Merge branch 'master' into no_version_tolerance_test

David Cooper 2016-10-27 16:51:50 -04:00
commit 95f583322a
10 changed files with 1932 additions and 1378 deletions

2
.gitignore vendored

@ -1 +1,3 @@
.DS_Store .DS_Store
tmp.json
*.bak
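Review bot: ignoring `tmp.json` papers over a cleanup problem rather than fixing it. `tmp.json` is the scratch file the new `t/11_hpkp.t` writes and intends to delete; if it survives test runs often enough to need an ignore entry, the test's cleanup is what should be fixed, and this line kept only as a safety net. `*.bak` is fine.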


@ -26,15 +26,17 @@ cryptographic flaws.
going on and you can change it. going on and you can change it.
* Heck, even the development is open (github) * Heck, even the development is open (github)
#### General #### Status
Here in the master branch you find the stable version 2.8rc2 of the software, it _ _Here in the master branch you find the stable version 2.8rc2 of the software, it
superseds 2.6. Version 2.8 is currently being finalized. The 2.9dev branch is the developemnet superseds 2.6. Version 2.8 is currently being finalized_ _. The 2.9dev branch is the developement
-- with new features and maybe some bugs. For the stable version and **a -- with new features and maybe some bugs. For the stable version and **a
more thorough description of the command line options** please see more thorough description of the command line options** please see
[testssl.sh](https://testssl.sh/ "Go to the site with the stable version [testssl.sh](https://testssl.sh/ "Go to the site with the stable version
and more documentation") or https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation. and more documentation") or https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation.
#### Compatibility
testssl.sh is working on every Linux/BSD distribution out of the box with testssl.sh is working on every Linux/BSD distribution out of the box with
some limitations of disabled features from the openssl client -- some some limitations of disabled features from the openssl client -- some
workarounds are done with bash-socket-based checks. It also works on other workarounds are done with bash-socket-based checks. It also works on other
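Review bot: the spelling errors survive the edit: `superseds` should be `supersedes` and `developement` should be `development` (the old line had yet another variant). More importantly, the new text still says the master branch holds `2.8rc2`, while the `testssl.sh` hunk in this same commit bumps `VERSION` to `2.8rc3`; either update this sentence or drop the version number from the README so the two cannot drift apart. The renamed `#### Status` heading and the new `#### Compatibility` heading are an improvement.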

File diff suppressed because it is too large.


@ -8,11 +8,14 @@ The certificate stores were retrieved by
* Microsoft: For Windows >= 7/2008 Microsoft decided not to provide * Microsoft: For Windows >= 7/2008 Microsoft decided not to provide
a full certificate store by default or via update as all other OS do. a full certificate store by default or via update as all other OS do.
It's being populated with time -- supposed you use e.g. IE while browsing. It's being populated with time -- supposed you use e.g. IE while browsing.
Thus this file is smaller as the others.
This store was destilled from three different windows installations via This store was destilled from three different windows installations via
"certmgr.msc". It's a PKCS7 export of "Trusted Root Certification Authorities" "certmgr.msc". It's a PKCS7 export of "Trusted Root Certification Authorities"
--> "Certificates". and the Third Party Store.
Third Party Root Certificates were for now deliberately omitted.
Feedback is welcome, see #317. Feedback is welcome, see #317.
It's still behind what MS publishes what [should be included](http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx).
Unfortunately there doesn't seem to be store to DL. Let me know if
you have a pointer
* Apple: It comes from Apple OS X keychain app. Open Keychain Access. * Apple: It comes from Apple OS X keychain app. Open Keychain Access.
In the Finder window, under Favorites --> "Applications" --> "Utilities" In the Finder window, under Favorites --> "Applications" --> "Utilities"
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
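Review bot: dropping the sentence about the Windows bundle lagging the Microsoft Trusted Root Program list removes the only statement about how complete that bundle is. Since the text itself says the Windows store is populated lazily, the README should record when the three exports were taken and from which Windows versions, so the resulting bundle can be reproduced and its coverage judged; "three different windows installations" is not enough to do either. Typos in the kept text: `destilled` should be `distilled`, and `supposed you use e.g. IE` should read `provided you use e.g. IE`.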

256
etc/ca_hashes.txt Normal file

@ -0,0 +1,256 @@
+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2
+sld48JKF0GUgAz/qjylHXEWYwZkqbYMh1i07w3Fj4g= A-Trust-nQual-03
/1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
/PfamDYD6IhiAw2WE32OEwMbrftNVsH9TKzDOfa9uyo= America Online Root Certification Authority 2
/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1
/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009
0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1
0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2
0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA
0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6
1qGEQ9NI25lPk0zNjmNdgzonrB5W+K+vfJfLT0Pqtos= Certification Authority of WoSign
28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= /C=RO/O=certSIGN/OU=certSIGN ROOT CA
2Psz44XJwtpymoRwa6kn3Lt5Jz4SL/2WczY7cLfzbLs= Root CA Generalitat Valenciana
2xXABitSDzGKGdrP7NZPnno/vmCf1YZ5byCuAo6OMFg= CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
31MLrJ/NkUwlLC+9zt3GGD1K6MaArWXwPiBIYd17HHM= Microsoft Root Certificate Authority
3V7RwJD59EgGG6qUprsRAXVE6e76ogzHFM5sYz9dxik= CFCA EV ROOT
4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services
58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU= COMODO ECC Certification Authority
5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority
5co3vHtsNhl5vGsSPKmh2wGQRtf/X1ffuFSxnRCwaC8= Atos TrustedRoot 2011
60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA
60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority
7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009
80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3
8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2
96/0GycJ8XX4q6F+VnsnBGst1Uv25+Jj0ylYc0N7nP8= A-Trust-Qual-03
9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2
9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
9TwiBZgX3Zb0AGUWOdL4V+IQcKWavtkHlADZ9pVQaQA= Thawte Premium Server CA
9YV9iGK8K6PJ3co/hBRtyNgfTVedKzh79gBlOB7mQd0= Class 3P Primary CA
9zvl66U2kSxVf7hVUXrR7gSHvY9jSYw5SRZBd7oGxd4= I.CA - Standard root certificate
AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority
AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA
AjdtCQisIwQcx9Zm2drxklVPf8NjF6qcuACQhhayivg= Microsoft Root Certificate Authority 2011
AjyBzOjnxk+pQtPBUEhwfTXZu1uH9PVExb8bxWQ68vo= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1
BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority
BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root
BVcK5usPzrQhDm23lIa3CUyvIAQB4Um2Z3RBtfJeRJs= ACCVRAIZ1
Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2
Blb1lVIEyNK8ixykdeKk+m4STRJFEnhBV8hYtVRxFBo= http:
CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign
CT23Z4iPaxMnVV29Qrtck/7exQRMeoS8bqMqV4wiNcA= http:
D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object
DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3
EASNAtrRvSDsXdZoz1gbc5Yc6O6YL+vHiUZu/Uj37HM= avast! Web
EGn6R6CqT4z3ERscrqNl7q7RC//zJmDe9uBhS/rnCHU= GTE CyberTrust Global Root
ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1
F3VaXClfPS1y5vAxofB/QAxYi55YKyLxfq4xoVkNEYU= GeoTrust Global CA 2
FJ8u5juaXlgDJAp3DcmR/C40ReYoMcJFpJvE8fc4/5w= OISTE WISeKey Global Root GB CA
FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2
Fbso2SB+E/i8lVfdeF66dzvqlE4E1+CP+KpV7zGUqiA= KEYNECTIS ROOT CA
Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3
FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3
FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
FtgtZ6Htjon5q1j30P0+sNABdof8ruzUBHXxAIOltZM= SecureSign RootCA1
G4qJUxcBYIye88ZfXWCpSLG625dTYiougcCkooS+Y8w= CA DATEV STD 01
GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3
Ga2Y3gIVXX4z6d0h8ORWEP0R0oBEuDGLvr+fYzeIjfA= CA DATEV BT 01
Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011
H0IkzshPyZztiB/2/P0+IfjFGcVHqmpd094kcwLOUNE= CNNIC ROOT
HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA
HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048)
I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA
I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk= America Online Root Certification Authority 1
ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs= USERTrust ECC Certification Authority
IgUKkoNkgcLzwfhBfTdEehZwB6ybpk6iKMtqHhTGS4s= I.CA - Qualified root certificate
IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3
JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA
JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5
JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA
JsGNxu6m9jL2drzrodjCtINS8pwtX82oeOCdy4Mt1uU= Equifax Secure eBusiness CA-1
K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA
KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com
KikzfD1iJMxT8LteXVggwNiEiwSHEyjwkP7jzWv4IbQ= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1
KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2
KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2
KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2
Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email
LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA
M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4
MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2
MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4
Md4MsZ8q27DRzXsbMe+O4+tZt0RZrvlLSAvu7rhcZMk= http:
MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC
MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority
NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1
NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1
NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1
NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorit\xC3\xA9 Racine
O0WRggXFkSmKGSKli0kh0B9kj6nSi93frSSu7FlCz78= /C=ES/O=FNMT/OU=FNMT Clase 2 CA
OBo/x6iwgvooYTpNB/LHVT9OGRjuB8qp6LfO3lqcoGo= Certification Authority of WoSign G2
OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root
OoA+fApDop/XNnLj0LssNlPZSO3gs8sdtM51qFfomvE= Buypass Class 3 CA 1
Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068
P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA
PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6
QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC
QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2
QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3
R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA
RGLBB8SF3WpUQ/XnoWBEFgNKN0w/TRCHXxw3FQJ1Y68= Microsoft Root Authority
RK+K/PE5XSqOMO+BLOGc6y6JSN/SHgD7qjRon5okch8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1
RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services
S3Lf7T7cy19JRWguKVcxoIZKxrW4Wxk+zS8GtJAMHP0= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig
SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority
SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3
SiZZZm3AIDuRb1PYCtj2GsML6hYfSFzHUn5qWTfkkhY= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H6
SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3
TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware
Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root
UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna
UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4
VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3
VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3
WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1
WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA
Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4
WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA
Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root
YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2
YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009
YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority
Yo46EVb2+qkvlLQJJY1Muj8gR0gNMBlPrz++0F6utbI= e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
Z+oZMkOuODk5ta2eNWprK/k6k7zc+CikcIJJeIMIP4Y= Staat der Nederlanden Root CA
Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2
Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2
ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1
ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano
ZrAFOYJqN0hJMBkeAo9i2rHLyJs6zUctxOWQXke/c2Q= Macao Post eSignTrust Root Certification Authority (G02)
a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II
a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1
aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA
akNrWNnYMOjVuKZCUFrWtBQGrc1olNlBT3vgoUZ7rbc= CA DATEV STD 02
axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA
aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2
bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial
bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority
bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= /C=JP/O=Japanese Government/OU=ApplicationCA
cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3
cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2
cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign
cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root
du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2
dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA
dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA
egUvWN1fX0JTrxfoxOkAplWFMtYlqYpuGmCYxVCv5UI= Cybertrust Public SureServer SV CA
eu3d82sY+Ky3N5/hzhgyErI1DQeIq+DoJFe+m62tbVQ= CA WoSign ECC Root
fDtG2b6PJ0H5gAOVIYWOTN0wd0+zKzshzuoGqnnGqsY= SecureSign RootCA2
fKoDRlEkWQxgHlZ+UhSOlSwM/+iQAFMP4NlbbVDqrkE= GeoTrust Universal CA 2
fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign
foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU= Cybertrust Global Root
fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3
gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2
gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4
gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority
gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications
grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= COMODO RSA Certification Authority
h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA
hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3
hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA
hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3
hsE6NAjdGqd+6LaUfAOVh3L1MSSMFie++yxPSwTQRJY= IGC
i+p269YTev+fHsw8CMrx3sR9uRaQ1XVMTp8VIywKLng= CA DATEV INT 01
i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2
iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign
iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root
ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3
itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2
j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2
jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3
jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA
jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048
k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II
kRni9BNXl3eVSZFwPu4joEUjoxK1xl9/k3SqMQDr2Oc= Class 3TS Primary CA
knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008
ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority
kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2
lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking
lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root
lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA
lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com
lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6
lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority
lpkiXF3lLlbN0y3y6W0c/qWqPKC7Us2JM8I7XCdEOCA= GeoTrust Universal CA
ly+8bVW/77Gr43WK19Z6NJu++AwG8dhQAd+5EBuavBs= CA DATEV INT 02
lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA
mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy
mAki7uB/hrx/Xl6V1X24va5o4XpCHE5yqWpwioeSASQ= Microsec e-Szigno Root CA
mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4
myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3
nG9qEjy6pO402+zu4kyX1ziHjLQj88InOQNCT10fbdU= Thawte Server CA
nZih+2BTjEzEhX/xqMgDT69vxZIJP2GZlLLIE9JQuGQ= Class 1 Primary CA
ncOKntz4KEK2dNoYa21iFaueLsbXL1ewioknKMMUMfM= SecureSign RootCA3
ndVfxXP1RstqODHRES2HEKb0+C3If1+unToaAo3Tbks= China Internet Network Information Center EV Certificates Root
nsxRNo6G40YPZsKV5JQt1TCA8nseQQr/LRqp1Oa8fnw= Entrust.net Secure Server Certification Authority
odRdBilzQbHzpzXPo48oPmh5/sBigaNh5fQXzHDSnck= CA DATEV BT 02
olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09
otyYyny77hgislsme9XKUC+nsM9P/wcD7mpBZwPzx+o= Class 3 Primary CA
p5jZL3bJxnVeX1X4bNFK7cwGVTceJ8zeA3d0XOPFABM= Certipost E-Trust Primary Qualified CA
pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado
pLibtwZW6kmPLZ4ApJf9udzSC4G4k46VK7ot+fZXKcM= Halcom CA FO
pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= /C=TW/O=Government Root Certification Authority
puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root
pvH5v4oKndwID7SbHvw9GhwsMtwOE2pbAMlzFvKj3BE= Equifax Secure Global eBusiness CA-1
q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III
q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3
qBKTRF2xlqIDD55FX+PHSppPgxewKwFAYCeocIF0Q0w= /C=TW/O=Government Root Certification Authority
qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root
qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority
qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA
qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA
qzh2w9pd4MnPZzaGjuW4i/m6Hf+cnXLS/lqNL3gwIWY= Thawte Timestamping CA
qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II
r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA
rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II
ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6
sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA
sIP/U29/SKkIHilKAYe1PoGXcUAtnUgQMG3gMQJOX0Y= AC1 RAIZ MTIN
sPbxW0gX6+b+C0v819Os5MdYsKtvip2i7ZLmGCOdnJg= ACEDICOM Root
sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
sh0qdDMYcSuhbzmRnZYaS6+6O8qaQ6dbH8/iLF1wyro= EC-ACC
st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I
sxguKJrjTd8r5kOrecJEMBYF+g8equbRD7kpYAr4TfA= Certipost E-Trust Primary Normalised CA
tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= /O=RSA Security Inc/OU=RSA Security 2048 V3
tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1
u0Eo7JYg8tKknOjixOJXrrrZOg8RxWtfpLAOI3Wfo50= SecureSign RootCA11
uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3
vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA
vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2
vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services
vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority
vt2LyX6oZJcZWgeKmZojegYK664HvAoLm3eJgrpfYvQ= Halcom CA PO 2
wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA
wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority
x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium
x/WEI22GOV6Pb4LAEIhqLFbgcaahw+0odrijpyxe+7U= I.CA - Standard Certification Authority, 09
x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1
x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= USERTrust RSA Certification Authority
xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA
xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= /C=JP/O=LGPKI/OU=Application CA G2
xeolnGKYA1CGSfAhd/Y8MvqFzErVw18NVBxF3xCkn9c= PSCProcert
xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root
y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK
y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2
yZBbDuASAik8oCbmTwhBJELFUEwG5Eyn6XJtYfIOQIk= Microsoft Root Certificate Authority 2010
zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root
ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA
ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008
zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA
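Review bot: three rows carry the name `http:` (the `Blb1lV...`, `CT23Z4...` and `Md4MsZ...` entries), which means the name extraction was cut at the first colon for certificates whose subject CN is a URL; those CAs will show up unlabeled wherever this table is consulted. Split the generated line on the first whitespace only, or quote the name field. The naming is also mixed: most rows hold a CN, certificates without a CN get a full DN (`/C=US/O=Equifax/OU=...`), and non-ASCII names are stored as literal `\xC3\x9C` escape sequences rather than UTF-8, so every consumer has to handle all three forms; the generator should normalise to one. The 44-character base64 values are SHA-256 digests, the same form as the SPKI pins the new HPKP test looks up, and `60mT76...` appears twice under two names (`Apple Root CA` and `Apple Root Certificate Authority`): a lookup should resolve duplicates deterministically, and a short header comment describing the format and that duplicates are expected would help. The `avast! Web` row looks like a locally installed antivirus interception root picked up from one of the source machines rather than a public CA, which is a reason to review the Windows export before shipping it. Finally, the rows beginning with `+` and `/` are ordinary base64 in ASCII sort order, not stray diff markers.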

9
t/10_ca_hashes_up_to_date.t Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env perl
use strict;
use Test::More tests => 1;
my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh");
done_testing;
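Review bot: the check compares modification times (`find ... -newer`), but git does not preserve mtimes, so after a fresh clone the `.pem` bundles and `etc/ca_hashes.txt` carry whatever timestamps the checkout order produced; the test can fail on an untouched tree or pass on a stale hash file. A robust version regenerates the hashes with `utils/create_ca_hashes.sh` into a temporary file and diffs that against `etc/ca_hashes.txt`. Also, `newer then` in the failure message should be `newer than`, and with a declared plan (`tests => 1`) the trailing `done_testing` is redundant.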

79
t/11_hpkp.t Executable file

@ -0,0 +1,79 @@
#!/usr/bin/env perl
use strict;
use Test::More;
use Data::Dumper;
use JSON;
my $tests = 0;
my (
$out,
$json,
$found,
);
# OK
pass("Running testssl.sh against ssl.sectionzero.org"); $tests++;
$out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`;
$json = json('tmp.json');
# It is better to have findings in a hash
# Look for a host cert match in the process.
my $found = 0;
my %findings;
foreach my $f ( @$json ) {
$findings{$f->{id}} = $f;
if ( $f->{finding} =~ /matches the host certificate/ ) {
$found++;
}
}
is($found,1,"We found 1 'matches the host certificate' finding"); $tests++;
like($out,'/Host cert/',"There is a 'host cert match' in the text output"); $tests++;
# Sub CA match
ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for SPKI YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++;
like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/matches Intermediate CA \'Let\'s Encrypt Authority X3\' pinned in the HPKP header/',"We have our Sub CA finding"); $tests++;
is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++;
like($out,'/Sub CA\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++;
# Root CA match Lets encrypt
ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for SPKI Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++;
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/matches Root CA \'DST Root CA X3\' pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++;
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/matches Root CA \'DST Root CA X3\' pinned in the HPKP header\. \(Root CA part of the chain\)/',"CA is indeed part of chain"); $tests++;
is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++;
like($out,'/Root CA\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++;
# Root CA StartCom
ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for SPKI 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++;
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/matches Root CA \'StartCom Certification Authority\' pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++;
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/matches Root CA \'StartCom Certification Authority\' pinned in the HPKP header\. \(Root backup SPKI\)/',"CA is indeed NOT part of chain"); $tests++;
is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++;
like($out,'/Backups\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++;
# Bad PIN
ok( exists $findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"},"We have a finding for SPKI MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"); $tests++;
like($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++;
is($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{severity}, "INFO", "The finding is informational"); $tests++;
like($out,'/MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++;
like($findings{hpkp_spkis}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++;
like($out,'/5 keys/',"5 keys pinned in text output"); $tests++;
like($findings{hpkp_age}->{finding},'/90 days/',"90 days in json"); $tests++;
like($out,'/90 days/',"90 days in text output"); $tests++;
like($findings{hpkp_subdomains}->{finding},'/this domain only/',"this domain only in json"); $tests++;
like($out,'/just this domain/',"just this domain text output"); $tests++;
like($findings{hpkp_preload}->{finding},'/NOT marked for/',"no preloading in json"); $tests++;
done_testing($tests);
sub json($) {
my $file = shift;
$file = `cat $file`;
unlink $file;
return from_json($file);
}
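Review bot: `json()` never deletes the file it reads. `my $file = shift;` followed by `$file = \`cat $file\`;` overwrites the path with the file's contents, so `unlink $file` is handed the JSON text, not `tmp.json`; use a second variable (`my $content = \`cat $file\`; unlink $file; return from_json($content);`), and since the call at the top runs before the `sub json($)` definition, the `($)` prototype is not applied there either. `$found` is declared twice (once in the `my (...)` list, again as `my $found = 0;`); add `use warnings` and keep one declaration. The manual `$tests++` bookkeeping is error-prone and unnecessary: `done_testing()` without an argument counts for you. Larger concern: every assertion depends on the live HPKP header of a third-party host (`ssl.sectionzero.org`), including the specific intermediate `Let's Encrypt Authority X3`, the StartCom backup pin and the 90-day max-age; any change on that host fails the suite. Make the target host configurable via an environment variable and skip when unset, or capture a known header and feed it to the code under test. `Data::Dumper` is imported but unused.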


@ -83,7 +83,7 @@ readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
# make sure that temporary files are cleaned up after use in ANY case # make sure that temporary files are cleaned up after use in ANY case
trap "cleanup" QUIT EXIT trap "cleanup" QUIT EXIT
readonly VERSION="2.8rc2" readonly VERSION="2.8rc3"
readonly SWCONTACT="dirk aet testssl dot sh" readonly SWCONTACT="dirk aet testssl dot sh"
egrep -q "dev|rc" <<< "$VERSION" && \ egrep -q "dev|rc" <<< "$VERSION" && \
SWURL="https://testssl.sh/dev/" || SWURL="https://testssl.sh/dev/" ||
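Review bot: `VERSION` becomes `2.8rc3` here while the README hunk in this same commit still tells users the master branch carries `2.8rc2`; keep the two in step, ideally by having the README not repeat the number at all.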
@ -143,7 +143,7 @@ SHOW_SIGALGO=${SHOW_SIGALGO:-false} # "secret" switch whether testssl.sh sho
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
ASSUMING_HTTP=${ASSUMING_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ are kept for further debugging purposes DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ are kept for further debugging purposes
# 2: list more what's going on , also lists some errors of connections # 2: list more what's going on , also lists some errors of connections
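Review bot: renaming the environment variable `ASSUMING_HTTP` to `ASSUME_HTTP` silently breaks every existing invocation that exports the old name: the old variable is simply ignored and service detection falls back to its default, with no warning. Either honour both names for a transition period, e.g. `ASSUME_HTTP=${ASSUME_HTTP:-${ASSUMING_HTTP:-false}}`, or call the rename out in the changelog and usage documentation. While in this block, the comments on the context lines have typos: `yiu` should be `you` and `putput` should be `output`.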
@ -251,7 +251,6 @@ TLS_NOW=""
NOW_TIME="" NOW_TIME=""
HTTP_TIME="" HTTP_TIME=""
GET_REQ11="" GET_REQ11=""
HEAD_REQ10=""
readonly UA_STD="TLS tester from $SWURL" readonly UA_STD="TLS tester from $SWURL"
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
FIRST_FINDING=true # Is this the first finding we are outputting to file? FIRST_FINDING=true # Is this the first finding we are outputting to file?
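Review bot: this hunk removes only the `HEAD_REQ10=""` declaration; the code that built and sent the HTTP/1.0 HEAD request is not in view, so confirm with a `grep -n HEAD_REQ10` over the script that no reference remains, otherwise the variable is used unset.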
@ -377,6 +376,7 @@ pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; }
pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; }
pr_boldln() { pr_bold "$1" ; outln; } pr_boldln() { pr_bold "$1" ; outln; }
pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; }
pr_italicln() { pr_italic "$1" ; outln; }
pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; }
pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; } pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; }
pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; } pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; }
@ -475,7 +475,15 @@ fileout_header() {
else else
"$do_json" && printf "[\n" > "$JSONFILE" "$do_json" && printf "[\n" > "$JSONFILE"
fi fi
"$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" if "$do_csv"; then
if [[ -f "$CSVFILE" ]]; then
# add lf, just for overview
echo >> "$CSVFILE"
else
# create file, with headline
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
fi
fi
else else
"$do_json" && printf "[\n" > "$JSONFILE" "$do_json" && printf "[\n" > "$JSONFILE"
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE"
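Review bot: the rewritten csv branch fixes the old test `[[ ! -f "CSVFILE" ]]`, which lacked the `$` and so always recreated the file, but the two paths now behave differently: the first appends a blank separator line to an existing `$CSVFILE` and keeps its header, while the else branch at the end of this hunk still truncates with `>`. If "append when the file exists" is intended in both cases, the second `"$do_csv" && echo ... > "$CSVFILE"` needs the same treatment; otherwise a comment explaining why only one path appends would help the next reader.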
@ -491,7 +499,7 @@ fileout() { # ID, SEVERITY, FINDING
if "$do_json"; then if "$do_json"; then
"$FIRST_FINDING" || echo -n "," >> $JSONFILE "$FIRST_FINDING" || echo -n "," >> $JSONFILE
echo -e " { echo " {
\"id\" : \"$1\", \"id\" : \"$1\",
\"ip\" : \"$NODE/$NODEIP\", \"ip\" : \"$NODE/$NODEIP\",
\"port\" : \"$PORT\", \"port\" : \"$PORT\",
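Review bot: dropping `-e` from `echo " {` is right, since nothing in the literal needs escape processing, but the JSON is still assembled by interpolating `$1`, `$NODE/$NODEIP` and `$PORT` verbatim between double quotes with no escaping of `"` or `\`. A finding text containing a double quote (several fileout calls later in this diff embed quoted CA names such as `\"$ca_cn\"`) produces malformed JSON; escape those characters before emitting or route every value through a small quoting helper. Also `>> $JSONFILE` on the preceding line is unquoted, unlike `"$CSVFILE"` in the previous hunk.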
@ -547,13 +555,17 @@ colon_to_spaces() {
} }
strip_lf() { strip_lf() {
echo "$1" | tr -d '\n' | tr -d '\r' tr -d '\n' <<< "$1" | tr -d '\r'
} }
strip_spaces() { strip_spaces() {
echo "${1// /}" echo "${1// /}"
} }
trim_trailing_space() {
echo "${1%%*( )}"
}
toupper() { toupper() {
echo -n "$1" | tr 'a-z' 'A-Z' echo -n "$1" | tr 'a-z' 'A-Z'
} }
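Review bot: `trim_trailing_space` relies on `${1%%*( )}`, which is an extglob pattern; unless `shopt -s extglob` is enabled before this function is parsed, `*( )` is read literally and no trailing spaces are removed. Either enable extglob in the script prologue or use a plain expansion such as `${1%"${1##*[! ]}"}`, which strips the trailing run of spaces without extglob. The here-string rewrite of strip_lf is fine and removes the extra echo.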
@ -657,7 +669,7 @@ fi
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS) # determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
# arg1 could be the protocol determined as "working". IIS6 needs that # arg1 could be the protocol determined as "working". IIS6 needs that
runs_HTTP() { service_detection() {
local -i ret=0 local -i ret=0
local -i was_killed local -i was_killed
local addcmd="" local addcmd=""
@ -693,10 +705,10 @@ runs_HTTP() {
fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks" fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks"
else else
out " Couldn't determine what's running on port $PORT" out " Couldn't determine what's running on port $PORT"
if $ASSUMING_HTTP; then if "$ASSUME_HTTP"; then
SERVICE=HTTP SERVICE=HTTP
out " -- ASSUMING_HTTP set though" out " -- ASSUME_HTTP set though"
fileout "service" "DEBUG" "Couldn't determine service, --ASSUMING_HTTP set" fileout "service" "DEBUG" "Couldn't determine service, --ASSUME_HTTP set"
ret=0 ret=0
else else
out ", assuming no HTTP service => skipping all HTTP checks" out ", assuming no HTTP service => skipping all HTTP checks"
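Review bot: the fileout text `"Couldn't determine service, --ASSUME_HTTP set"` mixes the variable name with option syntax; the option is `--assume-http` and the variable is `ASSUME_HTTP`, so "ASSUME_HTTP set (--assume-http)" would be accurate. Quoting `"$ASSUME_HTTP"` in the if is a good fix: an empty value would previously have produced a bash syntax error rather than evaluating as false.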
@ -1010,11 +1022,16 @@ run_hpkp() {
local -i hpkp_age_sec local -i hpkp_age_sec
local -i hpkp_age_days local -i hpkp_age_days
local -i hpkp_nr_keys local -i hpkp_nr_keys
local hpkp_key hpkp_key_hostcert local hpkp_spki hpkp_spki_hostcert
local -a backup_spki
local spaces=" " local spaces=" "
local key_found=false local spaces_indented=" "
local certificate_found=false
local i local i
local hpkp_headers="" local hpkp_headers
local first_hpkp_header
local spki
local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt"
if [[ ! -s $HEADERFILE ]]; then if [[ ! -s $HEADERFILE ]]; then
run_http_header "$1" || return 3 run_http_header "$1" || return 3
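Review bot: several variables this function uses later in the diff are not declared here and therefore become globals: `hpkp_ca`, `hpkp_spki_ca`, `hpkp_name`, `nrsaved`, `spki_match`, `has_backup_spki`, `hpkp_matches`, `ca_cn`, `match_ca`, `cert_fname` and the `backup_spki_str` array (only `backup_spki` gets `local -a`). Add them to the local list, and keep initialising `hpkp_headers` here rather than only inside the multiple-headers branch. Since `$ca_hashes` points at `$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt`, a check that the file exists (with a hint to run utils/create_ca_hashes.sh) before it is grepped later would give a clearer failure than a silent empty match.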
@ -1022,12 +1039,23 @@ run_hpkp() {
pr_bold " Public Key Pinning " pr_bold " Public Key Pinning "
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
detect_header "Public-Key-Pins" "HPKP" if egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" ; then
hpkp_header=$HEADERVALUE :
else
#FIXME: we should treat report_only seperately hpkp_headers=""
detect_header "Public-Key-Pins-Report-Only" "HPKP_report_only" pr_svrty_medium "multiple HPKP headers: "
hpkp_header+="$HEADERVALUE " # https://scotthelme.co.uk is a candidate
#FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w
for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do
pr_italic $i
hpkp_headers="$hpkp_headers$i "
out " "
done
out "\n$spaces Examining first one: "
first_hpkp_header=$(awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1)
pr_italic "$first_hpkp_header, "
fileout "hpkp_multiple" "WARN" "Multiple HPKP headers $hpkp_headers. Using first header: $first_hpkp_header"
fi
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is # remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
sed -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE | \ sed -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE | \
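Review bot: the count test `egrep -aciw ... | egrep -waq "1"` only works because `-w` forces a whole-word match of the digit 1; it reads as "the count contains a 1". Compare arithmetically instead, e.g. `[[ $(egrep -aciw ... $HEADERFILE) -eq 1 ]]`. The removed FIXME about treating Public-Key-Pins-Report-Only separately is still unresolved: the sed below strips both header names, so a report-only policy is evaluated as if it were enforced, and only the first header is examined even when one is enforcing and the other report-only. Keep the FIXME or state the limitation in the finding text. `pr_italic $i` should quote its argument like the other pr_* calls.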
@ -1037,13 +1065,13 @@ run_hpkp() {
tr ' ' '\n' < $TMPFILE.2 >$TMPFILE tr ' ' '\n' < $TMPFILE.2 >$TMPFILE
hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE) hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE)
out " # of keys: "
if [[ $hpkp_nr_keys -eq 1 ]]; then if [[ $hpkp_nr_keys -eq 1 ]]; then
pr_svrty_high "1 (NOT ok), " pr_svrty_high "1 key (NOT ok), "
fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" fileout "hpkp_spkis" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked"
else else
out "$hpkp_nr_keys, " pr_done_good "$hpkp_nr_keys"
fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" out " keys, "
fileout "hpkp_spkis" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked"
fi fi
# print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk # print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk
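Review bot: the finding id changes from `hpkp_keys` to `hpkp_spkis` and the severity from `NOT ok` to `HIGH`; both are visible in JSON/CSV output, so anything parsing earlier results needs updating and the change belongs in the changelog. The single-pin wording also understates the problem: RFC 7469 requires at least one backup pin that is not in the served chain, so a compliant UA will not note the host as pinned at all with only one pin; "pinning is ineffective" would be more accurate than "the site may become unavailable".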
@ -1069,33 +1097,155 @@ run_hpkp() {
fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading"
fi fi
# Get the SPKIs first
spki=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }')
debugme outln "\n$spki"
# Look at the host certificate first
# get the key fingerprint from the host certificate
if [[ ! -s "$HOSTCERT" ]]; then if [[ ! -s "$HOSTCERT" ]]; then
get_host_cert || return 1 get_host_cert || return 1
fi fi
# get the key fingerprint from the host certificate
hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ hpkp_spki_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
# compare it with the ones provided in the header hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')"
while read hpkp_key; do
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then # Get keys/hashes from intermediate certificates
out "\n$spaces matching host key: " $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} </dev/null >$TMPFILE 2>$ERRFILE
pr_done_good "$hpkp_key" # Place the server's certificate in $HOSTCERT and any intermediate
fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header" # certificates that were provided in $TEMPDIR/intermediatecerts.pem
key_found=true # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
fi awk -v n=-1 "/Certificate chain/ {start=1}
debugme out "\n $hpkp_key | $hpkp_key_hostcert" /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') inc { print > (\"$TEMPDIR/level\" n \".crt\") }
if ! $key_found ; then /---END CERTIFICATE-----/{ inc=0 }" $TMPFILE
out "\n$spaces" nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)")
pr_svrty_high " No matching key for pins found " rm $TEMPDIR/level0.crt 2>/dev/null
out "(CAs pinned? -- not checked for yet)"
fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" printf ""> "$TEMPDIR/intermediate.hashes"
if [[ nrsaved -ge 2 ]]; then
for cert_fname in $TEMPDIR/level?.crt; do
hpkp_spki_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d |
$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)"
hpkp_name="$(get_cn_from_cert $cert_fname)"
hpkp_ca="$($OPENSSL x509 -in $cert_fname -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')"
[[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout | sed 's/^subject= //')
echo "$hpkp_spki_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes"
done
fi fi
# This is where the matching magic starts, first host certificate, intermediate, then root out of the stores
spki_match=false
has_backup_spki=false
i=0
for hpkp_spki in $spki; do
certificate_found=false
# compare collected SPKIs against the host certificate
if [[ "$hpkp_spki_hostcert" == "$hpkp_spki" ]] || [[ "$hpkp_spki_hostcert" == "$hpkp_spki=" ]]; then
certificate_found=true # We have a match
spki_match=true
out "\n$spaces_indented Host cert: "
pr_done_good "$hpkp_spki"
fileout "hpkp_$hpkp_spki" "OK" "SPKI $hpkp_spki matches the host certificate"
fi
debugme out "\n $hpkp_spki | $hpkp_spki_hostcert"
# Check for intermediate match
if ! "$certificate_found"; then
hpkp_matches=$(grep "$hpkp_spki" $TEMPDIR/intermediate.hashes 2>/dev/null)
if [[ -n $hpkp_matches ]]; then # hpkp_matches + hpkp_spki + '='
# We have a match
certificate_found=true
spki_match=true
out "\n$spaces_indented Sub CA: "
pr_done_good "$hpkp_spki"
ca_cn="$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )"
pr_italic " $ca_cn"
fileout "hpkp_$hpkp_spki" "OK" "SPKI $hpkp_spki matches Intermediate CA \"$ca_cn\" pinned in the HPKP header"
fi
fi
# we compare now against a precompiled list of SPKIs against the ROOT CAs we have in $ca_hashes
if ! "$certificate_found"; then
hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes | sort -u)
if [[ -n $hpkp_matches ]]; then
certificate_found=true # root CA found
spki_match=true
if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then
# replace by awk
match_ca=$(sed "s/[a-zA-Z0-9\+\/]*=* *//" <<< "$hpkp_matches")
else
match_ca=""
fi
ca_cn="$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )"
if [[ "$match_ca" == "$hpkp_ca" ]]; then # part of the chain
out "\n$spaces_indented Root CA: "
pr_done_good "$hpkp_spki"
pr_italic " $ca_cn"
fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki matches Root CA \"$ca_cn\" pinned in the HPKP header. (Root CA part of the chain)"
else # not part of chain
match_ca=""
has_backup_spki=true # Root CA outside the chain --> we save it for unmatched
fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki matches Root CA \"$ca_cn\" pinned in the HPKP header. (Root backup SPKI)"
backup_spki[i]="$(strip_lf "$hpkp_spki")" # save it for later
backup_spki_str[i]="$ca_cn" # also the name=CN of the root CA
i=$((i + 1))
fi
fi
fi
# still no success --> it's probably a backup SPKI
if ! "$certificate_found"; then
# Most likely a backup SPKI, unfortunately we can't tell for what it is: host, intermediates
has_backup_spki=true
backup_spki[i]="$(strip_lf "$hpkp_spki")" # save it for later
backup_spki_str[i]="" # no root ca
i=$((i + 1))
fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki doesn't match anything. This is ok for a backup for any certificate"
# CSV/JSON output here for the sake of simplicity, rest we do en bloc below
fi
done
# now print every backup spki out we saved before
out "\n$spaces_indented Backups: "
# for i=0 manually do the same as below as there's other indentation here
if [[ -n "${backup_spki_str[0]}" ]]; then
pr_done_good "${backup_spki[0]}"
#out " Root CA: "
pr_italicln " ${backup_spki_str[0]}"
else
outln "${backup_spki[0]}"
fi
# now for i=1
for ((i=1; i < ${#backup_spki[@]} ;i++ )); do
if [[ -n "${backup_spki_str[i]}" ]]; then
# it's a Root CA outside the chain
pr_done_good "$spaces_indented ${backup_spki[i]}"
#out " Root CA: "
pr_italicln " ${backup_spki_str[i]}"
else
outln "$spaces_indented ${backup_spki[i]}"
fi
done
# If all else fails...
if ! "$spki_match"; then
"$has_backup_spki" && out "$spaces" # we had a few lines with backup SPKIs already
pr_svrty_highln " No matching key for SPKI found "
fileout "hpkp_spkimatch" "HIGH" "None of the SPKI match your host certificate, intermediate CA or known root CAs. You may have bricked this site"
fi
if ! "$has_backup_spki"; then
pr_svrty_highln " No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site. "
fileout "hpkp_backup" "HIGH" "No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site."
fi
else else
out "--" outln "--"
fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning" fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning"
fi fi
outln
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $? return $?
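Review bot: `<<< $"$hpkp_matches"` (in the Sub CA branch and again before the root-CA comparison) uses `$"..."`, bash's locale-translation quoting, where a plain `"$hpkp_matches"` is meant. Further points, top to bottom: the `s_client` line passes `-showcerts` twice and references `${sni[i]}` before `i` is set (it is only initialised to 0 further down, so the index evaluates to 0), so confirm this is the array intended here; nothing removes stale `$TEMPDIR/level?.crt` files before the awk splits the new chain, so when several hosts are scanned in one run `nrsaved` and intermediate.hashes can carry certificates of the previous target; `hpkp_ca` is first set from the host certificate's issuer and then overwritten on every loop iteration, so the value compared with `match_ca` is whichever chain certificate was written last, which deserves a comment; `grep "$hpkp_spki" ...` should be `grep -F` because base64 pins contain `+`; `[[ nrsaved -ge 2 ]]` works only because `[[` evaluates the bare name arithmetically, write `$nrsaved`; and the "Backups:" block prints `${backup_spki[0]}` unconditionally, producing an empty line when no backup pin was found, so guard it with `$has_backup_spki`.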
@ -3019,7 +3169,6 @@ run_protocols() {
fi fi
fi ;; fi ;;
esac esac
pr_off
debugme outln debugme outln
else else
run_prototest_openssl "-ssl2" run_prototest_openssl "-ssl2"
@ -5078,7 +5227,7 @@ run_pfs() {
spdy_pre(){ spdy_pre(){
if [[ -n "$STARTTLS" ]]; then if [[ -n "$STARTTLS" ]] || [[ "$SERVICE" != HTTP ]]; then
[[ -n "$1" ]] && out "$1" [[ -n "$1" ]] && out "$1"
out "(SPDY is an HTTP protocol and thus not tested here)" out "(SPDY is an HTTP protocol and thus not tested here)"
fileout "spdy_npn" "INFO" "SPDY/NPN : (SPY is an HTTP protocol and thus not tested here)" fileout "spdy_npn" "INFO" "SPDY/NPN : (SPY is an HTTP protocol and thus not tested here)"
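Review bot: with the new `[[ "$SERVICE" != HTTP ]]` condition, a port whose service could not be detected (and ASSUME_HTTP is unset) now gets the message "SPDY is an HTTP protocol and thus not tested here", which is misleading when the port may well be HTTP; a separate message for the undetected-service case would be clearer. The unchanged fileout line still spells it "SPY".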
@ -5099,7 +5248,7 @@ spdy_pre(){
} }
http2_pre(){ http2_pre(){
if [[ -n "$STARTTLS" ]]; then if [[ -n "$STARTTLS" ]] || [[ "$SERVICE" != HTTP ]]; then
[[ -n "$1" ]] && out "$1" [[ -n "$1" ]] && out "$1"
outln "(HTTP/2 is a HTTP protocol and thus not tested here)" outln "(HTTP/2 is a HTTP protocol and thus not tested here)"
fileout "https_alpn" "INFO" "HTTP2/ALPN : HTTP/2 is and HTTP protocol and thus not tested" fileout "https_alpn" "INFO" "HTTP2/ALPN : HTTP/2 is and HTTP protocol and thus not tested"
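Review bot: same condition change as in spdy_pre, so the same wording concern applies for undetected services. In addition the messages read "is a HTTP protocol" and "is and HTTP protocol", which should be "an HTTP protocol" in both places, and the finding id `https_alpn` should be checked against the naming used by the sibling function (`spdy_npn`); `http2_alpn` looks like what was meant.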
@ -7292,7 +7441,6 @@ check4openssl_oldfarts() {
outln outln
} }
# FreeBSD needs to have /dev/fd mounted. This is a friendly hint, see #258 # FreeBSD needs to have /dev/fd mounted. This is a friendly hint, see #258
check_bsd_mount() { check_bsd_mount() {
if [[ "$(uname)" == FreeBSD ]]; then if [[ "$(uname)" == FreeBSD ]]; then
@ -7306,7 +7454,6 @@ check_bsd_mount() {
fi fi
} }
help() { help() {
cat << EOF cat << EOF
@ -7366,7 +7513,7 @@ partly mandatory parameters:
tuning options (can also be preset via environment variables): tuning options (can also be preset via environment variables):
--bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
--assuming-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used --ssl-native fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME) --openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
--proxy <host>:<port> connect via the specified HTTP proxy --proxy <host>:<port> connect via the specified HTTP proxy
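Review bot: the help now documents only `--assume-http`, but parse_cmd_line later in this diff still accepts `--assuming-http`; either list the old spelling here as a deprecated alias or drop it from the option parser, so that help and parser stay in sync.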
@ -7468,7 +7615,7 @@ HAS_SED_E: $HAS_SED_E
SHOW_EACH_C: $SHOW_EACH_C SHOW_EACH_C: $SHOW_EACH_C
SSL_NATIVE: $SSL_NATIVE SSL_NATIVE: $SSL_NATIVE
ASSUMING_HTTP $ASSUMING_HTTP ASSUME_HTTP $ASSUME_HTTP
SNEAKY: $SNEAKY SNEAKY: $SNEAKY
DEBUG: $DEBUG DEBUG: $DEBUG
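Review bot: style: `ASSUME_HTTP $ASSUME_HTTP` lacks the colon every other line of this debug dump uses (`SSL_NATIVE: $SSL_NATIVE`, `SNEAKY: $SNEAKY`).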
@ -8074,10 +8221,10 @@ determine_service() {
ua="$UA_SNEAKY" || \ ua="$UA_SNEAKY" || \
ua="$UA_STD" ua="$UA_STD"
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n"
HEAD_REQ11="HEAD $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" #HEAD_REQ11="HEAD $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n"
GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" #GET_REQ10="GET $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nConnection: Close\r\nAccept: text/*\r\n\r\n"
HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n" #HEAD_REQ10="HEAD $URL_PATH HTTP/1.0\r\nUser-Agent: $ua\r\nAccept: text/*\r\n\r\n"
runs_HTTP $OPTIMAL_PROTO service_detection $OPTIMAL_PROTO
else else
# STARTTLS # STARTTLS
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
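Review bot: commenting out the `HEAD_REQ11`, `GET_REQ10` and `HEAD_REQ10` templates leaves dead code that version control already preserves; delete the three lines instead. The earlier hunk removes the `HEAD_REQ10=""` declaration but not the ones for `HEAD_REQ11` and `GET_REQ10`; check whether those are declared elsewhere and remove them too so declarations and assignments stay consistent.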
@ -8547,7 +8694,7 @@ parse_cmd_line() {
WIDE=true WIDE=true
;; ;;
--assuming[_-]http|--assume[-_]http) --assuming[_-]http|--assume[-_]http)
ASSUMING_HTTP=true ASSUME_HTTP=true
;; ;;
--sneaky) --sneaky)
SNEAKY=true SNEAKY=true
@ -8844,4 +8991,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.557 2016/10/10 21:27:33 dirkw Exp $ # $Id: testssl.sh,v 1.559 2016/10/15 20:55:22 dirkw Exp $

utils/create_ca_hashes.sh Executable file

@ -0,0 +1,48 @@
#!/usr/bin/env bash
#
# vim:ts=5:sw=5:expandtab
# we have a spaces softtab, that ensures readability with other editors too
# This file generates the file etc/ca_hashes.txt from the (root)certificate
# Bundles in etc (etc/*.pem)
TEMPDIR="/tmp"
OPENSSL="bin/openssl.Darwin.x86_64 "
# Check if we are in the right directory
if [[ ! -e etc ]]; then
echo "Please run this script from the base directory of the testssl.sh project"
exit 99
fi
echo "Extracting private key hashes from CA bundles"
echo -n > "$TEMPDIR/cahashes"
for bundle_fname in etc/*.pem; do
if [[ ! -r $bundle_fname ]]; then
echo "\"$bundle_fname\" cannot be found / not readable"
exit 99
fi
bundle_name=$(echo -n $bundle_fname|sed s/^etc\\///|sed 's/\.pem$//')
echo "CA Bundle: $bundle_name"
# Split up the certificate bundle
awk -v n=-1 "BEGIN {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") }
/---END CERTIFICATE-----/{ inc=0 }" $bundle_fname
for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt; do
echo -n "."
hpkp_key_ca="$( ( $OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d |
$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64 ) 2>/dev/null )"
hpkp_name=$( $OPENSSL x509 -in "$cert_fname" -subject -noout 2>/dev/null | sed "s/^subject= //")
if [[ $(echo $hpkp_name|grep 'CN='|wc -l) -eq 1 ]]; then
hpkp_name=$(echo -n $hpkp_name|sed 's/^.*CN=//'|sed 's/\/.*$//')
fi
echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/cahashes"
done
echo
done
# Make a backup first
cp etc/ca_hashes.txt etc/ca_hashes.txt.bak
sort -u "$TEMPDIR/cahashes" > etc/ca_hashes.txt
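Review bot: `OPENSSL="bin/openssl.Darwin.x86_64 "` hard-codes the macOS binary (with a trailing space that only works because the variable is expanded unquoted), so the script is unusable on Linux/BSD out of the box; let it honour an `OPENSSL` environment variable or fall back to `openssl` in `$PATH`. The work files are written under fixed names in `/tmp` (`$TEMPDIR/cahashes`, `$TEMPDIR/$bundle_name.N.$$.crt`), which is predictable and shared; use `mktemp -d` and remove the directory at the end, since the `.crt` fragments are never cleaned up. `cp etc/ca_hashes.txt etc/ca_hashes.txt.bak` errors on a fresh checkout where the file does not exist yet; guard it with `[[ -f etc/ca_hashes.txt ]]`. Finally, the output format (`<base64 SPKI hash> <name>` per line) is the contract run_hpkp greps against; a header comment stating it would help maintainers.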


@ -229,4 +229,4 @@ exit 0
# 74.116.0.167 147.237.80.2 85.92.77.27 # 74.116.0.167 147.237.80.2 85.92.77.27
# vim:tw=110:ts=5:sw=5 # vim:tw=110:ts=5:sw=5
# $Id: prototype.ssl2proto-check.bash,v 1.9 2015/01/07 22:56:22 dirkw Exp $ # $Id: prototype.ssl2proto-check.bash,v 1.10 2015/09/25 19:02:24 dirkw Exp $