Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-29 21:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2912 from testssl/early_data

Browse Source 
TLS 1.3 early data / 0-RTT
This commit is contained in:
Dirk Wetter
2025-10-09 18:55:14 +02:00
committed by GitHub
parent 8534e72dc3 aacde5dadb
commit 80d05c0831
5 changed files with 841 additions and 760 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -4,6 +4,7 @@
### Features implemented / improvements in 3.3dev
* QUIC protocol check
* TLS 1.3 early data (0-RTT)
* Bump SSLlabs rating guide to 2009r
* Check for Opossum vulnerability
* Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it

1422
doc/testssl.1
View File

File diff suppressed because it is too large Load Diff

34
doc/testssl.1.html
View File

@@ -470,11 +470,11 @@
encryption sucks. Also this section lists the available
elliptical curves and Diffie Hellman groups, as well as FFDHE
groups (TLS 1.2 and TLS 1.3).</p>
<p><code>-p, --protocols</code> checks TLS/SSL protocols SSLv2,
SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC (HTTP/3),
SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final version and
several drafts (from 18 on) are tested. QUIC needs OpenSSL &gt;=
3.2 which can be automatically picked up when in
<p><code>-p, --protocols</code> checks every SSL/TLS protocols:
SSLv2, SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC
(HTTP/3), SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final
version and several drafts (from 18 on) are tested. QUIC needs
OpenSSL &gt;= 3.2 which can be automatically picked up when in
<code>/usr/bin/openssl</code> (or when defined environment
variable OPENSSL2). If a TLS-1.3-only host is encountered and
the openssl-bad version is used testssl.sh will e.g. for HTTP
@@ -493,6 +493,7 @@
<li>Available TLS extensions,</li>
<li>TLS ticket + session ID information/capabilities,</li>
<li>session resumption capabilities,</li>
<li>TLS 1.3 early data, a.k.a 0-RTT</li>
<li>Time skew relative to localhost (most server implementations
return random values).</li>
<li>Several certificate information
@@ -927,11 +928,11 @@
and when this is set to true, it generates a separate text file
with epoch times in <code>/tmp/testssl-&lt;XX&gt;.time</code>.
They need to be concatenated by
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code> <!---
* FAST_SOCKET
* SHOW_SIGALGO
* FAST
--></li>
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code>
&lt;!—</li>
<li>FAST_SOCKET</li>
<li>SHOW_SIGALGO</li>
<li>FAST &gt;</li>
<li>EXPERIMENTAL=true is an option which is sometimes used in
the development process to make testing easier. In released
versions this has no effect.</li>
@@ -969,10 +970,9 @@
may be made larger on systems with faster processors.</li>
<li>MAX_WAIT_TEST is the maximum time (in seconds) to wait for a
single test in parallel mass testing mode to complete. The
default is 1200. <!---
* USLEEP_SND
* USLEEP_REC
--></li>
default is 1200. &lt;!—</li>
<li>USLEEP_SND</li>
<li>USLEEP_REC &gt;</li>
<li>HSTS_MIN is preset to 179 (days). If you want warnings
sooner or later for HTTP Strict Transport Security you can
change this.</li>
@@ -1194,6 +1194,7 @@
News Transfer Protocol (NNTP)</li>
<li>RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3</li>
<li>RFC 8470: Using Early Data in HTTP</li>
<li>RFC 8701: Applying Generate Random Extensions And Sustain
Extensibility (GREASE) to TLS Extensibility</li>
<li>RFC 9000: QUIC: A UDP-Based Multiplexed and Secure
@@ -1201,7 +1202,12 @@
<li>W3C CSP: Content Security Policy Level 1-3</li>
<li>TLSWG Draft: The Transport Layer Security (TLS) Protocol
Version 1.3</li>
<li>FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism
Standard</li>
</ul>
<p><a
href="ihttps://www.rfc-editor.org/search/rfc_search_detail.php?title=TLS&amp;page=All">More
RFCs</a> might be applicable.</p>
<h2 id="exit-status">EXIT STATUS</h2>
<ul>
<li>0 testssl.sh finished successfully without errors and

9
doc/testssl.1.md
View File

@@ -178,7 +178,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
`-f, --fs, --nsa, --forward-secrecy` Checks robust forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).
`-p, --protocols` checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC (HTTP/3), SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final version and several drafts (from 18 on) are tested. QUIC needs OpenSSL >= 3.2 which can be automatically picked up when in `/usr/bin/openssl` (or when defined environment variable OPENSSL2). If a TLS-1.3-only host is encountered and the openssl-bad version is used testssl.sh will e.g. for HTTP header checks switch to `/usr/bin/openssl` (or when defined via ENV to OPENSSL2). Also this will be tried for the QUIC check.
`-p, --protocols` checks every SSL/TLS protocols: SSLv2, SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC (HTTP/3), SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final version and several drafts (from 18 on) are tested. QUIC needs OpenSSL >= 3.2 which can be automatically picked up when in `/usr/bin/openssl` (or when defined environment variable OPENSSL2). If a TLS-1.3-only host is encountered and the openssl-bad version is used testssl.sh will e.g. for HTTP header checks switch to `/usr/bin/openssl` (or when defined via ENV to OPENSSL2). Also this will be tried for the QUIC check.
`-P, --server-preference, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.
@@ -187,6 +187,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
* Available TLS extensions,
* TLS ticket + session ID information/capabilities,
* session resumption capabilities,
* TLS 1.3 early data, a.k.a 0-RTT
* Time skew relative to localhost (most server implementations return random values).
* Several certificate information
- signature algorithm,
@@ -525,10 +526,14 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
* RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security
* RFC 8143: Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)
* RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
* RFC 8470: Using Early Data in HTTP
* RFC 8701: Applying Generate Random Extensions And Sustain Extensibility (GREASE) to TLS Extensibility
* RFC 9000: QUIC: A UDP-Based Multiplexed and Secure Transport
* W3C CSP: Content Security Policy Level 1-3
* TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3
* FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
[More RFCs](ihttps://www.rfc-editor.org/search/rfc_search_detail.php?title=TLS&page=All) might be applicable.
## EXIT STATUS
@@ -549,7 +554,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
* 252 (ERR_FNAMEPARSE) Input file couldn't be parsed
* 253 (ERR_FCREATE) Output file couldn't be created
* 254 (ERR_CMDLINE) Cmd line couldn't be parsed
* 255 (ERR_BASH) Bash version incorrect
* 255 (ERR_BASH) Bash version incorrect
## FILES

135
testssl.sh
View File

@@ -247,10 +247,10 @@ CIPHERS_BY_STRENGTH_FILE=""
TLS_DATA_FILE="" # mandatory file for socket-based handshakes
OPENSSL="" # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
OPENSSL2=${OPENSSL2:-/usr/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
OPENSSL2_HAS_TLS_1_3=false # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true
OPENSSL2_HAS_CHACHA20=false
OPENSSL2_HAS_AES128_GCM=false
OPENSSL2_HAS_AES256_GCM=false
HAS2_TLS13=false # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true
HAS2_CHACHA20=false
HAS2_AES128_GCM=false
HAS2_AES256_GCM=false
OSSL_SHORTCUT=${OSSL_SHORTCUT:-true} # If you don't want automagically switch from $OPENSSL to $OPENSSL2 for TLS 1.3-only hosts, set this to false
OPENSSL_LOCATION=""
OPENSSL_NOTIMEOUT="" # Needed for renegotiation tests
@@ -5560,6 +5560,7 @@ run_prototest_openssl() {
#
# arg1: protocol
# arg2: available (yes) or not (no)
#
add_proto_offered() {
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
if [[ "$2" == yes ]] && [[ "$PROTOS_OFFERED" =~ $1:no ]]; then
@@ -5571,7 +5572,7 @@ add_proto_offered() {
fi
}
# function which checks whether SSLv2 - TLS 1.2 is being offered, see add_proto_offered()
# function which checks whether the supplied protocol was tested to be offered; see also add_proto_offered()
# arg1: protocol string or hex code for TLS protocol
# echos: 0 if proto known being offered, 1: known not being offered, 2: we don't know yet whether proto is being offered
# return value is always zero
@@ -7130,6 +7131,59 @@ sub_session_resumption() {
return $ret
}
# Tests for TSL 1.3 early data / 0-RTT (see RFC 8470). Defer processing or HTTP 425 is not yet tested.
# Returns:
# - 0: Early Data was accepted
# - 1: not
# - 2: no TLS 1.3
# - 3: STARTTLS
# - 4/5: problem with openssl binary
# - 6: Client Auth not possible
# - 7: no session data
#
sub_early_data() {
local sess_data=$TEMPDIR/session_data.log
local early_data=$TEMPDIR/early_data.log
local openssl_bin=""
[[ "$CLIENT_AUTH" == required ]] && [[ -z "$MTLS" ]] && return 6
[[ $(has_server_protocol 04) -eq 1 ]] && return 2
[[ -n "$STARTTLS" ]] && return 3
if "$HAS_TLS13"; then
openssl_bin=$OPENSSL
elif "$HAS2_TLS13"; then
openssl_bin="$OPENSSL2"
else
return 4
fi
if "$HAS_EARLYDATA"; then
# OpenSSL also has early data, LibreSSL won't succeeded here
openssl_bin=$OPENSSL
elif "$HAS2_EARLYDATA"; then
openssl_bin="$OPENSSL2"
else
return 5
fi
safe_echo "HEAD / HTTP/1.1\r\nHost: $NODE\r\nConnection: close\r\nEarly-Data: 1\r\n\r\n" > $early_data
$openssl_bin s_client $(s_client_options "$STARTTLS $BUGS -tls1_3 -connect $NODEIP:$PORT $PROXY $SNI") -sess_out $sess_data -ign_eof \
< $early_data >/dev/null 2>$ERRFILE
if [[ ! -s "$sess_data" ]]; then
exit 7
fi
$openssl_bin s_client $(s_client_options "$STARTTLS $BUGS -tls1_3 -connect $NODEIP:$PORT $PROXY $SNI") -sess_in $sess_data \
-early_data $early_data </dev/null 2>$ERRFILE | grep -qi '^Early Data was accepted'
if [[ $? -eq 0 ]]; then
return 0
else
return 1
fi
}
run_server_preference() {
local cipher1="" cipher2="" tls13_cipher1="" tls13_cipher2="" default_proto=""
local default_cipher="" ciph
@@ -10665,20 +10719,20 @@ run_server_defaults() {
jsonID="sessionresumption_ticket"
sub_session_resumption "$sessticket_proto"
case $? in
0) out "Tickets: yes, "
0) out "tickets: yes, "
fileout "$jsonID" "INFO" "supported"
;;
1) out "Tickets no, "
1) out "tickets no, "
fileout "$jsonID" "INFO" "not supported"
;;
5) pr_warning "Ticket resumption test failed, pls report / "
5) pr_warning "ticket resumption test failed, pls report / "
fileout "$jsonID" "WARN" "check failed, pls report"
((ret++))
;;
6) pr_warning "Client Auth: Ticket resumption test not supported / "
fileout "$jsonID" "WARN" "check couldn't be performed because of client authentication"
;;
7) pr_warning "Connect problem: Ticket resumption test not possible / "
7) pr_warning "connect problem: Ticket resumption test not possible / "
fileout "$jsonID" "WARN" "check failed because of connect problem"
((ret++))
;;
@@ -10711,6 +10765,43 @@ run_server_defaults() {
esac
fi
pr_bold " TLS 1.3 early data support "
jsonID="early_data"
if "$NO_SSL_SESSIONID"; then
pr_svrty_good "no early data"; outln " (no SSL session ID)"
fileout "$jsonID" "OK" "No early data: no session SSL ID"
else
sub_early_data
case $? in
0) out "offered, potentially " ; pr_svrty_high "NOT ok"; outln " (check context, see e.g. RFC 8446 E.5)"
fileout "$jsonID" "HIGH" "supported"
# https://www.rfc-editor.org/rfc/rfc8446#appendix-E.5
;;
1) prln_svrty_good "no early data offered"
fileout "$jsonID" "OK" "No early data"
;;
2) outln "not offered, as no TLS 1.3 offered"
fileout "$jsonID" "INFO" "No TLS 1.3 offered"
;;
3) outln "not tested, as STARTTLS doesn't offer that"
fileout "$jsonID" "OK" "not tested, as STARTTLS doesn't offer that"
;;
4) prln_warning "couldn't test it, no OpenSSL TLS 1.3 support"
fileout "$jsonID" "WARN" "no OpenSSL support TLS 1.3 support"
;;
5) prln_warning "couldn't test it, no OpenSSL early_data support"
fileout "$jsonID" "INFO" "no OpenSSL early_data support"
;;
6) prln_warning "Client Auth: early data check not supported"
fileout "$jsonID" "WARN" "check couldn't be performed because of client authentication"
;;
7) prln_warning "check failed (no session data"
fileout "$jsonID" "WARN" "check failed (no session data)"
((ret++))
;;
esac
fi
tls_time
jsonID="cert_compression"
@@ -13434,7 +13525,7 @@ chacha20() {
if "$HAS_CHACHA20"; then
plaintext="$(hex2binary "$ciphertext" | $OPENSSL enc -chacha20 -K "$key" -iv "01000000$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
enc_chacha_used=true
elif "$OPENSSL2_HAS_CHACHA20"; then
elif "$HAS2_CHACHA20"; then
# empty OPENSSL_CONF temporarily as it might cause problems, see #2780
plaintext="$(hex2binary "$ciphertext" | OPENSSL_CONF='' $OPENSSL2 enc -chacha20 -K "$key" -iv "01000000$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
enc_chacha_used=true
@@ -14135,7 +14226,7 @@ gcm-decrypt() {
if "$HAS_AES128_GCM"; then
plaintext="$(hex2binary "$ciphertext" | $OPENSSL enc -aes-128-gcm -K "$key" -iv "$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
enc_aesgcm_used=true
elif "$OPENSSL2_HAS_AES128_GCM"; then
elif "$HAS2_AES128_GCM"; then
# empty OPENSSL_CONF temporarily as it might cause problems, see #2780
plaintext="$(hex2binary "$ciphertext" | OPENSSL_CONF='' $OPENSSL2 enc -aes-128-gcm -K "$key" -iv "$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
enc_aesgcm_used=true
@@ -14144,7 +14235,7 @@ gcm-decrypt() {
if "$HAS_AES256_GCM"; then
plaintext="$(hex2binary "$ciphertext" | $OPENSSL enc -aes-256-gcm -K "$key" -iv "$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
aesgcm_used=true
elif "$OPENSSL2_HAS_AES256_GCM"; then
elif "$HAS2_AES256_GCM"; then
# empty OPENSSL_CONF temporarily as it might cause problems, see #2780
plaintext="$(hex2binary "$ciphertext" | OPENSSL_CONF='' $OPENSSL2 enc -aes-256-gcm -K "$key" -iv "$nonce" 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
enc_aesgcm_used=true
@@ -21137,7 +21228,7 @@ find_openssl_binary() {
# Kind of fine this way as openssl 1.1.1 supports early_data, came with tls 1.3
if $OPENSSL s_client -help 2>&1 | grep -q early_data ; then
HAS_EARLYDATA=true
elif OPENSSL_CONF='' $OPENSS2 s_client --help 2>&1 | grep -q early_data ; then
elif OPENSSL_CONF='' $OPENSSL2 s_client --help 2>&1 | grep -q early_data ; then
HAS2_EARLYDATA=true
fi
@@ -21234,15 +21325,15 @@ find_openssl_binary() {
if [[ $OPENSSL2 != $OPENSSL ]] && [[ -x $OPENSSL2 ]]; then
if ! "$HAS_CHACHA20"; then
OPENSSL_CONF='' $OPENSSL2 enc -chacha20 -K 12345678901234567890123456789012 -iv 01000000123456789012345678901234 >/dev/null 2>/dev/null <<< "test"
[[ $? -eq 0 ]] && OPENSSL2_HAS_CHACHA20=true
[[ $? -eq 0 ]] && HAS2_CHACHA20=true
fi
if ! "$HAS_AES128_GCM"; then
OPENSSL_CONF='' $OPENSSL2 enc -aes-128-gcm -K 0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 >/dev/null 2>/dev/null <<< "test"
[[ $? -eq 0 ]] && OPENSSL2_HAS_AES128_GCM=true
[[ $? -eq 0 ]] && HAS2_AES128_GCM=true
fi
if ! "$HAS_AES256_GCM"; then
OPENSSL_CONF='' $OPENSSL2 enc -aes-256-gcm -K 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 >/dev/null 2>/dev/null <<< "test"
[[ $? -eq 0 ]] && OPENSSL2_HAS_AES256_GCM=true
[[ $? -eq 0 ]] && HAS2_AES256_GCM=true
fi
# Now check whether the standard $OPENSSL has Unix-domain socket and xmpp-server support. If
@@ -21256,7 +21347,7 @@ find_openssl_binary() {
grep -q 'xmpp-server' $s_client2_starttls_has && HAS_XMPP_SERVER2=true
# Likely we don't need the following second check here, see 6 lines above
if grep -wq 'tls1_3' $s_client_has2; then
OPENSSL_CONF='' OPENSSL2_HAS_TLS_1_3=true
OPENSSL_CONF='' HAS2_TLS13=true
fi
fi
fi
@@ -21598,10 +21689,10 @@ HAS_CURVES: $HAS_CURVES
OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES
OPENSSL2: $OPENSSL2 ($($OPENSSL2 version -v 2>/dev/null))
OPENSSL2_HAS_TLS_1_3: $OPENSSL2_HAS_TLS_1_3
OPENSSL2_HAS_CHACHA20: $OPENSSL2_HAS_CHACHA20
OPENSSL2_HAS_AES128_GCM: $OPENSSL2_HAS_AES128_GCM
OPENSSL2_HAS_AES256_GCM: $OPENSSL2_HAS_AES256_GCM
HAS2_TLS13: $HAS2_TLS13
HAS2_CHACHA20: $HAS2_CHACHA20
HAS2_AES128_GCM: $HAS2_AES128_GCM
HAS2_AES256_GCM: $HAS2_AES256_GCM
HAS_SSL2: $HAS_SSL2
HAS_SSL3: $HAS_SSL3
@@ -23104,7 +23195,7 @@ determine_optimal_proto() {
[[ $? -ne 0 ]] && exit $ERR_CLUELESS
elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
if "$OPENSSL2_HAS_TLS_1_3"; then
if "$HAS2_TLS13"; then
if "$OSSL_SHORTCUT" || [[ "$WARNINGS" == batch ]]; then
# switch w/o asking
OPEN_MSG=" $NODE:$PORT appeared to support TLS 1.3 ONLY. Thus switched automagically from\n \"$OPENSSL\" to \"$OPENSSL2\"."