From 0911d1ae31a9e76016661a04a41ab2a02be08265 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Mon, 13 Jan 2020 11:34:25 +0100
Subject: [PATCH 01/15] For better recognition put readme in a separate file
---
 etc/client-simulation.wiresharked.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 etc/client-simulation.wiresharked.md
diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md
new file mode 100644
index 0000000..d35ac1d
--- /dev/null
+++ b/etc/client-simulation.wiresharked.md
@@ -0,0 +1,28 @@ +This file contains client handshake data manually created from Wireshark. +The content needs to be added to client-simulation.txt which other part +comes from the SSLlabs client API via update_client_sim_data.pl +The whole process is done manually. + +## Instructions how to add a client simulation: + +* Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute. +* Make sure you create a bit of encrypted traffic to a target of your choice. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). +* Make sure the client traffic is specific: For just "Android" do not use a browser! +* Stop the recording. +* If needed sort for ClientHello. +* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. +* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. +* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here) +* Adjust "lowest_protocol" and "highest_protocol" accordingly. +* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE. +* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). +* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true +* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle +* For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh +* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. 
Retrieve them from above see ~/utils/hexstream2cipher.sh +* Figure out the services by applying a good piece of logic +* Before submitting a PR: test it yourself! You can also watch it again via wireshark + + + + From cf8cb541d5ee787e2ea621b03d6411461533fbfc Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 11:35:58 +0100 Subject: [PATCH 02/15] Update Thunderbird simulation to v68.3 --- etc/client-simulation.txt | 22 +++++++++++++ etc/client-simulation.wiresharked.txt | 45 ++++++++++++++------------- 2 files changed, 45 insertions(+), 22 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index fec2110..43a1eff 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt 
@@ -2641,6 +2641,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + current+=(false) + + names+=("Thunderbird ("68.3") + short+=("thunderbird_68_3_1") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + 
service+=("HTTP,SMTP,POP,IMAP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) current+=(true) names+=("Baidu Jan 2015") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 8c342bb..23fe7d0 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt 
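Review bot: `alpn+=("h2,http/1.1")` in the added Thunderbird entry does not match its own `handshakebytes`: decoded, the ClientHello extensions are 0x0000 (SNI), 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0005, 0x0033, 0x002b, 0x000d, 0x002d, 0x001c and 0x0015, and extension 16 (0x0010, ALPN) is absent. The value looks carried over from a browser entry; it should be whatever this file uses for clients that send no ALPN, otherwise the recorded metadata disagrees with what the captured client offers. On the first added line, `names+=("Thunderbird ("68.3")` has an unbalanced quote and parenthesis, which breaks bash's parsing of the file; `names+=("Thunderbird (68.3)")` is the intended form (a later patch in this series applies it to client-simulation.txt). Both points apply to the identical entry added in the etc/client-simulation.wiresharked.txt hunk of this commit.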
@@ -3,28 +3,7 @@ # comes from the SSLlabs client API via update_client_sim_data.pl # The whole process is done manually. # -# Instructions how to add a client simulation: -# * Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute. -# * Make sure you create a bit of encrypted traffic to a target of your choice 1) . -# * Make sure the client traffic is specific: For just "Android" do not use a browser! -# * Stop the recording. -# * If needed sort for ClientHello. -# * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. -# * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. -# * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here) -# * Adjust "lowest_protocol" and "highest_protocol" accordingly. -# * Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE. -# * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). -# * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true -# * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle -# * For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh -# * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh -# * Figure out the services by applying a good piece of logic -# * Before submitting a PR: test it yourself! 
You can also watch it again via wireshark -# -# -# 1) Attention, privacy: if you want to contribute it contains the target hostname (SNI) - +# Instructions how to add a client simulation see file "client-simulation.wiresharked.md". names+=("Android 8.1 (native)") short+=("android_81") 
@@ -286,6 +265,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + current+=(false) + + names+=("Thunderbird ("68.3") + short+=("thunderbird_68_3_1") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + 
service+=("HTTP,SMTP,POP,IMAP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) current+=(true) names+=("Safari 12.1 (iOS 12.2)") From 69acd007311c77fb29117becc3c5551b88a4295d Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 15:52:17 +0100 Subject: [PATCH 03/15] Add file to check whether ~/etc/client-simulation.txt is parsable --- t/02_clientsim_txt_parsable.t | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100755 t/02_clientsim_txt_parsable.t diff --git a/t/02_clientsim_txt_parsable.t b/t/02_clientsim_txt_parsable.t new file mode 100755 index 0000000..a746931 --- /dev/null +++ b/t/02_clientsim_txt_parsable.t @@ -0,0 +1,28 @@ +#!/usr/bin/env perl + +# Just a functional test, whether there are any problems on the client side +# Probably we could also inspect the JSON for any problems for +# "id" : "scanProblem" +# "finding" : "Scan interrupted" + +use strict; +use Test::More; + +my $tests = 0; +my $check2run ="--client-simulation -q --ip=one --color 0"; +my $fileout=""; +# Blacklists we use to trigger an error: +my $error_regexp1='(syntax|parse) (e|E)rror'; +my $error_regexp2='client-simulation.txt:'; + +printf "\n%s\n", "Testing whether \"~/etc/client-simulation.txt\" isn't broken ..."; +$fileout = `bash ./etc/client-simulation.txt 2>&1`; +unlike($fileout, qr/$error_regexp1/, ""); +$tests++; + +unlike($fileout, qr/$error_regexp2/, ""); +$tests++; + +done_testing($tests); + + From a714aec91295c3929fdeefd2af0eb81d5a81ebf4 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 16:01:27 +0100 Subject: [PATCH 04/15] Clarify / correct a few bits --- etc/client-simulation.wiresharked.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md index d35ac1d..77458e0 100644 
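Review bot: The test executes the data file with `bash ./etc/client-simulation.txt` and then only pattern-matches the output, so the exit status is never checked and any failure whose message matches neither regexp passes. Since the aim is "parsable", a syntax-only run avoids executing contributed content and gives a status to assert on: `$fileout = qx(bash -n ./etc/client-simulation.txt 2>&1);` followed by `is($?, 0, "client-simulation.txt parses");`. Both `unlike` calls have an empty description, `$check2run` is assigned but never used, and `use warnings;` is missing next to `use strict;`.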
--- a/etc/client-simulation.wiresharked.md +++ b/etc/client-simulation.wiresharked.md @@ -5,10 +5,10 @@ The whole process is done manually. ## Instructions how to add a client simulation: -* Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute. -* Make sure you create a bit of encrypted traffic to a target of your choice. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). -* Make sure the client traffic is specific: For just "Android" do not use a browser! -* Stop the recording. +* Start wireshark at a client or router. Best is during capture to filter for the target of your choice. +* Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). +* Make sure the client traffic is specific: For just "Android" do not use a browser! Use the play store app e.g.. +* Stop recording. * If needed sort for ClientHello. * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. 
@@ -18,9 +18,9 @@ The whole process is done manually. * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle -* For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh -* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh -* Figure out the services by applying a good piece of logic +* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh` +* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh`` +* Figure out the services by applying a good piece of human logic * Before submitting a PR: test it yourself! You can also watch it again via wireshark From 88ec92d62206a0c824f282d36f94ae12e8b1bf13 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 16:02:39 +0100 Subject: [PATCH 05/15] Add recent Chrome and Opera handshakes Chrome 78 and 79, Opera 65 and 66 Remove FTP from Chrome --- etc/client-simulation.txt | 94 ++++++++++++++++++++++++++- etc/client-simulation.wiresharked.txt | 94 ++++++++++++++++++++++++++- 2 files changed, 182 insertions(+), 6 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 43a1eff..bfcf81e 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -776,7 +776,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -798,7 +798,51 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 78 (Win 10)") + short+=("chrome_78_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc030332e6eabb5d4b9818074f79423b0a9cde127a309671fcf0d0420bdb68f98bbc9320085a3e18e8e5cf4060c1e7065523d344f09186ffb835c10095df30b1611bc49a0022eaea130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001912a2a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020e0a5bb30a2a14bc13685b4a19ba59628aad22b761dceb63a9dcfa10475f84260002d00020101002b000b0a0a0a0304030303020301001b00030200025a5a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + 
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 79 (Win 10)") + short+=("chrome_79_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc03032f8eea63ff25d05264565777081b6d1a326e12f37751c33c7e953973af65b2ab20a62f96b75b1c41454679b64cd32fb0fbbf99ff019501d92184d589a529c21c590022caca130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001917a7a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020465dfa0295bf9cd3578d2f23bbfdf58d6468c5dd0c071f0b7c6bb92fc507685b002d00020101002b000b0ababa0304030303020301001b00030200029a9a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + 
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
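Review bot: The added Chrome 78 and Chrome 79 entries set `minDhBits+=(1024)` although neither `ciphers` list contains a finite-field DHE suite and `curves` has no ffdhe group, so the bound describes a key exchange these handshakes never offer. The Opera 65/66 entries added later in this commit, with the same cipher list, use `minDhBits+=(-1)`, which is also what the contributor instructions recommend when the limit is not known. How the consumer uses the value is not visible here, but the two sets should agree. The Chrome 79 entry continues past the end of the hunk, and the same entries are added in the etc/client-simulation.wiresharked.txt hunk of this commit.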
@@ -1922,6 +1966,50 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("Opera 65 (Win 10)") + short+=("opera_65_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc03039eee8c108ed7b040285658cddb0022e7e1f17bc92084335edf8ad5404fbf424a203bedd34c83b59c3e302af681b449490895335de0d8a0f10d20a0ff610130229b00224a4a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001912a2a000000000014001200000f626c6f67732e6f706572612e636f6d00170000ff01000100000a000a00081a1a001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b00291a1a000100001d0020cc29a9f8b3a69149c38b29ccb7341b98efd1714c3887fc1e84512470f783921a002d00020101002b000b0adada0304030303020301001b0003020002dada000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + 
maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + +names+=("Opera 66 (Win 10)") + short+=("opera_66_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc0303a7ab90aa0987b33da751017bb78958f51bc1aa76e116c21eb4bb0b51a9f88f77203658175a55b25ab41867568b52e8fb8eaf4c8e91ceccf30ae498879e468579b100222a2a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001911a1a000000000014001200000f626c6f67732e6f706572612e636f6d00170000ff01000100000a000a00087a7a001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b00297a7a000100001d0020488d0d07b77098f98cb97ee85ae88b358404a8004633896e5110966ab3c18f66002d00020101002b000b0ababa0304030303020301001b00030200023a3a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + 
maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("Safari 5.1.9 OS X 10.6.8") @@ -2643,7 +2731,7 @@ requiresSha2+=(false) current+=(false) - names+=("Thunderbird ("68.3") + names+=("Thunderbird (68.3)") short+=("thunderbird_68_3_1") ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 23fe7d0..ca4a3ed 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -83,7 +83,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
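Review bot: Both added Opera entries carry `service+=("HTTP,FTP")`, while this same commit narrows the Chrome entries to `service+=("HTTP")`; Opera 65/66 here send the same cipher list and extension set as Chrome 78/79, so the reason for dropping FTP probably applies to them as well and should be confirmed. In this hunk `+names+=("Opera 66 (Win 10)")` is also the only added line without the leading indent used by every other entry. The Opera 66 entry continues past the end of the hunk, and the Opera entries in the etc/client-simulation.wiresharked.txt hunk, which runs beyond the visible part of the patch, show the same `service` value.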
@@ -105,7 +105,51 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 78 (Win 10)") + short+=("chrome_78_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc030332e6eabb5d4b9818074f79423b0a9cde127a309671fcf0d0420bdb68f98bbc9320085a3e18e8e5cf4060c1e7065523d344f09186ffb835c10095df30b1611bc49a0022eaea130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001912a2a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020e0a5bb30a2a14bc13685b4a19ba59628aad22b761dceb63a9dcfa10475f84260002d00020101002b000b0a0a0a0304030303020301001b00030200025a5a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + 
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Chrome 79 (Win 10)") + short+=("chrome_79_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc03032f8eea63ff25d05264565777081b6d1a326e12f37751c33c7e953973af65b2ab20a62f96b75b1c41454679b64cd32fb0fbbf99ff019501d92184d589a529c21c590022caca130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001917a7a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020465dfa0295bf9cd3578d2f23bbfdf58d6468c5dd0c071f0b7c6bb92fc507685b002d00020101002b000b0ababa0304030303020301001b00030200029a9a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl3 -no_ssl2") + 
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -199,6 +243,50 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("Opera 65 (Win 10)") + short+=("opera_65_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc03039eee8c108ed7b040285658cddb0022e7e1f17bc92084335edf8ad5404fbf424a203bedd34c83b59c3e302af681b449490895335de0d8a0f10d20a0ff610130229b00224a4a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001912a2a000000000014001200000f626c6f67732e6f706572612e636f6d00170000ff01000100000a000a00081a1a001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b00291a1a000100001d0020cc29a9f8b3a69149c38b29ccb7341b98efd1714c3887fc1e84512470f783921a002d00020101002b000b0adada0304030303020301001b0003020002dada000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + 
maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("Opera 66 (Win 10)") + short+=("opera_66_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + sni+=("$SNI") + warning+=("") + handshakebytes+=("1603010200010001fc0303a7ab90aa0987b33da751017bb78958f51bc1aa76e116c21eb4bb0b51a9f88f77203658175a55b25ab41867568b52e8fb8eaf4c8e91ceccf30ae498879e468579b100222a2a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001911a1a000000000014001200000f626c6f67732e6f706572612e636f6d00170000ff01000100000a000a00087a7a001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b00297a7a000100001d0020488d0d07b77098f98cb97ee85ae88b358404a8004633896e5110966ab3c18f66002d00020101002b000b0ababa0304030303020301001b00030200023a3a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + 
maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("OpenSSL 1.1.0j (Debian)") @@ -267,7 +355,7 @@ requiresSha2+=(false) current+=(false) - names+=("Thunderbird ("68.3") + names+=("Thunderbird (68.3)") short+=("thunderbird_68_3_1") ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") From a7b0a04480c4b333e4f59ff4d79ffaae27974006 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 16:26:05 +0100 Subject: [PATCH 06/15] remove redundant lines --- t/02_clientsim_txt_parsable.t | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/t/02_clientsim_txt_parsable.t b/t/02_clientsim_txt_parsable.t index a746931..e0aeb40 100755 --- a/t/02_clientsim_txt_parsable.t +++ b/t/02_clientsim_txt_parsable.t @@ -1,15 +1,12 @@ #!/usr/bin/env perl -# Just a functional test, whether there are any problems on the client side -# Probably we could also inspect the JSON for any problems for -# "id" : "scanProblem" -# "finding" : "Scan interrupted" +# Just a functional test, whether ~/etc/client-simulation.txt +# doesn't have any synatx errors use strict; use Test::More; my $tests = 0; -my $check2run ="--client-simulation -q --ip=one --color 0"; my $fileout=""; # Blacklists we use to trigger an error: my $error_regexp1='(syntax|parse) (e|E)rror'; From 91f8f33a6cfd24122bbf2d032af2c85c98ef4658 Mon Sep 17 00:00:00 2001 
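Review bot: The Opera 65 and Opera 66 entries added in this hunk set `service+=("HTTP,FTP")` and `minDhBits+=(-1)`, while the Chrome 79 (Win 10) entry added just before it, with the same cipher list, uses `service+=("HTTP")` and `minDhBits+=(1024)`. If Opera does not speak FTP over TLS (worth confirming), listing FTP makes the simulation report a result for a service this client never uses, and `service+=("HTTP")` would be the consistent value. Neither cipher list offers a DHE suite, so `minDhBits` has no practical effect here, but the two Chromium-derived families should still agree on it.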
From: Dirk Wetter Date: Mon, 13 Jan 2020 17:36:40 +0100 Subject: [PATCH 07/15] add new basic checks, rename ca_hashes_up_to_date --- t/00_testssl_help.t | 41 ++++++++++++++++ t/01_testssl_banner.t | 47 +++++++++++++++++++ ...up_to_date.t => 05_ca_hashes_up_to_date.t} | 0 3 files changed, 88 insertions(+) create mode 100755 t/00_testssl_help.t create mode 100755 t/01_testssl_banner.t rename t/{01_ca_hashes_up_to_date.t => 05_ca_hashes_up_to_date.t} (100%)
diff --git a/t/00_testssl_help.t b/t/00_testssl_help.t
new file mode 100755
index 0000000..d8dc785
--- /dev/null
+++ b/t/00_testssl_help.t
@@ -0,0 +1,41 @@
+#!/usr/bin/env perl
+
+# Basics: is there a synatx error where alerady bash hiccups on?
+
+use strict;
+use Test::More;
+
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh 2>&1`;
+my $retval=$?;
+
+unlike($fileout, qr/$error_regexp1/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp2/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp3/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp4/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp5/, "");
+$tests++;
+
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+
+done_testing($tests);
+
+
diff --git a/t/01_testssl_banner.t b/t/01_testssl_banner.t
new file mode 100755
index 0000000..7a3ccea
--- /dev/null
+++ b/t/01_testssl_banner.t
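Review bot: All five `unlike` checks in t/00_testssl_help.t pass `""` as the test name, so a failing run does not say which blacklist pattern matched; a name per check, e.g. `unlike($fileout, qr/$error_regexp4/, "no 'command not found' in output");`, would make the TAP output usable. `$retval` holds Perl's raw wait status, so when the `timeout` expires the message prints 31744 rather than exit code 124; comparing against 0 is still correct, but the message reads better as `is($retval, 0, "exit code should be zero: " . ($retval >> 8));`. The file enables `use strict;` but not `use warnings;`. The same points apply to t/01_testssl_banner.t, added in this commit.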
@@ -0,0 +1,47 @@
+#!/usr/bin/env perl
+
+# Basics: is there a synatx error where already bash hiccups on?
+# --banner is equal to --version
+
+use strict;
+use Test::More;
+
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+# my $good_regexp='free software.*USAGE w/o ANY WARRANTY.*OWN RISK.*Using.*ciphers.*built(.*)platform';
+my $good_regexp='free software([\s\S]*)USAGE w/o ANY WARRANTY([\s\S]*)OWN RISK([\s\S]*)Using([\s\S]*)ciphers([\s\S]*)built([\s\S]*)platform';
+
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh --banner 2>&1`;
+my $retval=$?;
+
+unlike($fileout, qr/$error_regexp1/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp2/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp3/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp4/, "");
+$tests++;
+
+unlike($fileout, qr/$error_regexp5/, "");
+$tests++;
+
+like($fileout, qr/$good_regexp/, "");
+$tests++;
+
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+
+done_testing($tests);
+
+
diff --git a/t/01_ca_hashes_up_to_date.t b/t/05_ca_hashes_up_to_date.t
similarity index 100%
rename from t/01_ca_hashes_up_to_date.t
rename to t/05_ca_hashes_up_to_date.t
From 8cc3a5f514f31a6bf38c97233357271370dc890d Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 22:57:10 +0100 Subject: [PATCH 08/15] Add firefox 71 ... and * deprecate openssl 1.0.1 * enable Chrome 74 instead of Chrome 65 --- etc/client-simulation.txt | 30 +++++++++++++++++++++++---- etc/client-simulation.wiresharked.txt | 24 ++++++++++++++++++++- 2 files changed, 49 insertions(+), 5 deletions(-)
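Review bot: `$good_regexp` in t/01_testssl_banner.t wraps every gap in a capturing group, `([\s\S]*)`, although nothing reads the captures; the groups are only there to let the pattern cross newlines. The `/s` modifier does that directly, so the commented-out single-line pattern can be used as written (with `built.*platform` in place of `built(.*)platform`), and the check becomes `like($fileout, qr/$good_regexp/s, "banner shows license and build info");`. That also gives the one positive check in this file a test name instead of `""`.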
diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index bfcf81e..f0998b1 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -741,7 +741,7 @@ minEcdsaBits+=(-1) curves+=("X25519:prime256v1:secp384r1") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("Chrome 70 Win 10") short+=("chrome_70_win10") @@ -806,7 +806,7 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) - current+=(false) + current+=(true) names+=("Chrome 78 (Win 10)") short+=("chrome_78_win10") @@ -1459,7 +1459,7 @@ minEcdsaBits+=(-1) curves+=("X25519:prime256v1:secp384r1:secp521r1") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("Firefox 66 (Win 8.1/10)") short+=("firefox_66_win81") 
@@ -1483,6 +1483,28 @@ requiresSha2+=(false) current+=(true) + names+=("Firefox 71 (Win 10)") + short+=("firefox_71_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030102580100025403036d4532515bff048c5c74cb0d39518c9c02e2dfd4d8ecae6591ee67d29ea62eab20c70c3e8feae9ed79d54914215aab37d3d5b7966a422edc41d2c027f9973d6b160024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a010001e700000014001200000f7777772e6d6f7a696c6c612e6f726700170000ff01000100000a000e000c001d00170018001901000101000b000201000010000e000c02683208687474702f312e310005000501000000000033006b0069001d002005dcfe2c42419119e518fb087071ba68445b825e4f4dd9ddb8679c3011d3e75800170041046bd8e6b1818d3985e55a8514d3ec5091945df5eb48136c3a9f67bb6d6665758ef088520626748d59bba63786c0164b948013e0f8eee0ba425d643b7c5d4bfa8f002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001002900eb00c600c0995b148219e66aca5e58a74de1551ae6c76897f50fc853147cf22db9a937361496395112ab0382a942c95fbd48b787d031ae89a8f23f9b7a56c2a0ed5158e919d2491c003ab7d1ca1944b7e5d068d4e6a0c83d9096e9cb76ad2ac081075551cf4bdbfff1194a71c54bf8f88cbe7c246c728155e92f94015e4c5140ce84087c842033ea00fa92f5bd5b601f9650aee0eb0d000175e447945fd28e1df361c5cce443351fd0f7f13cb6cab2e2cc8c3951eb4367dc5004415ab6c3cf0adbca1e3be4f149f74100212008a1f3195cd13d7b4386acd47cdfae0afad06cf8d245744e815ec6989e3cdd6c") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + 
lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(1023) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) + current+=(true) + names+=("IE 6 XP") short+=("ie_6_xp") ciphers+=("RC4-MD5:RC4-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC3-MD5:RC2-CBC-MD5:DES-CBC-SHA:DES-CBC-MD5:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA") @@ -2642,7 +2664,7 @@ names+=("Opera 66 (Win 10)") minEcdsaBits+=(-1) curves+=("sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1:sect193r1:sect193r2:secp192k1:prime192v1:sect163k1:sect163r1:sect163r2:secp160k1:secp160r1:secp160r2") requiresSha2+=(false) - current+=(true) + current+=(false) names+=("OpenSSL 1.0.2e") short+=("openssl_102e") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index ca4a3ed..2b9b4d2 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -113,7 +113,7 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) - current+=(false) + current+=(true) names+=("Chrome 78 (Win 10)") short+=("chrome_78_win10") 
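Review bot: The `handshakebytes` value added for Firefox 71 (Win 10) ends with a pre_shared_key extension (`002900eb00c600c0…`, extension type 41), so this ClientHello was captured on a resumed connection and carries a session-ticket identity and binder from the capturing browser's earlier session with the host in the SNI bytes (`7777772e6d6f7a696c6c612e6f7267`, www.mozilla.org). If the bytes are replayed as captured, the simulation offers a stale PSK to every scanned server, which is not what a first connection from this client looks like, and session-bound material ends up in the repository. Re-capturing from a fresh profile, or after clearing the TLS session cache, gives a hello without extension 41; the capture instructions in etc/client-simulation.wiresharked.md could mention that step next to the existing SNI privacy remark. The identical entry is added to etc/client-simulation.wiresharked.txt in the same commit.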
@@ -181,6 +181,28 @@ requiresSha2+=(false) current+=(true) + names+=("Firefox 71 (Win 10)") + short+=("firefox_71_win10") + ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030102580100025403036d4532515bff048c5c74cb0d39518c9c02e2dfd4d8ecae6591ee67d29ea62eab20c70c3e8feae9ed79d54914215aab37d3d5b7966a422edc41d2c027f9973d6b160024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a010001e700000014001200000f7777772e6d6f7a696c6c612e6f726700170000ff01000100000a000e000c001d00170018001901000101000b000201000010000e000c02683208687474702f312e310005000501000000000033006b0069001d002005dcfe2c42419119e518fb087071ba68445b825e4f4dd9ddb8679c3011d3e75800170041046bd8e6b1818d3985e55a8514d3ec5091945df5eb48136c3a9f67bb6d6665758ef088520626748d59bba63786c0164b948013e0f8eee0ba425d643b7c5d4bfa8f002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001002900eb00c600c0995b148219e66aca5e58a74de1551ae6c76897f50fc853147cf22db9a937361496395112ab0382a942c95fbd48b787d031ae89a8f23f9b7a56c2a0ed5158e919d2491c003ab7d1ca1944b7e5d068d4e6a0c83d9096e9cb76ad2ac081075551cf4bdbfff1194a71c54bf8f88cbe7c246c728155e92f94015e4c5140ce84087c842033ea00fa92f5bd5b601f9650aee0eb0d000175e447945fd28e1df361c5cce443351fd0f7f13cb6cab2e2cc8c3951eb4367dc5004415ab6c3cf0adbca1e3be4f149f74100212008a1f3195cd13d7b4386acd47cdfae0afad06cf8d245744e815ec6989e3cdd6c") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + 
lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP,FTP") + minDhBits+=(1023) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") + requiresSha2+=(false) + current+=(true) + names+=("Java 11.0.2 (OpenJDK)") short+=("java1102") ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA") From 89275f7ea92da7c324198ab4cd91d6be0bccfb0c Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 23:00:10 +0100 Subject: [PATCH 09/15] Redefine numbering scheme --- t/Readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/t/Readme.md b/t/Readme.md index 7cfb01e..56ba9c5 100644 --- a/t/Readme.md +++ b/t/Readme.md @@ -1,6 +1,7 @@ ### Naming scheme -* 00-09: Does the reporting work at all? +* 00-05: Does the bare testssl.sh work at all? +* 06-09: Does the reporting work at all? * 20-39: Do scans work fine (client side)? * 50-69: Are the results what I expect (server side)? 
From 56e6fa4bb7a02ecb91e994983cea4e54f172172a Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 23:11:59 +0100 Subject: [PATCH 10/15] Remove FTP as a "service" from Firefox' client simulation ... as firefox never supported FTP over TLS or SSL, see https://bugzilla.mozilla.org/show_bug.cgi?id=85464 In general browsers tend to remove noaways cleartext FTP from browsers. --- etc/client-simulation.txt | 62 +++++++++++++-------------- etc/client-simulation.wiresharked.txt | 4 +- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index f0998b1..4f348a1 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -863,7 +863,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -884,7 +884,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -905,7 +905,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -926,7 +926,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -947,7 +947,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -968,7 +968,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -989,7 +989,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1010,7 +1010,7 @@ tlsvers+=("-tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0301") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1031,7 +1031,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1052,7 +1052,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1073,7 +1073,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1094,7 +1094,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1115,7 +1115,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1136,7 +1136,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0300") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1157,7 +1157,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -1178,7 +1178,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1199,7 +1199,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1220,7 +1220,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1241,7 +1241,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1262,7 +1262,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1283,7 +1283,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1304,7 +1304,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1325,7 +1325,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1346,7 +1346,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -1367,7 +1367,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1388,7 +1388,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1409,7 +1409,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1430,7 +1430,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1451,7 +1451,7 @@ tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1473,7 +1473,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) @@ -1495,7 +1495,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 2b9b4d2..6d9184c 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -171,7 +171,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) 
@@ -193,7 +193,7 @@ lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") - service+=("HTTP,FTP") + service+=("HTTP") minDhBits+=(1023) maxDhBits+=(-1) minRsaBits+=(-1) From 58498583c994c8d80436c029c02d92bf193cd25f Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 23:50:14 +0100 Subject: [PATCH 11/15] Modified LFs --- t/01_testssl_banner.t | 2 +- t/05_ca_hashes_up_to_date.t | 6 +++--- t/07_isJSON_valid.t | 12 +++++++----- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/t/01_testssl_banner.t b/t/01_testssl_banner.t index 7a3ccea..a60ba42 100755 --- a/t/01_testssl_banner.t +++ b/t/01_testssl_banner.t @@ -17,7 +17,7 @@ my $error_regexp5='(syntax error|unexpected token)'; # my $good_regexp='free software.*USAGE w/o ANY WARRANTY.*OWN RISK.*Using.*ciphers.*built(.*)platform'; my $good_regexp='free software([\s\S]*)USAGE w/o ANY WARRANTY([\s\S]*)OWN RISK([\s\S]*)Using([\s\S]*)ciphers([\s\S]*)built([\s\S]*)platform'; -printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no error ..."; +printf "\n%s\n", "Testing whether just calling \"./testssl.sh --banner\" produces no error ..."; $fileout = `timeout 10 bash ./testssl.sh --banner 2>&1`; my $retval=$?; diff --git a/t/05_ca_hashes_up_to_date.t b/t/05_ca_hashes_up_to_date.t index 722a312..33d64b8 100755 --- a/t/05_ca_hashes_up_to_date.t +++ b/t/05_ca_hashes_up_to_date.t @@ -3,7 +3,7 @@ use strict; use Test::More tests => 1; - +printf "\n%s\n", "Testing whether CA certificates are newer than \"~/etc/ca_hashes.txt\" ..."; my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; -is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh"); -done_testing; \ No newline at end of file +is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh"); +done_testing; 
diff --git a/t/07_isJSON_valid.t b/t/07_isJSON_valid.t index b6b3399..9acd953 100755 --- a/t/07_isJSON_valid.t +++ b/t/07_isJSON_valid.t @@ -21,8 +21,10 @@ die "Unable to open $prg" unless -f $prg; my $uri="cloudflare.com"; +printf "\n%s", "Unit testing JSON output ..."; + #1 -printf "\n%s\n", "Unit testing plain JSON output --> $uri ..."; +printf "%s\n", ".. plain JSON output --> $uri "; $out = `./testssl.sh $check2run --jsonfile tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -31,7 +33,7 @@ is(@errors,0,"no errors"); $tests++; #2 -printf "\n%s\n", "Unit testing pretty JSON output --> $uri ..."; +printf "%s\n", ".. pretty JSON output --> $uri "; $out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -43,7 +45,7 @@ $tests++; #3 # This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. # but the output should be fine. The idea is to have a unit test for a failed connection. -printf "\n%s\n", "Checking plain JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. plain JSON output for a failed run '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -53,7 +55,7 @@ $tests++; #4 # Same as above but with pretty JSON -printf "\n%s\n", "Checking pretty JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. pretty JSON output for a failed run '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -63,7 +65,7 @@ $tests++; #5 my $uri = "smtp-relay.gmail.com:587"; -printf "\n%s\n", " Unit testing plain JSON output --> $uri ..."; +printf "%s\n", " .. plain JSON output --> $uri ..."; $out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`; $json = json('tmp.json'); unlink 'tmp.json'; 
From 331b5cb750641eb83f7963e2f8618123f9e4caa5 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jan 2020 17:38:02 +0100 Subject: [PATCH 12/15] Output changes * add TLS_EMPTY_RENEGOTIATION_INFO_SCSV in screen output * remove trailing ":" to be sure no one copies it, see also #1440 --- utils/hexstream2cipher.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/utils/hexstream2cipher.sh b/utils/hexstream2cipher.sh index d346499..1f67180 100755 --- a/utils/hexstream2cipher.sh +++ b/utils/hexstream2cipher.sh @@ -17,7 +17,11 @@ for ((i=0; i $grepstr --> " cip=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }') - echo $cip + if [[ $grepstr == 0x00,0xff ]]; then + echo TLS_EMPTY_RENEGOTIATION_INFO_SCSV + else + echo $cip + fi if "$first"; then ciphers="$cip" first=false @@ -27,4 +31,4 @@ for ((i=0; i Date: Tue, 14 Jan 2020 18:02:43 +0100 Subject: [PATCH 13/15] Update openssl handshakes to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1 are disabled now, looking at the supported version extension. However on the command line an s_client connect works. So this commit need to be amended. --- etc/client-simulation.txt | 48 +++++++++++++++++++++++++-- etc/client-simulation.wiresharked.txt | 46 ++++++++++++++++++++++++- 2 files changed, 91 insertions(+), 3 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 4f348a1..397c38c 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt 
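Review bot: The new test `[[ $grepstr == 0x00,0xff ]]` in utils/hexstream2cipher.sh is case-sensitive, whereas the lookup on the line before it uses `grep -i`. How `grepstr` is built is not visible in this hunk, but if it can carry upper-case hex digits the SCSV label is silently skipped for `0x00,0xFF`. Lower-casing the value keeps both paths consistent (bash 4 or later): `if [[ ${grepstr,,} == 0x00,0xff ]]; then`. In the `else` branch, `echo $cip` is safer quoted as `echo "$cip"`. The enclosing `for` loop starts and ends outside the hunk.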
@@ -2696,7 +2696,29 @@ names+=("Opera 66 (Win 10)") handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_2 -tls1_1 -tls1") - lowest_protocol+=("0x0300") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp521r1:secp384r1") + requiresSha2+=(false) + current+=(false) + + names+=("OpenSSL 1.1.0l (Debian)") + short+=("openssl_110l") + ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("") + sni+=("$SNI") + warning+=("") + 
handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") highest_protocol+=("0x0303") alpn+=("h2,http/1.1") service+=("ANY") 
@@ -2718,7 +2740,29 @@ names+=("Opera 66 (Win 10)") handshakebytes+=("160301012d010001290303ac67ab7c72eea2e0f68615f02c9e566ed4a3bb0022c2ca1db7615acfb9dedd0120415470391af467e708e8983b134defcb4f4855e774606ae8223265af0fbb802a003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000a200000013001100000e7465737473736c2e73683a343433000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020b4556edddf807eb6b6bbcd61e25775a3992dd6f5caeee76d37f8895436efc972") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") - lowest_protocol+=("0x0300") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") + requiresSha2+=(true) + current+=(false) + + names+=("OpenSSL 1.1.1d (Debian)") + short+=("openssl_111d") + ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + sni+=("$SNI") + warning+=("") + 
handshakebytes+=("16030101290100012503036f18cf85cf24e3676f0e79a3503aa9feefc961e3baed7b00fd876a2c6d2395b3205f4fb8769aa1e5279b848b3f35bec3d7aa9966595d22ebcd35e72f79b9d9fcc9003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100009e0000000f000d00000a7465737473736c2e7368000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020a12c2f7e04adcb76ce5eb8b05cf631e7cdf46f5e28cbe86a676d704098507b40") + protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 6d9184c..2601325 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt 
@@ -331,6 +331,28 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp521r1:secp384r1") requiresSha2+=(false) + current+=(false) + + names+=("OpenSSL 1.1.0l (Debian)") + short+=("openssl_110l") + ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("") + sni+=("$SNI") + warning+=("") + handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0303") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:secp521r1:secp384r1") + requiresSha2+=(false) current+=(true) names+=("OpenSSL 1.1.1b (Debian)") 
@@ -342,6 +364,28 @@ handshakebytes+=("160301012d010001290303ac67ab7c72eea2e0f68615f02c9e566ed4a3bb0022c2ca1db7615acfb9dedd0120415470391af467e708e8983b134defcb4f4855e774606ae8223265af0fbb802a003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000a200000013001100000e7465737473736c2e73683a343433000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020b4556edddf807eb6b6bbcd61e25775a3992dd6f5caeee76d37f8895436efc972") protos+=("-no_ssl2 -no_ssl3") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") + requiresSha2+=(true) + current+=(false) + + names+=("OpenSSL 1.1.1d (Debian)") + short+=("openssl_111d") + ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + sni+=("$SNI") + warning+=("") + 
handshakebytes+=("16030101290100012503036f18cf85cf24e3676f0e79a3503aa9feefc961e3baed7b00fd876a2c6d2395b3205f4fb8769aa1e5279b848b3f35bec3d7aa9966595d22ebcd35e72f79b9d9fcc9003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100009e0000000f000d00000a7465737473736c2e7368000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020a12c2f7e04adcb76ce5eb8b05cf631e7cdf46f5e28cbe86a676d704098507b40") + protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1") + tlsvers+=("-tls1_3 -tls1_2") lowest_protocol+=("0x0300") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") @@ -351,7 +395,7 @@ minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) - curves+=("X25519:secp256r1:X448:secp521r1:secp384r1") + curves+=("X25519:secp256r1:x448:secp521r1:secp384r1") requiresSha2+=(true) current+=(true) From 13aa6aa433b8b6ef116ab73e6a9ad8d4f8be6a7c Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jan 2020 18:17:44 +0100 Subject: [PATCH 14/15] Readd TLS 1.0 and TLS 1.1 to openssl 1.1.1d (Debian) ... see previous commit --- etc/client-simulation.txt | 6 +++--- etc/client-simulation.wiresharked.txt | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 397c38c..b4afc9f 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt 
@@ -2760,9 +2760,9 @@ names+=("Opera 66 (Win 10)") sni+=("$SNI") warning+=("") handshakebytes+=("16030101290100012503036f18cf85cf24e3676f0e79a3503aa9feefc961e3baed7b00fd876a2c6d2395b3205f4fb8769aa1e5279b848b3f35bec3d7aa9966595d22ebcd35e72f79b9d9fcc9003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100009e0000000f000d00000a7465737473736c2e7368000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020a12c2f7e04adcb76ce5eb8b05cf631e7cdf46f5e28cbe86a676d704098507b40") - protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1") - tlsvers+=("-tls1_3 -tls1_2") - lowest_protocol+=("0x0303") + protos+=("-no_ssl2 -no_ssl3") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 2601325..321ddd6 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt 
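Review bot: In etc/client-simulation.txt the restored `tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")` and `lowest_protocol+=("0x0301")` now disagree with the `handshakebytes` kept on the same entry, whose supported_versions extension (`002b00050403040303`) offers only 0x0304 and 0x0303. The commit messages justify this with a working s_client connect, but the entry itself carries no trace of that, and the entry starts outside the hunk. A comment next to these lines would keep the reasoning with the data, for example `# supported_versions in the capture lists only TLS 1.3/1.2; TLS 1.0/1.1 kept because an s_client connect succeeded`. If that connect depended on the local OpenSSL configuration, which cannot be judged from the page, the simulation could report legacy-protocol connections that the packaged client would refuse, so the test conditions are worth recording too.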
@@ -385,8 +385,8 @@ warning+=("") handshakebytes+=("16030101290100012503036f18cf85cf24e3676f0e79a3503aa9feefc961e3baed7b00fd876a2c6d2395b3205f4fb8769aa1e5279b848b3f35bec3d7aa9966595d22ebcd35e72f79b9d9fcc9003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100009e0000000f000d00000a7465737473736c2e7368000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020a12c2f7e04adcb76ce5eb8b05cf631e7cdf46f5e28cbe86a676d704098507b40") protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1") - tlsvers+=("-tls1_3 -tls1_2") - lowest_protocol+=("0x0300") + tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") + lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") From 8d864aba2e1300c2f6838b487d68ab5b8fcdca96 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jan 2020 18:44:11 +0100 Subject: [PATCH 15/15] Output adjustments closer to a more common format --- t/00_testssl_help.t | 11 ++++++----- t/01_testssl_banner.t | 13 +++++++------ t/02_clientsim_txt_parsable.t | 5 +++-- t/05_ca_hashes_up_to_date.t | 9 ++++++--- t/07_isJSON_valid.t | 14 +++++++------- t/08_isHTML_valid.t | 12 +++++++----- t/09_isJSON_severitylevel_valid.t | 8 ++++++-- 7 files changed, 42 insertions(+), 30 deletions(-) diff --git a/t/00_testssl_help.t b/t/00_testssl_help.t index d8dc785..8495cd5 100755 --- a/t/00_testssl_help.t +++ b/t/00_testssl_help.t 
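Review bot: In etc/client-simulation.wiresharked.txt the context line `protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1")` is left untouched, while the matching hunk for etc/client-simulation.txt in this same commit resets it to `protos+=("-no_ssl2 -no_ssl3")`. After this commit the two copies of the OpenSSL 1.1.1d entry differ, and the leftover value no longer fits the `tlsvers` line changed directly below it. This hunk should replace the line as well, with `protos+=("-no_ssl2 -no_ssl3")`. Since the instructions file says the content is carried over to client-simulation.txt by hand, a divergence like this is likely to be copied back on the next update.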
@@ -18,24 +18,25 @@ printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no erro $fileout = `timeout 10 bash ./testssl.sh 2>&1`; my $retval=$?; -unlike($fileout, qr/$error_regexp1/, ""); +unlike($fileout, qr/$error_regexp1/, "regex 1"); $tests++; -unlike($fileout, qr/$error_regexp2/, ""); +unlike($fileout, qr/$error_regexp2/, "regex 2"); $tests++; -unlike($fileout, qr/$error_regexp3/, ""); +unlike($fileout, qr/$error_regexp3/, "regex 3"); $tests++; -unlike($fileout, qr/$error_regexp4/, ""); +unlike($fileout, qr/$error_regexp4/, "regex 4"); $tests++; -unlike($fileout, qr/$error_regexp5/, ""); +unlike($fileout, qr/$error_regexp5/, "regex 5"); $tests++; is($retval, 0, "return value should be equal zero: \"$retval\""); $tests++; +printf "\n"; done_testing($tests); diff --git a/t/01_testssl_banner.t b/t/01_testssl_banner.t index a60ba42..4eccadd 100755 --- a/t/01_testssl_banner.t +++ b/t/01_testssl_banner.t @@ -21,27 +21,28 @@ printf "\n%s\n", "Testing whether just calling \"./testssl.sh --banner\" produce $fileout = `timeout 10 bash ./testssl.sh --banner 2>&1`; my $retval=$?; -unlike($fileout, qr/$error_regexp1/, ""); +unlike($fileout, qr/$error_regexp1/, "regex 1"); $tests++; -unlike($fileout, qr/$error_regexp2/, ""); +unlike($fileout, qr/$error_regexp2/, "regex 2"); $tests++; -unlike($fileout, qr/$error_regexp3/, ""); +unlike($fileout, qr/$error_regexp3/, "regex 3"); $tests++; -unlike($fileout, qr/$error_regexp4/, ""); +unlike($fileout, qr/$error_regexp4/, "regex 4"); $tests++; -unlike($fileout, qr/$error_regexp5/, ""); +unlike($fileout, qr/$error_regexp5/, "regex 5"); $tests++; -like($fileout, qr/$good_regexp/, ""); +like($fileout, qr/$good_regexp/, "regex positive"); $tests++; is($retval, 0, "return value should be equal zero: \"$retval\""); $tests++; +printf "\n"; done_testing($tests); diff --git a/t/02_clientsim_txt_parsable.t b/t/02_clientsim_txt_parsable.t index e0aeb40..f947db0 100755 --- a/t/02_clientsim_txt_parsable.t 
+++ b/t/02_clientsim_txt_parsable.t @@ -14,12 +14,13 @@ my $error_regexp2='client-simulation.txt:'; printf "\n%s\n", "Testing whether \"~/etc/client-simulation.txt\" isn't broken ..."; $fileout = `bash ./etc/client-simulation.txt 2>&1`; -unlike($fileout, qr/$error_regexp1/, ""); +unlike($fileout, qr/$error_regexp1/, "regex 1"); $tests++; -unlike($fileout, qr/$error_regexp2/, ""); +unlike($fileout, qr/$error_regexp2/, "regex 2"); $tests++; +printf "\n"; done_testing($tests); diff --git a/t/05_ca_hashes_up_to_date.t b/t/05_ca_hashes_up_to_date.t index 33d64b8..ece53b5 100755 --- a/t/05_ca_hashes_up_to_date.t +++ b/t/05_ca_hashes_up_to_date.t @@ -1,9 +1,12 @@ #!/usr/bin/env perl use strict; -use Test::More tests => 1; +use Test::More; + +printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ..."; -printf "\n%s\n", "Testing whether CA certificates are newer than \"~/etc/ca_hashes.txt\" ..."; my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; -is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh"); +is($newer_bundles,"","If there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\""); + +printf "\n"; done_testing; diff --git a/t/07_isJSON_valid.t b/t/07_isJSON_valid.t index 9acd953..abba0f4 100755 --- a/t/07_isJSON_valid.t +++ b/t/07_isJSON_valid.t @@ -21,10 +21,10 @@ die "Unable to open $prg" unless -f $prg; my $uri="cloudflare.com"; -printf "\n%s", "Unit testing JSON output ..."; +printf "\n%s\n", "Unit testing JSON output ..."; #1 -printf "%s\n", ".. plain JSON output --> $uri "; +printf "%s\n", ".. plain JSON --> $uri "; $out = `./testssl.sh $check2run --jsonfile tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; 
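Review bot: In t/05_ca_hashes_up_to_date.t the new banner reads "newer their SPKI hashes", which drops the word "than", and the new assertion text names only the remedy, not the condition that failed. Suggested wording: `printf "\n%s\n", "Testing whether CA certificates are newer than their SPKI hashes in \"~/etc/ca_hashes.txt\" ...";` and `is($newer_bundles,"","no CA bundle is newer than etc/ca_hashes.txt (otherwise run utils/create_ca_hashes.sh)");`. The context lines also show `use strict;` without `use warnings;`, which would be a cheap addition while the header is being edited.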
@@ -33,7 +33,7 @@ is(@errors,0,"no errors"); $tests++; #2 -printf "%s\n", ".. pretty JSON output --> $uri "; +printf "%s\n", ".. pretty JSON --> $uri "; $out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -45,7 +45,7 @@ $tests++; #3 # This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. # but the output should be fine. The idea is to have a unit test for a failed connection. -printf "%s\n", ".. plain JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -55,7 +55,7 @@ $tests++; #4 # Same as above but with pretty JSON -printf "%s\n", ".. pretty JSON output for a failed run '--mx $uri' ..."; +printf "%s\n", ".. pretty JSON for a failed run '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -65,7 +65,7 @@ $tests++; #5 my $uri = "smtp-relay.gmail.com:587"; -printf "%s\n", " .. plain JSON output --> $uri ..."; +printf "%s\n", " .. plain JSON and STARTTLS --> $uri ..."; $out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -73,7 +73,7 @@ unlink 'tmp.json'; is(@errors,0,"no errors"); $tests++; - +printf "\n"; done_testing($tests); sub json($) { diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t index 3319818..f8877a8 100755 --- a/t/08_isHTML_valid.t +++ b/t/08_isHTML_valid.t 
@@ -18,8 +18,10 @@ my $check2run="--color 0 --htmlfile tmp.html"; die "Unable to open $prg" unless -f $prg; +printf "\n%s\n", "Doing HTML output checks"; + #1 -printf "\n%s\n", "Running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes) ..."; +printf "%s\n", " .. running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes)"; # specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH $out = `TERM_WIDTH=120 $prg $check2run $uri`; $html = `cat tmp.html`; @@ -41,12 +43,12 @@ $edited_html =~ s/>/>/g; $edited_html =~ s/"/"/g; $edited_html =~ s/'/'/g; -printf "\n%s\n", "Comparing HTML and terminal outputs"; +printf "\n%s\n", " .. comparing HTML and terminal outputs"; cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output"); $tests++; #2 -printf "\n%s\n", "Running $prg against $uri with --debug 4 to create HTML output (may take 2~3 minutes)"; +printf "\n%s\n", " .. running $prg against $uri with --debug 4 to create HTML output (may take another 2~3 minutes)"; # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages $out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`; $debughtml = `cat tmp.html`; @@ -66,9 +68,9 @@ $debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew $debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g; -printf "\n%s\n", "Checking that using the --debug option doesn't affect the HTML file"; +printf "\n%s\n", " .. checking that using the --debug option doesn't affect the HTML file"; cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); $tests++; -printf "\n%s\n"; +printf "\n"; done_testing($tests); diff --git a/t/09_isJSON_severitylevel_valid.t b/t/09_isJSON_severitylevel_valid.t index b933b4b..ab78d94 100755 --- a/t/09_isJSON_severitylevel_valid.t +++ b/t/09_isJSON_severitylevel_valid.t 
@@ -15,8 +15,11 @@ my ( $tests = 0; + +printf "\n%s\n", "Doing severity level checks"; + #1 -pass("Running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; +pass(" .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; $out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`; $json = json('tmp.json'); unlink 'tmp.json'; @@ -31,7 +34,7 @@ foreach my $f ( @$json ) { is($found,0,"We should not have any finding with INFO level"); $tests++; #2 -pass("Running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; +pass(" .. running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; $out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`; $json_pretty = json('tmp.json'); unlink 'tmp.json'; @@ -45,6 +48,7 @@ foreach my $f ( @$vulnerabilities ) { } is($found,0,"We should not have any finding with INFO level"); $tests++; +printf "\n"; done_testing($tests); sub json($) {
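Review bot: In t/09_isJSON_severitylevel_valid.t the progress line at #1 is still emitted through `pass(...)` followed by `$tests++`, so an announcement printed before testssl.sh has run is counted as a passed test; the #2 hunk does the same. The other test files touched by this commit print such lines with `printf`, and doing so here keeps the count equal to the number of real assertions: `printf "%s\n", " .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)";` with the trailing `$tests++` dropped. Test::More's `note()` is an alternative if the text should stay inside the TAP stream.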