mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 12:59:44 +01:00
Merge branch '3.1dev' into starttls_injection
This commit is contained in:
commit
e1a43e6e16
@ -7,6 +7,12 @@ addons:
|
|||||||
packages:
|
packages:
|
||||||
- dnsutils
|
- dnsutils
|
||||||
- jsonlint
|
- jsonlint
|
||||||
|
before_install:
|
||||||
|
- if ! git diff --name-only $TRAVIS_COMMIT_RANGE | grep -qvE '(.md)|(.pem)|(.pdf)|(.html)|^(LICENSE)|^(docs)|^(utils)|^(bin)|(Dockerfile)'
|
||||||
|
then
|
||||||
|
echo "no code was updated, not running the CI."
|
||||||
|
exit
|
||||||
|
fi
|
||||||
install:
|
install:
|
||||||
- cpanm --notest Test::More
|
- cpanm --notest Test::More
|
||||||
- cpanm --notest Data::Dumper
|
- cpanm --notest Data::Dumper
|
||||||
|
@ -27,7 +27,10 @@
|
|||||||
* Added environment variable for amount of attempts for ssl renegotiation check
|
* Added environment variable for amount of attempts for ssl renegotiation check
|
||||||
* Added --user-agent argument to support using a custom User Agent
|
* Added --user-agent argument to support using a custom User Agent
|
||||||
* Added --overwrite argument to support overwriting output files without warning
|
* Added --overwrite argument to support overwriting output files without warning
|
||||||
* Headerflag X-XSS-Protection is labeled as INFO
|
* Headerflag X-XSS-Protection is now labeled as INFO
|
||||||
|
* Client simulation runs in wide mode which is even better readable
|
||||||
|
* Added --reqheader to support custom headers in HTTP requests
|
||||||
|
|
||||||
|
|
||||||
### Features implemented / improvements in 3.0
|
### Features implemented / improvements in 3.0
|
||||||
|
|
||||||
|
@ -42,6 +42,7 @@ Full contribution, see git log.
|
|||||||
* Jim Blankendaal
|
* Jim Blankendaal
|
||||||
- maximum certificate lifespan of 398 days
|
- maximum certificate lifespan of 398 days
|
||||||
- ssl renegotiation amount variable
|
- ssl renegotiation amount variable
|
||||||
|
- custom http request headers
|
||||||
|
|
||||||
* Frank Breedijk
|
* Frank Breedijk
|
||||||
- Detection of insecure redirects
|
- Detection of insecure redirects
|
||||||
@ -181,4 +182,3 @@ Probably more I forgot to mention which did give me feedback, bug reports and he
|
|||||||
* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data
|
* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data
|
||||||
|
|
||||||
* My family for supporting me doing this work
|
* My family for supporting me doing this work
|
||||||
|
|
||||||
|
@ -1,6 +1,21 @@
|
|||||||
## Usage:
|
## Usage
|
||||||
|
|
||||||
|
### From git directory
|
||||||
|
|
||||||
|
```
|
||||||
|
docker build .
|
||||||
|
```
|
||||||
|
|
||||||
|
Catch is when you run without image tags you need to catch the ID when building
|
||||||
|
|
||||||
|
```
|
||||||
|
[..]
|
||||||
|
---> 889fa2f99933
|
||||||
|
Successfully built 889fa2f99933
|
||||||
|
```
|
||||||
|
|
||||||
|
More comfortable is
|
||||||
|
|
||||||
(in git directory):
|
|
||||||
```
|
```
|
||||||
docker build -t mytestssl .
|
docker build -t mytestssl .
|
||||||
docker run --rm -t mytestssl example.com
|
docker run --rm -t mytestssl example.com
|
||||||
@ -13,22 +28,22 @@ docker run -t mytestssl --help
|
|||||||
docker run --rm -t mytestssl -p --header example.com
|
docker run --rm -t mytestssl -p --header example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
or pull the image from dockerhub and run:
|
### From dockerhub
|
||||||
|
|
||||||
|
You can pull the image from dockerhub and run:
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --rm -t drwetter/testssl.sh --pfs example.com
|
docker run --rm -t drwetter/testssl.sh --fs example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
Tags supported are: ``latest``, ``stable`` which _for now_ are all the same and point to ``3.0``.
|
Supported tages are: ``3.1dev`` and ``latest`, which are the same, i.e. the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements (see git log) over the released version 3.0.X.
|
||||||
|
|
||||||
``docker run --rm -t drwetter/testssl.sh:stable example.com``.
|
``docker run --rm -t drwetter/testssl.sh:stable example.com``.
|
||||||
|
|
||||||
And for the indomitable users who prefer to run old stuff you can use the tag ``2.9.5``. Please note ``2.9dev`` should not be used anymore.
|
Keep in mind that any output file (--log, --html, --json etc.) will be created within the container. If you wish to have this created in a local directory on your host you can mount a volume into the container and change the output prefix where the container user has write access to, e.g.:
|
||||||
|
|
||||||
Keep in mind that any output file (--log, --html, --json etc.) will be created in the container. If you wish to have this created in a local directory you can mount a volume into the container and change the output prefix where the container user has write access to, e.g.:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --rm -t -v /tmp:/data drwetter/testssl.sh --htmlfile /data/ example.com
|
docker run --rm -t -v /tmp:/data drwetter/testssl.sh --htmlfile /data/ example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
which writes the output to ``/tmp/example.com_p443-<date>-<time>.html.`` The uid/gid is the one from the docker user but normally the file is 644. testssl.sh's docker container uses a non-root user (usually with user/groupid 1000:1000).
|
which writes the HTML output to ``/tmp/example.com_p443-<date>-<time>.html.`` The uid/gid is the one from the docker user. Normally the file is 644. testssl.sh's docker container uses a non-root user (usually with user/groupid 1000:1000).
|
||||||
|
22
Readme.md
22
Readme.md
@ -40,7 +40,7 @@ to get bugfixes, other feedback and more contributions.
|
|||||||
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev
|
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev
|
||||||
most of the limitations of disabled features from the openssl client are gone
|
most of the limitations of disabled features from the openssl client are gone
|
||||||
due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or OpenSSL >=
|
due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or OpenSSL >=
|
||||||
1.1.1 . testssl.sh also works on other unixoid system out of the box, supposed they have
|
1.1.1 . testssl.sh also works on other unixoid systems out of the box, supposed they have
|
||||||
`/bin/bash` >= version 3.2 and standard tools like sed and awk installed. An implicit
|
`/bin/bash` >= version 3.2 and standard tools like sed and awk installed. An implicit
|
||||||
(silent) check for binaries is done when you start testssl.sh . System V needs probably
|
(silent) check for binaries is done when you start testssl.sh . System V needs probably
|
||||||
to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
|
to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
|
||||||
@ -53,33 +53,31 @@ You can download testssl.sh branch 3.1dev just by cloning this git repository:
|
|||||||
|
|
||||||
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
|
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
|
||||||
|
|
||||||
Think of 3.1dev like a rolling release, see below. For the stable version help yourself by downloading the [ZIP](https://github.com/drwetter/testssl.sh/archive/3.0.2.zip) or [tar.gz](https://github.com/drwetter/testssl.sh/archive/3.0.2.zip) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
|
Think of 3.1dev like a rolling release, see below. For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.4) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/3.0.4) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
|
||||||
|
|
||||||
#### Docker
|
#### Docker
|
||||||
|
|
||||||
Testssl.sh has minimal requirements. As stated you don't have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don't want to pull the github repo to your directory of choice you can pull a container from dockerhub and run it:
|
Testssl.sh has minimal requirements. As stated you don't have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don't want to pull the github repo to your directory of choice you can pull a container from dockerhub and run it:
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --rm -ti drwetter/testssl.sh:3.1dev <your_cmd_line>
|
docker run --rm -ti drwetter/testssl.sh <your_cmd_line>
|
||||||
```
|
```
|
||||||
|
|
||||||
Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run
|
Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run
|
||||||
```
|
```
|
||||||
docker build .
|
docker build . -t imagefoo && docker run --rm -t imagefoo example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
followed by ``docker run -ti <ID> <your_cmd_line>`` where ``ID`` is the identifier in the last line from the build command like
|
For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/Dockerfile.md).
|
||||||
|
|
||||||
```
|
|
||||||
---> 889fa2f99933
|
|
||||||
Successfully built 889fa2f99933
|
|
||||||
```
|
|
||||||
|
|
||||||
### Status
|
### Status
|
||||||
|
|
||||||
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. So if you need stability the 3.0 branch is better for you. Think of the 3.1dev branch like a rolling release.
|
We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
|
||||||
|
|
||||||
Support for 2.9.5 has been dropped. Supported is 3.0.x only.
|
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
|
||||||
|
|
||||||
|
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
|
||||||
|
|
||||||
### Documentation
|
### Documentation
|
||||||
|
|
||||||
@ -90,7 +88,7 @@ Support for 2.9.5 has been dropped. Supported is 3.0.x only.
|
|||||||
|
|
||||||
### Contributing
|
### Contributing
|
||||||
|
|
||||||
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.0/CONTRIBUTING.md) for details.
|
Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.1dev/Coding_Convention.md}.
|
||||||
|
|
||||||
### Bug reports
|
### Bug reports
|
||||||
|
|
||||||
|
@ -136,6 +136,9 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won
|
|||||||
.P
|
.P
|
||||||
\fB\-\-basicauth <user:pass>\fR This can be set to provide HTTP basic auth credentials which are used during checks for security headers\. BASICAUTH is the ENV variable you can use instead\.
|
\fB\-\-basicauth <user:pass>\fR This can be set to provide HTTP basic auth credentials which are used during checks for security headers\. BASICAUTH is the ENV variable you can use instead\.
|
||||||
.
|
.
|
||||||
|
.P
|
||||||
|
\fB\-\-reqheader <header>\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-reqheader \'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==\' \-\-reqheader \'ClientID: 0xDEADBEAF\'\fR\. REQHEADER is the corresponding environment variable\.
|
||||||
|
.
|
||||||
.SS "SPECIAL INVOCATIONS"
|
.SS "SPECIAL INVOCATIONS"
|
||||||
\fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBxmpp-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn\'t offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\.
|
\fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBxmpp-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn\'t offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\.
|
||||||
.
|
.
|
||||||
|
@ -187,6 +187,8 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
|
|||||||
|
|
||||||
<p><code>--basicauth <user:pass></code> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.</p>
|
<p><code>--basicauth <user:pass></code> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.</p>
|
||||||
|
|
||||||
|
<p><code>--reqheader <header></code> This can be used to add additional HTTP request headers in the correct format <code>Headername: headercontent</code>. This parameter can be called multiple times if required. For example: <code>--reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'</code>. REQHEADER is the corresponding environment variable.</p>
|
||||||
|
|
||||||
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
|
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
|
||||||
|
|
||||||
<p><code>-t <protocol>, --starttls <protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>xmpp-server</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
|
<p><code>-t <protocol>, --starttls <protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>xmpp-server</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
|
||||||
|
@ -110,6 +110,8 @@ The same can be achieved by setting the environment variable `WARNINGS`.
|
|||||||
|
|
||||||
`--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
|
`--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
|
||||||
|
|
||||||
|
`--reqheader <header>` This can be used to add additional HTTP request headers in the correct format `Headername: headercontent`. This parameter can be called multiple times if required. For example: `--reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'`. REQHEADER is the corresponding environment variable.
|
||||||
|
|
||||||
|
|
||||||
### SPECIAL INVOCATIONS
|
### SPECIAL INVOCATIONS
|
||||||
|
|
||||||
|
@ -28,6 +28,8 @@ If you want to check trust against e.g. a company internal CA you need to use ``
|
|||||||
|
|
||||||
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
|
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
|
||||||
|
|
||||||
|
* ``curves-mapping.txt`` contains information about all of the eliptic curves defined by IANA
|
||||||
|
|
||||||
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
|
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
|
||||||
``~/utils/create_ca_hashes.sh`` for an update
|
``~/utils/create_ca_hashes.sh`` for an update
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ The whole process is done manually.
|
|||||||
* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
|
* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
|
||||||
* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
|
* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
|
||||||
* Adjust "lowest_protocol" and "highest_protocol" accordingly.
|
* Adjust "lowest_protocol" and "highest_protocol" accordingly.
|
||||||
* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
|
* For "curves" mark the supported groups TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`
|
||||||
* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
|
* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
|
||||||
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
|
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
|
||||||
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
|
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
|
||||||
|
47
etc/curves-mapping.txt
Normal file
47
etc/curves-mapping.txt
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
0x00,0x00 - NULL TPM_ECC_NONE
|
||||||
|
0x00,0x01 - sect163k1 sect163k1
|
||||||
|
0x00,0x02 - sect163r1 sect163r1
|
||||||
|
0x00,0x03 - sect163r2 sect163r2
|
||||||
|
0x00,0x04 - sect193r1 sect193r1
|
||||||
|
0x00,0x05 - sect193r2 sect193r2
|
||||||
|
0x00,0x06 - sect233k1 sect233k1
|
||||||
|
0x00,0x07 - sect233r1 sect233r1
|
||||||
|
0x00,0x08 - sect239k1 sect239k1
|
||||||
|
0x00,0x09 - sect283k1 sect283k1
|
||||||
|
0x00,0x0a - sect283r1 sect283r1
|
||||||
|
0x00,0x0b - sect409k1 sect409k1
|
||||||
|
0x00,0x0c - sect409r1 sect409r1
|
||||||
|
0x00,0x0d - sect571k1 sect571k1
|
||||||
|
0x00,0x0e - sect571r1 sect571r1
|
||||||
|
0x00,0x0f - secp160k1 secp160k1
|
||||||
|
0x00,0x10 - secp160r1 secp160r1
|
||||||
|
0x00,0x11 - secp160r2 secp160r2
|
||||||
|
0x00,0x12 - secp192k1 secp192k1
|
||||||
|
0x00,0x13 - secp192r1 secp192r1
|
||||||
|
0x00,0x14 - secp224k1 secp224k1
|
||||||
|
0x00,0x15 - secp224r1 secp224r1
|
||||||
|
0x00,0x16 - secp256k1 secp256k1
|
||||||
|
0x00,0x17 - secp256r1 secp256r1
|
||||||
|
0x00,0x18 - secp384r1 secp384r1
|
||||||
|
0x00,0x19 - secp521r1 secp521r1
|
||||||
|
0x00,0x1a - brainpoolP256r1 brainpoolP256r1
|
||||||
|
0x00,0x1b - brainpoolP384r1 brainpoolP384r1
|
||||||
|
0x00,0x1c - brainpoolP512r1 brainpoolP512r1
|
||||||
|
0x00,0x1d - x25519 x25519
|
||||||
|
0x00,0x1e - x448 x448
|
||||||
|
0x00,0x1f - brainpoolP256r1tls13 brainpoolP256r1tls13
|
||||||
|
0x00,0x20 - brainpoolP384r1tls13 brainpoolP384r1tls13
|
||||||
|
0x00,0x21 - brainpoolP512r1tls13 brainpoolP512r1tls13
|
||||||
|
0x00,0x22 - GC256A GC256A
|
||||||
|
0x00,0x23 - GC256B GC256B
|
||||||
|
0x00,0x24 - GC256C GC256C
|
||||||
|
0x00,0x25 - GC256D GC256D
|
||||||
|
0x00,0x26 - GC512A GC512A
|
||||||
|
0x00,0x27 - GC512B GC512B
|
||||||
|
0x00,0x28 - GC512C GC512C
|
||||||
|
0x00,0x29 - curveSM2 curveSM2
|
||||||
|
0x00,0x100 - ffdhe2048 ffdhe2048
|
||||||
|
0x00,0x101 - ffdhe3072 ffdhe3072
|
||||||
|
0x00,0x102 - ffdhe4096 ffdhe4096
|
||||||
|
0x00,0x103 - ffdhe6144 ffdhe6144
|
||||||
|
0x00,0x104 - ffdhe8192 ffdhe8192
|
@ -20,8 +20,8 @@ my $uri="google.com";
|
|||||||
my $socket_out="";
|
my $socket_out="";
|
||||||
my $openssl_out="";
|
my $openssl_out="";
|
||||||
# Blacklists we use to trigger an error:
|
# Blacklists we use to trigger an error:
|
||||||
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal';
|
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
|
||||||
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem';
|
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
|
||||||
my $json_regex_bl='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
|
my $json_regex_bl='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
|
||||||
|
|
||||||
my $socket_json="";
|
my $socket_json="";
|
@ -20,8 +20,8 @@ my $uri="";
|
|||||||
my $socket_out="";
|
my $socket_out="";
|
||||||
my $openssl_out="";
|
my $openssl_out="";
|
||||||
# Blacklists we use to trigger an error:
|
# Blacklists we use to trigger an error:
|
||||||
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal';
|
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
|
||||||
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem';
|
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
|
||||||
|
|
||||||
# my $socket_json="";
|
# my $socket_json="";
|
||||||
# my $openssl_json="";
|
# my $openssl_json="";
|
@ -17,14 +17,14 @@ use Data::Dumper;
|
|||||||
|
|
||||||
my $tests = 0;
|
my $tests = 0;
|
||||||
my $prg="./testssl.sh";
|
my $prg="./testssl.sh";
|
||||||
my $check2run_smtp="--protocols --standard --fs --server-preference --headers --vulnerable --each-cipher -q --ip=one --color 0";
|
my $check2run_smtp="--protocols --standard --fs --server-preference --headers --vulnerable -q --ip=one --color 0";
|
||||||
my $check2run="-q --ip=one --color 0";
|
my $check2run="-q --ip=one --color 0";
|
||||||
my $uri="";
|
my $uri="";
|
||||||
my $socket_out="";
|
my $socket_out="";
|
||||||
my $openssl_out="";
|
my $openssl_out="";
|
||||||
# Blacklists we use to trigger an error:
|
# Blacklists we use to trigger an error:
|
||||||
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal';
|
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
|
||||||
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem';
|
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
|
||||||
|
|
||||||
# my $socket_json="";
|
# my $socket_json="";
|
||||||
# my $openssl_json="";
|
# my $openssl_json="";
|
||||||
@ -60,12 +60,14 @@ $socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
|
# commented out, bc of travis' limits
|
||||||
|
#
|
||||||
|
#printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
|
||||||
# unlink "tmp.json";
|
# unlink "tmp.json";
|
||||||
printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
|
#$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
|
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
#$tests++;
|
||||||
|
|
||||||
|
|
||||||
$uri="imap.gmx.net:143";
|
$uri="imap.gmx.net:143";
|
||||||
@ -93,11 +95,13 @@ $socket_out = `./testssl.sh $check2run -t xmpp $uri 2>&1`;
|
|||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
|
# commented out, bc of travis' limits
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
|
#
|
||||||
|
#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
|
||||||
|
#$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
#$tests++;
|
||||||
|
|
||||||
# $uri="jabber.ccc.de:5269";
|
# $uri="jabber.ccc.de:5269";
|
||||||
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
|
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
|
||||||
@ -118,13 +122,15 @@ $socket_out =~ s/ error querying OCSP responder .*\n//g;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
|
# commented out, bc of travis' limits
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`;
|
#
|
||||||
|
# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
|
||||||
|
# $openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`;
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
|
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
|
||||||
$openssl_out =~ s/ error querying OCSP responder .*\n//g;
|
# $openssl_out =~ s/ error querying OCSP responder .*\n//g;
|
||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
# unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
# $tests++;
|
||||||
|
|
||||||
|
|
||||||
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
# https://ldapwiki.com/wiki/Public%20LDAP%20Servers
|
||||||
@ -146,11 +152,13 @@ $socket_out = `./testssl.sh $check2run -t nntp $uri 2>&1`;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
|
# commented out, bc of travis' limits
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`;
|
#
|
||||||
|
#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
|
||||||
|
#$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`;
|
||||||
# $openssl_json = json('tmp.json');
|
# $openssl_json = json('tmp.json');
|
||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
#$tests++;
|
||||||
|
|
||||||
|
|
||||||
# IRC: missing
|
# IRC: missing
|
@ -18,8 +18,8 @@ my $uri="";
|
|||||||
my $socket_out="";
|
my $socket_out="";
|
||||||
my $openssl_out="";
|
my $openssl_out="";
|
||||||
# Blacklists we use to trigger an error:
|
# Blacklists we use to trigger an error:
|
||||||
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal';
|
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
|
||||||
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem';
|
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
|
||||||
|
|
||||||
# my $socket_json="";
|
# my $socket_json="";
|
||||||
# my $openssl_json="";
|
# my $openssl_json="";
|
||||||
@ -53,12 +53,14 @@ $socket_out = `./testssl.sh $check2run -t smtp $uri 2>&1`;
|
|||||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||||
$tests++;
|
$tests++;
|
||||||
|
|
||||||
|
# commented out, bc of travis' limits
|
||||||
|
#
|
||||||
# unlink "tmp.json";
|
# unlink "tmp.json";
|
||||||
printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
|
#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
|
||||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`;
|
#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`;
|
||||||
# $openssl_json = json('tmp.json');
|
## $openssl_json = json('tmp.json');
|
||||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||||
$tests++;
|
#$tests++;
|
||||||
|
|
||||||
done_testing($tests);
|
done_testing($tests);
|
||||||
unlink "tmp.json";
|
unlink "tmp.json";
|
||||||
|
@ -9,13 +9,13 @@ use JSON;
|
|||||||
|
|
||||||
my $tests = 0;
|
my $tests = 0;
|
||||||
my $prg="./testssl.sh";
|
my $prg="./testssl.sh";
|
||||||
my $check2run ="--ip=one -q --color 0";
|
my $check2run ="--ip=one --ids-friendly -q --color 0";
|
||||||
my $uri="";
|
my $uri="";
|
||||||
my $json="";
|
my $json="";
|
||||||
my $out="";
|
my $out="";
|
||||||
# Blacklists we use to trigger an error:
|
# Blacklists we use to trigger an error:
|
||||||
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal';
|
my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
|
||||||
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem';
|
my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
|
||||||
|
|
||||||
die "Unable to open $prg" unless -f $prg;
|
die "Unable to open $prg" unless -f $prg;
|
||||||
|
|
||||||
@ -44,7 +44,7 @@ $tests++;
|
|||||||
|
|
||||||
|
|
||||||
#3
|
#3
|
||||||
# This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress.
|
# This testssl.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress.
|
||||||
# but the output should be fine. The idea is to have a unit test for a failed connection.
|
# but the output should be fine. The idea is to have a unit test for a failed connection.
|
||||||
printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ...";
|
printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ...";
|
||||||
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
|
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
|
@ -15,7 +15,7 @@ my $out="";
|
|||||||
my $html="";
|
my $html="";
|
||||||
my $debughtml="";
|
my $debughtml="";
|
||||||
my $edited_html="";
|
my $edited_html="";
|
||||||
my $check2run="--ip=one --color 0 --htmlfile tmp.html";
|
my $check2run="--ip=one --ids-friendly --color 0 --htmlfile tmp.html";
|
||||||
my $diff="";
|
my $diff="";
|
||||||
die "Unable to open $prg" unless -f $prg;
|
die "Unable to open $prg" unless -f $prg;
|
||||||
|
|
@ -15,13 +15,18 @@ my (
|
|||||||
|
|
||||||
$tests = 0;
|
$tests = 0;
|
||||||
|
|
||||||
|
my $prg="./testssl.sh";
|
||||||
|
my $check2run = '-S -e --ids-friendly -U --severity LOW --color 0';
|
||||||
|
my $uri = 'badssl.com';
|
||||||
|
|
||||||
printf "\n%s\n", "Doing severity level checks";
|
printf "\n%s\n", "Doing severity level checks";
|
||||||
|
|
||||||
|
die "Unable to open $prg" unless -f $prg;
|
||||||
unlink 'tmp.json';
|
unlink 'tmp.json';
|
||||||
|
|
||||||
#1
|
#1
|
||||||
pass(" .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
|
pass(" .. running testssl.sh against $uri to create a JSON report with severity level >= LOW (may take 2~3 minutes)"); $tests++;
|
||||||
$out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`;
|
$out = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||||
$json = json('tmp.json');
|
$json = json('tmp.json');
|
||||||
unlink 'tmp.json';
|
unlink 'tmp.json';
|
||||||
$found = 0;
|
$found = 0;
|
||||||
@ -35,8 +40,8 @@ foreach my $f ( @$json ) {
|
|||||||
is($found,0,"We should not have any finding with INFO level"); $tests++;
|
is($found,0,"We should not have any finding with INFO level"); $tests++;
|
||||||
|
|
||||||
#2
|
#2
|
||||||
pass(" .. running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
|
pass(" .. running testssl.sh against $uri to create a JSON-PRETTY report with severity level >= LOW (may take 2~3 minutes)"); $tests++;
|
||||||
$out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`;
|
$out = `$prg $check2run --jsonfile-pretty tmp.json $uri`;
|
||||||
$json_pretty = json('tmp.json');
|
$json_pretty = json('tmp.json');
|
||||||
unlink 'tmp.json';
|
unlink 'tmp.json';
|
||||||
$found = 0;
|
$found = 0;
|
@ -14,7 +14,7 @@ my (
|
|||||||
);
|
);
|
||||||
# OK
|
# OK
|
||||||
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
|
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
|
||||||
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --crime --jsonfile tmp.json --color 0 badssl.com`;
|
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
|
||||||
my $okjson = json('tmp.json');
|
my $okjson = json('tmp.json');
|
||||||
unlink 'tmp.json';
|
unlink 'tmp.json';
|
||||||
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;
|
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;
|
||||||
|
64
t/61_diff_testsslsh.t
Executable file
64
t/61_diff_testsslsh.t
Executable file
@ -0,0 +1,64 @@
|
|||||||
|
#!/usr/bin/env perl
|
||||||
|
|
||||||
|
# Baseline diff test against testssl.sh (csv output)
|
||||||
|
#
|
||||||
|
# We don't use a full run yet and only the certificate section.
|
||||||
|
# There we would need to blacklist at least:
|
||||||
|
# cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
|
||||||
|
# cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
|
||||||
|
#
|
||||||
|
# help is apreciated here
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
use Test::More;
|
||||||
|
use Data::Dumper;
|
||||||
|
use Text::Diff;
|
||||||
|
|
||||||
|
my $tests = 0;
|
||||||
|
my $prg="./testssl.sh";
|
||||||
|
my $master_socket_csv="./t/baseline_data/default_testssl.csvfile";
|
||||||
|
my $socket_csv="tmp.csv";
|
||||||
|
my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv";
|
||||||
|
#my $check2run="-p --color 0 --csvfile $socket_csv";
|
||||||
|
my $uri="testssl.sh";
|
||||||
|
my $diff="";
|
||||||
|
|
||||||
|
die "Unable to open $prg" unless -f $prg;
|
||||||
|
die "Unable to open $master_socket_csv" unless -f $master_socket_csv;
|
||||||
|
|
||||||
|
|
||||||
|
# Provide proper start conditions
|
||||||
|
unlink "tmp.csv";
|
||||||
|
|
||||||
|
# Title
|
||||||
|
printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
|
||||||
|
|
||||||
|
#1 run
|
||||||
|
`$prg $check2run $uri 2>&1`;
|
||||||
|
|
||||||
|
|
||||||
|
$diff = diff $socket_csv, $master_socket_csv;
|
||||||
|
|
||||||
|
$socket_csv=`cat tmp.csv`;
|
||||||
|
$master_socket_csv=`cat $master_socket_csv`;
|
||||||
|
|
||||||
|
# Filter, for now only HTTP_clock_skew
|
||||||
|
$socket_csv=~ s/HTTP_clock_skew.*\n//g;
|
||||||
|
$master_socket_csv=~ s/HTTP_clock_skew.*\n//g;
|
||||||
|
|
||||||
|
# Compare the differences to the master file -- and print differences if there were detected.
|
||||||
|
# Filtering takes place later, so if there will be a difference detected it'll also show HTTP_clock_skew :-(
|
||||||
|
#
|
||||||
|
cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or
|
||||||
|
diag ("\n%s\n", "$diff");
|
||||||
|
|
||||||
|
$tests++;
|
||||||
|
|
||||||
|
unlink "tmp.csv";
|
||||||
|
|
||||||
|
done_testing($tests);
|
||||||
|
printf "\n";
|
||||||
|
|
||||||
|
|
||||||
|
# vim:tw=95:ts=5:sw=5:et
|
||||||
|
|
@ -1,10 +1,10 @@
|
|||||||
### Naming scheme
|
### Naming scheme
|
||||||
|
|
||||||
* 00-05: Does the bare testssl.sh work at all?
|
* 00-05: Does the bare testssl.sh work at all?
|
||||||
* 06-09: Does the reporting work at all?
|
* 10-29: Do scans work fine (client side)?
|
||||||
* 20-39: Do scans work fine (client side)?
|
* 30-39: Does reporting work?
|
||||||
* 50-69: Are the results what I expect (server side)?
|
* 50-69: Are the results what I expect (server side)?
|
||||||
|
|
||||||
Please help to write Travis/CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
|
Please help to write Travis/CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
|
||||||
You can consult the existing code here. Feel free to use `20_baseline_ipv4_http.t` or `23_client_simulation.t` as a
|
You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `23_client_simulation.t` as a
|
||||||
template.
|
template.
|
||||||
|
137
t/baseline_data/default_testssl.csvfile
Normal file
137
t/baseline_data/default_testssl.csvfile
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
"id","fqdn/ip","port","severity","finding","cve","cwe"
|
||||||
|
"service","testssl.sh/81.169.166.184","443","INFO","HTTP","",""
|
||||||
|
"pre_128cipher","testssl.sh/81.169.166.184","443","INFO","No 128 cipher limit bug","",""
|
||||||
|
"SSLv2","testssl.sh/81.169.166.184","443","OK","not offered","",""
|
||||||
|
"SSLv3","testssl.sh/81.169.166.184","443","OK","not offered","",""
|
||||||
|
"TLS1","testssl.sh/81.169.166.184","443","LOW","offered (deprecated)","",""
|
||||||
|
"TLS1_1","testssl.sh/81.169.166.184","443","LOW","offered (deprecated)","",""
|
||||||
|
"TLS1_2","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||||
|
"TLS1_3","testssl.sh/81.169.166.184","443","OK","offered with final","",""
|
||||||
|
"NPN","testssl.sh/81.169.166.184","443","INFO","offered with h2, http/1.1 (advertised)","",""
|
||||||
|
"ALPN_HTTP2","testssl.sh/81.169.166.184","443","OK","h2","",""
|
||||||
|
"ALPN","testssl.sh/81.169.166.184","443","INFO","http/1.1","",""
|
||||||
|
"cipherlist_NULL","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327"
|
||||||
|
"cipherlist_aNULL","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327"
|
||||||
|
"cipherlist_EXPORT","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327"
|
||||||
|
"cipherlist_LOW","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327"
|
||||||
|
"cipherlist_3DES_IDEA","testssl.sh/81.169.166.184","443","INFO","not offered","","CWE-310"
|
||||||
|
"cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310"
|
||||||
|
"cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||||
|
"cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||||
|
"cipher_order","testssl.sh/81.169.166.184","443","OK","server","",""
|
||||||
|
"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","",""
|
||||||
|
"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","",""
|
||||||
|
"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
|
||||||
|
"cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
|
||||||
|
"cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
|
||||||
|
"cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
|
||||||
|
"cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
|
||||||
|
"cipher-tls1_2_x9e","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","",""
|
||||||
|
"cipher-tls1_2_xc028","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","",""
|
||||||
|
"cipher-tls1_2_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_x6b","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","",""
|
||||||
|
"cipher-tls1_2_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_x67","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","",""
|
||||||
|
"cipher-tls1_2_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
|
||||||
|
"cipher-tls1_2_x9d","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","",""
|
||||||
|
"cipher-tls1_2_x9c","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","",""
|
||||||
|
"cipher-tls1_2_x3d","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","",""
|
||||||
|
"cipher-tls1_2_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","",""
|
||||||
|
"cipherorder_TLSv1_2","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA","",""
|
||||||
|
"cipher-tls1_3_x1302","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"cipher-tls1_3_x1303","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","",""
|
||||||
|
"cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
|
||||||
|
"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
|
||||||
|
"FS","testssl.sh/81.169.166.184","443","OK","offered","",""
|
||||||
|
"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","",""
|
||||||
|
"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","",""
|
||||||
|
"DH_groups","testssl.sh/81.169.166.184","443","OK","Unknown DH group (2048 bits)","",""
|
||||||
|
"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
|
||||||
|
"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
|
||||||
|
"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15465600 seconds","",""
|
||||||
|
"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
|
||||||
|
"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
|
||||||
|
"HPKP","testssl.sh/81.169.166.184","443","INFO","No support for HTTP Public Key Pinning","",""
|
||||||
|
"banner_server","testssl.sh/81.169.166.184","443","INFO","Never trust a banner","",""
|
||||||
|
"banner_application","testssl.sh/81.169.166.184","443","INFO","X-Powered-By: A portion of humor","",""
|
||||||
|
"cookie_count","testssl.sh/81.169.166.184","443","INFO","0 at '/'","",""
|
||||||
|
"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
|
||||||
|
"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
|
||||||
|
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; default-src 'self' ; child-src 'none'; object-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests","",""
|
||||||
|
"Expect-CT","testssl.sh/81.169.166.184","443","OK","max-age=86400, enforce","",""
|
||||||
|
"X-XSS-Protection","testssl.sh/81.169.166.184","443","INFO","1; mode=block","",""
|
||||||
|
"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
|
||||||
|
"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
|
||||||
|
"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
|
||||||
|
"ticketbleed","testssl.sh/81.169.166.184","443","OK","no session ticket extension","CVE-2016-9244","CWE-200"
|
||||||
|
"ROBOT","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
|
||||||
|
"secure_renego","testssl.sh/81.169.166.184","443","OK","supported","","CWE-310"
|
||||||
|
"secure_client_renego","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2011-1473","CWE-310"
|
||||||
|
"CRIME_TLS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2012-4929","CWE-310"
|
||||||
|
"BREACH","testssl.sh/81.169.166.184","443","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression - only supplied '/' tested","CVE-2013-3587","CWE-310"
|
||||||
|
"POODLE_SSL","testssl.sh/81.169.166.184","443","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310"
|
||||||
|
"fallback_SCSV","testssl.sh/81.169.166.184","443","OK","supported","",""
|
||||||
|
"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
|
||||||
|
"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
|
||||||
|
"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
||||||
|
"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=B95B85E87BA020CD25A95DF53CDD16C7DCEA96EFE7FEF9411529D511B39015B3","CVE-2016-0800 CVE-2016-0703","CWE-310"
|
||||||
|
"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
|
||||||
|
"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
|
||||||
|
"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"
|
||||||
|
"BEAST","testssl.sh/81.169.166.184","443","LOW","VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)","CVE-2011-3389","CWE-20"
|
||||||
|
"LUCKY13","testssl.sh/81.169.166.184","443","LOW","potentially vulnerable, uses TLS CBC ciphers","CVE-2013-0169","CWE-310"
|
||||||
|
"winshock","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-6321","CWE-94"
|
||||||
|
"RC4","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310"
|
||||||
|
"clientsimulation-android_442","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-android_500","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256","",""
|
||||||
|
"clientsimulation-android_60","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256","",""
|
||||||
|
"clientsimulation-android_70","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-android_81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-android_90","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-android_X","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-chrome_74_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-chrome_79_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-firefox_66_win81","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-firefox_71_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-ie_6_xp","testssl.sh/81.169.166.184","443","INFO","No connection","",""
|
||||||
|
"clientsimulation-ie_8_win7","testssl.sh/81.169.166.184","443","INFO","TLSv1.0 ECDHE-RSA-AES256-SHA","",""
|
||||||
|
"clientsimulation-ie_8_xp","testssl.sh/81.169.166.184","443","INFO","No connection","",""
|
||||||
|
"clientsimulation-ie_11_win7","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 DHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-ie_11_win81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 DHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-ie_11_winphone81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA","",""
|
||||||
|
"clientsimulation-ie_11_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-edge_15_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-edge_17_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-opera_66_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-safari_9_ios9","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-safari_9_osx1011","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-safari_10_osx1012","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-safari_121_ios_122","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-safari_130_osx_10146","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-apple_ats_9_ios9","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-java_6u45","testssl.sh/81.169.166.184","443","INFO","No connection","",""
|
||||||
|
"clientsimulation-java_7u25","testssl.sh/81.169.166.184","443","INFO","TLSv1.0 ECDHE-RSA-AES128-SHA","",""
|
||||||
|
"clientsimulation-java_8u161","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-java1102","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-java1201","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-openssl_102e","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-openssl_110l","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
|
||||||
|
"clientsimulation-openssl_111d","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
||||||
|
"clientsimulation-thunderbird_68_3_1","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
|
31
testssl.sh
31
testssl.sh
@ -162,6 +162,7 @@ QUIET=${QUIET:-false} # don't output the banner. By doing this
|
|||||||
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
|
||||||
ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
|
ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
|
||||||
BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set here like user:pass
|
BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set here like user:pass
|
||||||
|
REQHEADER=${REQHEADER:-""} # HTTP custom request header can be set here like Header: content. Can be used multiple times.
|
||||||
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
|
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
|
||||||
WARNINGS=${WARNINGS:-""} # can be either off or batch
|
WARNINGS=${WARNINGS:-""} # can be either off or batch
|
||||||
DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes
|
DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes
|
||||||
@ -382,6 +383,7 @@ TLS_NOW="" # Similar
|
|||||||
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
|
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
|
||||||
NOW_TIME=""
|
NOW_TIME=""
|
||||||
HTTP_TIME=""
|
HTTP_TIME=""
|
||||||
|
REQHEADERS=()
|
||||||
GET_REQ11=""
|
GET_REQ11=""
|
||||||
START_TIME=0 # time in epoch when the action started
|
START_TIME=0 # time in epoch when the action started
|
||||||
END_TIME=0 # .. ended
|
END_TIME=0 # .. ended
|
||||||
@ -893,6 +895,15 @@ is_ipv6addr() {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
join_by() {
|
||||||
|
# joins an array using a custom delimiter https://web.archive.org/web/20201222183540/https://stackoverflow.com/questions/1527049/how-can-i-join-elements-of-an-array-in-bash/17841619#17841619
|
||||||
|
local d=$1
|
||||||
|
shift
|
||||||
|
local f=$1
|
||||||
|
shift
|
||||||
|
printf %s "$f" "${@/#/$d}";
|
||||||
|
}
|
||||||
|
|
||||||
###### END universal helper function definitions ######
|
###### END universal helper function definitions ######
|
||||||
|
|
||||||
###### START ServerHello/OpenSSL/F5 function definitions ######
|
###### START ServerHello/OpenSSL/F5 function definitions ######
|
||||||
@ -4822,7 +4833,6 @@ run_client_simulation() {
|
|||||||
outln
|
outln
|
||||||
debugme echo
|
debugme echo
|
||||||
|
|
||||||
if "$WIDE"; then
|
|
||||||
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
|
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
|
||||||
out " Browser Protocol Cipher Suite Name (OpenSSL) "
|
out " Browser Protocol Cipher Suite Name (OpenSSL) "
|
||||||
( "$using_sockets" || "$HAS_DH_BITS") && out "Forward Secrecy"
|
( "$using_sockets" || "$HAS_DH_BITS") && out "Forward Secrecy"
|
||||||
@ -4836,7 +4846,6 @@ run_client_simulation() {
|
|||||||
fi
|
fi
|
||||||
( "$using_sockets" || "$HAS_DH_BITS") && out "----------------------"
|
( "$using_sockets" || "$HAS_DH_BITS") && out "----------------------"
|
||||||
outln
|
outln
|
||||||
fi
|
|
||||||
if ! "$using_sockets"; then
|
if ! "$using_sockets"; then
|
||||||
# We can't use the connectivity checker here as of now the openssl reply is always empty (reason??)
|
# We can't use the connectivity checker here as of now the openssl reply is always empty (reason??)
|
||||||
save_max_ossl_fail=$MAX_OSSL_FAIL
|
save_max_ossl_fail=$MAX_OSSL_FAIL
|
||||||
@ -4947,13 +4956,11 @@ run_client_simulation() {
|
|||||||
[[ -z "$cipher" ]] && cipher=$(get_cipher $TMPFILE)
|
[[ -z "$cipher" ]] && cipher=$(get_cipher $TMPFILE)
|
||||||
fi
|
fi
|
||||||
out "$proto "
|
out "$proto "
|
||||||
"$WIDE" && out " "
|
|
||||||
if [[ "$COLOR" -le 2 ]]; then
|
if [[ "$COLOR" -le 2 ]]; then
|
||||||
out "$cipher"
|
out "$cipher"
|
||||||
else
|
else
|
||||||
pr_cipher_quality "$cipher"
|
pr_cipher_quality "$cipher"
|
||||||
fi
|
fi
|
||||||
if "$WIDE"; then
|
|
||||||
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
|
if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
|
||||||
for (( j=${#cipher}; j < 34; j++ )); do
|
for (( j=${#cipher}; j < 34; j++ )); do
|
||||||
out " "
|
out " "
|
||||||
@ -4963,10 +4970,8 @@ run_client_simulation() {
|
|||||||
out " "
|
out " "
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
if [[ -n "$what_dh" ]]; then
|
if [[ -n "$what_dh" ]]; then
|
||||||
[[ -n "$curve" ]] && curve="($curve)"
|
[[ -n "$curve" ]] && curve="($curve)"
|
||||||
"$WIDE" || out ", "
|
|
||||||
if [[ "$what_dh" == ECDH ]]; then
|
if [[ "$what_dh" == ECDH ]]; then
|
||||||
pr_ecdh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve"
|
pr_ecdh_quality "$bits" "$(printf -- "%-12s" "$bits bit $what_dh") $curve"
|
||||||
else
|
else
|
||||||
@ -4974,7 +4979,6 @@ run_client_simulation() {
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if "$HAS_DH_BITS" || ( "$using_sockets" && [[ -n "${handshakebytes[i]}" ]] ); then
|
if "$HAS_DH_BITS" || ( "$using_sockets" && [[ -n "${handshakebytes[i]}" ]] ); then
|
||||||
"$WIDE" || out ", "
|
|
||||||
out "No FS"
|
out "No FS"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -19354,6 +19358,7 @@ tuning / connect options (most also can be preset via environment variables):
|
|||||||
--phone-out allow to contact external servers for CRL download and querying OCSP responder
|
--phone-out allow to contact external servers for CRL download and querying OCSP responder
|
||||||
--add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
|
--add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
|
||||||
--basicauth <user:pass> provide HTTP basic auth information.
|
--basicauth <user:pass> provide HTTP basic auth information.
|
||||||
|
--reqheader <header> add custom http request headers
|
||||||
|
|
||||||
output options (can also be preset via environment variables):
|
output options (can also be preset via environment variables):
|
||||||
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
|
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
|
||||||
@ -19509,6 +19514,7 @@ SHOW_EACH_C: $SHOW_EACH_C
|
|||||||
SSL_NATIVE: $SSL_NATIVE
|
SSL_NATIVE: $SSL_NATIVE
|
||||||
ASSUME_HTTP $ASSUME_HTTP
|
ASSUME_HTTP $ASSUME_HTTP
|
||||||
BASICAUTH: $BASICAUTH
|
BASICAUTH: $BASICAUTH
|
||||||
|
REQHEADER: $REQHEADER
|
||||||
SNEAKY: $SNEAKY
|
SNEAKY: $SNEAKY
|
||||||
OFFENSIVE: $OFFENSIVE
|
OFFENSIVE: $OFFENSIVE
|
||||||
PHONE_OUT: $PHONE_OUT
|
PHONE_OUT: $PHONE_OUT
|
||||||
@ -20634,6 +20640,7 @@ determine_service() {
|
|||||||
local ua
|
local ua
|
||||||
local protocol
|
local protocol
|
||||||
local basicauth_header=""
|
local basicauth_header=""
|
||||||
|
local reqheader=""
|
||||||
|
|
||||||
# Check if we can connect to $NODEIP:$PORT. Attention: This ALWAYS uses sockets. Thus timeouts for --ssl-=native do not apply
|
# Check if we can connect to $NODEIP:$PORT. Attention: This ALWAYS uses sockets. Thus timeouts for --ssl-=native do not apply
|
||||||
if ! fd_socket 5; then
|
if ! fd_socket 5; then
|
||||||
@ -20661,7 +20668,10 @@ determine_service() {
|
|||||||
if [[ -n "$BASICAUTH" ]]; then
|
if [[ -n "$BASICAUTH" ]]; then
|
||||||
basicauth_header="Authorization: Basic $(safe_echo "$BASICAUTH" | $OPENSSL base64 2>/dev/null)\r\n"
|
basicauth_header="Authorization: Basic $(safe_echo "$BASICAUTH" | $OPENSSL base64 2>/dev/null)\r\n"
|
||||||
fi
|
fi
|
||||||
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}Accept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n"
|
if [[ -n "$REQHEADERS" ]]; then
|
||||||
|
reqheader="$(join_by "\r\n" "${REQHEADERS[@]}")\r\n" #Add all required custom http headers to one string with newlines
|
||||||
|
fi
|
||||||
|
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}${reqheader}Accept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n"
|
||||||
# returns always 0:
|
# returns always 0:
|
||||||
service_detection $OPTIMAL_PROTO
|
service_detection $OPTIMAL_PROTO
|
||||||
else # STARTTLS
|
else # STARTTLS
|
||||||
@ -22326,6 +22336,11 @@ parse_cmd_line() {
|
|||||||
BASICAUTH="$(parse_opt_equal_sign "$1" "$2")"
|
BASICAUTH="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
;;
|
;;
|
||||||
|
--reqheader|--reqheader=*)
|
||||||
|
REQHEADER="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
|
[[ $? -eq 0 ]] && shift
|
||||||
|
REQHEADERS+=("$REQHEADER")
|
||||||
|
;;
|
||||||
(--) shift
|
(--) shift
|
||||||
break
|
break
|
||||||
;;
|
;;
|
||||||
|
36
utils/hexstream2curves.sh
Executable file
36
utils/hexstream2curves.sh
Executable file
@ -0,0 +1,36 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
hs="$1"
|
||||||
|
len=${#hs}
|
||||||
|
echo "# curves: $((len/4))"
|
||||||
|
|
||||||
|
mapfile="etc/curves-mapping.txt"
|
||||||
|
[ -s $mapfile ] || mapfile="../$mapfile"
|
||||||
|
[ -s $mapfile ] || exit 255
|
||||||
|
|
||||||
|
cur=""
|
||||||
|
first=true
|
||||||
|
|
||||||
|
for ((i=0; i<len ; i+=4)); do
|
||||||
|
printf "%02d" "$i"
|
||||||
|
echo -n ": ${hs:$i:4}"
|
||||||
|
grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}"
|
||||||
|
echo -n " --> $grepstr --> "
|
||||||
|
cur=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }')
|
||||||
|
if [[ $grepstr == 0x00,0xff ]]; then
|
||||||
|
echo TPM_ECC_NONE
|
||||||
|
else
|
||||||
|
echo $cur
|
||||||
|
fi
|
||||||
|
if "$first"; then
|
||||||
|
curves="$cur"
|
||||||
|
first=false
|
||||||
|
else
|
||||||
|
curves="$curves:$cur"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
echo
|
||||||
|
# remove leading : because of GREASE, and trailing because of TPM_ECC_NONE
|
||||||
|
curves="${curves%:}"
|
||||||
|
echo ${curves#:}
|
Loading…
Reference in New Issue
Block a user