Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3.2' into mac_runner

Browse Source
This commit is contained in:
Dirk Wetter
2025-05-16 18:16:58 +02:00
parent 42b3352106 ce6cdfea75
commit c109cafa17
10 changed files with 153 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
.github/workflows/docker-3.2.yml vendored
View File

@@ -5,12 +5,14 @@ on:
branches: branches:
- 3.2 - 3.2
workflow_dispatch: workflow_dispatch:
# Every week at 8am on Mondays, publish the 3.2 branch:
# NOTE: `schedule` event is only triggered for the default branch:
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
schedule: schedule:
- cron: "0 8 * * 1" - cron: "0 8 * * 1"
env: env:
BUILD_VERSION: "3.2" GIT_BRANCH: "3.2"
DOCKER_CLI_EXPERIMENTAL: enabled
jobs: jobs:
@@ -18,12 +20,15 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: lowercase the repository name
run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
- name: Source checkout - name: Source checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Setup QEMU - name: Setup QEMU
id: qemu id: qemu
uses: docker/setup-qemu-action@v3.6.0 uses: docker/setup-qemu-action@v3
- name: Setup Buildx - name: Setup Buildx
id: buildx id: buildx
@@ -33,31 +38,31 @@ jobs:
id: docker_meta id: docker_meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
with: with:
images: ${{ github.repository }} images: ${{ env.REPO }}
labels: | labels: |
org.opencontainers.image.version=${{ env.BUILD_VERSION }} org.opencontainers.image.version=${{ env.GIT_BRANCH }}
org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.title=${{ github.repository }} org.opencontainers.image.title=${{ env.REPO }}
- name: GitHub login - name: GitHub login
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@v3.4.0 uses: docker/login-action@v3
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push - name: Build and push
uses: docker/build-push-action@v6.16.0 uses: docker/build-push-action@v6
with: with:
push: ${{ github.event_name != 'pull_request' }} push: ${{ github.event_name != 'pull_request' }}
context: . context: .
file: Dockerfile.alpine file: Dockerfile.alpine
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
build-args: BUILD_VERSION build-args: GIT_BRANCH
cache-from: type=gha, scope=${{ github.workflow }} cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }}
labels: ${{ steps.docker_meta.outputs.labels }} labels: ${{ steps.docker_meta.outputs.labels }}
tags: | tags: |
ghcr.io/${{ github.repository }}:${{ env.BUILD_VERSION }} ghcr.io/${{ env.REPO }}:${{ env.GIT_BRANCH }}
ghcr.io/${{ github.repository }}:latest ghcr.io/${{ env.REPO }}:latest

60
.github/workflows/unit_tests_ubuntu.yml vendored Normal file
View File

@@ -0,0 +1,60 @@
---
name: testssl.sh CI with Ubuntu
on:
pull_request:
paths-ignore:
- 'utils/**'
- 'doc/**'
- 'bin/**'
- '**.md'
- '**.pem'
- '**.pdf'
- '**.html'
- 'LICENSE'
- 'Dockerfile'
- 'Dockerfile.alpine'
permissions:
contents: read
# see https://github.com/shogo82148/actions-setup-perl
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: ['ubuntu-24.04']
perl: ['5.38']
name: Unit test on ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Set up perl
uses: shogo82148/actions-setup-perl@v1
with:
perl-version: ${{ matrix.perl }}
- name: Install OS dependencies
run: |
sudo apt install dnsutils jsonlint
printf "%s\n" "----------"
perl -V
printf "%s\n" "----------"
curl --version
printf "%s\n" "----------"
openssl version -a
printf "%s\n" "----------"
bash --version
printf "%s\n" "----------"
- name: Install perl modules
run: |
cpanm --notest Test::More
cpanm --notest Data::Dumper
cpanm --notest JSON
cpanm --notest Text::Diff
- name: run it
run: |
prove -v t

0
Dockerfile-alpine → Dockerfile.alpine
View File

32
Dockerfile.md
View File

@@ -17,11 +17,13 @@ Use a volume bind mount to a local host directory to access the files outside of
docker run --rm -it -v /tmp:/data --workdir /data ghcr.io/testssl/testssl.sh:3.2 --htmlfile ./ example.com docker run --rm -it -v /tmp:/data --workdir /data ghcr.io/testssl/testssl.sh:3.2 --htmlfile ./ example.com
``` ```
**NOTE:** > [!NOTE]
- The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`. > - The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`.
- Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/). > - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/).
### From DockerHub or GHCR ## Images
### Available at DockerHub and GHCR
You can pull the image from either of these registries: You can pull the image from either of these registries:
- DockerHub: [`drwetter/testssl.sh`](https://hub.docker.com/r/drwetter/testssl.sh) - DockerHub: [`drwetter/testssl.sh`](https://hub.docker.com/r/drwetter/testssl.sh)
@@ -31,7 +33,7 @@ Supported tags:
- `3.2` / `latest` - `3.2` / `latest`
- `3.0` is the old stable version ([soon to become EOL](https://github.com/testssl/testssl.sh/tree/3.0#status)) - `3.0` is the old stable version ([soon to become EOL](https://github.com/testssl/testssl.sh/tree/3.0#status))
### Building ### Building the `testssl.sh` container image
You can build with a standard `git clone` + `docker build`. Tagging the image will make it easier to reference. You can build with a standard `git clone` + `docker build`. Tagging the image will make it easier to reference.
@@ -41,26 +43,30 @@ git clone --branch 3.2 --depth 1 https://github.com/testssl/testssl.sh .
docker build --tag localhost/testssl.sh:3.2 . docker build --tag localhost/testssl.sh:3.2 .
``` ```
There are two base images available: There are two base images supported:
- `Dockerfile` (openSUSE Leap), glibc-based + faster. - openSUSE Leap ([`Dockerfile`](./Dockerfile)), glibc-based + faster.
- `Dockerfile-alpine` (Alpine), musl-based + half the size. - Alpine ([`Dockerfile`](./Dockerfile.alpine)), musl-based + half the size.
Alpine is made available if you need broarder platform support or an image about 30MB smaller at the expense of speed. The Alpine variant is made available if you need broarder platform support, or an image about 30MB smaller at the expense of slightly slower performance.
#### Tip - Remote build context + `Dockerfile`
#### Remote build context + `Dockerfile`
You can build with a single command instead via: You can build with a single command instead via:
```bash ```bash
docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.sh.git#3.2 docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.sh.git#3.2
``` ```
This will produce a slightly larger image however as `.dockerignore` is not supported with remote build contexts. > [!NOTE]
> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts](https://github.com/docker/buildx/issues/3169).
If you would like to build the Alpine image instead this way, just provide the alternative `Dockerfile` via `--file`: ---
To build the Alpine image instead, additionally provide the ([alternative `Dockerfile`](./Dockerfile.alpine)) via the `--file` option:
```bash ```bash
docker build \ docker build \
--tag localhost/testssl.sh:3.2-alpine \ --tag localhost/testssl.sh:3.2-alpine \
--file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile-alpine \ --file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile.alpine \
https://github.com/testssl/testssl.sh.git#3.2 https://github.com/testssl/testssl.sh.git#3.2
``` ```

5
Readme.md
View File

@@ -1,7 +1,7 @@
## Intro ## Intro
[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml) [![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE) [![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md) [![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
@@ -119,6 +119,9 @@ You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wi
Please address questions not specifically to the code of testssl.sh to the respective projects below. Please address questions not specifically to the code of testssl.sh to the respective projects below.
#### AI powered docs @ DeepWiki
* https://deepwiki.com/testssl/testssl.sh
#### Web frontend #### Web frontend
* https://github.com/johannesschaefer/webnettools * https://github.com/johannesschaefer/webnettools
* https://github.com/TKCERT/testssl.sh-webfrontend * https://github.com/TKCERT/testssl.sh-webfrontend

26
etc/client-simulation.txt
View File

@@ -310,7 +310,31 @@
ja4+=("t13d1713h1_5b57614c22b0_352634941f3a") ja4+=("t13d1713h1_5b57614c22b0_352634941f3a")
current+=(true) current+=(true)
names+=("Chrome 27 Win 7") names+=("Android 15 (native)")
short+=("android_15")
ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
ch_sni+=("$SNI")
warning+=("")
handshakebytes+=("16030108ad010008a9030391072cb3571b43dc4a8cc1ad1c53edf47f89a855e5e52a701befa485fdcc847d201e6800efce12bdb7a96cdb1d7b6c3d451f1e7275ef468a873b746fe29fa89e2200201a1a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010008409a9a0000000500050100000000000b0002010044cd0005000302683200170000002b000706eaea03040303002d000201010000001b0019000016706c61792d66652e676f6f676c65617069732e636f6d001b0003020002002300000010000e000c02683208687474702f312e3100120000000a000c000a3a3a11ec001d00170018fe0d00da00000100017b002072f7b873fdab02ad8a7e3ef3dd54613a0051821d29bfcde7f71af8ac49860c0500b0eb42e5082e1426108b1f5d6f67b5c35e26d985cdd337873c1ab77f3fcedc1cbf68cc86b20d82e5764fbadf86df30d44696184d7f73c5d2b67c3bc1955f7ce21900b7448b8ad575ce3533d8bfd9c6b6415a8c523454145c4c6306531fbe2bf0979002fd79fa707dea23d8bcd180662617c0a8b7a1dec7c63eeaf3156571c1e0f97f418b6d278dedf0d07fe027aea8f370d020503cdf7225ba8d0d1c1374c0580382f2880aaf82b7bab3a93f0bb40c91c6000d0012001004030804040105030805050108060601003304ef04ed3a3a00010011ec04c0fba42d89e82e616023e892af4a115a4bc5272dd77199ea670f927605acbd8607741e878836d92b9b35b9c3183b02621c5b6bca8ea93433dc4ad8abaabfc6a69e639d4ac391e9862609bc4ef0c1ba8b674f981cabe3f13007858a029b4d0ba12d170074ffb1468106cc91f9a394a947dbe32312b6936c26b0ad114d54c496e3233c5c53c9f86c35043ab012f9b658040df4614db746075e708657784eb22b1d5e63247b7820e4431ace5a82a85c83bcd686ed3a64ee2b4c55159da00744e0103c74b351a2956d6ba54c54696ad3d742f7d389c257143402254e0c7e7f292d08a7ad896c485fc362a33c73958836c32675d97c4e79c9a92ee00bfd3939ecd09be3fc58e1247ae468848455391cd7291a140103a34f4b054a7e148c9b672cc2f29c4c0482dba0cc3239b32dc6973da04b499c820159a2ec9bba37c6661794cdbbb5bf98d30c4d627ece6a883139a287799591059b5ca949f82234c1960cdd51278152bd39f2b734c187a70c478bcc8908d335a2848ff4b0aeddb4491860a269a74e6b5875c201004a51b72ae79096ec7b5c508a25fc04e2f3a1f3b15bfdc2673ce48a172b4faf175b9ae2750102a50b9893f93b06c2104b6ee73eed379713738d4090c80b30c3afc242a2e0022d8a9559d776069337c314c3ae346da1420465e3b8039635813185ae57ba77e6bc57f9c8afe0388ed228772caa7aaa5037a5234d7c4e7fe0372202add9e471248a87215c6c9a2838fdd0088e039405e62225580e326357c3a2a76f0b775ba07ad451934a916e79c537f0c0ad56e0c939d142809b2b44d0c446f554e52770f3e8cba997a59aa86429304c33161d9806a42c4c4777d7cab66290d26381953276e42a7990214b45989b9a979da1674861da4cea454412ba980842b4e8852f26db1d94416d388826b66a727bb26a51a55ac5dca267cb765a8c0999794e2a1b21048527a4366c5e670f5c36b769b030673b6dee187250f637aeebae1f01260293124bf289246813a345011e04a3e107a27a2b4ab9f4bced961fc7f570116322dab98986185ebce85f674c1bf0e4774d87055d1c2a239758eb20ae45588a294937a4a39361001863931e5d350ee0bc2950228631d49755d26988198cb6592a36e65710e1614f4608c5432138a3a7edca8520b9328aa3a3904028f7803a365194cbba86aeec8dec9711c7574baf0a8061b93762120b94923293c8cda3316f79509bdfe2328106714578130879c63270391508b29e984789067a1c59af71a807e6cb474e888773abb53ea87cced11a6ab6498c301630a65e9d37cd8e44abb18b9f97d2391eb22acc74c2f02633ae3649faf19efbe7b56ac6265b46354bba7197ecb8651c1dbeec4031a9cc3da48d8c6993905a8f0cf131a90a23af5b5b6bd2571dc15c3233a7f74ca3da76cc889a0eba3161790471da3542b4da57d9a1b2fc7c9a2693110828c405d19b8d6a0cec2a911c375c1d100671471401435cfc050b3039730de5ad30b78fd1fcb4ffa604d78ba6f72979db56008d903950e43385184b344b4ea2c0a331d8afb1954f567bb20ceb957bc72bb0c685a0f4176875107e47b59f2b4616901d0c9612e529204ea524222b39dad558deb07bda9919ae25635ff6b791e354b19f92175ed1635841072717a2e7bf8ea666d4ef0087ffe8ef74c50317c30c1406bb15e3a02606e2be51eea33beed8a3a6aef44a001d0020e3b270223362eb0f688b920f024370f2bcdc58f22ef5e7a32cbf318805e67113ff010001006a6a000100002901ca01a5019f02e416892a2f1f90b8c577cb046e05e5df038964982ae7b5b00f2450f97b2820b6a503d15f01fd0e8abe4ab5bfe3383af1fed6b5efd49450f1b773050ed43c8d4623b7d61b9ba793ed8ac81530bf3630efc169e883047220d8b7cc3290375cf03a69217648b952c2c3635f8c1f713d175e0032846f1e8887e75485561dcf7cff2555ed833a4fa236df7cdf971eb6e186213d0779c6eeae1777582a0300a2668cfc948881278534c2e3c102667c8c84325e3d5e31efbae0fdcf31347540e03d8f3c3cbb94a113df6dbf9ae2bc54d14e27dd92cf0eb708e7c5ce73aec09c0f1e006110af1c9ffe2f41cca0982db2d0e329fe6296f65b1d3d9c9bf55d88cd97fb1361c5c86a71f704b56819a5d0266d4214379df7ce093297ab2eddb69c3275c4cb98f25e4ba1849e81d7eccc52294c6aba5f750e5c5c1d41be5f42008870780b86d340108e6ef3c29362a678896d376245418ac27de83e8de2ea309bd294d510a032ff47b5651bf2a8f53fd0bdf5b569576ef6b1ea249e3f2f4a88fdd99d54ce5b53d6935f1dcb4bb6ffeac2ad08f1d8882d54240048414d6a2b7a3e8a0e04cc81ca531600212096370dc60f1571e843667259d4e4eccda96828a23587ecde81ad55262c4c5968")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2")
lowest_protocol+=("0x0303")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
requiresSha2+=(true)
ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5")
ja4+=("t13d1517h2_8daaf6152771_b6f405a00624")
current+=(true)
names+=("Chrome 27 Win 7")
short+=("chrome_27_win7") short+=("chrome_27_win7")
ch_ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA") ch_ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
ciphersuites+=("") ciphersuites+=("")

2
etc/client-simulation.wiresharked.md
View File

@@ -6,7 +6,7 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl
* Start wireshark / tcpdump at a client or router. If it's too noisy better filter for the target of your choice. * Start wireshark / tcpdump at a client or router. If it's too noisy better filter for the target of your choice.
* Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). * Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI).
* Make sure the client traffic is specific: For just "Android" do not use an Android browser! Be also careful with factory installed Google Apps, especially on older devices as they might come with a different TLS stack. * Make sure the client traffic is specific: For just "Android" do not use an Android browser! Be also careful with factory installed Google Apps, especially on older devices as they might come with a different TLS stack. The play store or e.g. f-droid works.
* Stop recording. * Stop recording.
* If needed sort for ClientHello. * If needed sort for ClientHello.
* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic. * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic.

24
etc/client-simulation.wiresharked.txt
View File

@@ -193,6 +193,30 @@
ja4+=("t13d1713h1_5b57614c22b0_352634941f3a") ja4+=("t13d1713h1_5b57614c22b0_352634941f3a")
current+=(true) current+=(true)
names+=("Android 15 (native)")
short+=("android_15")
ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
ch_sni+=("$SNI")
warning+=("")
handshakebytes+=("16030108ad010008a9030391072cb3571b43dc4a8cc1ad1c53edf47f89a855e5e52a701befa485fdcc847d201e6800efce12bdb7a96cdb1d7b6c3d451f1e7275ef468a873b746fe29fa89e2200201a1a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010008409a9a0000000500050100000000000b0002010044cd0005000302683200170000002b000706eaea03040303002d000201010000001b0019000016706c61792d66652e676f6f676c65617069732e636f6d001b0003020002002300000010000e000c02683208687474702f312e3100120000000a000c000a3a3a11ec001d00170018fe0d00da00000100017b002072f7b873fdab02ad8a7e3ef3dd54613a0051821d29bfcde7f71af8ac49860c0500b0eb42e5082e1426108b1f5d6f67b5c35e26d985cdd337873c1ab77f3fcedc1cbf68cc86b20d82e5764fbadf86df30d44696184d7f73c5d2b67c3bc1955f7ce21900b7448b8ad575ce3533d8bfd9c6b6415a8c523454145c4c6306531fbe2bf0979002fd79fa707dea23d8bcd180662617c0a8b7a1dec7c63eeaf3156571c1e0f97f418b6d278dedf0d07fe027aea8f370d020503cdf7225ba8d0d1c1374c0580382f2880aaf82b7bab3a93f0bb40c91c6000d0012001004030804040105030805050108060601003304ef04ed3a3a00010011ec04c0fba42d89e82e616023e892af4a115a4bc5272dd77199ea670f927605acbd8607741e878836d92b9b35b9c3183b02621c5b6bca8ea93433dc4ad8abaabfc6a69e639d4ac391e9862609bc4ef0c1ba8b674f981cabe3f13007858a029b4d0ba12d170074ffb1468106cc91f9a394a947dbe32312b6936c26b0ad114d54c496e3233c5c53c9f86c35043ab012f9b658040df4614db746075e708657784eb22b1d5e63247b7820e4431ace5a82a85c83bcd686ed3a64ee2b4c55159da00744e0103c74b351a2956d6ba54c54696ad3d742f7d389c257143402254e0c7e7f292d08a7ad896c485fc362a33c73958836c32675d97c4e79c9a92ee00bfd3939ecd09be3fc58e1247ae468848455391cd7291a140103a34f4b054a7e148c9b672cc2f29c4c0482dba0cc3239b32dc6973da04b499c820159a2ec9bba37c6661794cdbbb5bf98d30c4d627ece6a883139a287799591059b5ca949f82234c1960cdd51278152bd39f2b734c187a70c478bcc8908d335a2848ff4b0aeddb4491860a269a74e6b5875c201004a51b72ae79096ec7b5c508a25fc04e2f3a1f3b15bfdc2673ce48a172b4faf175b9ae2750102a50b9893f93b06c2104b6ee73eed379713738d4090c80b30c3afc242a2e0022d8a9559d776069337c314c3ae346da1420465e3b8039635813185ae57ba77e6bc57f9c8afe0388ed228772caa7aaa5037a5234d7c4e7fe0372202add9e471248a87215c6c9a2838fdd0088e039405e62225580e326357c3a2a76f0b775ba07ad451934a916e79c537f0c0ad56e0c939d142809b2b44d0c446f554e52770f3e8cba997a59aa86429304c33161d9806a42c4c4777d7cab66290d26381953276e42a7990214b45989b9a979da1674861da4cea454412ba980842b4e8852f26db1d94416d388826b66a727bb26a51a55ac5dca267cb765a8c0999794e2a1b21048527a4366c5e670f5c36b769b030673b6dee187250f637aeebae1f01260293124bf289246813a345011e04a3e107a27a2b4ab9f4bced961fc7f570116322dab98986185ebce85f674c1bf0e4774d87055d1c2a239758eb20ae45588a294937a4a39361001863931e5d350ee0bc2950228631d49755d26988198cb6592a36e65710e1614f4608c5432138a3a7edca8520b9328aa3a3904028f7803a365194cbba86aeec8dec9711c7574baf0a8061b93762120b94923293c8cda3316f79509bdfe2328106714578130879c63270391508b29e984789067a1c59af71a807e6cb474e888773abb53ea87cced11a6ab6498c301630a65e9d37cd8e44abb18b9f97d2391eb22acc74c2f02633ae3649faf19efbe7b56ac6265b46354bba7197ecb8651c1dbeec4031a9cc3da48d8c6993905a8f0cf131a90a23af5b5b6bd2571dc15c3233a7f74ca3da76cc889a0eba3161790471da3542b4da57d9a1b2fc7c9a2693110828c405d19b8d6a0cec2a911c375c1d100671471401435cfc050b3039730de5ad30b78fd1fcb4ffa604d78ba6f72979db56008d903950e43385184b344b4ea2c0a331d8afb1954f567bb20ceb957bc72bb0c685a0f4176875107e47b59f2b4616901d0c9612e529204ea524222b39dad558deb07bda9919ae25635ff6b791e354b19f92175ed1635841072717a2e7bf8ea666d4ef0087ffe8ef74c50317c30c1406bb15e3a02606e2be51eea33beed8a3a6aef44a001d0020e3b270223362eb0f688b920f024370f2bcdc58f22ef5e7a32cbf318805e67113ff010001006a6a000100002901ca01a5019f02e416892a2f1f90b8c577cb046e05e5df038964982ae7b5b00f2450f97b2820b6a503d15f01fd0e8abe4ab5bfe3383af1fed6b5efd49450f1b773050ed43c8d4623b7d61b9ba793ed8ac81530bf3630efc169e883047220d8b7cc3290375cf03a69217648b952c2c3635f8c1f713d175e0032846f1e8887e75485561dcf7cff2555ed833a4fa236df7cdf971eb6e186213d0779c6eeae1777582a0300a2668cfc948881278534c2e3c102667c8c84325e3d5e31efbae0fdcf31347540e03d8f3c3cbb94a113df6dbf9ae2bc54d14e27dd92cf0eb708e7c5ce73aec09c0f1e006110af1c9ffe2f41cca0982db2d0e329fe6296f65b1d3d9c9bf55d88cd97fb1361c5c86a71f704b56819a5d0266d4214379df7ce093297ab2eddb69c3275c4cb98f25e4ba1849e81d7eccc52294c6aba5f750e5c5c1d41be5f42008870780b86d340108e6ef3c29362a678896d376245418ac27de83e8de2ea309bd294d510a032ff47b5651bf2a8f53fd0bdf5b569576ef6b1ea249e3f2f4a88fdd99d54ce5b53d6935f1dcb4bb6ffeac2ad08f1d8882d54240048414d6a2b7a3e8a0e04cc81ca531600212096370dc60f1571e843667259d4e4eccda96828a23587ecde81ad55262c4c5968")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2")
lowest_protocol+=("0x0303")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
requiresSha2+=(true)
ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5")
ja4+=("t13d1517h2_8daaf6152771_b6f405a00624")
current+=(true)
names+=("Edge 17 Win 10") names+=("Edge 17 Win 10")
short+=("edge_17_win10") short+=("edge_17_win10")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")

1
t/baseline_data/default_testssl.csvfile
View File

@@ -112,6 +112,7 @@
"clientsimulation-android_X","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-android_X","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-android_11_12","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-android_11_12","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-android_13_14","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-android_13_14","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-android_15","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-chrome_101_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-chrome_101_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-chromium_137_win11","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-chromium_137_win11","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
"clientsimulation-firefox_100_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-firefox_100_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""

4
testssl.sh
View File

@@ -17980,11 +17980,11 @@ run_breach() {
# warn_empty / warn_stalled # warn_empty / warn_stalled
if [[ ${has_compression[@]} =~ warn_empty ]]; then if [[ ${has_compression[@]} =~ warn_empty ]]; then
pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[@]}" pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[@]}"
out ", debug: ${has_compression[@]})" outln ", debug: ${has_compression[@]})"
fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[@]}" "$cve" "$cwe" fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[@]}" "$cve" "$cwe"
else # warn_stalled else # warn_stalled
pr_warning "At least 1/4 checks failed (HTTP header request stalled and was terminated" pr_warning "At least 1/4 checks failed (HTTP header request stalled and was terminated"
out ", debug: ${has_compression[@]})" outln ", debug: ${has_compression[@]})"
fileout "$jsonID" "WARN" "Test failed as HTTP request stalled and was terminated" "$cve" "$cwe" fileout "$jsonID" "WARN" "Test failed as HTTP request stalled and was terminated" "$cve" "$cwe"
fi fi
else else