Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-09-02 01:58:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3.2' into mac_runner

Browse Source
This commit is contained in:
Dirk Wetter
2025-05-20 16:31:34 +02:00
parent d0143b181b 242256bd58
commit 7815b67695
5 changed files with 96 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/docker-3.2.yml vendored
View File

@ -15,10 +15,8 @@ env:
GIT_BRANCH: "3.2"
jobs:
deploy:
runs-on: ubuntu-24.04
steps:
- name: lowercase the repository name
run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
@ -59,7 +57,6 @@ jobs:
context: .
file: Dockerfile.alpine
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
build-args: GIT_BRANCH
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}
labels: ${{ steps.docker_meta.outputs.labels }}

61
Dockerfile
View File

@ -6,42 +6,53 @@ ARG INSTALL_ROOT=/rootfs
FROM opensuse/leap:${LEAP_VERSION} AS builder
ARG CACHE_ZYPPER=/tmp/cache/zypper
ARG INSTALL_ROOT
RUN \
# /etc/os-release provides ${VERSION_ID} for usage in ZYPPER_OPTIONS:
source /etc/os-release \
# We don't need the openh264.repo and the non-oss repos, just costs build time (repo caches).
&& zypper removerepo repo-openh264 repo-non-oss repo-update-non-oss \
&& export ZYPPER_OPTIONS=( --releasever "${VERSION_ID}" --installroot "${INSTALL_ROOT}" --cache-dir "${CACHE_ZYPPER}" ) \
&& zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
&& zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
&& zypper "${ZYPPER_OPTIONS[@]}" clean --all \
## Cleanup (reclaim approx 13 MiB):
RUN <<HEREDOC
# Remove the `openh264` the `non-oss` repos to save on sync time, they're not needed:
zypper removerepo repo-openh264 repo-non-oss repo-update-non-oss
# `/etc/os-release` provides the `VERSION_ID` variable for usage in `ZYPPER_OPTIONS`:
source /etc/os-release
export ZYPPER_OPTIONS=( --releasever "${VERSION_ID}" --installroot "${INSTALL_ROOT}" --cache-dir "${CACHE_ZYPPER}" )
# Install packages to a custom root-fs location (defined in `ZYPPER_OPTIONS`):
zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh
zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl
# Optional - Avoid `CACHE_ZYPPER` from being redundantly cached in this RUN layer:
# (doesn't improve `INSTALL_ROOT` size thanks to `--cache-dir`)
zypper "${ZYPPER_OPTIONS[@]}" clean --all
# Cleanup (reclaim approx 13 MiB):
# None of this content should be relevant to the container:
&& rm -r "${INSTALL_ROOT}/usr/share/"{licenses,man,locale,doc,help,info} \
"${INSTALL_ROOT}/usr/share/misc/termcap" \
"${INSTALL_ROOT}/usr/lib/sysimage/rpm"
rm -r "${INSTALL_ROOT}/usr/share/"{licenses,man,locale,doc,help,info} \
"${INSTALL_ROOT}/usr/share/misc/termcap" \
"${INSTALL_ROOT}/usr/lib/sysimage/rpm"
HEREDOC
# Create a new image with the contents of ${INSTALL_ROOT}
FROM scratch AS base-leap
ARG INSTALL_ROOT
COPY --link --from=builder ${INSTALL_ROOT} /
RUN \
RUN <<HEREDOC
# Creates symlinks for any other commands that busybox can provide that
# aren't already provided by coreutils (notably hexdump + tar, see #2403):
# NOTE: `busybox --install -s` is not supported via the leap package, manually symlink commands.
ln -s /usr/bin/busybox /usr/bin/tar \
&& ln -s /usr/bin/busybox /usr/bin/hexdump \
&& ln -s /usr/bin/busybox /usr/bin/xxd \
ln -s /usr/bin/busybox /usr/bin/tar
ln -s /usr/bin/busybox /usr/bin/hexdump
ln -s /usr/bin/busybox /usr/bin/xxd
# Add a non-root user `testssl`, this is roughly equivalent to the `useradd` command:
# useradd --uid 1000 --user-group --create-home --shell /bin/bash testssl
&& echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
&& echo 'testssl:x:1000:' >> /etc/group \
&& echo 'testssl:!::0:::::' >> /etc/shadow \
&& install --mode 2755 --owner testssl --group testssl --directory /home/testssl \
# The home directory will install a copy of `testssl.sh`, symlink the script to be used as a command:
&& ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd
echo 'testssl:x:1000:' >> /etc/group
echo 'testssl:!::0:::::' >> /etc/shadow
install --mode 2755 --owner testssl --group testssl --directory /home/testssl
# A copy of `testssl.sh` will be added to the home directory,
# symlink to that file so it can be treated as a command:
ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
HEREDOC
# Runtime config:
USER testssl
@ -49,7 +60,7 @@ ENTRYPOINT ["testssl.sh"]
CMD ["--help"]
# Final image stage (add `testssl.sh` project files)
# Choose either one as the final stage (defaults to last stage, `dist-local`)
# Choose either one as the final stage (defaults to the last stage, `dist-local`)
# 62MB Image (Remote repo clone, cannot filter content through `.dockerignore`):
FROM base-leap AS dist-git

30
Dockerfile.alpine
View File

@ -1,8 +1,20 @@
# syntax=docker.io/docker/dockerfile:1
FROM alpine:3.21 AS base-alpine
RUN apk add --no-cache bash procps drill coreutils libidn curl socat openssl xxd \
&& addgroup testssl \
&& adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
&& ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
RUN <<HEREDOC
apk add --no-cache bash procps drill coreutils libidn curl socat openssl xxd
# Add a non-root user `testssl`, this is roughly equivalent to the `adduser` command:
# addgroup testssl && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl
echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd
echo 'testssl:x:1000:' >> /etc/group
echo 'testssl:!::0:::::' >> /etc/shadow
install --mode 2755 --owner testssl --group testssl --directory /home/testssl
# A copy of `testssl.sh` will be added to the home directory,
# symlink to that file so it can be treated as a command:
ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
HEREDOC
# Runtime config:
USER testssl
@ -10,14 +22,14 @@ ENTRYPOINT ["testssl.sh"]
CMD ["--help"]
# Final image stage (add `testssl.sh` project files)
# Choose either one as the final stage (defaults to last stage, `dist-git`)
# 27MB Image (Local repo copy from build context, uses `.dockerignore`):
FROM base-alpine AS dist-local
COPY --chown=testssl:testssl . /home/testssl/
# Choose either one as the final stage (defaults to the last stage, `dist-local`)
# 35MB Image (Remote repo clone, cannot filter content through `.dockerignore`):
FROM base-alpine AS dist-git
ARG GIT_URL=https://github.com/testssl/testssl.sh.git
ARG GIT_BRANCH
ADD --chown=testssl:testssl ${GIT_URL}#${GIT_BRANCH?branch-required} /home/testssl
# 27MB Image (Local repo copy from build context, uses `.dockerignore`):
FROM base-alpine AS dist-local
COPY --chown=testssl:testssl . /home/testssl/

24
Dockerfile.md
View File

@ -1,6 +1,6 @@
## Usage
Run the image with `testssl.sh` options appended (default is `--help`). The container entrypoint is already set to `testsl.sh` as the command for convenience.
Run the image with `testssl.sh` options appended (default is `--help`). The container entrypoint is already set to `testsl.sh` for convenience.
```bash
docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 --fs github.com
@ -19,19 +19,19 @@ docker run --rm -it -v /tmp:/data --workdir /data ghcr.io/testssl/testssl.sh:3.2
> [!NOTE]
> - The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`.
> - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/).
> - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`][docker-docs::cli::cp].
## Images
### Available at DockerHub and GHCR
You can pull the image from either of these registries:
- DockerHub: [`drwetter/testssl.sh`](https://hub.docker.com/r/drwetter/testssl.sh)
- GHCR: [`ghcr.io/testssl/testssl.sh`](https://github.com/testssl/testssl.sh/pkgs/container/testssl.sh)
- DockerHub: [`drwetter/testssl.sh`][image-registry::dockerhub]
- GHCR: [`ghcr.io/testssl/testssl.sh`][image-registry::ghcr]
Supported tags:
- `3.2` / `latest`
- `3.0` is the old stable version ([soon to become EOL](https://github.com/testssl/testssl.sh/tree/3.0#status))
- `3.0` is the old stable version ([soon to become EOL][testssl::v3p0-eol])
### Building the `testssl.sh` container image
@ -47,7 +47,9 @@ There are two base images supported:
- openSUSE Leap ([`Dockerfile`](./Dockerfile)), glibc-based + faster.
- Alpine ([`Dockerfile`](./Dockerfile.alpine)), musl-based + half the size.
The Alpine variant is made available if you need broarder platform support, or an image about 30MB smaller at the expense of slightly slower performance.
The Alpine variant is made available if you need broader platform support, or an image about 30MB smaller at the expense of [slightly slower performance][testssl::base-image-performance].
For contributors, if needing context on the [package selection has been documented][testssl::base-image-packages] for each base image.
#### Tip - Remote build context + `Dockerfile`
@ -58,7 +60,7 @@ docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.s
```
> [!NOTE]
> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts](https://github.com/docker/buildx/issues/3169).
> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts][build::dockerignore-remote-context].
---
@ -70,3 +72,11 @@ docker build \
--file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile.alpine \
https://github.com/testssl/testssl.sh.git#3.2
```
[docker-docs::cli::cp]: https://docs.docker.com/reference/cli/docker/container/cp/
[image-registry::dockerhub]: https://hub.docker.com/r/drwetter/testssl.sh
[image-registry::ghcr]: https://github.com/testssl/testssl.sh/pkgs/container/testssl.sh
[testssl::v3p0-eol]: https://github.com/testssl/testssl.sh/tree/3.0#status
[testssl::base-image-performance]: https://github.com/testssl/testssl.sh/issues/2422#issuecomment-2841822406
[testssl::base-image-packages]: https://github.com/testssl/testssl.sh/issues/2422#issuecomment-2841822406
[build::dockerignore-remote-context]: https://github.com/docker/buildx/issues/3169

37
Readme.md
View File

@ -1,11 +1,17 @@
## Intro
[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
![GitHub Tag](https://img.shields.io/github/v/tag/testssl/testssl.sh)
![Static Badge](https://img.shields.io/badge/%2Fbin%2Fbash_-blue)
![Static Badge](https://img.shields.io/badge/OpenSSL_-blue)
[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
![GitHub Created At](https://img.shields.io/github/created-at/testssl/testssl.sh)
![GitHub last commit](https://img.shields.io/github/last-commit/testssl/testssl.sh)
![GitHub commit activity](https://img.shields.io/github/commit-activity/m/testssl/testssl.sh)
[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
![Mastodon Follow](https://img.shields.io/mastodon/follow/109319848143024146?domain=infosec.exchange)
[![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
`testssl.sh` is a free command line tool which checks a server's service on
any port for the support of TLS/SSL ciphers, protocols as well as some
@ -23,7 +29,7 @@ cryptographic flaws.
* Reliability: features are tested thoroughly.
* Privacy: It's only you who sees the result, not a third party.
* Freedom: It's 100% open source. You can look at the code, see what's going on.
* The development is open @ GitHub and participation is welcome.
* The development is free and open @ GitHub and participation is welcome.
### License
@ -37,14 +43,14 @@ to get bugfixes, other feedback and more contributions.
### Compatibility
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev
Testssl.sh is working on every Linux/BSD distribution and MacOS out of the box. Latest by 2.9dev
most of the limitations of disabled features from the openssl client are gone
due to bash-socket-based checks. An old OpenSSL-bad version is supplied but
but you can also use any LibreSSL or OpenSSL version.
testssl.sh also works on other unixoid systems out of the box, supposed they have
`/bin/bash` >= version 3.2 and standard tools like sed and awk installed. An implicit
(silent) check for binaries is done when you start testssl.sh . System V needs probably
to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
to have GNU grep installed. Windows (using MSYS2, Cygwin or WSL) work too.
Update notification here or @ [mastodon](https://infosec.exchange/@testssl) or [bluesky](https://bsky.app/profile/testssl.bsky.social). [twitter](https://twitter.com/drwetter) is not being used anymore.
@ -74,7 +80,7 @@ docker run --rm -it ghcr.io/testssl/testssl.sh <your_cmd_line>
Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run
```
docker build . -t imagefoo && docker run --rm -t imagefoo example.com
docker build . -t imagefoo && docker run --rm -t imagefoo testssl.net
```
For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
@ -83,32 +89,33 @@ For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/bl
Usage of the program is without any warranty. Use it at your own risk.
Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures and sanitize external input, we can't guarantee that the program is without any vulnerabilities. Running as a web service may pose security risks and you're advised to apply additional security measures. Validate input from the user and from all services which are queried.
### Status
This is the stable release version 3.2. Please use it **now**, as 3.0.x will not get any updates after 3.0.10, with the current manpower we only support n-1 versions. There will be soon a separate 3.3.dev branch where further development takes place before 3.4 becomes the stable version and 3.2 becomes old-stable.
This is the stable version 3.2. Please use it **now**, as 3.0.x will not get any updates after 3.0.10, with the current manpower we only support n-1 versions. There will be soon a separate 3.3.dev branch where further development takes place before 3.4 becomes the stable version and 3.2 becomes old-stable.
### Documentation
* .. it is there for reading. Please do so :-) -- at least before asking questions. See man page in groff, html and markdown format in `~/doc/`.
* [https://testssl.sh/](https://testssl.sh/) will help to get you started.
* For the (older) version 2.8, Will Hunt provides a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/), including useful background information.
* There's also a [https://deepwiki.com/testssl/testssl.sh](AI generated doc), see also below.
* Will Hunt provides a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/) for an older version (2.8), including useful background information.
### Contributing
A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). Your contributions would be also welcome! There's a [large to-do list](https://github.com/testssl/testssl.sh/issues). To get started look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced, you can also lookout for documentation issues.
A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). Your contribution would be also welcome! There's an [issue list](https://github.com/testssl/testssl.sh/issues). To get started look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced. You can also lookout for [documentation issues](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue%20state%3Aopen%20label%3Adocumentation), or you can help with [unit testing](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22unit%20test%22) or improving github actions.
It is recommended to read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) and please also have a look at he [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). Before you start writing patches with hundreds of lines, better create an issue first.
It is recommended to read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) and please also have a look at he [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). Before you start writing PRs with hundreds of lines, better create an issue first.
In general there's also some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute and be responsible to one of those maintenance task, please speak up. That would free resources that we could use for development.
In general there's also some maintenance burden, like maintaining handshakes and CA stores etc. . If you believe you can contribute and be responsible to one of those maintenance task, please speak up. That would free resources that we could use for development.
### Bug reports
Bug reports are important. It makes this project more robust.
Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see the template for issues, and further details @
https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).