Trim excess whitespace

This commit is contained in:
a1346054 2021-09-03 21:32:24 +00:00
parent 6782e2a3b9
commit b1f5c6c9af
12 changed files with 28 additions and 41 deletions

View File

@ -25,7 +25,7 @@ A clear and concise description of what you expected to happen.
- Version: ``testssl.sh -b 2>/dev/null | head -4 | tail -2``
- Version if running from git repo: ``git log | head -1``
- OpenSSL: ``testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'``
**Additional context**
Add any other context about the problem here.

View File

@ -2,7 +2,7 @@ name: docker-3.1dev
on:
push:
branches:
branches:
- 3.1dev
workflow_dispatch:
schedule:
@ -19,12 +19,12 @@ jobs:
steps:
- name: Source checkout
uses: actions/checkout@v2.3.4
uses: actions/checkout@v2.3.4
- name: Setup QEMU
id: qemu
uses: docker/setup-qemu-action@v1.2.0
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@v1
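Review bot: the `uses:` lines in this hunk reference actions by mutable tags (`actions/checkout@v2.3.4`, `docker/setup-qemu-action@v1.2.0`, `docker/setup-buildx-action@v1`), and `@v1` floats with every release of that action. A later step in this workflow logs in with `docker/login-action`, so consider pinning each action to a full commit SHA, with the tag kept as a trailing comment, so that a moved tag cannot change what runs next to the registry credentials.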
@ -38,7 +38,7 @@ jobs:
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.title=${{ github.repository }}
- name: GitHub login
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@v1.10.0

View File

@ -32,7 +32,6 @@
* Added --reqheader to support custom headers in HTTP requests
* Test for support for RFC 8879 certificate compression
### Features implemented / improvements in 3.0
* Full support of TLS 1.3, shows also drafts supported
@ -115,7 +114,6 @@
* Postgres und MySQL STARTTLS support
* Man page
### New in 2.8
* Trust chain check against certificate stores from Apple (OS), Linux (OS),
@ -169,7 +167,6 @@
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
### New in 2.4
* "only one cmd line option at a time" is completely gone
* several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long
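Review bot: the option list under "New in 2.4" still reads `--color, -- debug, --long`, with a stray space inside `-- debug`. Since this commit is about excess whitespace, fix it to `--debug` here as well; as written, the entry documents an option that cannot be typed as shown.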
@ -324,7 +321,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
- fix for netweaver banner (server is lowercase)
- no server banner is no disadvantage (color code)
1.89
- reordered! : protocols + cipher come first
- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
@ -471,7 +467,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
default now and there's a comment
* openssl version + path to it in the banner
1.20
* bugfix (ssl in ssl handshake failure is sometimes too much)
* date in output

View File

@ -10,7 +10,7 @@ Note please the following
* Document your PR, both in the PR and/or commit message and in the code.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
For questions just open an issue or feel free to send me an e-mail.

View File

@ -47,7 +47,7 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
* Unless you're really sure where the values come from, variables need to be put in quotes.
* You can use `safe_echo()` when processing input which does some input validation.
* Use ``out()`` or similar output functions when writing something back to the user.
* Use ``out()`` or similar output functions when writing something back to the user.
* Use `$OPENSSL` instead of `openssl`. The latter is highly system depended and also $OPENSSL is a binary which capabilities are checked internally before using it, independent whether the supplied one is being used or another one.
#### Variables
@ -70,4 +70,3 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as
* Unit tests are done automatically done with Perl using Travis. The trigger is `~/.travis.yml`. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. You are encouraged to write own checks. You can use e.g. `t/20_baseline_ipv4_http.t` as an example.
* If it's an OpenSSL feature you want to use and it could be not available for older OpenSSL versions testssl.sh needs to find out whether OpenSSL has that feature. Best do this with OpenSSL itself and not by checking the version as some vendors do backports. See the examples for `HAS_SSL2` or proxy option check of OpenSSL in `check_proxy()`.
* If a feature of OpenSSL is not available you need to tell this the user by using `pr_warning*()`. Or accordingly with `fatal()` if a continuation of the program doesn't make sense anymore.

View File

@ -5,7 +5,7 @@ RUN apk update && \
apk add bash procps drill git coreutils libidn curl socat openssl xxd && \
rm -rf /var/cache/apk/* && \
addgroup testssl && \
adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
ln -s /home/testssl/testssl.sh /usr/local/bin/ && \
mkdir -m 755 -p /home/testssl/etc /home/testssl/bin
@ -14,7 +14,7 @@ WORKDIR /home/testssl/
COPY --chown=testssl:testssl etc/. /home/testssl/etc/
COPY --chown=testssl:testssl bin/. /home/testssl/bin/
COPY --chown=testssl:testssl testssl.sh /home/testssl/
COPY --chown=testssl:testssl testssl.sh /home/testssl/
ENTRYPOINT ["testssl.sh"]

View File

@ -11,7 +11,7 @@ ARG URL=https://github.com/drwetter/testssl.sh.git
RUN test -n "${BUILD_VERSION}" \
&& apk update \
&& apk add --no-cache bash procps drill git coreutils libidn curl socat openssl xxd \
&& git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \
&& git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \
&& addgroup testssl \
&& adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
&& ln -s /home/testssl/testssl.sh /usr/local/bin/ \
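Review bot: on the `git clone` line the build arguments are expanded unquoted (`--branch ${BUILD_VERSION} $URL`), while the `test -n "${BUILD_VERSION}"` two lines above quotes the same variable. Quote both (`--branch "${BUILD_VERSION}" "$URL"`) so a value containing spaces or glob characters cannot be split into extra `git` arguments. With `apk add --no-cache` in place, the preceding `apk update` is also redundant and can be dropped.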

View File

@ -73,9 +73,9 @@ For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/b
### Status
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.

View File

@ -6,7 +6,7 @@ All the precompiled binaries provided here have extended support for
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
features needed for testing. OTOH they also come with extended support
for new / advanced cipher suites and/or features which are not in the
for new / advanced cipher suites and/or features which are not in the
official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
They also have IPv6 support, see below.
@ -17,17 +17,17 @@ fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
Compiled Linux and FreeBSD binaries so far come from Dirk, other
contributors see ../CREDITS.md .
**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all
**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all
binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball @
https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz**
The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
and will be picked up from testssl.sh if you run testssl.sh directly
off the git directory. Otherwise you need ``testssl.sh`` to point to it
off the git directory. Otherwise you need ``testssl.sh`` to point to it
via the argument (``--openssl=<here>``) or as an environment variable
(``OPENSSL=<here> testssl.sh <yourargs>``).
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
they won't be picked up automatically as you need to make sure first they
run (see libraries below).
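Review bot: the bold markup on the "I discontinued to upload" line is still malformed after the trim: `GitHub **` has a space before the closing asterisks, so the first bold span is not closed as emphasis, and the second span runs across three lines up to `tar.gz**`. Remove the space before the closing `**` and consider making the whole notice one bold paragraph, or dropping the bold from the parenthetical, so the download location renders as intended.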
@ -39,15 +39,15 @@ General
-------
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
cannot use them for older distributions, younger worked in all my test environments.
cannot use them for older distributions, younger worked in all my test environments.
I provide for each distributions two sets of binaries (no IPv6 here):
* completely statically linked binaries
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
static kerberos libs and I did not bother to compile them from the sources.
@ -96,16 +96,16 @@ or use my repo:
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already
in my branch). This doesn't give you the option of an IPv6 enabled proxy yet.
It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as
later on you can tell them apart by``openssl version -a``.
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
``-DTEMP_GOST_TLS``.
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
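Review bot: in the `-DOPENSSL_USE_IPV6` paragraph, "tell them apart by``openssl version -a``" is missing the space between "by" and the opening backticks, which can stop the inline code from rendering. This is the opposite of the whitespace problem the commit fixes, but it sits in the same hunk and is worth correcting here.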
@ -118,10 +118,10 @@ If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit
5.) make report (check whether it runs ok!)
6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me
* 193(+4 GOST) ciphers including kerberos
* 193(+4 GOST) ciphers including kerberos
* 179(+4 GOST) ciphers without kerberos
as opposed to ~110 from Ubuntu or Opensuse.
as opposed to ~110 from Ubuntu or Opensuse.
**Never use these binaries for anything other than testing**
@ -130,5 +130,3 @@ Enjoy, Dirk
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
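Review bot: reference [1] is `https://en.wikipedia.org/wiki/GOST_%29block_cipher%29`, where both escapes are `%29` (a closing parenthesis). The first one should be `%28` so the link resolves to `GOST_(block_cipher)`. Reference [2] is also plain `http://`; switch it to `https://` if the host serves it.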

View File

@ -14,7 +14,7 @@ The certificate trust stores were retrieved from
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
--> "Category" --> "All Items"
Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
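Review bot: the `wget` command on the changed line passes `security_certificates-*` inside an `https://` URL. wget only expands wildcards for FTP URLs, so the command does not work as pasted. Since step 2 already tells the reader to pick the latest subdirectory, write the version as an explicit placeholder (for example `security_certificates-<version>`) and put the URL in quotes so the shell leaves it alone.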

View File

@ -22,7 +22,3 @@ The whole process is done manually.
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
* Figure out the services by applying a good piece of human logic
* Before submitting a PR: test it yourself! You can also watch it again via wireshark

View File

@ -59,4 +59,3 @@ sub json($) {
unlink $file;
return from_json($file);
}
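Review bot: in `json()`, `unlink $file` and `from_json($file)` receive the same variable, but `unlink` needs a path and `from_json` needs the JSON text, so one of the two calls cannot be doing what it is meant to. Keep the path and the file contents in separate variables, and check the return value of `unlink` so a file left behind shows up in the test run.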