From 6801279471d2fbce885922dab0ca98b580e485ea Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 28 Jun 2016 23:59:36 +0200 Subject: [PATCH 1/8] Additional tests --- t/01_badssl.com.t | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index 9802b75..01f82f1 100755 --- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -5,7 +5,7 @@ use Test::More; use Data::Dumper; use JSON; -my $tests = 21; +my $tests = 0; my ( $out, @@ -13,11 +13,13 @@ my ( $found, ); # OK -my $okout = `./testssl.sh -S --jsonfile tmp.json --color 0 badssl.com`; +ok("Running testssl.sh against badssl.com"); +my $okout = `./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); # Expiration +ok("Running testssl against expired.badssl.com"); $out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`; like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); $json = json('tmp.json'); @@ -33,6 +35,7 @@ foreach my $f ( @$json ) { is($found,1,"We had a finding for this in the JSON output"); # Self signed and not-expired +ok("Running testssl against self-signed.badssl.com"); $out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`; like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); $json = json('tmp.json'); @@ -72,6 +75,7 @@ foreach my $f ( @$okjson ) { is($found,1,"We had a finding for this in the JSON output"); # Wrong host +#ok("Running testssl against wrong.host.badssl.com"); #$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`; #unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); #$json = json('tmp.json'); @@ -87,8 +91,7 @@ is($found,1,"We had a finding for this in the JSON output"); #is($found,1,"We had a finding for this in the JSON output"); # Incomplete chain -# Self signed and not-expired - +ok("Running testssl against incomplete-chain.badssl.com"); $out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`; like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $json = json('tmp.json'); @@ -105,6 +108,21 @@ is($found,1,"We had a finding for this in the JSON output"); # TODO: RSA 8192 +# CBC +ok("Running testssl against cbc.badssl.com"); +$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`; +like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); +$json = json('tmp.json'); +$found = 0; +foreach my $f ( @$json ) { + if ( $f->{id} eq "trust" ) { + $found = 1; + like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); + last; + } +} +is($found,1,"We had a finding for this in the JSON output"); done_testing($tests); From 0a86f07e61e678408f92dd1a38d17cbe6e1ee2d1 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:02:53 +0200 Subject: [PATCH 2/8] Lets get unit testing --- .travis.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..ae61687 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,5 @@ +language: perl +perl: + - "5.18" +script: + prove From 2111008880d12665f9410a0d192c062f1478afb3 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:09:12 +0200 Subject: [PATCH 3/8] Install test dependancies --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index ae61687..54d4723 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,9 @@ language: perl perl: - "5.18" +install: + - cpanm Test::More + - cpanm Data::Dumper + - cpanm JSON script: prove From 353756ffd6d681bdd64d5d1750a3fac0118f630b Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:12:46 +0200 Subject: [PATCH 4/8] We need dnsutils as well --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index 54d4723..d4ce9b2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,10 @@ language: perl perl: - "5.18" +addons: + apt: + packages: + - dnsutils install: - cpanm Test::More - cpanm Data::Dumper From fa19ac168ff445e794fe440fff40e4b55c78bdfc Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:15:32 +0200 Subject: [PATCH 5/8] Be more verbose in your error testing --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d4ce9b2..46038c8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,4 +10,4 @@ install: - cpanm Data::Dumper - cpanm JSON script: - prove + - prove -v From ac7dd4da79bd563bbf0f965d8b6c403e263e68c7 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:24:57 +0200 Subject: [PATCH 6/8] CBC isn't done yet. Unit tests count themselves now --- t/01_badssl.com.t | 90 +++++++++++++++++++++++------------------------ 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index 01f82f1..07f21a9 100755 --- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -13,116 +13,116 @@ my ( $found, ); # OK -ok("Running testssl.sh against badssl.com"); +ok("Running testssl.sh against badssl.com\n"); tests++; my $okout = `./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); -cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); +cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); tests++; # Expiration -ok("Running testssl against expired.badssl.com"); +ok("Running testssl against expired.badssl.com\n"); tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`; -like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); +like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "expiration" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); + like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); +is($found,1,"We had a finding for this in the JSON output"); tests++; # Self signed and not-expired -ok("Running testssl against self-signed.badssl.com"); +ok("Running testssl against self-signed.badssl.com\n"); tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`; -like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); +like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "expiration" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); - is($f->{severity}, "OK", "Severity should be ok"); + like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); tests++; + is($f->{severity}, "OK", "Severity should be ok"); tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); +is($found,1,"We had a finding for this in the JSON output"); tests++; -like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); +like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); tests++; $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); + like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); +is($found,1,"We had a finding for this in the JSON output"); tests++; -like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); +like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); tests++; $found = 0; foreach my $f ( @$okjson ) { if ( $f->{id} eq "trust" ) { $found = 1; - is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); - is($f->{severity}, "OK", "Severity should be OK"); + is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); tests++; + is($f->{severity}, "OK", "Severity should be OK"); tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); +is($found,1,"We had a finding for this in the JSON output"); tests++; # Wrong host -#ok("Running testssl against wrong.host.badssl.com"); +#ok("Running testssl against wrong.host.badssl.com"); tests++; #$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`; -#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); +#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); tests++; #$json = json('tmp.json'); #$found = 0; #foreach my $f ( @$json ) { # if ( $f->{id} eq "expiration" ) { # $found = 1; -# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); -# is($f->{severity}, "ok", "Severity should be ok"); +# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); tests++; +# is($f->{severity}, "ok", "Severity should be ok"); tests++; # last; # } #} -#is($found,1,"We had a finding for this in the JSON output"); +#is($found,1,"We had a finding for this in the JSON output"); tests++; # Incomplete chain -ok("Running testssl against incomplete-chain.badssl.com"); +ok("Running testssl against incomplete-chain.badssl.com\n"); tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`; -like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); +like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); + like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); +is($found,1,"We had a finding for this in the JSON output"); tests++; # TODO: RSA 8192 -# CBC -ok("Running testssl against cbc.badssl.com"); -$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`; -like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); -$json = json('tmp.json'); -$found = 0; -foreach my $f ( @$json ) { - if ( $f->{id} eq "trust" ) { - $found = 1; - like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); - last; - } -} -is($found,1,"We had a finding for this in the JSON output"); +# TODO: CBC +#ok("Running testssl against cbc.badssl.com\n"); tests++; +#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`; +#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); tests++; +#$json = json('tmp.json'); +#$found = 0; +#foreach my $f ( @$json ) { +# if ( $f->{id} eq "trust" ) { +# $found = 1; +# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); tests++; +# is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; +# last; +# } +#} +#is($found,1,"We had a finding for this in the JSON output"); tests++; done_testing($tests); From 23ef87c1344efc0d2302a9ca67f84d760726e225 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:35:52 +0200 Subject: [PATCH 7/8] Making tests work correctly --- t/01_badssl.com.t | 70 +++++++++++++++++++++++------------------------ 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index 07f21a9..fa673c2 100755 --- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -13,116 +13,116 @@ my ( $found, ); # OK -ok("Running testssl.sh against badssl.com\n"); tests++; +pass("Running testssl.sh against badssl.com to craete a baseline (may take 2~3 minutes)"); $tests++; my $okout = `./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); -cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); tests++; +cmp_pass(@$okjson,'>',10,"We have more then 10 findings"); $tests++; # Expiration -ok("Running testssl against expired.badssl.com\n"); tests++; +pass("Running testssl against expired.badssl.com"); $tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`; -like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); tests++; +like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); $tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "expiration" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; + like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); $tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); tests++; +is($found,1,"We had a finding for this in the JSON output"); $tests++; # Self signed and not-expired -ok("Running testssl against self-signed.badssl.com\n"); tests++; +pass("Running testssl against self-signed.badssl.com"); $tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`; -like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); tests++; +like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); $tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "expiration" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); tests++; - is($f->{severity}, "OK", "Severity should be ok"); tests++; + like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); $tests++; + is($f->{severity}, "OK", "Severity should be ok"); $tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); tests++; +is($found,1,"We had a finding for this in the JSON output"); $tests++; -like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); tests++; +like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++; $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; + like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); tests++; +is($found,1,"We had a finding for this in the JSON output"); $tests++; -like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); tests++; +like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++; $found = 0; foreach my $f ( @$okjson ) { if ( $f->{id} eq "trust" ) { $found = 1; - is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); tests++; - is($f->{severity}, "OK", "Severity should be OK"); tests++; + is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); $tests++; + is($f->{severity}, "OK", "Severity should be OK"); $tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); tests++; +is($found,1,"We had a finding for this in the JSON output"); $tests++; # Wrong host -#ok("Running testssl against wrong.host.badssl.com"); tests++; +#pass("Running testssl against wrong.host.badssl.com"); $tests++; #$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`; -#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); tests++; +#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++; #$json = json('tmp.json'); #$found = 0; #foreach my $f ( @$json ) { # if ( $f->{id} eq "expiration" ) { # $found = 1; -# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); tests++; -# is($f->{severity}, "ok", "Severity should be ok"); tests++; +# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++; +# is($f->{severity}, "ok", "Severity should be ok"); $tests++; # last; # } #} -#is($found,1,"We had a finding for this in the JSON output"); tests++; +#is($found,1,"We had a finding for this in the JSON output"); $tests++; # Incomplete chain -ok("Running testssl against incomplete-chain.badssl.com\n"); tests++; +pass("Running testssl against incomplete-chain.badssl.com"); $tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`; -like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); tests++; +like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++; $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { if ( $f->{id} eq "trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; + like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; + is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; last; } } -is($found,1,"We had a finding for this in the JSON output"); tests++; +is($found,1,"We had a finding for this in the JSON output"); $tests++; # TODO: RSA 8192 # TODO: CBC -#ok("Running testssl against cbc.badssl.com\n"); tests++; +#pass("Running testssl against cbc.badssl.com"); $tests++; #$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`; -#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); tests++; +#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++; #$json = json('tmp.json'); #$found = 0; #foreach my $f ( @$json ) { # if ( $f->{id} eq "trust" ) { # $found = 1; -# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); tests++; -# is($f->{severity}, "NOT ok", "Severity should be NOT ok"); tests++; +# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; +# is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; # last; # } #} -#is($found,1,"We had a finding for this in the JSON output"); tests++; +#is($found,1,"We had a finding for this in the JSON output"); $tests++; done_testing($tests); From ec9276c17d27dbbb3db7074a7e3300526df791bf Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 29 Jun 2016 00:38:51 +0200 Subject: [PATCH 8/8] Serach and replace failure, fixed now --- t/01_badssl.com.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index fa673c2..0c9cb3c 100755 --- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -16,7 +16,7 @@ my ( pass("Running testssl.sh against badssl.com to craete a baseline (may take 2~3 minutes)"); $tests++; my $okout = `./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); -cmp_pass(@$okjson,'>',10,"We have more then 10 findings"); $tests++; +cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; # Expiration pass("Running testssl against expired.badssl.com"); $tests++;