Merge branch '3.3dev' into fix_early_data_empty

t/00_testssl_help.t

@@ -13,7 +13,7 @@ my $out="";
 
 # Try to detect remainders from debugging:
 my $debug_regexp='^(\s)*set (-|\+)x';
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='testssl.sh: line';
 my $error_regexp3='bash: warning';

t/01_testssl_banner.t

@@ -8,7 +8,7 @@ use Test::More;
 
 my $tests = 0;
 my $fileout="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='testssl.sh: line';
 my $error_regexp3='bash: warning';

t/02_clientsim_txt_parsable.t

@@ -8,7 +8,7 @@ use Test::More;
 
 my $tests = 0;
 my $fileout="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='client-simulation.txt:';
 

t/10_baseline_ipv4_http.t

@@ -1,8 +1,6 @@
 #!/usr/bin/env perl
 
-# baseline test for testssl, screen and JSON output
-
-# This is referred by the documentation.
+# Baseline test for testssl, screen and JSON output
 
 # We could also inspect the JSON for any problems for
 #    "id"           : "scanProblem"
@@ -15,13 +13,11 @@ use JSON;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $tmp_json="tmp.json";
-my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0 --jsonfile $tmp_json";
+my $json_file="";
+my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0 --jsonfile";
 my $uri="google.com";
-my $socket_out="";
-my $openssl_out="";
-my $socket_json="";
-my $openssl_json="";
+my $terminal_out="";
+my $json_string="";
 #FIXME: Pattern we use to trigger an error, but likely we can skip that and instead we should?/could use the following??
 #       @args="$prg $check2run $uri >/dev/null";
 #       system("@args") == 0
@@ -29,6 +25,7 @@ my $openssl_json="";
 my $socket_errors='(e|E)rror|FIXME|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_errors='(e|E)rror|FIXME|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 my $json_errors='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);
@@ -36,37 +33,69 @@ STDOUT->autoflush(1);
 die "Unable to open $prg" unless -f $prg;
 
 # Provide proper start conditions
-unlink $tmp_json;
+$json_file="tmp.json";
+unlink $json_file;
 
 # Title
 printf "\n%s\n", "Baseline unit test IPv4 against \"$uri\"";
-$socket_out = `$prg $check2run $uri 2>&1`;
-$socket_json = json($tmp_json);
+
+
+# run the check
+$terminal_out = `$prg $check2run $json_file $uri 2>&1`;
+$json_string = json($json_file);
+
 
 #1
-unlike($socket_out, qr/$socket_errors≈/, "via sockets, checking terminal output");
+unlike($terminal_out, qr/$socket_errors≈/, "via sockets, checking terminal output");
 $tests++;
 
 #2
-unlike($socket_json, qr/$json_errors/, "via sockets checking JSON output");
+unlike($json_string, qr/$json_errors/, "via sockets checking JSON output");
 $tests++;
 
-unlink $tmp_json;
-
 #3
-$openssl_out = `$prg --ssl-native $check2run $uri 2>&1`;
-$openssl_json = json($tmp_json);
-unlike($openssl_out, qr/$openssl_errors/, "via (builtin) OpenSSL, checking terminal output");
+unlink $json_file;
+$terminal_out = `$prg --ssl-native $check2run $json_file $uri 2>&1`;
+$json_string = json($json_file);
+unlike($terminal_out, qr/$openssl_errors/, "via (builtin) OpenSSL, checking terminal output");
 $tests++;
 
 #4
-unlike($openssl_json, qr/$json_errors/, "via OpenSSL (builtin) checking JSON output");
+unlike($json_string, qr/$json_errors/, "via OpenSSL (builtin) checking JSON output");
 $tests++;
 
-unlink $tmp_json;
+if ( $os eq "linux" ){
+     #5 -- early data test. We just take the last check
+     my $found=0;
+     open my $fh, '<', $json_file or die "Can't open '$json_file': $!";
+     local $/;                    # undef slurp mode
+     my $data = decode_json(<$fh>);
+     close $fh;
+
+     # Check if the decoded data is an array
+     if (ref $data eq 'ARRAY') {
+          # Iterate through the array of JSON objects
+          foreach my $obj (@$data) {
+               # Check if the 'id' is "early_data" and 'severity' is "HIGH"
+               if ($obj->{id} eq 'early_data' && $obj->{severity} eq 'HIGH') {
+                    $found=1;
+                    last;          # we can leave the loop
+               }
+          }
+     }
+
+     if ($found) {
+         ok(1, "0‑RTT found in JSON from $uri");
+     } else {
+         fail("0‑RTT test for $uri failed");
+     }
+     $tests++;
+} elsif ( $os eq "darwin" ){
+     printf "%s\n", "Skipping test. The result of the check under MacOS is not understood" ;
+}
 
 done_testing($tests);
-printf "\n";
+printf "\n\n";
 
 
 sub json($) {
@@ -76,6 +105,5 @@ sub json($) {
 	return from_json($file);
 }
 
-
 # vim:ts=5:sw=5:expandtab
 

t/11_baseline_ipv6_http.t.DISABLED

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 
-# disabled as IPv6 wasn't supported by Travis CI and isn't by GH action, see https://github.com/testssl/testssl.sh/issues/1177
+# disabled as IPv6 wasn't supported by Travis CI and isn't also supported by GH action, see https://github.com/testssl/testssl.sh/issues/1177
 
 # Just a functional test, whether there are any problems on the client side
 # Probably we could also inspect the JSON for any problems for
@@ -10,8 +10,8 @@
 use strict;
 use Test::More;
 use Data::Dumper;
+# if JSON it'll be needed to uncommented this and the lines below
 # use JSON;
-# if we need JSON we need to comment this and the lines below in
 
 my $tests = 0;
 my $prg="./testssl.sh";
@@ -19,7 +19,7 @@ my $check2run ="-p -s -P --fs -S -h -U -q --ip=one --color 0";
 my $uri="";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 

t/12_diff_opensslversions.t

@@ -21,7 +21,7 @@ my $diff="";
 my $distro_openssl="/usr/bin/openssl";
 my @args="";
 # that can be done better but I am a perl n00b ;-)
-my $os=`perl -e 'print "$^O";'`;
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);

t/21_baseline_starttls.t

@@ -22,9 +22,11 @@ my $check2run="-q --ip=one --color 0";
 my $uri="";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
+my $openssl_fallback_cmd="";       # empty for Linux
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);
@@ -36,10 +38,26 @@ STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
 
-$uri="smtp-relay.gmail.com:587";
+if ( $os eq "darwin" ){
+     # MacOS silicon doesn't have ~/bin/openssl.Darwin.arm64 binary so we use the
+     # homebrew version which was moved to /opt/homebrew/bin/openssl.NOPE in
+     # .github/workflows/unit_tests_macos.yml . The LibreSSL version from MacOS
+     # sometimes have problems to finish the run, thus we use homebrew's version
+     # as fallback.
+     # If this will be run outside GH actions, i.e. locally, we provide a fallback to
+     # /opt/homebrew/bin/openssl or just leave this thing
+     if ( -x "/opt/homebrew/bin/openssl.NOPE" ) {
+          $openssl_fallback_cmd="--openssl /opt/homebrew/bin/openssl.NOPE";
+     }
+     elsif ( -x "/opt/homebrew/bin/openssl" ) {
+          $openssl_fallback_cmd="--openssl /opt/homebrew/bin/openssl";
+     }
+}
 
+$check2run_smtp="$check2run_smtp $openssl_fallback_cmd" ;
 
 #1
+$uri="smtp-relay.gmail.com:587";
 # unlink "tmp.json";
 # we will have client simulations later, so we don't need to run everything again:
 printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ...";
@@ -49,16 +67,7 @@ unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #2
-# unlink "tmp.json";
-printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
 $uri="pop.gmx.net:110";
-
-#3
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
@@ -66,16 +75,8 @@ $socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#4
-printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t pop3 $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
+#3
 $uri="imap.gmx.net:143";
-
-#5
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t imap $uri 2>&1`;
@@ -83,16 +84,8 @@ $socket_out = `$prg $check2run -t imap $uri 2>&1`;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#6
-printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t imap $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
+#4
 $uri="mail.tigertech.net:4190";
-
-#7
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t sieve $uri 2>&1`;
@@ -100,9 +93,8 @@ $socket_out = `$prg $check2run -t sieve $uri 2>&1`;
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
 
+#5
 $uri="jabber.org:5222";
-
-#8
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t xmpp $uri 2>&1`;
@@ -112,12 +104,6 @@ $tests++;
 
 # commented out, bc of travis' limits
 #
-#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `$prg --ssl-native $check2run -t xmpp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-#unlike($openssl_out, qr/$openssl_regex_bl/, "");
-#$tests++;
-
 # $uri="jabber.ccc.de:5269";
 # printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
 # $openssl_out = `$prg --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
@@ -125,10 +111,8 @@ $tests++;
 # unlike($openssl_out, qr/$openssl_regex_bl/, "");
 # $tests++;
 
-
+#6
 $uri="ldap.uni-rostock.de:21";
-
-#9
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t ftp $uri 2>&1`;
@@ -138,35 +122,15 @@ $socket_out =~ s/ error querying OCSP responder .*\n//g;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-# commented out, bc of travis' limits
-#
-# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
-# $openssl_out = `$prg --ssl-native $check2run -t ftp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
-# $openssl_out =~ s/ error querying OCSP responder .*\n//g;
-# unlike($openssl_out, qr/$openssl_regex_bl/, "");
-# $tests++;
-
-
+#7
 # https://ldapwiki.com/wiki/Public%20LDAP%20Servers
 $uri="db.debian.org:389";
-
-#10
 printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t ldap $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#11
-printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t ldap $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
-
 # For NNTP there doesn't seem to be reliable host out there
 #$uri="144.76.182.167:119";
 
@@ -174,14 +138,7 @@ $tests++;
 #$socket_out = `$prg $check2run -t nntp $uri 2>&1`;
 #unlike($socket_out, qr/$socket_regex_bl/, "");
 #$tests++;
-
-# commented out, bc of travis' limits
-#
-#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `$prg --ssl-native $check2run -t nntp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-#unlike($openssl_out, qr/$openssl_regex_bl/, "");
-#$tests++;
+# also: commented out, bc of travis' limits
 
 # IRC: missing
 # LTMP, mysql, postgres

t/23_client_simulation.t

@@ -1,15 +1,16 @@
 #!/usr/bin/env perl
 
 # Just a functional test, whether there are any problems on the client side
-# Probably we could also inspect the JSON for any problems for
+
+# We could also inspect the JSON for any problems for
 #    "id"           : "scanProblem"
 #    "finding"      : "Scan interrupted"
 
 use strict;
 use Test::More;
 use Data::Dumper;
+# if needed: comment this and the lines below in:
 # use JSON;
-# if we need JSON we need to comment this and the lines below in
 
 my $tests = 0;
 my $prg="./testssl.sh";
@@ -17,7 +18,7 @@ my $check2run ="--client-simulation -q --ip=one --color 0";
 my $uri="";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
+# Pattern we use to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 
@@ -30,8 +31,8 @@ STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
 
+#1
 $uri="google.com";
-
 # unlink "tmp.json";
 printf "\n%s\n", "Client simulations unit test via sockets --> $uri ...";
 $socket_out = `$prg $check2run $uri 2>&1`;
@@ -39,6 +40,7 @@ $socket_out = `$prg $check2run $uri 2>&1`;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
+#2 Makes little sense anymore but lets just keep this unit test
 # unlink "tmp.json";
 printf "\n%s\n", "Client simulations unit test via OpenSSL --> $uri ...";
 $openssl_out = `$prg $check2run --ssl-native $uri 2>&1`;
@@ -47,8 +49,8 @@ unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
 
 
+#3
 $uri="smtp-relay.gmail.com:587";
-
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS: Client simulations unit test via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t smtp $uri 2>&1`;
@@ -56,18 +58,10 @@ $socket_out = `$prg $check2run -t smtp $uri 2>&1`;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-# commented out, bc of travis' limits
-#
 # unlink "tmp.json";
-#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
-#$openssl_out = `$prg --ssl-native $check2run -t smtp $uri 2>&1`;
-## $openssl_json = json('tmp.json');
-#unlike($openssl_out, qr/$openssl_regex_bl/, "");
-#$tests++;
 
 done_testing($tests);
-unlink "tmp.json";
-
+printf "\n";
 
 
 sub json($) {

t/31_isJSON_valid.t

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 
-# This is more a PoC. Improvements welcome!
+# Checking whether both JSON outputs are valid
 #
 
 use strict;
@@ -9,50 +9,55 @@ use JSON;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $check2run ="--ip=one --ids-friendly -q --color 0";
-my $uri="";
 my $json="";
+my $json_file="";
+my $check2run ="--ip=one --ids-friendly -q --color 0";
+my $uri="example.com";        # Cloudflare blocks too often
 my $out="";
 my $cmd_timeout="--openssl-timeout=10";
-# Blacklists we use to trigger an error:
+
+# Patterns used to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
-# that can be done better but I am a perl n00b ;-)
-my $os=`perl -e 'print "$^O";'`;
+my $os="$^O";
+
+# useful against "failed to flush stdout" messages
+STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
 
-my $uri="cloudflare.com";
+# Provide proper start conditions
+$json_file="tmp.json";
+unlink $json_file;
 
+# Title
 printf "\n%s\n", "Unit testing JSON output ...";
-unlink 'tmp.json';
 
 #1
 printf "%s\n", ".. plain JSON --> $uri ";
-$out = `$prg $check2run --jsonfile tmp.json $uri`;
-$json = json('tmp.json');
-unlink 'tmp.json';
+$out = `$prg $check2run --jsonfile $json_file $uri`;
+$json = json($json_file);
+unlink $json_file;
 my @errors=eval { decode_json($json) };
 is(@errors,0,"no errors");
 $tests++;
 
-
 #2
 printf "%s\n", ".. pretty JSON --> $uri ";
-$out = `$prg $check2run --jsonfile-pretty tmp.json $uri`;
-$json = json('tmp.json');
-unlink 'tmp.json';
+$out = `$prg $check2run --jsonfile-pretty $json_file $uri`;
+$json = json($json_file);
+unlink $json_file;
 @errors=eval { decode_json($json) };
 is(@errors,0,"no errors");
 $tests++;
 
 
 #3
-my $uri = "smtp-relay.gmail.com:587";
+$uri = "smtp-relay.gmail.com:587";
 printf "%s\n", " .. plain JSON and STARTTLS --> $uri ...";
-$out = `$prg --jsonfile tmp.json $check2run -t smtp $uri`;
-$json = json('tmp.json');
-unlink 'tmp.json';
+$out = `$prg --jsonfile $json_file $check2run -t smtp $uri`;
+$json = json($json_file);
+unlink $json_file;
 @errors=eval { decode_json($json) };
 is(@errors,0,"no errors");
 $tests++;
@@ -65,9 +70,9 @@ if ( $os eq "linux" ){
      # This testssl.sh run deliberately does NOT work as github actions block port 25 egress.
      # but the output should be fine. The idea is to have a unit test for a failed connection.
      printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ...";
-     $out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
-     $json = json('tmp.json');
-     unlink 'tmp.json';
+     $out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile $json_file --mx $uri`;
+     $json = json($json_file);
+     unlink $json_file;
      @errors=eval { decode_json($json) };
      is(@errors,0,"no errors");
      $tests++;
@@ -75,9 +80,9 @@ if ( $os eq "linux" ){
      #5
      # Same as above but with pretty JSON
      printf "%s\n", ".. pretty JSON for a failed run '--mx $uri' ...";
-     $out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`;
-     $json = json('tmp.json');
-     unlink 'tmp.json';
+     $out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty $json_file --mx $uri`;
+     $json = json($json_file);
+     unlink $json_file;
      @errors=eval { decode_json($json) };
      is(@errors,0,"no errors");
      $tests++;
@@ -86,12 +91,13 @@ if ( $os eq "linux" ){
      printf "skipped two checks on MacOS\n\n";
 }
 
-printf "\n";
 done_testing($tests);
+printf "\n\n";
 
 sub json($) {
     my $file = shift;
     $file = `cat $file`;
+    unlink $file;
     return from_json($file);
 }
 

t/32_isHTML_valid.t

@@ -10,30 +10,38 @@ use Text::Diff;
 
 my $tests = 0;
 my $prg="./testssl.sh";
+my $html="";
+my $html_file="";
+my $check2run="--ip=one -4 --openssl /usr/bin/openssl --sneaky --ids-friendly --color 0 --htmlfile";
 my $uri="github.com";
 my $out="";
-my $html="";
 my $debughtml="";
 my $edited_html="";
-my $htmlfile="tmp.html";
 # Pick /usr/bin/openssl as we want to avoid the debug messages like "Your ./bin/openssl.Linux.x86_64 doesn't support X25519"
-my $check2run="--ip=one -4 --openssl /usr/bin/openssl --sneaky --ids-friendly --color 0 --htmlfile $htmlfile";
 my $diff="";
 my $ip="";
+
+# useful against "failed to flush stdout" messages
+STDOUT->autoflush(1);
+
 die "Unable to open $prg" unless -f $prg;
 
-printf "\n%s\n", "Doing HTML output checks";
-unlink $htmlfile;
+# Provide proper start conditions
+$html_file="tmp.html";
+unlink $html_file;
+
+# Title
+printf "\n%s\n", "Unit testing HTML output ...";
 
 #1
 printf "%s\n", " .. running $prg against \"$uri\" to create HTML and terminal outputs (may take ~2 minutes)";
 # specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH
-$out = `TERM_WIDTH=120 $prg $check2run $uri`;
-$html = `cat $htmlfile`;
+$out = `TERM_WIDTH=120 $prg $check2run $html_file $uri`;
+$html = `cat $html_file`;
 # $edited_html will contain the HTML with formatting information removed in order to compare against terminal output
 # Start by removing the HTML header.
-$edited_html = `tail -n +11 $htmlfile`;
-unlink $htmlfile;
+$edited_html = `tail -n +11 $html_file`;
+unlink $html_file;
 
 # Remove the HTML footer
 $edited_html =~ s/\n\<\/pre\>\n\<\/body\>\n\<\/html\>//;
@@ -66,9 +74,9 @@ if ( $^O eq "darwin" ){
 #2
 printf "%s\n", " .. running again $prg against \"$uri\", now with --debug 4 to create HTML output (may take another ~2 minutes)";
 # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages
-$out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2>/dev/null`;
-$debughtml = `cat $htmlfile`;
-unlink $htmlfile;
+$out = `TERM_WIDTH=120 $prg $check2run $html_file --debug 4 $uri 2>/dev/null`;
+$debughtml = `cat $html_file`;
+unlink $html_file;
 
 # Remove date information from the Start and Done banners in the two HTML files, since they were created at different times
 $html =~ s/Start 2[0-9][0-9][0-9]-[0-3][0-9]-[0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9]/Start XXXX-XX-XX XX:XX:XX/;
@@ -108,9 +116,8 @@ ok($debughtml eq $html, "Checking if HTML file created with --debug 4 matches HT
      diag ("\n%s\n", "$diff");
 $tests++;
 
-
-printf "\n\n";
 done_testing($tests);
+printf "\n\n";
 
 
 # vim:ts=5:sw=5:expandtab

t/33_isJSON_severitylevel_valid.t

@@ -5,30 +5,39 @@ use Test::More;
 use Data::Dumper;
 use JSON;
 
-my (
-    $out,
-    $json,
-    $json_pretty,
-    $found,
-    $tests
-);
+my $tests = 0;
+
 
-$tests = 0;
 
 my $prg="./testssl.sh";
+my $json="";
+my $json_file="";
 my $check2run = '-S --beast --sweet32 --breach --beast --lucky13 --rc4 --severity LOW --color 0';
 my $uri = 'badssl.com';
+my $out="";
+my $json_pretty="";
+my $found=1;
 
-printf "\n%s\n", "Doing severity level checks";
+
+
+
+# useful against "failed to flush stdout" messages
+STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
-unlink 'tmp.json';
+
+# Provide proper start conditions
+$json_file="tmp.json";
+unlink $json_file;
+
+# Title
+printf "\n%s\n", "Doing severity level checks";
 
 #1
 pass(" .. running testssl.sh against $uri to create a JSON report with severity level >= LOW (may take 2~3 minutes)"); $tests++;
-$out = `$prg $check2run --jsonfile tmp.json $uri`;
-$json = json('tmp.json');
-unlink 'tmp.json';
+$out = `$prg $check2run --jsonfile $json_file $uri`;
+$json = json($json_file);
+unlink $json_file;
 $found = 0;
 cmp_ok(@$json,'>',0,"At least 1 finding is expected"); $tests++;
 foreach my $f ( @$json ) {
@@ -41,9 +50,9 @@ is($found,0,"We should not have any finding with INFO level"); $tests++;
 
 #2
 pass(" .. running testssl.sh against $uri to create a JSON-PRETTY report with severity level >= LOW (may take 2~3 minutes)"); $tests++;
-$out = `$prg $check2run --jsonfile-pretty tmp.json $uri`;
-$json_pretty = json('tmp.json');
-unlink 'tmp.json';
+$out = `$prg $check2run --jsonfile-pretty $json_file $uri`;
+$json_pretty = json($json_file);
+unlink $json_file;
 $found = 0;
 my $vulnerabilities = $json_pretty->{scanResult}->[0]->{vulnerabilities};
 foreach my $f ( @$vulnerabilities ) {
@@ -54,8 +63,8 @@ foreach my $f ( @$vulnerabilities ) {
 }
 is($found,0,"We should not have any finding with INFO level"); $tests++;
 
-printf "\n";
 done_testing($tests);
+printf "\n\n";
 
 sub json($) {
     my $file = shift;

t/51_badssl.com.t

@@ -20,6 +20,9 @@ my (
 
 die "Unable to open $prg" unless -f $prg;
 
+# useful against "failed to flush stdout" messages
+STDOUT->autoflush(1);
+
 # Provide proper start conditions
 unlink 'tmp.json';
 

t/61_diff_testsslsh.t

@@ -3,7 +3,7 @@
 # Baseline diff test against testssl.sh (csv output)
 #
 # We don't use a full run yet and only the certificate section.
-# There we would need to blacklist more, like:
+# There we would need to block-list more, like:
 # cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
 # cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
 #

testssl.sh

@@ -1971,8 +1971,9 @@ http_head_printf() {
                safe_echo "HEAD ${path} HTTP/1.1\r\nUser-Agent: ${useragent}\r\nHost: ${node}\r\nAccept: */*\r\n${extra_header}\r\n\r\n" >&33 2>$errfile
                ret=0
                touch $tmpfile
-               # This doesn't block
-               while IFS= read -r line <&33; do
+               # This doesn't block. A timeout seems necessary for MacOS 18 and e.g. Akamai
+               # but maybe it's due because the server side keeps the connection open
+               while IFS= read -t 4 -r line <&33; do
                     safe_echo "$line" >>$tmpfile
                done
                cat $tmpfile