From 5af152d57570672690610db096c84b6b657236e6 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 May 2024 13:53:09 +0200 Subject: [PATCH 1/3] Address overwrite option to --file/-iL with warnings off When choosing --file or -iL, warnings were set in any case to --batch which needs e.g. currently an interaction when doing batch scanning. This PR enables supplying WARNINGS / --warnings =off before so that the interaction is not needed. See also #2496. --- testssl.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 4f5cdd1..fdaea4e 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2306,7 +2306,7 @@ s_client_options() { fi fi fi - + # In case of mutual TLS authentication is required by the server # Note: the PEM certificate file must contain: client certificate and key (not encrypted) if [[ -n "$MTLS" ]]; then @@ -23585,7 +23585,8 @@ parse_cmd_line() { FNAME="$(parse_opt_equal_sign "$1" "$2")" [[ $? -eq 0 ]] && shift IKNOW_FNAME=true - WARNINGS="batch" # set this implicitly! + # If WARNINGS was set to "off, we shouldn't overwrite it, see #2496. "batch" is set implicitly otherwise + [[ "$WARNINGS" != off ]] && WARNINGS="batch" do_mass_testing=true ;; --mode|--mode=*) From 0d5bb1cd17d557e3503d64dcf6c00b8906f38aa3 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 May 2024 14:00:39 +0200 Subject: [PATCH 2/3] mute codespell --- .github/workflows/codespell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index c41d337..a2cfa57 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
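Review bot: in the parse_cmd_line hunk, `[[ "$WARNINGS" != off ]] && WARNINGS="batch"` honours only the exact lowercase literal `off`; any other spelling the `--warnings` handler might accept for the same meaning (a case variant or a synonym) would still be overwritten with `batch` when `--file`/`-iL` follows it on the command line, so compare against the same normalized value the `--warnings` handler stores. The new comment also has an unbalanced quote: `"off,` should be `"off",`. The s_client_options hunk in the same commit is a whitespace-only change unrelated to the stated purpose.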
@@ -12,5 +12,5 @@ jobs: - uses: actions/checkout@v4 - uses: codespell-project/actions-codespell@master with: - skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf + skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,fedora-dirk-ipv6.diff ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull From ed087197fe9357eb84e884fe720c35dd394c292c Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 May 2024 14:00:59 +0200 Subject: [PATCH 3/3] Add docu for #2497 --- doc/testssl.1 | 2 +- doc/testssl.1.html | 4 ++-- doc/testssl.1.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 7d01acb..c192cb3 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -60,7 +60,7 @@ Options are either short or long options\. Any long or short option requiring a .SS "INPUT PARAMETERS" \fBURI\fR can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL\. IPv6 addresses need to be in square brackets\. For any given parameter port 443 is assumed unless specified by appending a colon and a port number\. The only preceding protocol specifier allowed is \fBhttps\fR\. You need to be aware that checks for an IP address might not hit the vhost you want\. DNS resolution (A/AAAA record) is being performed unless you have an \fB/etc/hosts\fR entry for the hostname\. .P -\fB\-\-file \fR or the equivalent \fB\-iL \fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file \fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\. +\fB\-\-file \fR or the equivalent \fB\-iL \fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. 
You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file \fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\. .P Alternatively \fBfname\fR can be in \fBnmap\fR's grep(p)able output format (\fB\-oG\fR)\. Only open ports will be considered\. Multiple ports per line are allowed\. The ports can be different and will be tested by testssl\.sh according to common practice in the internet, i\.e\. if nmap shows in its output an open port 25, automatically \fB\-t smtp\fR will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront\. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl\.sh\. .P diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 05dc144..17a8ddf 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -160,7 +160,7 @@ linked OpenSSL binaries for major operating systems are supplied in ./bin/

URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an /etc/hosts entry for the hostname.

-

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking testssl.sh --wide --log --file <fname> . Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.

+

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking testssl.sh --wide --log --file <fname> . Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.

Alternatively fname can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.

@@ -193,7 +193,7 @@ The same can be achieved by setting the environment variable WARNINGS--reqheader <header> This can be used to add additional HTTP request headers in the correct format Headername: headercontent. This parameter can be called multiple times if required. For example: --reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'. REQHEADER is the corresponding environment variable.

--mtls <path_to_client_cert> This can be set to provide a file containing a client certificatete and a private key (not encrypted) in PEM format, which is used when a mutual TLS authentication is required by the remote server. MTLS is the is the equivalent environment variable.

- +

SPECIAL INVOCATIONS

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, sieve, xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with --ssl-native. irc is WIP.

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 2459d48..65c1df9 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md 
@@ -80,7 +80,7 @@ Options are either short or long options. Any long or short option requiring a v `URI` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is `https`. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an `/etc/hosts` entry for the hostname. -`--file ` or the equivalent `-iL ` are mass testing options. Per default it implicitly turns on `--warnings batch`. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file ` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned. +`--file ` or the equivalent `-iL ` are mass testing options. Per default it implicitly turns on `--warnings batch`, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file ` . 
Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned. Alternatively `fname` can be in `nmap`'s grep(p)able output format (`-oG`). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically `-t smtp` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.
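Review bot: in the doc/testssl.1 hunk, `\fB\-\-warnings batch\fR\, unless` turns the comma into a groff escape sequence (`\,`, the left italic correction), so the rendered man page loses the comma; it should read `\fB\-\-warnings batch\fR, unless`. The same sentence in this .md hunk and in the .html hunk has the grammar slip "warnings has been set"; fix it once in the source the other two files are derived from. Also, patch 1 refers to #2496 while this patch's subject says "Add docu for #2497": confirm which issue the documentation change belongs to.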