From 71b4c032025a2bc74183b769f4cd5d1b332fd67a Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 20 Feb 2016 11:07:47 +0100 Subject: [PATCH 1/5] - fix key problem hpkp --- testssl.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index 74de473..a7fab53 100755 --- a/testssl.sh +++ b/testssl.sh @@ -985,10 +985,13 @@ run_hpkp() { fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fi - [[ -s "$HOSTCERT" ]] || get_host_cert - # get the key fingerprints + if [[ ! -s "$HOSTCERT" ]]; then + get_host_cert || return 1 + fi + # get the key fingerprint from the host certificate hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" + # compare it with the ones provided in the header while read hpkp_key; do if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then out "\n$spaces matching host key: " @@ -2626,14 +2629,16 @@ cipher_pref_check() { get_host_cert() { local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE - $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null $tmpdir + $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null $tmpvar if sclient_connect_successful $? $tmpvar; then awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT + return 0 else + pr_litemagentaln "could not retrieve host certificate!" return 1 fi - tmpfile_handle $FUNCNAME.txt - # return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]})) + #tmpfile_handle $FUNCNAME.txt + #return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]})) } verify_retcode_helper() { From 583584e095e418a5b22ab37e006b5c3a8e54b3ab Mon Sep 17 00:00:00 2001 
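Review bot: In the run_hpkp hunk, the new `get_host_cert || return 1` leaves the function without writing any `fileout` record, so machine-readable output carries no trace that the pin comparison was skipped. Something like `get_host_cert || { fileout "<hpkp_finding_id>" "INFO" "host certificate not retrievable, pins not compared"; return 1; }` would close that gap (the id is a placeholder). The `-s` guard also only proves the file is non-empty: if `$OPENSSL x509` cannot parse it, the pipeline still emits the digest of empty input and the loop presumably ends in a plain mismatch. Checking that the extracted public key is non-empty before hashing would make that failure visible. run_hpkp starts and ends outside this hunk.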
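Review bot: In get_host_cert, the added `return 0` reports success as soon as the handshake succeeded, without checking that `awk` actually wrote a certificate to `$HOSTCERT`; a session whose output holds no PEM block would leave an empty file and still return 0. Adding `[[ -s "$HOSTCERT" ]] || return 1` before the `return 0` keeps the caller's `|| return 1` meaningful. With both branches returning and `tmpfile_handle` now commented out, `$tmpvar` is no longer passed to `tmpfile_handle` on any path; calling it before each `return` would restore that. `$tmpvar` and `$HOSTCERT` are also unquoted in the redirections and the `awk` call.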
From: Dirk
Date: Sat, 20 Feb 2016 14:10:04 +0100
Subject: [PATCH 2/5] - FIX #297 - FIX #243 - reformmated BEAST a bit (was screwed up in ! WIDE mode if too many ciphers
---
testssl.sh | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index a7fab53..d3e9076 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4935,9 +4935,11 @@ run_beast(){ local continued=false local cbc_cipher_list="EXP-RC2-CBC-MD5:IDEA-CBC-SHA:EXP-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-SHA:EXP-DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DH-DSS-DES-CBC3-SHA:EXP-DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-RSA-DES-CBC3-SHA:EXP-EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EXP-ADH-DES-CBC-SHA:ADH-DES-CBC-SHA:ADH-DES-CBC3-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC-MD5:KRB5-DES-CBC3-MD5:KRB5-IDEA-CBC-MD5:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:AES128-SHA:DH-DSS-AES128-SHA:DH-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES128-SHA:AES256-SHA:DH-DSS-AES256-SHA:DH-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ADH-AES256-SHA:AES128-SHA256:AES256-SHA256:DH-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:EXP1024-DES-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:DHE-RSA-AES128-SHA256:DH-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA256:CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA:SEED-SHA:DH-DSS-SEED-SHA:DH-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-SEED-SHA:ADH-SEED-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AECDH-DES-CBC3-SHA:AECDH-AES128-SHA:AECDH-AES256-SHA:SRP-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP
-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-SHA384:RC2-CBC-MD5:EXP-RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC3-MD5" - if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then + if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then outln pr_headlineln " Testing for BEAST vulnerability " + fi + if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then outln fi pr_bold " BEAST"; out " (CVE-2011-3389) " @@ -4973,8 +4975,10 @@ run_beast(){ sclient_connect_successful $? $TMPFILE || continue if "$WIDE"; then - outln "\n $(toupper $proto):"; - neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side + out "\n "; pr_underline "$(toupper $proto):\n"; + if "$first"; then + neat_header # NOT_THAT_NICE: we display the header also if in the end no cbc cipher is available on the client side + fi fi for ciph in $(colon_to_spaces "$cbc_cipher_list"); do read hexcode dash cbc_cipher sslvers kx auth enc mac < <($OPENSSL ciphers -V "$ciph" 2>>$ERRFILE) # -V doesn't work with openssl < 1.0 @@ -4982,7 +4986,7 @@ run_beast(){ $OPENSSL s_client -cipher "$cbc_cipher" -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>>$ERRFILE $TMPFILE 2>$ERRFILE Date: Sat, 20 Feb 2016 21:46:17 +0100 Subject: [PATCH 3/5] - fix #296 (no recent regression as assumed) --- testssl.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/testssl.sh b/testssl.sh index d3e9076..9174392 100755 --- a/testssl.sh +++ b/testssl.sh 
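Review bot: In the second run_beast hunk, `if "$first"; then` executes the contents of `first` as a command, so the test is only sound while the variable holds exactly `true` or `false`; neither its declaration nor the place where it is reset is visible in these hunks. A string comparison such as `if [[ "$first" == true ]]; then` evaluates to false on an unset or unexpected value instead of trying to run it as a command name. The added `pr_underline` line also passes `$proto` unquoted to `toupper`; `"$(toupper "$proto"):\n"` would tidy that up.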
@@ -3404,7 +3404,7 @@ run_server_defaults() { # http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html run_pfs() { local -i sclient_success - local -i pfs_offered=1 + local pfs_offered=false local tmpfile local dhlen local hexcode dash pfs_cipher sslvers kx auth enc mac @@ -3436,12 +3436,12 @@ run_pfs() { pr_brownln "Not OK: No ciphers supporting Forward Secrecy offered" fileout "pfs" "NOT OK" "(Perfect) Forward Secrecy : Not OK: No ciphers supporting Forward Secrecy offered" else - pfs_offered=0 + pfs_offered=true pfs_ciphers="" pr_litegreen " PFS is offered (OK)" fileout "pfs" "OK" "(Perfect) Forward Secrecy : PFS is offered (OK)" if $WIDE; then - outln ", ciphers follow (client/browser support is here specially important) \n" + outln ", ciphers follow (client/browser support is important here) \n" neat_header else out " " @@ -3451,7 +3451,8 @@ run_pfs() { $OPENSSL s_client -cipher $pfs_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI &>$tmpfile Date: Mon, 22 Feb 2016 10:44:43 +0100 Subject: [PATCH 4/5] - fix: relative redirect led to fp (https) --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 9174392..8d782fd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -720,7 +720,7 @@ run_http_header() { 301|302|307|308) redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n') out ", redirecting to \"$redirect\"" - if [[ $redirect != "https://"* ]]; then + if [[ $redirect == "http://"* ]]; then pr_litered " -- Redirect to insecure URL (NOT ok)" fileout "status_code" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" fi @@ -6780,4 +6780,4 @@ fi exit $? -# $Id: testssl.sh,v 1.466 2016/02/20 20:46:16 dirkw Exp $ +# $Id: testssl.sh,v 1.467 2016/02/22 09:44:42 dirkw Exp $ From 53e76b0545a753f121649783e473b5208788b415 Mon Sep 17 00:00:00 2001 
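Review bot: `pfs_offered` changes from an integer flag (`local -i pfs_offered=1`, set to `0` on success) to the strings `false`/`true` in the first two run_pfs hunks, so every remaining use in the function has to change with it. A leftover numeric test such as `[[ $pfs_offered -eq 0 ]]` would evaluate the word `false` arithmetically as an unset name, i.e. 0, and a leftover `return $pfs_offered` would be rejected as a non-numeric argument. The rest of run_pfs lies outside the visible hunks, so this cannot be confirmed here. A comment at the declaration, e.g. `# true when the server offers at least one forward-secrecy cipher`, would document the new convention.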
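Review bot: In run_http_header, the new comparison `[[ $redirect == "http://"* ]]` is case-sensitive while URI schemes are not, so a `Location: HTTP://…` or `Http://…` downgrade redirect is no longer flagged now that the test is a positive match instead of `!= "https://"*`. A pattern that does not depend on bash 4 case conversion is `if [[ $redirect =~ ^[Hh][Tt][Tt][Pp]:// ]]; then`. The context line `grep -a '^Location'` has the same limitation for the header name, which servers may send in any case; `grep -ai '^Location:'` would cover it, with the `sed` expression adjusted to match. run_http_header begins and ends outside the hunk.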
From: Dirk Wetter Date: Tue, 23 Feb 2016 09:08:11 +0100 Subject: [PATCH 5/5] Update Readme.md --- Readme.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 740eca1..11cfd5a 100644 --- a/Readme.md +++ b/Readme.md @@ -45,11 +45,18 @@ Done so far: * Even more compatibilty improvements for FreeBSD, RH-ish and F5 systems * OpenSSL 1.1.0 compliant -Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project. +Update notification here or @ [twitter](https://twitter.com/drwetter). + +####Contributions +Contributions, feedback, bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project. + +There's [coding guide line](https://github.com/drwetter/testssl.sh/wiki/Coding-Style). Please file bug reports @ https://github.com/drwetter/testssl.sh/issues . -Update notification here or @ [twitter](https://twitter.com/drwetter). +####Documentation + +For a start see the [wiki](https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation). Help is needed here. ----