mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-27 11:59:45 +01:00
Trim excess whitespace
This commit is contained in:
parent
6782e2a3b9
commit
b1f5c6c9af
2
.github/ISSUE_TEMPLATE/bug_report.md
vendored
@ -25,7 +25,7 @@ A clear and concise description of what you expected to happen.
|
|||||||
- Version: ``testssl.sh -b 2>/dev/null | head -4 | tail -2``
|
- Version: ``testssl.sh -b 2>/dev/null | head -4 | tail -2``
|
||||||
- Version if running from git repo: ``git log | head -1``
|
- Version if running from git repo: ``git log | head -1``
|
||||||
- OpenSSL: ``testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'``
|
- OpenSSL: ``testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'``
|
||||||
|
|
||||||
|
|
||||||
**Additional context**
|
**Additional context**
|
||||||
Add any other context about the problem here.
|
Add any other context about the problem here.
|
||||||
|
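Review bot: the before and after columns of this bug_report.md hunk read identically, so the change must be in trailing whitespace, and in Markdown two trailing spaces are a hard line break; check that the `- Version:` and `- OpenSSL:` items still render as separate lines, and confirm the change is whitespace-only with `git show -w` (empty output) and `git diff --check` on the parent.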
10
.github/workflows/docker-3.1dev.yml
vendored
@ -2,7 +2,7 @@ name: docker-3.1dev
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- 3.1dev
|
- 3.1dev
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
schedule:
|
schedule:
|
||||||
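Review bot: whitespace is structural in YAML, so a trim pass over docker-3.1dev.yml must touch trailing whitespace only; the `on:` / `push:` / `branches:` / `- 3.1dev` nesting in this hunk looks intact, but the rendered diff hides exactly the characters that changed, so run the file through yamllint or actionlint before merging rather than trusting the view.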
@ -19,12 +19,12 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Source checkout
|
- name: Source checkout
|
||||||
uses: actions/checkout@v2.3.4
|
uses: actions/checkout@v2.3.4
|
||||||
|
|
||||||
- name: Setup QEMU
|
- name: Setup QEMU
|
||||||
id: qemu
|
id: qemu
|
||||||
uses: docker/setup-qemu-action@v1.2.0
|
uses: docker/setup-qemu-action@v1.2.0
|
||||||
|
|
||||||
- name: Setup Buildx
|
- name: Setup Buildx
|
||||||
id: buildx
|
id: buildx
|
||||||
uses: docker/setup-buildx-action@v1
|
uses: docker/setup-buildx-action@v1
|
||||||
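Review bot: the three `uses:` lines in this hunk reference mutable tags (`actions/checkout@v2.3.4`, `docker/setup-qemu-action@v1.2.0` and the floating major `docker/setup-buildx-action@v1`); for a workflow that builds and publishes an image, pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<sha> # v2.3.4`, so a moved or hijacked tag cannot change what gets built. The bare `@v1` on setup-buildx-action is also inconsistent with the exact versions used on the other two steps.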
@ -38,7 +38,7 @@ jobs:
|
|||||||
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
|
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
|
||||||
org.opencontainers.image.revision=${{ github.sha }}
|
org.opencontainers.image.revision=${{ github.sha }}
|
||||||
org.opencontainers.image.title=${{ github.repository }}
|
org.opencontainers.image.title=${{ github.repository }}
|
||||||
|
|
||||||
- name: GitHub login
|
- name: GitHub login
|
||||||
if: ${{ github.event_name != 'pull_request' }}
|
if: ${{ github.event_name != 'pull_request' }}
|
||||||
uses: docker/login-action@v1.10.0
|
uses: docker/login-action@v1.10.0
|
||||||
|
@ -32,7 +32,6 @@
|
|||||||
* Added --reqheader to support custom headers in HTTP requests
|
* Added --reqheader to support custom headers in HTTP requests
|
||||||
* Test for support for RFC 8879 certificate compression
|
* Test for support for RFC 8879 certificate compression
|
||||||
|
|
||||||
|
|
||||||
### Features implemented / improvements in 3.0
|
### Features implemented / improvements in 3.0
|
||||||
|
|
||||||
* Full support of TLS 1.3, shows also drafts supported
|
* Full support of TLS 1.3, shows also drafts supported
|
||||||
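Review bot: the header `@ -32,7 +32,6 @@` shows a whole line disappearing, not just trailing whitespace being trimmed, so this commit also deletes blank lines between CHANGELOG sections (here one of the two blank lines ahead of `### Features implemented / improvements in 3.0`); the commit message "Trim excess whitespace" should say that blank lines are removed too, and the reviewer should confirm that only blank lines went.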
@ -115,7 +114,6 @@
|
|||||||
* Postgres und MySQL STARTTLS support
|
* Postgres und MySQL STARTTLS support
|
||||||
* Man page
|
* Man page
|
||||||
|
|
||||||
|
|
||||||
### New in 2.8
|
### New in 2.8
|
||||||
|
|
||||||
* Trust chain check against certificate stores from Apple (OS), Linux (OS),
|
* Trust chain check against certificate stores from Apple (OS), Linux (OS),
|
||||||
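Review bot: `* Postgres und MySQL STARTTLS support` has the German "und" for "and"; since this hunk touches the line anyway, change it to `* Postgres and MySQL STARTTLS support`.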
@ -169,7 +167,6 @@
|
|||||||
|
|
||||||
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
|
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
|
||||||
|
|
||||||
|
|
||||||
### New in 2.4
|
### New in 2.4
|
||||||
* "only one cmd line option at a time" is completely gone
|
* "only one cmd line option at a time" is completely gone
|
||||||
* several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long
|
* several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long
|
||||||
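Review bot: in the 2.4 entry `-- debug` has a stray space and should read `--debug` so it matches the other options on the line (`--assuming-http, --ssl-native, --sneaky, --warnings, --color, --debug, --long`); "b4" could also be spelled out as "before" while the line is being touched.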
@ -324,7 +321,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
|
|||||||
- fix for netweaver banner (server is lowercase)
|
- fix for netweaver banner (server is lowercase)
|
||||||
- no server banner is no disadvantage (color code)
|
- no server banner is no disadvantage (color code)
|
||||||
|
|
||||||
|
|
||||||
1.89
|
1.89
|
||||||
- reordered! : protocols + cipher come first
|
- reordered! : protocols + cipher come first
|
||||||
- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
|
- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
|
||||||
@ -471,7 +467,6 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
|
|||||||
default now and there's a comment
|
default now and there's a comment
|
||||||
* openssl version + path to it in the banner
|
* openssl version + path to it in the banner
|
||||||
|
|
||||||
|
|
||||||
1.20
|
1.20
|
||||||
* bugfix (ssl in ssl handshake failure is sometimes too much)
|
* bugfix (ssl in ssl handshake failure is sometimes too much)
|
||||||
* date in output
|
* date in output
|
||||||
|
@ -10,7 +10,7 @@ Note please the following
|
|||||||
* Document your PR, both in the PR and/or commit message and in the code.
|
* Document your PR, both in the PR and/or commit message and in the code.
|
||||||
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
|
* Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
|
||||||
* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
|
* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
|
||||||
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
|
* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
|
||||||
* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
|
* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
|
||||||
|
|
||||||
For questions just open an issue or feel free to send me an e-mail.
|
For questions just open an issue or feel free to send me an e-mail.
|
||||||
|
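Review bot: "You should check any complains from Travis" should be "complaints". The `~/doc/testssl.1.md` pointer uses `~` for the repository root, which most readers will take as the home directory; `doc/testssl.1.md` (relative to the checkout) would be unambiguous, and the same applies to `~/.travis.yml` further down in this file.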
@ -47,7 +47,7 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as
|
|||||||
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
|
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
|
||||||
* Unless you're really sure where the values come from, variables need to be put in quotes.
|
* Unless you're really sure where the values come from, variables need to be put in quotes.
|
||||||
* You can use `safe_echo()` when processing input which does some input validation.
|
* You can use `safe_echo()` when processing input which does some input validation.
|
||||||
* Use ``out()`` or similar output functions when writing something back to the user.
|
* Use ``out()`` or similar output functions when writing something back to the user.
|
||||||
* Use `$OPENSSL` instead of `openssl`. The latter is highly system depended and also $OPENSSL is a binary which capabilities are checked internally before using it, independent whether the supplied one is being used or another one.
|
* Use `$OPENSSL` instead of `openssl`. The latter is highly system depended and also $OPENSSL is a binary which capabilities are checked internally before using it, independent whether the supplied one is being used or another one.
|
||||||
|
|
||||||
#### Variables
|
#### Variables
|
||||||
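Review bot: the `$OPENSSL` bullet has grammar problems ("highly system depended", "a binary which capabilities are checked") and should read roughly "The latter is highly system dependent, and `$OPENSSL` is a binary whose capabilities are checked internally before it is used, regardless of whether the supplied one or another one is picked." It is also worth tying it to the quoting bullet above: `$OPENSSL` itself must be invoked as `"$OPENSSL"`, because the path can come from `--openssl=` on the command line and may contain spaces.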
@ -70,4 +70,3 @@ Bash is actually quite powerful -- not only with respect to sockets. It's not as
|
|||||||
* Unit tests are done automatically done with Perl using Travis. The trigger is `~/.travis.yml`. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. You are encouraged to write own checks. You can use e.g. `t/20_baseline_ipv4_http.t` as an example.
|
* Unit tests are done automatically done with Perl using Travis. The trigger is `~/.travis.yml`. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start. You are encouraged to write own checks. You can use e.g. `t/20_baseline_ipv4_http.t` as an example.
|
||||||
* If it's an OpenSSL feature you want to use and it could be not available for older OpenSSL versions testssl.sh needs to find out whether OpenSSL has that feature. Best do this with OpenSSL itself and not by checking the version as some vendors do backports. See the examples for `HAS_SSL2` or proxy option check of OpenSSL in `check_proxy()`.
|
* If it's an OpenSSL feature you want to use and it could be not available for older OpenSSL versions testssl.sh needs to find out whether OpenSSL has that feature. Best do this with OpenSSL itself and not by checking the version as some vendors do backports. See the examples for `HAS_SSL2` or proxy option check of OpenSSL in `check_proxy()`.
|
||||||
* If a feature of OpenSSL is not available you need to tell this the user by using `pr_warning*()`. Or accordingly with `fatal()` if a continuation of the program doesn't make sense anymore.
|
* If a feature of OpenSSL is not available you need to tell this the user by using `pr_warning*()`. Or accordingly with `fatal()` if a continuation of the program doesn't make sense anymore.
|
||||||
|
|
||||||
|
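Review bot: "Unit tests are done automatically done with Perl" repeats "done"; drop the first one. The header `@ -70,4 +70,3 @@` shows the file's trailing blank line being removed, which is fine as long as the new last line still ends in a newline (otherwise the next diff will carry a "\ No newline at end of file" marker).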
@ -5,7 +5,7 @@ RUN apk update && \
|
|||||||
apk add bash procps drill git coreutils libidn curl socat openssl xxd && \
|
apk add bash procps drill git coreutils libidn curl socat openssl xxd && \
|
||||||
rm -rf /var/cache/apk/* && \
|
rm -rf /var/cache/apk/* && \
|
||||||
addgroup testssl && \
|
addgroup testssl && \
|
||||||
adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
|
adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
|
||||||
ln -s /home/testssl/testssl.sh /usr/local/bin/ && \
|
ln -s /home/testssl/testssl.sh /usr/local/bin/ && \
|
||||||
mkdir -m 755 -p /home/testssl/etc /home/testssl/bin
|
mkdir -m 755 -p /home/testssl/etc /home/testssl/bin
|
||||||
|
|
||||||
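Review bot: `apk update && apk add ... && rm -rf /var/cache/apk/*` in this Dockerfile does the same job as `apk add --no-cache ...`, which the sibling Dockerfile.git in this very commit already uses; switching to `--no-cache` drops the manual cache cleanup and keeps the two images consistent. The package list is also unpinned, so two builds can ship different `openssl` and `socat` versions and therefore different scan results; pin at least those two if reproducible output matters.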
@ -14,7 +14,7 @@ WORKDIR /home/testssl/
|
|||||||
|
|
||||||
COPY --chown=testssl:testssl etc/. /home/testssl/etc/
|
COPY --chown=testssl:testssl etc/. /home/testssl/etc/
|
||||||
COPY --chown=testssl:testssl bin/. /home/testssl/bin/
|
COPY --chown=testssl:testssl bin/. /home/testssl/bin/
|
||||||
COPY --chown=testssl:testssl testssl.sh /home/testssl/
|
COPY --chown=testssl:testssl testssl.sh /home/testssl/
|
||||||
|
|
||||||
ENTRYPOINT ["testssl.sh"]
|
ENTRYPOINT ["testssl.sh"]
|
||||||
|
|
||||||
|
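Review bot: `ENTRYPOINT ["testssl.sh"]` depends on the `ln -s /home/testssl/testssl.sh /usr/local/bin/` step from the earlier hunk, and the COPYs here are `--chown=testssl:testssl`, so the image clearly intends to run unprivileged; confirm that a `USER testssl` switch precedes this ENTRYPOINT (it is outside this hunk's context), otherwise the scanner runs as root inside the container.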
@ -11,7 +11,7 @@ ARG URL=https://github.com/drwetter/testssl.sh.git
|
|||||||
RUN test -n "${BUILD_VERSION}" \
|
RUN test -n "${BUILD_VERSION}" \
|
||||||
&& apk update \
|
&& apk update \
|
||||||
&& apk add --no-cache bash procps drill git coreutils libidn curl socat openssl xxd \
|
&& apk add --no-cache bash procps drill git coreutils libidn curl socat openssl xxd \
|
||||||
&& git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \
|
&& git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \
|
||||||
&& addgroup testssl \
|
&& addgroup testssl \
|
||||||
&& adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
|
&& adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
|
||||||
&& ln -s /home/testssl/testssl.sh /usr/local/bin/ \
|
&& ln -s /home/testssl/testssl.sh /usr/local/bin/ \
|
||||||
|
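Review bot: `git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl` checks out whatever `${BUILD_VERSION}` happens to point at when the image is built; a branch moves and a tag can be re-pointed, so the image is not reproducible or verifiable from `BUILD_VERSION` alone. Add an expected commit (e.g. an `ARG COMMIT_SHA` and `test "$(git -C /home/testssl rev-parse HEAD)" = "${COMMIT_SHA}"` right after the clone) or at least record the resolved SHA in an image label, and quote `"$URL"` like the other variables on the line.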
@ -73,9 +73,9 @@ For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/b
|
|||||||
|
|
||||||
### Status
|
### Status
|
||||||
|
|
||||||
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
|
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
|
||||||
|
|
||||||
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
|
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
|
||||||
|
|
||||||
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
|
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
|
||||||
|
|
||||||
|
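Review bot: in the Status paragraph, "before merged into 3.1dev" should be "before being merged into 3.1dev" and "Albeit we try to keep 3.1dev as solid as possible things will certainly change" reads better as "Although we try to keep 3.1dev as solid as possible, things will certainly change".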
@ -6,7 +6,7 @@ All the precompiled binaries provided here have extended support for
|
|||||||
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
|
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
|
||||||
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
|
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
|
||||||
features needed for testing. OTOH they also come with extended support
|
features needed for testing. OTOH they also come with extended support
|
||||||
for new / advanced cipher suites and/or features which are not in the
|
for new / advanced cipher suites and/or features which are not in the
|
||||||
official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
|
official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
|
||||||
They also have IPv6 support, see below.
|
They also have IPv6 support, see below.
|
||||||
|
|
||||||
@ -17,17 +17,17 @@ fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
|
|||||||
Compiled Linux and FreeBSD binaries so far come from Dirk, other
|
Compiled Linux and FreeBSD binaries so far come from Dirk, other
|
||||||
contributors see ../CREDITS.md .
|
contributors see ../CREDITS.md .
|
||||||
|
|
||||||
**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all
|
**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all
|
||||||
binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball @
|
binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball @
|
||||||
https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz**
|
https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz**
|
||||||
|
|
||||||
The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
|
The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
|
||||||
and will be picked up from testssl.sh if you run testssl.sh directly
|
and will be picked up from testssl.sh if you run testssl.sh directly
|
||||||
off the git directory. Otherwise you need ``testssl.sh`` to point to it
|
off the git directory. Otherwise you need ``testssl.sh`` to point to it
|
||||||
via the argument (``--openssl=<here>``) or as an environment variable
|
via the argument (``--openssl=<here>``) or as an environment variable
|
||||||
(``OPENSSL=<here> testssl.sh <yourargs>``).
|
(``OPENSSL=<here> testssl.sh <yourargs>``).
|
||||||
|
|
||||||
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
|
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
|
||||||
they won't be picked up automatically as you need to make sure first they
|
they won't be picked up automatically as you need to make sure first they
|
||||||
run (see libraries below).
|
run (see libraries below).
|
||||||
|
|
||||||
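Review bot: the bold markup in "**I discontinued to upload ... ** (ARM7l, ...) **as it is not very appropriate ..." is broken by the space before the first closing `**`, so the paragraph will not render as intended. More importantly, the binaries at `https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/` and the tarball are referenced without any checksum or signature, yet testssl.sh picks up `openssl.$(uname).$(uname -m)` from the git directory automatically; publish SHA-256 sums (or a signature) next to the download and tell users to verify before dropping a binary in.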
@ -39,15 +39,15 @@ General
|
|||||||
-------
|
-------
|
||||||
|
|
||||||
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
|
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
|
||||||
cannot use them for older distributions, younger worked in all my test environments.
|
cannot use them for older distributions, younger worked in all my test environments.
|
||||||
I provide for each distributions two sets of binaries (no IPv6 here):
|
I provide for each distributions two sets of binaries (no IPv6 here):
|
||||||
|
|
||||||
* completely statically linked binaries
|
* completely statically linked binaries
|
||||||
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
|
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
|
||||||
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
|
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
|
||||||
|
|
||||||
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
|
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
|
||||||
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
|
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
|
||||||
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
|
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
|
||||||
static kerberos libs and I did not bother to compile them from the sources.
|
static kerberos libs and I did not bother to compile them from the sources.
|
||||||
|
|
||||||
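Review bot: "I provide for each distributions two sets of binaries" should be "for each distribution", and "younger worked in all my test environments" is clearer as "newer ones worked in all my test environments".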
@ -96,16 +96,16 @@ or use my repo:
|
|||||||
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
||||||
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
||||||
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
||||||
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
||||||
|
|
||||||
IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already
|
IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already
|
||||||
in my branch). This doesn't give you the option of an IPv6 enabled proxy yet.
|
in my branch). This doesn't give you the option of an IPv6 enabled proxy yet.
|
||||||
It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as
|
It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as
|
||||||
later on you can tell them apart by``openssl version -a``.
|
later on you can tell them apart by``openssl version -a``.
|
||||||
|
|
||||||
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
|
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
|
||||||
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
|
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
|
||||||
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
|
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
|
||||||
``-DTEMP_GOST_TLS``.
|
``-DTEMP_GOST_TLS``.
|
||||||
|
|
||||||
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
|
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
|
||||||
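Review bot: "tell them apart by``openssl version -a``" is missing the space before the opening backticks, which breaks the code span. Since the `./config` line above deliberately turns on SSLv2, RC2, MD2, export ciphers and the like, the "Never use these binaries for anything other than testing" warning that appears only at the end of the file deserves a one-line repeat next to the build command.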
@ -118,10 +118,10 @@ If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit
|
|||||||
5.) make report (check whether it runs ok!)
|
5.) make report (check whether it runs ok!)
|
||||||
|
|
||||||
6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me
|
6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me
|
||||||
* 193(+4 GOST) ciphers including kerberos
|
* 193(+4 GOST) ciphers including kerberos
|
||||||
* 179(+4 GOST) ciphers without kerberos
|
* 179(+4 GOST) ciphers without kerberos
|
||||||
|
|
||||||
as opposed to ~110 from Ubuntu or Opensuse.
|
as opposed to ~110 from Ubuntu or Opensuse.
|
||||||
|
|
||||||
**Never use these binaries for anything other than testing**
|
**Never use these binaries for anything other than testing**
|
||||||
|
|
||||||
@ -130,5 +130,3 @@ Enjoy, Dirk
|
|||||||
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
|
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
|
||||||
|
|
||||||
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
|
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
|
||||||
|
|
||||||
|
|
||||||
|
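Review bot: reference `[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29` encodes both parentheses as `%29` (a closing `)`), so the URL resolves to `GOST_)block_cipher)` and is broken; the opening parenthesis is `%28`, i.e. `https://en.wikipedia.org/wiki/GOST_%28block_cipher%29`. Reference `[2]` is plain `http://`; switch it to `https://` if fossies.org serves it, so the fetch is authenticated.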
@ -14,7 +14,7 @@ The certificate trust stores were retrieved from
|
|||||||
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
|
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
|
||||||
--> "Category" --> "All Items"
|
--> "Category" --> "All Items"
|
||||||
Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
|
Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
|
||||||
2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
|
2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/``
|
||||||
|
|
||||||
|
|
||||||
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
|
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
|
||||||
|
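Review bot: the `wget ... https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/` command does not work as written, because wget only expands `*` for FTP URLs, not HTTP(S); the text should say that the `*` has to be replaced with the subdirectory number picked in the first sentence. Since these files become the Apple trust store that testssl.sh verifies chains against, it is also worth adding a sanity check after the download, e.g. iterating the DER files with `openssl x509 -inform DER -noout -subject` and comparing the count against the directory listing.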
@ -22,7 +22,3 @@ The whole process is done manually.
|
|||||||
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
|
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
|
||||||
* Figure out the services by applying a good piece of human logic
|
* Figure out the services by applying a good piece of human logic
|
||||||
* Before submitting a PR: test it yourself! You can also watch it again via wireshark
|
* Before submitting a PR: test it yourself! You can also watch it again via wireshark
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
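Review bot: "ciphersutes" in `* "ciphersutes" are TLS 1.3 ciphersuites` should be "ciphersuites". The header `@ -22,7 +22,3 @@` shows four trailing blank lines dropped at end of file, which is what the commit message promises.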
@ -59,4 +59,3 @@ sub json($) {
|
|||||||
unlink $file;
|
unlink $file;
|
||||||
return from_json($file);
|
return from_json($file);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
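Review bot: in `sub json`, `unlink $file;` followed by `return from_json($file);` hands the same `$file` value to both calls, but `unlink` expects a path while `from_json` expects JSON text, so one of the two gets the wrong argument: either `$file` was overwritten with the file contents earlier (then the `unlink` silently fails and the temporary file is left behind) or it was not (then `from_json` tries to parse a filename). Read the contents into a separate variable, `unlink` the path, then decode the contents.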