From f8579ee2f7e52649b3a4c144ef78b2c4c3295f54 Mon Sep 17 00:00:00 2001
From: Florian Schuetz
Date: Tue, 21 Jun 2016 08:57:39 +0200
Subject: [PATCH 1/2] Fix HSTS/HPKP includeSubDomains and preload being broken in file output.
---
 testssl.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index cb8147e..61e7790 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -855,19 +855,19 @@ run_http_date() {
 includeSubDomains() {
 if grep -aiqw includeSubDomains "$1"; then
 pr_done_good ", includeSubDomains"
- return 1
+ return 0
 else
 pr_litecyan ", just this domain"
- return 0
+ return -1
 fi
 }
 preload() {
 if grep -aiqw preload "$1"; then
 pr_done_good ", preload"
- return 1
- else return 0
+ else
+ return -1
 fi
 }
From 18c5f273c3334c9869abf87b3a6ae6618ebf7b7a Mon Sep 17 00:00:00 2001
From: Florian Schuetz
Date: Tue, 21 Jun 2016 21:24:24 +0200
Subject: [PATCH 2/2] HSTS: check if max-age is present and nonzero
---
 testssl.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 61e7790..e7ca22c 100755
--- a/testssl.sh
+++ b/testssl.sh
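Review bot: `return -1` on the two new else branches does not give callers a -1 to test for: the shell truncates a return status to 8 bits, so `$?` is 255 and a check such as `[[ $? -eq -1 ]]` can never match, and older bash releases may reject a negative argument to `return` as an invalid option. A small positive status keeps the callers' comparisons well-defined, e.g. `return 1` for "not present" while the present case keeps `return 0`. The then-branch of `preload()` also loses its explicit return, so its status is now whatever `pr_done_good` last returned, unlike `includeSubDomains()` which returns 0 explicitly; adding `return 0` after `pr_done_good ", preload"` keeps the two helpers consistent. The callers that read these statuses are outside this hunk, so whether they were updated to the new convention cannot be seen here.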
@@ -885,9 +885,18 @@ run_hsts() {
 if [[ $? -eq 0 ]]; then
 grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) "
 hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1)
-#FIXME: test for number!
- hsts_age_days=$(( hsts_age_sec / 86400))
- if [[ $hsts_age_days -gt $HSTS_MIN ]]; then
+ if [[ -n $hsts_age_sec ]]; then
+ hsts_age_days=$(( hsts_age_sec / 86400))
+ else
+ hsts_age_days=-1
+ fi
+ if [[ $hsts_age_days -eq -1 ]]; then
+ pr_svrty_medium "HSTS max-age is required but missing. Setting 15552000 s (180 days) or more is recommended"
+ fileout "hsts_time" "MEDIUM" "HSTS max-age missing. 15552000 s (180 days) or more recommnded"
+ elif [[ $hsts_age_days -eq 0 ]]; then
+ pr_svrty_medium "HSTS max-age is set to 0. HSTS is disabled"
+ fileout "hsts_time" "MEDIUM" "HSTS max-age set to 0. HSTS is disabled"
+ elif [[ $hsts_age_days -gt $HSTS_MIN ]]; then
 pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
 fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days"
 else
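Review bot: The "HSTS is disabled" branch tests `hsts_age_days -eq 0`, but days come from integer division by 86400, so any max-age between 1 and 86399 seconds (e.g. max-age=3600) is reported as disabled rather than merely short; the test belongs on the seconds value, `elif [[ $hsts_age_sec -eq 0 ]]; then`. The new `-n $hsts_age_sec` check only proves the sed pipeline left some digit, and `s/[^0-9]*//g` keeps every digit on the first line of `$TMPFILE` regardless of where it came from, so a header without a `max-age=` directive but with other digits would presumably pass as a valid age — anchoring the extraction on `max-age=` itself would make the missing-directive branch reliable (that sed line is context here, and `$TMPFILE` is unquoted). The fileout text for the missing case also has a typo, `recommnded`. run_hsts() begins before this hunk and continues after it.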