Merge remote-tracking branch 'upstream/master'

Peter Mosmans 2015-05-29 08:39:50 +02:00
commit c923baaecd
11 changed files with 2023 additions and 1321 deletions

@ -10,17 +10,16 @@
* Rechi
- initial MX stuff
- fixes
* Mark Felder
- lots of cleanups
- Shellcheck static analysis
* Peter Mosmans
- started way better cmd line parsing
- cleanups
* Markus Manzke:
- Fix for HSTS + subdomains
- LibreSSL patch
- openssl sources support with the "missing" features
* Дилян Палаузов
- bug fix for 3des report
@ -28,6 +27,10 @@
* @nvsofts (NV)
- LibreSSL patch for GOST
* Markus Manzke:
- Fix for HSTS + subdomains
- LibreSSL patch
* Dmitri S
- inspiration & help for Darwin port
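Review bot: the `* Markus Manzke:` entry in this hunk ends in a colon, while the name lines around it (`* @nvsofts (NV)`, `* Dmitri S`) do not. Drop the colon so every contributor line follows the same pattern.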
@ -39,9 +42,6 @@
* OpenSSL team
- for providing openssl ;-)
* Peter Mosmans
- openssl binary support with the "missing" features

@ -3,21 +3,22 @@
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
`testssl.sh` is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for a "is this good or bad" decision.
`testssl.sh` is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for your "is this good or bad" decision.
It is working on every Linux distribution out of the box with the limitations of disabled features from the openssl client. It also works on BSD and other Unices out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too.
It is working on every Linux distribution out of the box with some limitations of disabled features from the openssl client -- some workarounds are done with bash-socket-based checks. It also works on BSD and other Unices out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too. OpenSSL version >= 1 is highly recommended.
On github you will find in the master branch the development version of the software -- with new features and maybe some bugs. For the stable version and a more thorough description of the software please see [testssl.sh](https://testssl.sh/ "Go to the site with the stable version and more documentation").
New features in this release are / will be
New features in the upcoming stable release 2.6 are:
* certificate information (done),
* more HTTP header infos (partly done, needs a bit f cleanup),
* protocol check via bash sockets (SSLv2: done, for others: function need to be called)
* maybe cipher check via bash sockets (not done yet)
* debug file handling (ongoing)
* BEAST (works, need some polishing for the output)
* display matching key (HPKP)
* logjam, not named yet, but display dh/ecdh bits on negotiated and every cipher
Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement.
more see https://github.com/drwetter/testssl.sh/issues?q=is%3Aopen+is%3Aissue+milestone%3A%222.6+%2F+2.5dev%22
Contributions, feedback, also bug reports are welcome. For contributions please note: One patch per feature -- bug fix/improvement. Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .
Update notification here or @ [twitter](https://twitter.com/drwetter).
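Review bot: the list item `more HTTP header infos (partly done, needs a bit f cleanup)` has a typo ("a bit f" should be "a bit of"). The heading "New features in the upcoming stable release 2.6 are:" also sits above items marked "not done yet" and "ongoing", so either reword the heading as a status list or drop the unfinished items. `OpenSSL version >= 1 is highly recommended` would read better with the version number written out in full, and the bare "more see https://..." line could be a proper sentence with a link in the same style as the testssl.sh link above it.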

@ -1,15 +1,15 @@
Instructions
============
Compiling and Usage Instructions
================================
The precompiled binaries provided here have extended support for everything
which is normally not configured to be compiled (40+56 Bit, export/ANON ciphers,
SSLv2 etc.). The binaraies come also with extended support for new cipher suites
and/or features which are not yet in the official branch.
SSLv2 etc.). The binaries also come with extended support for new cipher suites
and/or features which are not (yet?) in the official branch.
The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
from Peter Mosmans. He has patched the master git branch
to support CHACHA20 + POLY1305 and other ciphers (like CAMELIA 256 Bit).
to support CHACHA20 + POLY1305 and other ciphers like CAMELIA 256 Bit.
CHACHA20 + POLY1305 cipher suites from the official git repo didn't
work for me work correctly, it's also likely they'll disappear shortly
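Review bot: "CAMELIA" in `to support CHACHA20 + POLY1305 and other ciphers like CAMELIA 256 Bit.` is a misspelling of the cipher name (OpenSSL writes it CAMELLIA). The line is being rewritten here anyway, so correct it in the same change. The trailing context line `work for me work correctly` has a doubled "work" that is worth fixing in the same pass.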
@ -20,13 +20,12 @@ General
-------
Both 64+32 bit versions were compiled under Ubuntu 12.04 LTS. Likely you
cannot use older distributions, younger should work. I provide for each
distributions two sets of binaries:
cannot use older distributions, younger worked in my test environments. I provide
for each distributions two sets of binaries:
* completely statically linked binaries
* dynamically linked binaries with MIT Kerberos support ("krb5" in the name).
They provide additionally KRB5-* and EXP-KRB5-* support (in OpenSSL
terminology, see krb5-ciphers.txt).
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
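Review bot: `for each distributions two sets of binaries:` still has the number mismatch ("each distributions") after the rewrap; make it "for each distribution". In `younger worked in my test environments`, "younger" presumably means newer releases, and saying "newer ones" would remove the ambiguity for readers deciding whether the precompiled binaries will run on their system.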
@ -76,8 +75,8 @@ If you want to compile OpenSSL yourself, here are the instructions:
Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST [1] support.
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples).
If you have other Kerberos flavors you need to figure out by yourself.
So the difference ypu maybe spotted: If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples).
If you have another Kerberos flavor you need to figure out by yourself.
3.) make depend
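Review bot: the new sentence `So the difference ypu maybe spotted:` introduces a typo ("ypu") and reads awkwardly; something like "The difference you may have spotted:" would do. `If you have another Kerberos flavor you need to figure out by yourself.` is missing its object ("figure it out").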

@ -1,4 +1,4 @@
afae3cc810d10d84c380cfccf84dae1c4a930443550d039245f34c920f5dcb9e openssl32-1.0.2pm-krb5.chacha+poly
eb12a4ad63c987b8a427cd2320eda0b800122bb3cb335e6b3c5364874733ae3d openssl32-1.0.2pm-static.chacha+poly
d5a7fe0517dc6fbfef45d1db23b963b476a5e71eaffd5cb89a5513fc4d079852 openssl64-1.0.2pm-krb5.chacha+poly
c0756219db62fdd711fb96b22765262fc32dafb9039d3636de843677a5f624ed openssl64-1.0.2pm-static.chacha+poly
38641a024e82a9b850ac7e71a3b6e1b6940253661eb1164280bfaaac1f00afb3 openssl32-1.0.2pm-krb5.chacha+poly
d069363e65039cd2472d0259f6a5e205e56780d15b4d1b3e04944c09750929ca openssl32-1.0.2pm-static.chacha+poly
e3f1cc649142ffe493ab94bb758933ef32cbdcf6cb4b1d8625ec78a10fd54b28 openssl64-1.0.2pm-krb5.chacha+poly
0b96c859a1695881dc34aab7c98a5e3d02c612aae3e709727964276d0d5d4e90 openssl64-1.0.2pm-static.chacha+poly
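Review bot: all four digests in this file are replaced (the header is `-1,4 +1,4`), which means every shipped binary was rebuilt, yet the commit message only says "Merge remote-tracking branch" and nothing here records why. Add a line to the changelog or the build instructions stating that the binaries were recompiled and from which source state, so users comparing against an older checksum list can tell a legitimate rebuild from tampering. The file also gives no hint of the hash algorithm; the values are 64 hex digits, consistent with SHA-256, and saying so next to the download instructions would tell users which tool to verify with.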

@ -1,17 +1,17 @@

@ -1,6 +1,6 @@
<html>
<head>
<title>Mapping OpenSSL sipher suite names to RFC names</title>
<title>Mapping OpenSSL cipher suite names to RFC names</title>
</head>
<style type="text/css">
.mytable { background-color:#eee;border-collapse:collapse; text-align:left; table-layout: fixed; width:1000px; }
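Review bot: in the context right below the corrected title, `<style type="text/css">` opens after `</head>`, so the stylesheet sits outside the document head. Since this change already touches the head, move the closing `</head>` to after the style block so the page is valid HTML.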

3240
testssl.sh

File diff suppressed because it is too large