From b1f5c6c9afec9db0d54110637ebf1f1bcc9e26c6 Mon Sep 17 00:00:00 2001 From: a1346054 <36859588+a1346054@users.noreply.github.com> Date: Fri, 3 Sep 2021 21:32:24 +0000 Subject: [PATCH] Trim excess whitespace --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- .github/workflows/docker-3.1dev.yml | 10 +++++----- CHANGELOG.md | 5 ----- CONTRIBUTING.md | 2 +- Coding_Convention.md | 3 +-- Dockerfile | 4 ++-- Dockerfile.git | 2 +- Readme.md | 4 ++-- bin/Readme.md | 30 +++++++++++++--------------- etc/README.md | 2 +- etc/client-simulation.wiresharked.md | 4 ---- t/11_baseline_ipv6_http.t.DISABLED | 1 - 12 files changed, 28 insertions(+), 41 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index a321318..e91f337 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -25,7 +25,7 @@ A clear and concise description of what you expected to happen. - Version: ``testssl.sh -b 2>/dev/null | head -4 | tail -2`` - Version if running from git repo: ``git log | head -1`` - OpenSSL: ``testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'`` - + **Additional context** Add any other context about the problem here. diff --git a/.github/workflows/docker-3.1dev.yml b/.github/workflows/docker-3.1dev.yml index 37d3337..af7ad59 100644 --- a/.github/workflows/docker-3.1dev.yml +++ b/.github/workflows/docker-3.1dev.yml @@ -2,7 +2,7 @@ name: docker-3.1dev on: push: - branches: + branches: - 3.1dev workflow_dispatch: schedule: @@ -19,12 +19,12 @@ jobs: steps: - name: Source checkout - uses: actions/checkout@v2.3.4 - + uses: actions/checkout@v2.3.4 + - name: Setup QEMU id: qemu uses: docker/setup-qemu-action@v1.2.0 - + - name: Setup Buildx id: buildx uses: docker/setup-buildx-action@v1 @@ -38,7 +38,7 @@ jobs: org.opencontainers.image.version=${{ env.BUILD_VERSION }} org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.title=${{ github.repository }} - + - name: GitHub login if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@v1.10.0 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c489d2..81b3713 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,7 +32,6 @@ * Added --reqheader to support custom headers in HTTP requests * Test for support for RFC 8879 certificate compression - ### Features implemented / improvements in 3.0 * Full support of TLS 1.3, shows also drafts supported @@ -115,7 +114,6 @@ * Postgres und MySQL STARTTLS support * Man page - ### New in 2.8 * Trust chain check against certificate stores from Apple (OS), Linux (OS), @@ -169,7 +167,6 @@ Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh - ### New in 2.4 * "only one cmd line option at a time" is completely gone * several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long @@ -324,7 +321,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh - fix for netweaver banner (server is lowercase) - no server banner is no disadvantage (color code) - 1.89 - reordered! : protocols + cipher come first - colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) @@ -471,7 +467,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh default now and there's a comment * openssl version + path to it in the banner - 1.20 * bugfix (ssl in ssl handshake failure is sometimes too much) * date in output diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8597f2d..5953205 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,7 +10,7 @@ Note please the following * Document your PR, both in the PR and/or commit message and in the code. * Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings. * Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`. -* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. +* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. * If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md` For questions just open an issue or feel free to send me an e-mail. diff --git a/Coding_Convention.md b/Coding_Convention.md index 03122d1..72abadd 100644 --- a/Coding_Convention.md +++ b/Coding_Convention.md @@ -47,7 +47,7 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted. * Unless you're really sure where the values come from, variables need to be put in quotes. * You can use `safe_echo()` when processing input which does some input validation. - * Use ``out()`` or similar output functions when writing something back to the user. + * Use ``out()`` or similar output functions when writing something back to the user. * Use `$OPENSSL` instead of `openssl`. The latter is highly system depended and also $OPENSSL is a binary which capabilities are checked internally before using it, independent whether the supplied one is being used or another one. #### Variables @@ -70,4 +70,3 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as * Unit tests are done automatically done with Perl using Travis. The trigger is `~/.travis.yml`. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. You are encouraged to write own checks. You can use e.g. `t/20_baseline_ipv4_http.t` as an example. * If it's an OpenSSL feature you want to use and it could be not available for older OpenSSL versions testssl.sh needs to find out whether OpenSSL has that feature. Best do this with OpenSSL itself and not by checking the version as some vendors do backports. See the examples for `HAS_SSL2` or proxy option check of OpenSSL in `check_proxy()`. * If a feature of OpenSSL is not available you need to tell this the user by using `pr_warning*()`. Or accordingly with `fatal()` if a continuation of the program doesn't make sense anymore. - diff --git a/Dockerfile b/Dockerfile index 08514dc..cce2cca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ RUN apk update && \ apk add bash procps drill git coreutils libidn curl socat openssl xxd && \ rm -rf /var/cache/apk/* && \ addgroup testssl && \ - adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \ + adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \ ln -s /home/testssl/testssl.sh /usr/local/bin/ && \ mkdir -m 755 -p /home/testssl/etc /home/testssl/bin @@ -14,7 +14,7 @@ WORKDIR /home/testssl/ COPY --chown=testssl:testssl etc/. /home/testssl/etc/ COPY --chown=testssl:testssl bin/. /home/testssl/bin/ -COPY --chown=testssl:testssl testssl.sh /home/testssl/ +COPY --chown=testssl:testssl testssl.sh /home/testssl/ ENTRYPOINT ["testssl.sh"] diff --git a/Dockerfile.git b/Dockerfile.git index 50106a3..114b6b9 100644 --- a/Dockerfile.git +++ b/Dockerfile.git @@ -11,7 +11,7 @@ ARG URL=https://github.com/drwetter/testssl.sh.git RUN test -n "${BUILD_VERSION}" \ && apk update \ && apk add --no-cache bash procps drill git coreutils libidn curl socat openssl xxd \ - && git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \ + && git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \ && addgroup testssl \ && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \ && ln -s /home/testssl/testssl.sh /usr/local/bin/ \ diff --git a/Readme.md b/Readme.md index 209ca74..f8548da 100644 --- a/Readme.md +++ b/Readme.md @@ -73,9 +73,9 @@ For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/b ### Status -We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you. +We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you. -Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released. +Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released. Support for 2.9.5 has been dropped. Supported is >= 3.0.x only. diff --git a/bin/Readme.md b/bin/Readme.md index fba59ed..e59638a 100644 --- a/bin/Readme.md +++ b/bin/Readme.md @@ -6,7 +6,7 @@ All the precompiled binaries provided here have extended support for everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit, export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty features needed for testing. OTOH they also come with extended support -for new / advanced cipher suites and/or features which are not in the +for new / advanced cipher suites and/or features which are not in the official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers. They also have IPv6 support, see below. @@ -17,17 +17,17 @@ fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter! Compiled Linux and FreeBSD binaries so far come from Dirk, other contributors see ../CREDITS.md . -**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all +**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball @ https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz** The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)`` and will be picked up from testssl.sh if you run testssl.sh directly -off the git directory. Otherwise you need ``testssl.sh`` to point to it +off the git directory. Otherwise you need ``testssl.sh`` to point to it via the argument (``--openssl=``) or as an environment variable (``OPENSSL= testssl.sh ``). -The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support, +The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support, they won't be picked up automatically as you need to make sure first they run (see libraries below). @@ -39,15 +39,15 @@ General ------- Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you -cannot use them for older distributions, younger worked in all my test environments. +cannot use them for older distributions, younger worked in all my test environments. I provide for each distributions two sets of binaries (no IPv6 here): * completely statically linked binaries * dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name). - They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt). + They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt). -For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to -install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, +For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to +install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no static kerberos libs and I did not bother to compile them from the sources. @@ -96,16 +96,16 @@ or use my repo: ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \ enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \ enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \ - -static experimental-jpake -DOPENSSL_USE_BUILD_DATE + -static experimental-jpake -DOPENSSL_USE_BUILD_DATE IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already in my branch). This doesn't give you the option of an IPv6 enabled proxy yet. It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as later on you can tell them apart by``openssl version -a``. -Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST -ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make -problems under some circumstances, so unless you desperately need those ciphers I would stay away from +Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST +ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make +problems under some circumstances, so unless you desperately need those ciphers I would stay away from ``-DTEMP_GOST_TLS``. If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT" @@ -118,10 +118,10 @@ If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit 5.) make report (check whether it runs ok!) 6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me -* 193(+4 GOST) ciphers including kerberos +* 193(+4 GOST) ciphers including kerberos * 179(+4 GOST) ciphers without kerberos -as opposed to ~110 from Ubuntu or Opensuse. +as opposed to ~110 from Ubuntu or Opensuse. **Never use these binaries for anything other than testing** @@ -130,5 +130,3 @@ Enjoy, Dirk [1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29 [2] http://fossies.org/linux/openssl/engines/ccgost/README.gost - - diff --git a/etc/README.md b/etc/README.md index 51f1d1d..5f16b06 100644 --- a/etc/README.md +++ b/etc/README.md @@ -14,7 +14,7 @@ The certificate trust stores were retrieved from --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items" - 2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/`` + 2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/`` Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy. diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md index 6ed28a4..0ca10f3 100644 --- a/etc/client-simulation.wiresharked.md +++ b/etc/client-simulation.wiresharked.md @@ -22,7 +22,3 @@ The whole process is done manually. * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh`` * Figure out the services by applying a good piece of human logic * Before submitting a PR: test it yourself! You can also watch it again via wireshark - - - - diff --git a/t/11_baseline_ipv6_http.t.DISABLED b/t/11_baseline_ipv6_http.t.DISABLED index e8253f8..affa18a 100755 --- a/t/11_baseline_ipv6_http.t.DISABLED +++ b/t/11_baseline_ipv6_http.t.DISABLED @@ -59,4 +59,3 @@ sub json($) { unlink $file; return from_json($file); } -