diff --git a/.travis.yml b/.travis.yml
index 950e14b..d1d660b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,5 @@
 language: perl
+dist: bionic
 perl:
 - "5.26"
 addons:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31f0325..36d0236 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 * Several display/output fixes
 * Security fix: DNS input
 * Don't use external pwd anymore
+* STARTTLS: XMPP server support
 * Rating (SSL Labs, not complete)
 
 ### Features implemented / improvements in 3.0
diff --git a/CREDITS.md b/CREDITS.md
index 884d8dd..3c0cd24 100644
--- a/CREDITS.md
+++ b/CREDITS.md
@@ -143,6 +143,9 @@ Full contribution, see git log.
 * Dmitri S
   - inspiration & help for Darwin port
 
+* Jonas Schäfer
+  - XMPP server patch
+
 * Marcin Szychowski
   - Quick'n'dirty client certificate support
 
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index 662cfae..37fb4dc 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -189,7 +189,7 @@ The same can be achieved by setting the environment variable WARNINGSSPECIAL INVOCATIONS -

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

+

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp,xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 4cce65b..63cfa88 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -113,7 +113,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
 
 ### SPECIAL INVOCATIONS
 
-`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
+`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
 
 `--xmpphost ` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.
 
diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t
index 0179e4a..efb795e 100755
--- a/t/25_baseline_starttls.t
+++ b/t/25_baseline_starttls.t
@@ -99,6 +99,13 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
 
+# $uri="jabber.ccc.de:5269";
+# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
+# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
+# # $openssl_json = json('tmp.json');
+# unlike($openssl_out, qr/$openssl_regex_bl/, "");
+# $tests++;
+
 
 $uri="ldap.uni-rostock.de:21";
 
diff --git a/testssl.sh b/testssl.sh
index d5888d7..ba67b8e 100755
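Review bot: The new `-t xmpp-server` code path gets no coverage from this hunk, because the whole S2S block is commented out, so a regression in the xmpp-server STARTTLS handling would pass `t/25_baseline_starttls.t` unnoticed. If the intent is to defer it until the CI OpenSSL supports `-starttls xmpp-server`, I'd gate it rather than comment it out: probe the binary once and `skip` the block when the capability is missing, so the test stays live. The hard-coded `--openssl=/usr/bin/openssl` also bypasses whatever binary the neighbouring `-t xmpp` test runs with; dropping that flag, or taking the path from the environment, keeps the two runs comparable. A one-line comment on the target would help the next reader, e.g. `# 5269 is the XMPP server-to-server port; needs an OpenSSL whose s_client knows -starttls xmpp-server`.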
--- a/testssl.sh
+++ b/testssl.sh
@@ -317,6 +317,7 @@ HAS_NPN=false
 HAS_FALLBACK_SCSV=false
 HAS_PROXY=false
 HAS_XMPP=false
+HAS_XMPP_SERVER=false
 HAS_POSTGRES=false
 HAS_MYSQL=false
 HAS_LMTP=false
@@ -5181,7 +5182,6 @@ run_protocols() {
 5) prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
 fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
 add_proto_offered ssl2 yes
- add_tls_offered ssl2 yes
 set_grade_cap "F" "SSLv2 is offered"
 ;;
 7) prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
@@ -5210,7 +5210,6 @@ run_protocols() {
 latest_supported_string="SSLv3"
 fi
 add_proto_offered ssl3 yes
- add_tls_offered ssl3 yes
 set_grade_cap "B" "SSLv3 is offered"
 ;;
 1) prln_svrty_best "not offered (OK)"
@@ -18214,6 +18213,7 @@ find_openssl_binary() {
 HAS_FALLBACK_SCSV=false
 HAS_PROXY=false
 HAS_XMPP=false
+ HAS_XMPP_SERVER=false
 HAS_POSTGRES=false
 HAS_MYSQL=false
 HAS_LMTP=false
@@ -18298,9 +18298,12 @@ find_openssl_binary() {
 grep -q '\-proxy' $s_client_has && \
 HAS_PROXY=true
 
- grep -q '\-xmpp' $s_client_has && \
+ grep -q 'xmpp' $s_client_starttls_has && \
 HAS_XMPP=true
 
+ grep -q 'xmpp-server' $s_client_starttls_has && \
+ HAS_XMPP_SERVER=true
+
 grep -q 'postgres' $s_client_starttls_has && \
 HAS_POSTGRES=true
 
@@ -18623,6 +18626,7 @@ HAS_PKEY: $HAS_PKEY
 HAS_PKUTIL: $HAS_PKUTIL
 HAS_PROXY: $HAS_PROXY
 HAS_XMPP: $HAS_XMPP
+HAS_XMPP_SERVER: $HAS_XMPP_SERVER
 HAS_POSTGRES: $HAS_POSTGRES
 HAS_MYSQL: $HAS_MYSQL
 HAS_LMTP: $HAS_LMTP
@@ -19811,6 +19815,9 @@ determine_service() {
 fi
 fi
 fi
+ if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
+ fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
+ fi
 elif [[ "$protocol" == postgres ]]; then
 # Check if openssl version supports postgres.
 if ! "$HAS_POSTGRES"; then
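Review bot: `grep -q 'xmpp' $s_client_starttls_has` in find_openssl_binary is a substring match, so it is also satisfied by an `xmpp-server` entry on its own, and the two capability flags are no longer independent: a build that advertised only the server variant would still get HAS_XMPP=true. How `$s_client_starttls_has` is produced is outside the hunk; if it holds one STARTTLS type per line, `grep -qx 'xmpp' $s_client_starttls_has && HAS_XMPP=true` keeps the check exact (note that `-w` would not help here, because the `-` in `xmpp-server` is itself a word boundary). The old `'\-xmpp'` pattern against `$s_client_has` had the same looseness, so this is a pre-existing imprecision the rewrite could cheaply tighten rather than a regression.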
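Review bot: The fatal message in the new xmpp-server guard in determine_service names the wrong capability: `HAS_XMPP_SERVER` is derived from `$s_client_starttls_has` in find_openssl_binary, i.e. from whether `s_client -starttls xmpp-server` is available, not from the `-xmpphost` option, so a user with an older OpenSSL is pointed at a flag that is not the problem. I'd change the line to `fatal "Your $OPENSSL does not support \"-starttls xmpp-server\"" $ERR_OSSLBIN`. The enclosing `if`/`elif` chain starts outside the hunk, so I can't confirm from here that `protocol == xmpp-server` actually enters this branch rather than the unknown-protocol path; worth verifying the branch condition was extended too. A short comment above the new `if`, e.g. `# S2S STARTTLS requires an OpenSSL whose s_client knows -starttls xmpp-server`, would make the intent clear to the next reader.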