited_html =~ s/&quot;/"/g;
$edited_html =~ s/&apos;/'/g; $edited_html =~ s/&apos;/'/g;
cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output");
$tests++;
$diff = diff \$edited_html, \$out; $diff = diff \$edited_html, \$out;
printf "\n%s\n", "$diff";
cmp_ok($edited_html, "eq", $out, "Checking if HTML file matches terminal output") or
diag ("\n%s\n", "$diff");
$tests++;
#2 #2
printf "\n%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)"; printf "%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)";
# Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages
$out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`; $out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`;
$debughtml = `cat $htmlfile`; $debughtml = `cat $htmlfile`;
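Review bot: `diag ("\n%s\n", "$diff")` is not a printf: Test::More's `diag` joins its arguments, so a literal `%s` is printed ahead of the diff. Use `diag("\n$diff\n")`. The same form is used in the second comparison in this file and in t/61_diff_testsslsh.t in this merge.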
@ -79,15 +80,14 @@ $debughtml =~ s/.*built: .*\n//g;
$debughtml =~ s/.*Using bash .*\n//g; $debughtml =~ s/.*Using bash .*\n//g;
# is whole line: s/.*<pattern> .*\n//g; # is whole line: s/.*<pattern> .*\n//g;
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); $diff = diff \$debughtml, \$html;
cmp_ok($debughtml, "eq", $html, "Checking if HTML file created with --debug 4 matches HTML file created without --debug") or
diag ("\n%s\n", "$diff");
$tests++; $tests++;
$diff = diff \$debughtml, \$html;
printf "\n%s\n", "$diff";
printf "\n\n";
printf "\n";
done_testing($tests); done_testing($tests);
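Review bot: `cmp_ok($debughtml, "eq", $html, ...)` on failure dumps both complete HTML documents as got/expected before the `diag` diff is printed, which buries the useful part. `ok($debughtml eq $html, ...) or diag(...)`, the form t/61_diff_testsslsh.t switches to in this merge, prints only the diff; the first comparison in this file would benefit from the same change.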

View File

@ -17,7 +17,7 @@ pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 m
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`; my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json'); my $okjson = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
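Review bot: `more then 10 findings` should be `more than 10 findings`; the typo survives the rewording.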
# Expiration # Expiration
pass("Running testssl against expired.badssl.com"); $tests++; pass("Running testssl against expired.badssl.com"); $tests++;
@ -35,7 +35,7 @@ foreach my $f ( @$json ) {
last; last;
} }
} }
is($found,1,"We had a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Self signed and not-expired # Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++; pass("Running testssl against self-signed.badssl.com"); $tests++;
@ -52,7 +52,7 @@ foreach my $f ( @$json ) {
last; last;
} }
} }
is($found,1,"We had a finding for this in the JSON output"); $tests++; is($found,1,"We should a finding for this in the JSON output"); $tests++;
like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++; like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++;
$found = 0; $found = 0;
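Review bot: `We should a finding for this in the JSON output` is missing `have`, unlike the other rewordings in this file.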
@ -64,7 +64,7 @@ foreach my $f ( @$json ) {
last; last;
} }
} }
is($found,1,"We had a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++; like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++;
$found = 0; $found = 0;
@ -77,7 +77,7 @@ foreach my $f ( @$okjson ) {
last; last;
} }
} }
is($found,1,"We had a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Wrong host # Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++; #pass("Running testssl against wrong.host.badssl.com"); $tests++;
@ -111,7 +111,7 @@ foreach my $f ( @$json ) {
last; last;
} }
} }
is($found,1,"We had a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# TODO: RSA 8192 # TODO: RSA 8192

View File

@ -3,11 +3,10 @@
# Baseline diff test against testssl.sh (csv output) # Baseline diff test against testssl.sh (csv output)
# #
# We don't use a full run yet and only the certificate section. # We don't use a full run yet and only the certificate section.
# There we would need to blacklist at least: # There we would need to blacklist more, like:
# cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert # cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
# cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert # cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
# #
# help is appreciated here
use strict; use strict;
use Test::More; use Test::More;
@ -16,55 +15,54 @@ use Text::Diff;
my $tests = 0; my $tests = 0;
my $prg="./testssl.sh"; my $prg="./testssl.sh";
my $master_socket_csv="./t/baseline_data/default_testssl.csvfile"; my $baseline_csv="./t/baseline_data/default_testssl.csvfile";
my $socket_csv="tmp.csv"; my $cat_csv="tmp.csv";
my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv"; my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $cat_csv";
#my $check2run="-p --color 0 --csvfile $socket_csv";
my $uri="testssl.sh"; my $uri="testssl.sh";
my $diff=""; my $diff="";
die "Unable to open $prg" unless -f $prg; die "Unable to open $prg" unless -f $prg;
die "Unable to open $master_socket_csv" unless -f $master_socket_csv; die "Unable to open $baseline_csv" unless -f $baseline_csv;
# Provide proper start conditions # Provide proper start conditions
unlink "tmp.csv"; unlink $cat_csv;
# Title my @args=("$prg", "$check2run", "$uri", "2>&1");
printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
#1 run #1 run
`$prg $check2run $uri 2>&1`; printf "\n%s\n", "Diff unit test (IPv4) against \"$uri\"";
printf "@args\n";
system("@args") == 0
or die ("FAILED: \"@args\" ");
$diff = diff $socket_csv, $master_socket_csv; $cat_csv=`cat $cat_csv`;
$baseline_csv=`cat $baseline_csv`;
$socket_csv=`cat tmp.csv`;
$master_socket_csv=`cat $master_socket_csv`;
# Filter for changes that are allowed to occur # Filter for changes that are allowed to occur
$socket_csv=~ s/HTTP_clock_skew.*\n//g; $cat_csv =~ s/HTTP_clock_skew.*\n//g;
$master_socket_csv=~ s/HTTP_clock_skew.*\n//g; $baseline_csv =~ s/HTTP_clock_skew.*\n//g;
# DROWN
$socket_csv=~ s/censys.io.*\n//g;
$master_socket_csv=~ s/censys.io.*\n//g;
# HTTP time # HTTP time
$socket_csv=~ s/HTTP_headerTime.*\n//g; $cat_csv =~ s/HTTP_headerTime.*\n//g;
$master_socket_csv=~ s/HTTP_headerTime.*\n//g; $baseline_csv =~ s/HTTP_headerTime.*\n//g;
# Compare the differences to the master file -- and print differences if there were detected. # DROWN
$cat_csv =~ s/censys.io.*\n//g;
$baseline_csv =~ s/censys.io.*\n//g;
$diff = diff \$cat_csv, \$baseline_csv;
# Compare the differences to the baseline file -- and print differences if there were detected.
# #
cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or ok($cat_csv eq $baseline_csv, "Check whether CSV output matches baseline file from $uri") or
diag ("\n%s\n", "$diff"); diag ("\n%s\n", "$diff");
$tests++;
unlink "tmp.csv"; unlink "tmp.csv";
$tests++;
done_testing($tests); done_testing($tests);
printf "\n"; printf "\n";
# vim:ts=5:sw=5:expandtab # vim:ts=5:sw=5:expandtab
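Review bot: `$cat_csv` and `$baseline_csv` start out as file names and are then overwritten with the file contents (`$cat_csv=\`cat $cat_csv\``), which is why the cleanup at the end has to hard-code `unlink "tmp.csv"` again; keep the path and the contents in separate variables so the unlink can reuse the path. Also `system("@args") == 0 or die` turns any non-zero exit from testssl.sh into a test abort with no TAP failure line; checking `$?` and reporting it via `fail()` or `BAIL_OUT` keeps the result visible in the CI summary. Note `system("@args")` only works because the array is interpolated into one string and handed to the shell; `system(@args)` would pass `2>&1` as a literal argument.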

View File

@ -70,7 +70,7 @@
"FS_TLS13_sig_algs","testssl.sh/81.169.166.184","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","","" "FS_TLS13_sig_algs","testssl.sh/81.169.166.184","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","",""
"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","","" "HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","","" "HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1654006271","","" "HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1737570310","",""
"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","","" "HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","","" "HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","","" "HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
@ -81,6 +81,8 @@
"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","","" "X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","","" "X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","","" "Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","",""
"Cross-Origin-Opener-Policy","testssl.sh/81.169.166.184","443","INFO","same-origin-allow-popups","",""
"Cross-Origin-Resource-Policy","testssl.sh/81.169.166.184","443","INFO","same-site","",""
"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200" "banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" "heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310" "CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
@ -95,7 +97,7 @@
"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" "SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310" "FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" "DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=31B44391529821C6A77F3C78B02D716A07F99B8FDB342BF5A78F263C25375968","CVE-2016-0800 CVE-2016-0703","CWE-310" "DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5B4BC205947AED96ECB1879F2668F7F69D696C143BA8D1C69DBB4DC873C92AE9","CVE-2016-0800 CVE-2016-0703","CWE-310"
"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" "LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310" "LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20" "BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"

File diff suppressed because it is too large

View File

@ -72,6 +72,10 @@ foreach my $client ( @$ssllabs ) {
push @ciphersuites, "TLS_AES_128_CCM_SHA256"; } push @ciphersuites, "TLS_AES_128_CCM_SHA256"; }
elsif ( $suite == "4869" ) { elsif ( $suite == "4869" ) {
push @ciphersuites, "TLS_AES_128_CCM_8_SHA256"; } push @ciphersuites, "TLS_AES_128_CCM_8_SHA256"; }
elsif ( $suite == "49332" ) {
push @ciphersuites, "TLS_SHA256_SHA256"; }
elsif ( $suite == "49333" ) {
push @ciphersuites, "TLS_SHA384_SHA384"; }
elsif ( exists $ciphers{$suite} ) { elsif ( exists $ciphers{$suite} ) {
push @ciphers, $ciphers{$suite}; } push @ciphers, $ciphers{$suite}; }
elsif ( $suite == "255" ) { elsif ( $suite == "255" ) {
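Review bot: the two new branches for 49332 and 49333 (0xC0B4/0xC0B5) sit before the generic `exists $ciphers{$suite}` lookup, so if the mapping file later gains entries for these suites they will be silently shadowed here; either keep them only in this special-case list or only in the mapping. `$suite == "49332"` follows the file's existing numeric-compare style, which is fine while every ID is numeric, but `eq` would avoid an "isn't numeric" warning should a non-numeric ID ever come in from the SSL Labs data.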