diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index ab00f2a..4785990 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -741,7 +741,7 @@ minEcdsaBits+=(-1) curves+=("X25519:prime256v1:secp384r1") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("Chrome 70 Win 10") short+=("chrome_70_win10") @@ -776,7 +776,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -798,7 +798,51 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(true) + + names+=("Chrome 78 (Win 10)") + short+=("chrome_78_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 79 (Win 10)") + short+=("chrome_79_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + 
handshakebytes+=("1603010200010001fc03032f8eea63ff25d05264565777081b6d1a326e12f37751c33c7e953973af65b2ab20a62f96b75b1c41454679b64cd32fb0fbbf99ff019501d92184d589a529c21c590022caca130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001917a7a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020465dfa0295bf9cd3578d2f23bbfdf58d6468c5dd0c071f0b7c6bb92fc507685b002d00020101002b000b0ababa0304030303020301001b00030200029a9a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) @@ -819,7 +863,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -840,7 +884,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -861,7 +905,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -882,7 +926,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -903,7 +947,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -924,7 +968,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -945,7 +989,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -966,7 +1010,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -987,7 +1031,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1008,7 +1052,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1029,7 +1073,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1050,7 +1094,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1071,7 +1115,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -1092,7 +1136,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1113,7 +1157,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1134,7 +1178,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1155,7 +1199,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1176,7 +1220,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1197,7 +1241,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1218,7 +1262,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1239,7 +1283,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1260,7 +1304,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -1281,7 +1325,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1302,7 +1346,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1323,7 +1367,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1344,7 +1388,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1365,7 +1409,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1386,7 +1430,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1407,7 +1451,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1415,7 +1459,7 @@ minEcdsaBits+=(-1) curves+=("X25519:prime256v1:secp384r1:secp521r1") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("Firefox 66 (Win 8.1/10)") short+=("firefox_66_win81") 
@@ -1429,7 +1473,29 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1023) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) + current+=(true) + + names+=("Firefox 71 (Win 10)") + short+=("firefox_71_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -1922,6 +1988,50 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("Opera 65 (Win 10)") + short+=("opera_65_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + +names+=("Opera 66 (Win 10)") + short+=("opera_66_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + 
minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("Safari 5.1.9 OS X 10.6.8") @@ -2554,7 +2664,7 @@ minEcdsaBits+=(-1) curves+=("sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1:sect193r1:sect193r2:secp192k1:prime192v1:sect163k1:sect163r1:sect163r2:secp160k1:secp160r1:secp160r2") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("OpenSSL 1.0.2e") short+=("openssl_102e") 
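Review bot: The two new Opera entries (Opera 65 and Opera 66) are added with `service+=("HTTP,FTP")`, while every other browser hunk in this commit narrows that field to `service+=("HTTP")`. If dropping FTP from browser profiles is the intent, these two should read `service+=("HTTP")` as well; otherwise the simulation list presumably still offers Opera for FTP targets and the report stays inconsistent between browsers. The same value is carried by the same two entries in etc/client-simulation.wiresharked.txt (hunk `@@ -220,6 +265,50 @@`). Separately, `+names+=("Opera 66 (Win 10)")` in this file appears to have lost the leading indentation that the wiresharked copy and all sibling entries keep.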
@@ -2586,7 +2696,29 @@ handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_2 -tls1_1 -tls1") - lowest_protocol+=("0x0300") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp521r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("OpenSSL 1.1.0l (Debian)") + short+=("openssl_110l") + ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") + 
protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") highest_protocol+=("0x0303") alpn+=("h2,http/1.1") service+=("ANY") @@ -2608,7 +2740,29 @@ handshakebytes+=("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") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") - lowest_protocol+=("0x0300") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") + requiresSha2+=(true) + current+=(false) + + names+=("OpenSSL 1.1.1d (Debian)") + short+=("openssl_111d") + ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") 
@@ -2641,6 +2795,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + current+=(false) + + names+=("Thunderbird (68.3)") + short+=("thunderbird_68_3_1") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,SMTP,POP,IMAP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) current+=(true) names+=("Baidu Jan 2015") diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md new file mode 100644 index 0000000..77458e0 --- /dev/null +++ b/etc/client-simulation.wiresharked.md 
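Review bot: The display name and the identifier of the new Thunderbird entry disagree on the version: `names+=("Thunderbird (68.3)")` against `short+=("thunderbird_68_3_1")`. Anyone mapping report output keyed on the short id back to a captured client cannot tell whether the handshake came from 68.3 or 68.3.1. Pick one spelling for both fields, e.g. `names+=("Thunderbird (68.3.1)")` if that is the build that was captured. The same pair appears in etc/client-simulation.wiresharked.txt (hunk `@@ -286,6 +419,28 @@`).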
@@ -0,0 +1,28 @@
+This file contains client handshake data manually created from Wireshark.
+The content needs to be added to client-simulation.txt which other part
+comes from the SSLlabs client API via update_client_sim_data.pl
+The whole process is done manually.
+
+## Instructions how to add a client simulation:
+
+* Start wireshark at a client or router. Best is during capture to filter for the target of your choice.
+* Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI).
+* Make sure the client traffic is specific: For just "Android" do not use a browser! Use the play store app e.g..
+* Stop recording.
+* If needed sort for ClientHello.
+* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
+* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
+* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
+* Adjust "lowest_protocol" and "highest_protocol" accordingly.
+* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
+* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
+* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
+* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
+* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`
+* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
+* Figure out the services by applying a good piece of human logic
+* Before submitting a PR: test it yourself! You can also watch it again via wireshark
+
+
+
+
diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt
index d0b2fca..81eef17 100644
--- a/etc/client-simulation.wiresharked.txt
+++ b/etc/client-simulation.wiresharked.txt
@@ -3,28 +3,7 @@ # comes from the SSLlabs client API via update_client_sim_data.pl # The whole process is done manually. # -# Instructions how to add a client simulation: -# * Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute. -# * Make sure you create a bit of encrypted traffic to a target of your choice 1) . -# * Make sure the client traffic is specific: For just "Android" do not use a browser! -# * Stop the recording. -# * If needed sort for ClientHello. -# * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. -# * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. -# * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here) -# * Adjust "lowest_protocol" and "highest_protocol" accordingly. -# * Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE. -# * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). -# * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true -# * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle -# * For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh -# * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh -# * Figure out the services by applying a good piece of logic -# * Before submitting a PR: test it yourself! 
You can also watch it again via wireshark -# -# -# 1) Attention, privacy: if you want to contribute it contains the target hostname (SNI) - +# Instructions how to add a client simulation see file "client-simulation.wiresharked.md". names+=("Android 8.1 (native)") short+=("android_81") @@ -104,7 +83,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -126,7 +105,51 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(true) + + names+=("Chrome 78 (Win 10)") + short+=("chrome_78_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 79 (Win 10)") + short+=("chrome_79_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 
-no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) @@ -148,7 +171,29 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1023) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) + current+=(true) + + names+=("Firefox 71 (Win 10)") + short+=("firefox_71_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -220,6 +265,50 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("Opera 65 (Win 10)") + short+=("opera_65_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Opera 66 (Win 10)") + short+=("opera_66_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + 
minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("OpenSSL 1.1.0j (Debian)") @@ -242,6 +331,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp521r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("OpenSSL 1.1.0l (Debian)") + short+=("openssl_110l") + ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp521r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("OpenSSL 1.1.1b (Debian)") 
@@ -253,7 +364,7 @@ handshakebytes+=("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") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") - lowest_protocol+=("0x0300") + lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") @@ -262,7 +373,29 @@ minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) - curves+=("X25519:secp256r1:X448:secp521r1:secp384r1") + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") + requiresSha2+=(true) + current+=(false) + + names+=("OpenSSL 1.1.1d (Debian)") + short+=("openssl_111d") + ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") requiresSha2+=(true) current+=(true) 
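Review bot: The new OpenSSL 1.1.1d entry in hunk `@@ -262,7 +373,29 @@` sets `protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1")`, but the copy of the same entry added to etc/client-simulation.txt (hunk `@@ -2608,7 +2740,29 @@`) has `protos+=("-no_ssl2 -no_ssl3")`, as do the other OpenSSL entries visible in this diff. The accompanying .md says the wiresharked content is what gets added to client-simulation.txt, so the two should agree; `-tls1_1 -tls1` look like `tlsvers` switches that slipped into `protos`. Unless that was deliberate, use `protos+=("-no_ssl2 -no_ssl3")` here so a later manual sync does not silently change which protocol versions the simulated client offers.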
@@ -286,6 +419,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + current+=(false) + + names+=("Thunderbird (68.3)") + short+=("thunderbird_68_3_1") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,SMTP,POP,IMAP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) current+=(true) names+=("Safari 12.1 (iOS 12.2)") diff --git a/t/00_testssl_help.t b/t/00_testssl_help.t new file mode 100755 index 0000000..8495cd5 --- /dev/null +++ b/t/00_testssl_help.t 
@@ -0,0 +1,42 @@
+#!/usr/bin/env perl
+
+# Basics: is there a synatx error where alerady bash hiccups on?
+
+use strict;
+use Test::More;
+
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh 2>&1`;
+my $retval=$?;
+
+unlike($fileout, qr/$error_regexp1/, "regex 1");
+$tests++;
+
+unlike($fileout, qr/$error_regexp2/, "regex 2");
+$tests++;
+
+unlike($fileout, qr/$error_regexp3/, "regex 3");
+$tests++;
+
+unlike($fileout, qr/$error_regexp4/, "regex 4");
+$tests++;
+
+unlike($fileout, qr/$error_regexp5/, "regex 5");
+$tests++;
+
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+
+printf "\n";
+done_testing($tests);
+
+
diff --git a/t/01_ca_hashes_up_to_date.t b/t/01_ca_hashes_up_to_date.t
deleted file mode 100755
index 722a312..0000000
--- a/t/01_ca_hashes_up_to_date.t
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env perl
-
-use strict;
-use Test::More tests => 1;
-
-
-my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
-is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh");
-done_testing;
\ No newline at end of file
diff --git a/t/01_testssl_banner.t b/t/01_testssl_banner.t
new file mode 100755
index 0000000..4eccadd
--- /dev/null
+++ b/t/01_testssl_banner.t
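Review bot: `my $retval=$?;` in t/00_testssl_help.t stores the raw wait status of the backtick command, so a failing run is reported with a shifted number (a `timeout` expiry, exit code 124, shows up as 31744). Shifting it makes the diagnostic readable: `my $retval = $? >> 8;`. The same line appears in t/01_testssl_banner.t. Both new scripts also enable `use strict;` without `use warnings;`, which is worth adding next to it.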
@@ -0,0 +1,48 @@
+#!/usr/bin/env perl
+
+# Basics: is there a synatx error where already bash hiccups on?
+# --banner is equal to --version
+
+use strict;
+use Test::More;
+
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+# my $good_regexp='free software.*USAGE w/o ANY WARRANTY.*OWN RISK.*Using.*ciphers.*built(.*)platform';
+my $good_regexp='free software([\s\S]*)USAGE w/o ANY WARRANTY([\s\S]*)OWN RISK([\s\S]*)Using([\s\S]*)ciphers([\s\S]*)built([\s\S]*)platform';
+
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh --banner\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh --banner 2>&1`;
+my $retval=$?;
+
+unlike($fileout, qr/$error_regexp1/, "regex 1");
+$tests++;
+
+unlike($fileout, qr/$error_regexp2/, "regex 2");
+$tests++;
+
+unlike($fileout, qr/$error_regexp3/, "regex 3");
+$tests++;
+
+unlike($fileout, qr/$error_regexp4/, "regex 4");
+$tests++;
+
+unlike($fileout, qr/$error_regexp5/, "regex 5");
+$tests++;
+
+like($fileout, qr/$good_regexp/, "regex positive");
+$tests++;
+
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+
+printf "\n";
+done_testing($tests);
+
+
diff --git a/t/02_clientsim_txt_parsable.t b/t/02_clientsim_txt_parsable.t
new file mode 100755
index 0000000..f947db0
--- /dev/null
+++ b/t/02_clientsim_txt_parsable.t
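Review bot: The positive check in t/01_testssl_banner.t builds `$good_regexp` from six `([\s\S]*)` groups whose captures are never read, and keeps the earlier attempt as a commented-out line above it. With the `/s` modifier `.` matches newlines, so the simpler pattern does the job: `like($fileout, qr{free software.*USAGE w/o ANY WARRANTY.*OWN RISK.*Using.*ciphers.*built.*platform}s, "regex positive");`. The commented-out variant can then be dropped.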
@@ -0,0 +1,26 @@ +#!/usr/bin/env perl + +# Just a functional test, whether ~/etc/client-simulation.txt +# doesn't have any synatx errors + +use strict; +use Test::More; + +my $tests = 0; +my $fileout=""; +# Blacklists we use to trigger an error: +my $error_regexp1='(syntax|parse) (e|E)rror'; +my $error_regexp2='client-simulation.txt:'; + +printf "\n%s\n", "Testing whether \"~/etc/client-simulation.txt\" isn't broken ..."; +$fileout = `bash ./etc/client-simulation.txt 2>&1`; +unlike($fileout, qr/$error_regexp1/, "regex 1"); +$tests++; + +unlike($fileout, qr/$error_regexp2/, "regex 2"); +$tests++; + +printf "\n"; +done_testing($tests); + + diff --git a/t/05_ca_hashes_up_to_date.t b/t/05_ca_hashes_up_to_date.t new file mode 100755 index 0000000..ece53b5 --- /dev/null +++ b/t/05_ca_hashes_up_to_date.t @@ -0,0 +1,12 @@ +#!/usr/bin/env perl + +use strict; +use Test::More; + +printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ..."; + +my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; +is($newer_bundles,"","If there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\""); + +printf "\n"; +done_testing; diff --git a/t/07_isJSON_valid.t b/t/07_isJSON_valid.t index b6b3399..abba0f4 100755 --- a/t/07_isJSON_valid.t +++ b/t/07_isJSON_valid.t @@ -21,8 +21,10 @@ die "Unable to open $prg" unless -f $prg; my $uri="cloudflare.com"; +printf "\n%s\n", "Unit testing JSON output ..."; + #1 -printf "\n%s\n", "Unit testing plain JSON output --> $uri ..."; +printf "%s\n", ".. plain JSON --> $uri "; $out = `./testssl.sh $check2run --jsonfile tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -31,7 +33,7 @@ is(@errors,0,"no errors"); $tests++; #2 -printf "\n%s\n", "Unit testing pretty JSON output --> $uri ..."; +printf "%s\n", ".. pretty JSON --> $uri "; $out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; 
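Review bot: Neither t/02_clientsim_txt_parsable.t nor t/05_ca_hashes_up_to_date.t checks the exit status of the command it runs, so both can pass on a failure that prints nothing they match. In the CA-hash test `find` reports errors on stderr, which is not captured. If `etc/ca_hashes.txt` is missing, stdout is empty and `is($newer_bundles,"",...)` succeeds, hiding the stale-hash condition the test is there to catch. Adding `is($? >> 8, 0, "command exited cleanly");` directly after each backtick call closes the gap. For the client-simulation file, `bash -n ./etc/client-simulation.txt` would check the syntax without executing the file.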
@@ -43,7 +45,7 @@ $tests++; #3 # This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. # but the output should be fine. The idea is to have a unit test for a failed connection. -printf "\n%s\n", "Checking plain JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -53,7 +55,7 @@ $tests++; #4 # Same as above but with pretty JSON -printf "\n%s\n", "Checking pretty JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. pretty JSON for a failed run '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -63,7 +65,7 @@ $tests++; #5 my $uri = "smtp-relay.gmail.com:587"; -printf "\n%s\n", " Unit testing plain JSON output --> $uri ..."; +printf "%s\n", " .. plain JSON and STARTTLS --> $uri ..."; $out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -71,7 +73,7 @@ unlink 'tmp.json'; is(@errors,0,"no errors"); $tests++; - +printf "\n"; done_testing($tests); sub json($) { diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index 3319818..f8877a8 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t 
@@ -18,8 +18,10 @@ my $check2run="--color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; +printf "\n%s\n", "Doing HTML output checks"; + #1 -printf "\n%s\n", "Running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes) ..."; +printf "%s\n", " .. running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes)"; # specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH $out = `TERM_WIDTH=120 $prg $check2run $uri`; $html = `cat tmp.html`; @@ -41,12 +43,12 @@ $edited_html =~ s/>/>/g; $edited_html =~ s/"/"/g; $edited_html =~ s/'/'/g; -printf "\n%s\n", "Comparing HTML and terminal outputs"; +printf "\n%s\n", " .. comparing HTML and terminal outputs"; cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output"); $tests++; #2 -printf "\n%s\n", "Running $prg against $uri with --debug 4 to create HTML output (may take 2~3 minutes)"; +printf "\n%s\n", " .. running $prg against $uri with --debug 4 to create HTML output (may take another 2~3 minutes)"; # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages $out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`; $debughtml = `cat tmp.html`; @@ -66,9 +68,9 @@ $debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew $debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g; -printf "\n%s\n", "Checking that using the --debug option doesn't affect the HTML file"; +printf "\n%s\n", " .. checking that using the --debug option doesn't affect the HTML file"; cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); $tests++; -printf "\n%s\n"; +printf "\n"; done_testing($tests); diff --git a/t/09_isJSON_severitylevel_valid.t b/t/09_isJSON_severitylevel_valid.t index b933b4b..ab78d94 100755 --- a/t/09_isJSON_severitylevel_valid.t +++ b/t/09_isJSON_severitylevel_valid.t 
@@ -15,8 +15,11 @@ my ( $tests = 0; + +printf "\n%s\n", "Doing severity level checks"; + #1 -pass("Running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; +pass(" .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; $out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -31,7 +34,7 @@ foreach my $f ( @$json ) { is($found,0,"We should not have any finding with INFO level"); $tests++; #2 -pass("Running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; +pass(" .. running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; $out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`; $json_pretty = json('tmp.json'); unlink 'tmp.json'; @@ -45,6 +48,7 @@ foreach my $f ( @$vulnerabilities ) { } is($found,0,"We should not have any finding with INFO level"); $tests++; +printf "\n"; done_testing($tests); sub json($) { diff --git a/t/Readme.md b/t/Readme.md index 7cfb01e..56ba9c5 100644 --- a/t/Readme.md +++ b/t/Readme.md @@ -1,6 +1,7 @@ ### Naming scheme -* 00-09: Does the reporting work at all? +* 00-05: Does the bare testssl.sh work at all? +* 06-09: Does the reporting work at all? * 20-39: Do scans work fine (client side)? * 50-69: Are the results what I expect (server side)? diff --git a/utils/hexstream2cipher.sh b/utils/hexstream2cipher.sh index d346499..1f67180 100755 --- a/utils/hexstream2cipher.sh +++ b/utils/hexstream2cipher.sh 
@@ -17,7 +17,11 @@ for ((i=0; i $grepstr --> " cip=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }') - echo $cip + if [[ $grepstr == 0x00,0xff ]]; then + echo TLS_EMPTY_RENEGOTIATION_INFO_SCSV + else + echo $cip + fi if "$first"; then ciphers="$cip" first=false @@ -27,4 +31,4 @@ for ((i=0; i
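Review bot: The new special case `[[ $grepstr == 0x00,0xff ]]` compares case-sensitively, while the lookup one line above runs `grep -i` on the same string. A hex stream written in upper case (`0x00,0xFF`) therefore skips the branch and echoes whatever the mapping lookup returned, presumably nothing. A glob pattern fixes this without needing newer bash features: `if [[ $grepstr == 0x00,0x[fF][fF] ]]; then`. The branch also changes only the echoed name. `$cip` is still assigned to `ciphers` just below, which looks like it adds an empty element for the SCSV, though the rest of the loop lies outside this hunk. `$mapfile` and `$cip` are also unquoted in the visible lines.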