Merge branch '3.1dev' into mta-sts

... rebasing in order to keep up with 3.1dev
Dirk Wetter 2021-05-10 12:10:21 +02:00
commit 71571397e0
10 changed files with 437 additions and 139 deletions


@ -7,8 +7,9 @@ assignees: ''
---
_**Please don't remove this template. We would like to reproduce the bug and need concise information. **_
_**Fee free to remove this line but please stick to this template. We would like to reproduce the bug and need concise information. **_
**Please check this repo whether this is a known issue**
**Command line / docker command to reproduce**
In addition the target of your scan would be helpful. If you don't want to disclose it publicly: ``grep SWCONTACT testssl.sh``.
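Review bot: the template line starting "Fee free to remove this line" has a typo and should read "Feel free". In the same line the space before the closing `**` in `information. **_` can stop Markdown from treating the text as bold, so drop that space.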


@ -16,12 +16,19 @@ assignees: ''
---
**Please check this repo whether this is a known issue**
Feel free to comment there
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Which version are you referring to**
3.0.x or 3.1dev? (please check also how old your version is compare to the ones provided here)
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
``
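Review bot: the hunk ends with a lone pair of backticks that looks like a leftover empty inline-code marker and should be removed or filled in. In the version question, "how old your version is compare to the ones provided here" should read "compared to".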


@ -7,4 +7,5 @@ assignees: ''
---
**Which version are you referring to**
3.0.x or 3.1dev? (please check also how old your version is compare to the ones here)
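Review bot: "compare to the ones here" should be "compared to", and "the ones here" has no referent in this template. Suggest using the same wording as the feature request template ("the ones provided here") or pointing at the place where current versions are listed.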


@ -8,11 +8,13 @@ addons:
- dnsutils
- jsonlint
before_install:
- if ! git diff --name-only $TRAVIS_COMMIT_RANGE | grep -qvE '(.md)|(.pem)|(.pdf)|(.html)|^(LICENSE)|^(docs)|^(utils)|^(bin)|(Dockerfile)'
- |
echo "Checking if a CI run is needed post commit: ${TRAVIS_COMMIT_RANGE}"
if ! git diff --name-only ${TRAVIS_COMMIT_RANGE} | grep -qvE '(\.md$)|(\.pem$)|(\.pdf$)|(\.html$)|^(LICENSE)|^(docs)|^(utils)|^(bin)|(Dockerfile)'
then
echo "no code was updated, not running the CI."
echo "No code was updated, not running the CI."
exit
fi
fi
install:
- cpanm --notest Test::More
- cpanm --notest Data::Dumper
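Review bot: the skip check in `before_install` fails open when `git diff --name-only ${TRAVIS_COMMIT_RANGE}` prints nothing. With no input, `grep -qvE` finds no non-matching line and returns non-zero, so `if !` takes the "No code was updated" branch and the CI run is skipped. That happens for an empty variable or a range git cannot resolve, which are the cases where a full run is the safe default. Suggest capturing the file list first, skipping only when it is non-empty and every entry matches, and quoting `"${TRAVIS_COMMIT_RANGE}"`. The extension patterns are now escaped and anchored, but `(Dockerfile)`, `^(docs)`, `^(utils)` and `^(bin)` still match by substring or prefix; `^docs/` and similar would be consistent with the tightened patterns.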


@ -2,7 +2,7 @@ FROM alpine:3.11
RUN apk update && \
apk upgrade && \
apk add bash procps drill git coreutils libidn curl socat openssl && \
apk add bash procps drill git coreutils libidn curl socat openssl xxd && \
rm -rf /var/cache/apk/* && \
addgroup testssl && \
adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
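Review bot: `xxd` is added to the `apk add` line with no visible note on why the image now needs it. If the script has gained a hard dependency on it, the documented requirements should list it next to the other tools. While this line is being touched, `apk add --no-cache` would replace the separate `apk update` and `rm -rf /var/cache/apk/*` steps.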


@ -88,7 +88,7 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
### Contributing
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.1dev/Coding_Convention.md}.
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.1dev/Coding_Convention.md).
### Bug reports
@ -106,6 +106,7 @@ You can also debug yourself, see [here](https://github.com/drwetter/testssl.sh/w
Please address questions not specifically to the code of testssl.sh to the respective projects below.
#### Web frontend
* https://github.com/johannesschaefer/webnettools
* https://github.com/TKCERT/testssl.sh-webfrontend
#### Free to use Web frontend + commercial API
@ -134,3 +135,6 @@ Please address questions not specifically to the code of testssl.sh to the respe
#### Daemon for batch processing of testssl.sh JSON result files for sending Slack alerts, reactive copying etc
* https://github.com/bitsofinfo/testssl.sh-alerts
#### GitHub Actions
* https://github.com/marketplace/actions/testssl-sh-scan


@ -398,8 +398,8 @@ xB9 TLS_RSA_PSK_WITH_NULL_SHA384
<tr><td> [0xc097]</td><td> DHE-PSK-CAMELLIA256-SHA384 </td><td> PSK/DHE </td><td> CAMELLIA </td><td> 256 </td><td> TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
<tr><td> [0xc098]</td><td> RSA-PSK-CAMELLIA128-SHA256 </td><td> PSK/RSA </td><td> CAMELLIA </td><td> 128 </td><td> TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
<tr><td> [0xc099]</td><td> RSA-PSK-CAMELLIA256-SHA384 </td><td> PSK/RSA </td><td> CAMELLIA </td><td> 256 </td><td> TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
<tr><td> [0xc09A]</td><td> ECDHE-PSK-CAMELLIA128-SHA25 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
<tr><td> [0xc09B]</td><td> ECDHE-PSK-CAMELLIA256-SHA38 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 256 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
<tr><td> [0xc09A]</td><td> ECDHE-PSK-CAMELLIA128-SHA256 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 128 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 </td></tr>
<tr><td> [0xc09B]</td><td> ECDHE-PSK-CAMELLIA256-SHA384 </td><td> PSK/ECDHE </td><td> CAMELLIA </td><td> 256 </td><td> TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 </td></tr>
<!-- RFC 6655 -->
<tr><td> [0xc09c]</td><td> AES128-CCM </td><td> RSA </td><td> AESCCM </td><td> 128 </td><td> TLS_RSA_WITH_AES_128_CCM </td></tr>
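Review bot: the two corrected rows keep the upper-case hex digits in `[0xc09A]` and `[0xc09B]`, while the neighbouring rows (`[0xc097]` to `[0xc099]`, `[0xc09c]`) are lower case. Since these lines are being rewritten to fix the truncated `SHA25`/`SHA38` names anyway, normalise them to `[0xc09a]` and `[0xc09b]` so that a case-sensitive search over the table finds them.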
@ -430,6 +430,15 @@ xB9 TLS_RSA_PSK_WITH_NULL_SHA384
<tr><td> [0xcc14]</td><td> ECDHE-ECDSA-CHACHA20-POLY1305-OLD</td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
<tr><td> [0xcc15]</td><td> DHE-RSA-CHACHA20-POLY1305-OLD </td><td> DH </td><td> ChaCha20-Poly1305</td><td> </td><td> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD</td></tr>
<!-- RFC7905, ChaCha20-Poly1305 -->
<tr><td> [0xcca8]</td><td> ECDHE-RSA-CHACHA20-POLY1305 </td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xcca9]</td><td> ECDHE-ECDSA-CHACHA20-POLY1305</td><td> ECDH </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xccaa]</td><td> DHE-RSA-CHACHA20-POLY1305 </td><td> DH </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xccab]</td><td> PSK-CHACHA20-POLY1305 </td><td> PSK </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_PSK_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xccac]</td><td> ECDHE-PSK-CHACHA20-POLY1305 </td><td> ECDH/PSK </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xccad]</td><td> DHE-PSK-CHACHA20-POLY1305 </td><td> DH/PSK </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xccae]</td><td> RSA-PSK-CHACHA20-POLY1305 </td><td> RSA/PSK </td><td> ChaCha20-Poly1305</td><td> 256 </td><td> TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256</td></tr>
<tr><td> [0xff00]</td><td> GOST-MD5 </td><td> RSA </td><td> GOST89 </td><td> 256 </td><td>TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5</td></tr>
<tr><td> [0xff01]</td><td> GOST-GOST94 </td><td> RSA </td><td> GOST89 </td><td> 256 </td><td>TLS_RSA_WITH_28147_CNT_GOST94</td></tr>
<tr><td> [0xff02]</td><td> GOST-GOST89MAC </td><td> RSA </td><td> GOST89 </td><td> 256 </td></tr>
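Review bot: the key exchange column of the new RFC 7905 rows uses `ECDH/PSK`, `DH/PSK` and `RSA/PSK`, while the existing PSK rows in this table use the opposite order and different names (`PSK/ECDHE`, `PSK/DHE`, `PSK/RSA`). Pick one convention so the column can be filtered consistently. The comment `<!-- RFC7905, ChaCha20-Poly1305 -->` also differs in spacing from `<!-- RFC 6655 -->` above.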


@ -42,12 +42,16 @@ $diff = diff $socket_csv, $master_socket_csv;
$socket_csv=`cat tmp.csv`;
$master_socket_csv=`cat $master_socket_csv`;
# Filter, for now only HTTP_clock_skew
# Filter for changes that are allowed to occur
$socket_csv=~ s/HTTP_clock_skew.*\n//g;
$master_socket_csv=~ s/HTTP_clock_skew.*\n//g;
# DROWN
$socket_csv=~ s/censys.io.*\n//g;
$master_socket_csv=~ s/censys.io.*\n//g;
# Compare the differences to the master file -- and print differences if there were detected.
# Filtering takes place later, so if there will be a difference detected it'll also show HTTP_clock_skew :-(
#
cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or
diag ("\n%s\n", "$diff");
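Review bot: in the new `s/censys.io.*\n//g` filters the dot is unescaped and matches any character; `censys\.io` states the intent. The comment below still says a detected difference will "also show HTTP_clock_skew", but `$diff` is computed before either filter runs, so the censys.io lines will show up in the `diag` output as well and the comment should say so, or the diff should be taken after filtering. Separately, `diag ("\n%s\n", "$diff")` passes a format string to a function that only concatenates its arguments, so the literal `%s` is printed.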


@ -75,8 +75,6 @@
"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; default-src 'self' ; child-src 'none'; object-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests","",""
"Expect-CT","testssl.sh/81.169.166.184","443","OK","max-age=86400, enforce","",""
"X-XSS-Protection","testssl.sh/81.169.166.184","443","INFO","1; mode=block","",""
"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"

File diff suppressed because it is too large