Merge remote-tracking branch 'upstream/master'

CREDITS.md

@@ -10,17 +10,16 @@
 
 * Rechi
  - initial MX stuff
+ - fixes
 
 * Mark Felder
  - lots of cleanups
  - Shellcheck static analysis
 
 * Peter Mosmans
+ - started way better cmd line parsing
  - cleanups
-
-* Markus Manzke: 
- - Fix for HSTS + subdomains
- - LibreSSL patch
+ - openssl sources support with the "missing" features
 
 * Дилян Палаузов
  - bug fix for 3des report
@@ -28,6 +27,10 @@
 * @nvsofts (NV)
  - LibreSSL patch for GOST
 
+* Markus Manzke: 
+ - Fix for HSTS + subdomains
+ - LibreSSL patch
+
 * Dmitri S
  - inspiration & help for Darwin port
 
@@ -39,9 +42,6 @@
 * OpenSSL team
   - for providing openssl ;-)
 
-* Peter Mosmans
-  - openssl binary support with the "missing" features
-
 
 
 

Readme.md

@@ -3,21 +3,22 @@
 
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
-`testssl.sh` is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for a "is this good or bad" decision.
+`testssl.sh` is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for your "is this good or bad" decision.
 
-It is working on every Linux distribution out of the box with the limitations of disabled features from the openssl client. It also works on BSD and other Unices out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too. 
+It is working on every Linux distribution out of the box with some limitations of disabled features from the openssl client -- some workarounds are done with bash-socket-based checks. It also works on BSD and other Unices out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too. OpenSSL version >= 1 is highly recommended.
 
 On github you will find in the master branch the development version of the software -- with new features and maybe some bugs. For the stable version and a more thorough description of the software please see [testssl.sh](https://testssl.sh/ "Go to the site with the stable version and more documentation"). 
 
-New features in this release are / will be
+New features in the upcoming stable release 2.6 are: 
 
-* certificate information (done), 
-* more HTTP header infos (partly done, needs a bit f cleanup), 
-* protocol check via bash sockets (SSLv2: done, for others: function need to be called)
-* maybe cipher check via bash sockets (not done yet)
-* debug file handling (ongoing)
-* BEAST (works, need some polishing for the output)
+* display matching key (HPKP)
+* logjam, not named yet, but display dh/ecdh bits on negotiated and every cipher
 
-Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement.
+more see https://github.com/drwetter/testssl.sh/issues?q=is%3Aopen+is%3Aissue+milestone%3A%222.6+%2F+2.5dev%22
+
+
+Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement. Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .
+
+Update notification here or @ [twitter](https://twitter.com/drwetter). 
 
 

openssl-bins/openssl-1.0.2-chacha.pm/Readme.md

@@ -1,15 +1,15 @@
 
-Instructions
-============
+Compiling and Usage Instructions
+================================
 
 The precompiled binaries provided here have extended support for everything
 which is normally not configured to be compiled (40+56 Bit, export/ANON ciphers, 
-SSLv2 etc.). The binaraies come also with extended support for new cipher suites 
-and/or features which are not yet in the official branch.
+SSLv2 etc.). The binaries also come with extended support for new cipher suites 
+and/or features which are not (yet?) in the official branch.
 
 The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
 from Peter Mosmans. He has patched the master git branch
-to support CHACHA20 + POLY1305 and other ciphers (like CAMELIA 256 Bit).
+to support CHACHA20 + POLY1305 and other ciphers like CAMELIA 256 Bit.
 
 CHACHA20 + POLY1305 cipher suites from the official git repo didn't 
 work for me work correctly, it's also likely they'll disappear shortly
@@ -20,13 +20,12 @@ General
 -------
 
 Both 64+32 bit versions were compiled under Ubuntu 12.04 LTS. Likely you
-cannot use older distributions, younger should work. I provide for each
-distributions two sets of binaries:
+cannot use older distributions, younger worked in my test environments. I provide 
+for each distributions two sets of binaries:
 
 * completely statically linked binaries
-* dynamically linked binaries with MIT Kerberos support ("krb5" in the name).
-  They provide additionally  KRB5-* and EXP-KRB5-* support (in OpenSSL 
-  terminology, see krb5-ciphers.txt). 
+* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
+  They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt). 
 
 For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to 
 install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, 
@@ -76,8 +75,8 @@ If you want to compile OpenSSL yourself, here are the instructions:
 
 Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST [1] support.
 
-If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples). 
-If you have other Kerberos flavors you need to figure out by yourself.
+So the difference ypu maybe spotted: If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples). 
+If you have another Kerberos flavor you need to figure out by yourself.
 
 3.) make depend
 

openssl-bins/openssl-1.0.2-chacha.pm/sha256sum.txt

@@ -1,4 +1,4 @@
-afae3cc810d10d84c380cfccf84dae1c4a930443550d039245f34c920f5dcb9e  openssl32-1.0.2pm-krb5.chacha+poly
-eb12a4ad63c987b8a427cd2320eda0b800122bb3cb335e6b3c5364874733ae3d  openssl32-1.0.2pm-static.chacha+poly
-d5a7fe0517dc6fbfef45d1db23b963b476a5e71eaffd5cb89a5513fc4d079852  openssl64-1.0.2pm-krb5.chacha+poly
-c0756219db62fdd711fb96b22765262fc32dafb9039d3636de843677a5f624ed  openssl64-1.0.2pm-static.chacha+poly
+38641a024e82a9b850ac7e71a3b6e1b6940253661eb1164280bfaaac1f00afb3  openssl32-1.0.2pm-krb5.chacha+poly
+d069363e65039cd2472d0259f6a5e205e56780d15b4d1b3e04944c09750929ca  openssl32-1.0.2pm-static.chacha+poly
+e3f1cc649142ffe493ab94bb758933ef32cbdcf6cb4b1d8625ec78a10fd54b28  openssl64-1.0.2pm-krb5.chacha+poly
+0b96c859a1695881dc34aab7c98a5e3d02c612aae3e709727964276d0d5d4e90  openssl64-1.0.2pm-static.chacha+poly

openssl-bins/openssl-1.0.2-chacha.pm/sha256sum.txt.asc

@@ -1,17 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-iQIVAwUAVOhP7cmu7OHQp0VpAQL1fRAAiHnaYeJv7D91Y9qyW1OENZ7U9pughxMG
-NICzQ/hGsE3VokUcjtFqxfQPy1+w4K+vu2iRmdbjjfsoG0oT/ZwmUPA8tK3NJ/XL
-l4Nn1588AAcsqbveeySZcjbq/Aok5LWtLoMXhVN4nQ7fudp06fbvuZAMPonu2DLp
-FEAYUpQrtBMXtpFzp87XZhjzYV/V8MHnki9XWfLOXEp/CoE0SJzG178+F2vwwc14
-XO7OpT28ERb7THjnk/blPyedJdCKoKNTO8YVjgl3ZqXQv0Nh7SL39HMcoOtxbn9g
-XougTeKhfj1xekBcvjyTkOP7hdVXirFxAsV5wpTNcFdt7XHkRh5DcRXGnXAbO273
-J52ZNZEa1WkOfkIX/KD0AcIxpHK/f30Dyc4XkM43kPqEbxDff6MaeCvkZ4fYzGdC
-ZnS/iOUWQj6FOoTRvPiX9B1XOIl6HYUtw8TqHXXcFCfvGtGgOzUq/1ktxU4xHS/S
-S0a+vsdvnU71XcURXD2sLgmzMcLi/RXru4BtH51U77FIa0oKFp1XoED2H4AeiXqu
-kAqWhV/fzkB3u3MLDQ768qekVJcDwMm1kGT40o/tAPYjqMPkK0sSw0WBWwFXnkXD
-Wgt5PSZEUJfAuVSUPFNVnUDGOW97KetLtBPYqOIdCL+vhDf6wIAaOnzKVo7Im3cM
-j2viEcnYKmE=
-=kQPt
+iQIVAwUAVR0Pt8mu7OHQp0VpAQLDUhAAm+sLa9LwkW+XCh1GM/+dKUJt55TMBlvL
+NuryQ5uZXPpq/yf6T6oRM178AkzAt5fmZ1w3Q/1gkbaDWHDnd9RY0lTz9EPx0Sii
+SMwqUnStTFJe/PX15gAcNuekZb4immlf8XkhsF5R5OGWbRAw/brqHkvCnkbIguYy
+RLof9DAudUeoQDdg4nFQ8/B0PQ8n7OrzagImfWPkyWrjrGrcUyxPFy/LReXLXJ3N
+SCnMGM1h38ZL0Bu05PBVe3j4QwryY4R7xP2Z4i1bS5GojvMbbxJjeNtqhoxkH3fU
+671carP+IpC8fIA6WkgQXRtC0K7wvgw5/TN96b1yiWfZxZxfYRjSQig/Hem6FzzW
+e8IIjWNbG3Y9qMD6CPBD4BG0PT0BgjSn3jmTicB+AqKAQ7XFXPPTj233q+YVqxyv
+zg3qpbg7QGXMBBghpr4ZYCkdCWv6UnTyIOQrVxkLvI6bzeE9Qi+IpNo5SSfcENK9
+fmM60lbJFpCwhfTkVDRFFsXmTLR/URT3mEoFX/GEU5Q8zoArfBDykUOrbGFkd6Mk
+KFOpt296DTSe1Z7IwrxselcNrxZvlVWzhgqFCxE92ngnQzutJL/KcxCV0zAbXBOa
+ZJTk9AUPhrgq9XEbGRSfTvOMmKtPvB90sr7e38qgcHqSXmzICgkcio31pHhEWZzE
+++Smb4f5068=
+=2/8h
 -----END PGP SIGNATURE-----

openssl-rfc.mappping.html

@@ -1,6 +1,6 @@
 <html>
 <head>
-<title>Mapping OpenSSL sipher suite names to RFC names</title>
+<title>Mapping OpenSSL cipher suite names to RFC names</title>
 </head>
 <style type="text/css">
 .mytable { background-color:#eee;border-collapse:collapse; text-align:left; table-layout: fixed; width:1000px; }