From 1b7653e438af9e96ad4b31613bdbff0eff871311 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Sat, 11 Jun 2016 09:08:51 +0200 Subject: [PATCH 1/3] Update Readme.md --- Readme.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Readme.md b/Readme.md index 6853fc6..e44643d 100644 --- a/Readme.md +++ b/Readme.md @@ -56,18 +56,18 @@ Done so far: https://github.com/drwetter/testssl.sh/issues/11 * works on servers requiring a x509 certificate for authentication * SSL Session ID check -* avahi/mDNS based name resolution +* Avahi/mDNS based name resolution * HTTP2/ALPN protocol check * Logging to a file / dir * Logging to JSON + CSV -* check for multiple server certificates -* browser cipher simulation -* assistance for color-blind users -* Even more compatibility improvements for FreeBSD, RH-ish and F5 systems +* Check for multiple server certificates +* Browser cipher simulation +* Assistance for color-blind users +* Even more compatibility improvements for FreeBSD, RH-ish, F5 and Cisco systems * Considerable speed improvements for each cipher runs (-e/-E) -* more robust socket interface +* More robust socket interface * OpenSSL 1.1.0 compliant -* whole number of busg squashed +* Whole number of bugs squashed Update notification here or @ [twitter](https://twitter.com/drwetter). @@ -89,8 +89,8 @@ Help is needed here. #### Bug reports -Please file bugs in the issue tracker. Do not forget to provide detailed information, see https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them#file-a-proper-bug-report -Nobody can read your thoughts -- yet. +Please file bugs in the issue tracker. Do not forget to provide detailed information, see https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. (Nobody can read your thoughts +-- yet. And only agencies your screen) ;-) ---- From a06c71d91548e5918adcad9b4788c9f9ad00c787 Mon Sep 17 00:00:00 2001 From: Peter Mosmans Date: Mon, 13 Jun 2016 10:34:04 +1000 Subject: [PATCH 2/3] Updated ChaCha20 cipher names See https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04 (the latest version as of this writing is 04). The previous version received the suffix _2013. See https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04 --- etc/mapping-rfc.txt | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/etc/mapping-rfc.txt b/etc/mapping-rfc.txt index 3a1d092..3ae12d6 100644 --- a/etc/mapping-rfc.txt +++ b/etc/mapping-rfc.txt @@ -336,16 +336,16 @@ xC0AC TLS_ECDHE_ECDSA_WITH_AES_128_CCM xC0AD TLS_ECDHE_ECDSA_WITH_AES_256_CCM xC0AE TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 xC0AF TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 -xCCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 -xCCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 -xCCAA TLS_DHE_RSA_WITH_CHACHA20_POLY1305 -xCCAB TLS_PSK_WITH_CHACHA20_POLY1305 -xCCAC TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 -xCCAD TLS_DHE_PSK_WITH_CHACHA20_POLY1305 -xCCAE TLS_RSA_PSK_WITH_CHACHA20_POLY1305 -xCC13 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -xCC14 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -xCC15 OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +xCCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +xCCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +xCCAA TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +xCCAB TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 +xCCAC TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 +xCCAD TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 +xCCAE TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 +xCC13 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_2013 +xCC14 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_2013 +xCC15 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_2013 xFEFE SSL_RSA_FIPS_WITH_DES_CBC_SHA xFEFF SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA xFFE0 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA From 1d0c8cb3f8fdb38e3b62a949496907b058455ed9 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Mon, 13 Jun 2016 12:52:19 -0400 Subject: [PATCH 3/3] Printing of subjectAltName extension Modify the extraction of the subjectAltName extension from certificates in order to address SANs with name forms other than DNS and otherName. --- testssl.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8fc1ccb..1a6c408 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3442,15 +3442,18 @@ certificate_info() { fi fileout "${json_prefix}cn" "$cnok" "$cnfinding" - sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ - sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername://g') -# ^^^ CACert + sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | \ + egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | \ + sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \ + -e 's/ *Registered ID://g' -e 's/,/\n/g' \ + -e 's/ *othername://g' -e 's/ *X400Name://g' -e 's/ *EdiPartyName://g') +# ^^^ CACert out "$indent"; pr_bold " subjectAltName (SAN) " if [[ -n "$sans" ]]; then - for san in $sans; do - pr_dquoted "$san" + while read san; do + [[ -n "$san" ]] && pr_dquoted "$san" out " " - done + done <<< "$sans" fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans" else out "-- "