Dimitri Papadopoulos
parent
3dddcbf445
commit
fcb282e3c3
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
name: Codespell
|
||||
on: [push, pull_request]
|
||||
jobs:
|
||||
codespell:
|
||||
name: Check for spelling errors
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: codespell-project/actions-codespell@master
|
||||
with:
|
||||
skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
|
||||
ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle
|
||||
|
|
@ -507,7 +507,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
|
|||
* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
|
||||
|
||||
1.11
|
||||
* Hint for howto enable 56 Bit ciphers fpr testing
|
||||
* Hint for howto enable 56 Bit ciphers for testing
|
||||
* possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
|
||||
* warns if netcat is not there
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ cryptographic flaws.
|
|||
* Machine readable output (CSV, two JSON formats)
|
||||
* No need to install or to configure something. No gems, CPAN, pip or the like.
|
||||
* Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash.
|
||||
* A Dockerfile is provided, there's also an offical container build @ dockerhub.
|
||||
* A Dockerfile is provided, there's also an official container build @ dockerhub.
|
||||
* Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
|
||||
* Toolbox: Several command line options help you to run *your* test and configure *your* output.
|
||||
* Reliability: features are tested thoroughly.
|
||||
|
|
|
|||
|
|
@ -641,7 +641,7 @@ MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connect
|
|||
MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can incerase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
|
||||
MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can increase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
|
|
|
|||
|
|
@ -236,7 +236,7 @@ containing files with a .pem extension, a single file or multiple files as a com
|
|||
|
||||
<p><code>-E, --cipher-per-proto</code> is similar to <code>-e, --each-cipher</code>. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add <code>--show-each</code>. The output is sorted by security strength, it lists the encryption bits though.</p>
|
||||
|
||||
<p><code>-s, --std, --categories</code> tests certain lists of cipher suites / cipher catagories by strength. (<code>--standard</code> is deprecated.) Those lists are (<code>openssl ciphers $LIST</code>, $LIST from below:)</p>
|
||||
<p><code>-s, --std, --categories</code> tests certain lists of cipher suites / cipher categories by strength. (<code>--standard</code> is deprecated.) Those lists are (<code>openssl ciphers $LIST</code>, $LIST from below:)</p>
|
||||
|
||||
<ul>
|
||||
<li><code>NULL encryption ciphers</code>: 'NULL:eNULL'</li>
|
||||
|
|
@ -486,7 +486,7 @@ Rating automatically gets disabled, to not give a wrong or misleading grade, whe
|
|||
<li>CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use <code>~/utils/create_ca_hashes.sh</code> to create the hashes for HPKP.</li>
|
||||
<li>MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue</em>.</li>
|
||||
<li>MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like <em>Fatal error: repeated TCP connect problems, giving up</em>.</li>
|
||||
<li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like <em>Fatal error: repeated HTTP header connect problems, doesn't make sense to continue</em>.</li>
|
||||
<li>MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like <em>Fatal error: repeated HTTP header connect problems, doesn't make sense to continue</em>.</li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -161,7 +161,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
|
|||
|
||||
`-E, --cipher-per-proto` is similar to `-e, --each-cipher`. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add `--show-each`. The output is sorted by security strength, it lists the encryption bits though.
|
||||
|
||||
`-s, --std, --categories` tests certain lists of cipher suites / cipher catagories by strength. (`--standard` is deprecated.) Those lists are (`openssl ciphers $LIST`, $LIST from below:)
|
||||
`-s, --std, --categories` tests certain lists of cipher suites / cipher categories by strength. (`--standard` is deprecated.) Those lists are (`openssl ciphers $LIST`, $LIST from below:)
|
||||
|
||||
* `NULL encryption ciphers`: 'NULL:eNULL'
|
||||
* `Anonymous NULL ciphers`: 'aNULL:ADH'
|
||||
|
|
@ -396,7 +396,7 @@ Except the environment variables mentioned above which can replace command line
|
|||
* CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use `~/utils/create_ca_hashes.sh` to create the hashes for HPKP.
|
||||
* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*.
|
||||
* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*.
|
||||
* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*.
|
||||
* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*.
|
||||
|
||||
### RATING
|
||||
This program has a near-complete implementation of SSL Labs's '[SSL Server Rating Guide](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)'.
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ If you want to check trust against e.g. a company internal CA you need to use ``
|
|||
|
||||
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
|
||||
|
||||
* ``curves-mapping.txt`` contains information about all of the eliptic curves defined by IANA
|
||||
* ``curves-mapping.txt`` contains information about all of the elliptic curves defined by IANA
|
||||
|
||||
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
|
||||
``~/utils/create_ca_hashes.sh`` for an update
|
||||
|
|
|
|||
|
|
@ -19,6 +19,6 @@ The whole process is done manually.
|
|||
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
|
||||
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
|
||||
* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`
|
||||
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
|
||||
* "ciphersuites" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
|
||||
* Figure out the services by applying a good piece of human logic
|
||||
* Before submitting a PR: test it yourself! You can also watch it again via wireshark
|
||||
|
|
|
|||
32
testssl.sh
32
testssl.sh
|
|
@ -1056,7 +1056,7 @@ set_grade_cap() {
|
|||
# Always set special attributes. These are hard caps, due to name mismatch or cert being invalid
|
||||
if [[ "$1" == T || "$1" == M ]]; then
|
||||
GRADE_CAP="$1"
|
||||
# Only keep track of the lowest grade cap, since a higher grade cap wont do anything (F = lowest, A = highest)
|
||||
# Only keep track of the lowest grade cap, since a higher grade cap won't do anything (F = lowest, A = highest)
|
||||
elif [[ ! "$GRADE_CAP" > "$1" ]]; then
|
||||
GRADE_CAP="$1"
|
||||
fi
|
||||
|
|
@ -2044,7 +2044,7 @@ wait_kill(){
|
|||
|
||||
# Convert date formats -- we always use GMT=UTC here
|
||||
# argv1: source date string
|
||||
# argv2: dest date sting
|
||||
# argv2: dest date string
|
||||
if "$HAS_GNUDATE"; then # Linux and NetBSD
|
||||
parse_date() {
|
||||
LC_ALL=C TZ=GMT date -d "$1" "$2"
|
||||
|
|
@ -2402,7 +2402,7 @@ run_http_header() {
|
|||
debugme echo "NOW_TIME: $NOW_TIME | HTTP_TIME: $HTTP_TIME"
|
||||
|
||||
# Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested
|
||||
# so far seem not to be fine with header containing x0d x0a (CRLF) which is the usal case.
|
||||
# so far seem not to be fine with header containing x0d x0a (CRLF) which is the usual case.
|
||||
# So we also trigger also on any sign on a single line which is not alphanumeric (plus _)
|
||||
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE >$HEADERFILE.tmp
|
||||
# Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end
|
||||
|
|
@ -7672,19 +7672,19 @@ get_server_certificate() {
|
|||
local success ret
|
||||
local npn_params="" line
|
||||
local ciphers_to_test=""
|
||||
# Cipher suites that use a certifiate with an RSA (signature) public key
|
||||
# Cipher suites that use a certificate with an RSA (signature) public key
|
||||
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
|
||||
# Cipher suites that use a certifiate with an RSA (encryption) public key
|
||||
# Cipher suites that use a certificate with an RSA (encryption) public key
|
||||
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01, ff,00"
|
||||
# Cipher suites that use a certifiate with a DSA public key
|
||||
# Cipher suites that use a certificate with a DSA public key
|
||||
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
|
||||
# Cipher suites that use a certifiate with a DH public key
|
||||
# Cipher suites that use a certificate with a DH public key
|
||||
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
|
||||
# Cipher suites that use a certifiate with an ECDH public key
|
||||
# Cipher suites that use a certificate with an ECDH public key
|
||||
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
|
||||
# Cipher suites that use a certifiate with an ECDSA public key
|
||||
# Cipher suites that use a certificate with an ECDSA public key
|
||||
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
|
||||
# Cipher suites that use a certifiate with a GOST public key
|
||||
# Cipher suites that use a certificate with a GOST public key
|
||||
local -r a_gost="00,80, 00,81, 00,82, 00,83"
|
||||
local using_sockets=true
|
||||
|
||||
|
|
@ -7849,7 +7849,7 @@ get_server_certificate() {
|
|||
"ssl3") DETECTED_TLS_VERSION="0300" ;;
|
||||
esac
|
||||
# When "$2" is empty, get_server_certificate() is being called with SNI="".
|
||||
# In case the extensions returned by the server differ depending on wheter
|
||||
# In case the extensions returned by the server differ depending on whether
|
||||
# SNI is provided or not, don't collect extensions when SNI="" (unless
|
||||
# no DNS name was provided at the command line).
|
||||
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
|
||||
|
|
@ -8891,7 +8891,7 @@ certificate_info() {
|
|||
fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2}"
|
||||
outln "${spaces}SHA256 ${cert_fingerprint_sha2}"
|
||||
|
||||
# " " needs to be converted back to lf in JSON/CSV output. watch out leading/ending line containting "CERTIFICATE"
|
||||
# " " needs to be converted back to lf in JSON/CSV output. watch out leading/ending line containing "CERTIFICATE"
|
||||
fileout "cert${json_postfix}" "INFO" "$hostcert"
|
||||
|
||||
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \
|
||||
|
|
@ -11026,7 +11026,7 @@ fd_socket() {
|
|||
fi
|
||||
((NR_STARTTLS_FAIL++))
|
||||
# This are mostly timeouts here (code >=128). We give the client a chance to try again later. For cases
|
||||
# where we have no STARTTLS in the server banner however - ret code=3 - we don't neet to try again
|
||||
# where we have no STARTTLS in the server banner however - ret code=3 - we don't need to try again
|
||||
connectivity_problem $NR_STARTTLS_FAIL $MAX_STARTTLS_FAIL "STARTTLS handshake failed (code: $ret)" "repeated STARTTLS problems, giving up ($ret)"
|
||||
return 6 ;;
|
||||
esac
|
||||
|
|
@ -11083,7 +11083,7 @@ socksend_clienthello() {
|
|||
}
|
||||
|
||||
|
||||
# ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma
|
||||
# ARG1: hexbytes -- preceded by x -- separated by commas, with a leading comma
|
||||
# ARG2: seconds to sleep
|
||||
socksend() {
|
||||
local data line
|
||||
|
|
@ -16684,7 +16684,7 @@ run_sweet32() {
|
|||
fileout "SWEET32" "LOW" "uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
|
||||
"$tls1_1_vulnerable" && set_grade_cap "C" "Uses 64 bit block ciphers with TLS 1.1 (vulnerable to SWEET32)"
|
||||
elif "$ssl2_sweet"; then
|
||||
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers wth SSLv2 only"
|
||||
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers with SSLv2 only"
|
||||
fileout "SWEET32" "LOW" "uses 64 bit block ciphers with SSLv2 only" "$cve" "$cwe" "$hint"
|
||||
else
|
||||
pr_svrty_best "not vulnerable (OK)";
|
||||
|
|
@ -21947,7 +21947,7 @@ set_rating_state() {
|
|||
"${!gbl}" && let nr_enabled++
|
||||
done
|
||||
|
||||
# ... atleast one of these has to be set
|
||||
# ... at least one of these has to be set
|
||||
[[ "$do_allciphers" || "$do_cipher_per_proto" ]] && let nr_enabled++
|
||||
|
||||
# ... else we can't do rating
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# no early data, but TLS 1.3 with debian:buster (sid simlar in Feb 2019)
|
||||
# no early data, but TLS 1.3 with debian:buster (sid similar in Feb 2019)
|
||||
|
||||
image=${1:-"debian:buster"}
|
||||
docker pull "$image"
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# Utility which converts grepable nmap outout to testssl's file input
|
||||
# Utility which converts grepable nmap output to testssl's file input
|
||||
# It is just borrowed from testssl.sh
|
||||
# License see testssl.sh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# simple check for seesion resumption 1) by SID, 2) by tickets
|
||||
# simple check for session resumption 1) by SID, 2) by tickets
|
||||
# Author: Dirk Wetter, GPLv2 see https://testssl.sh/LICENSE.txt
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ yellow=$(tput setaf 3; tput bold)
|
|||
normal=$(tput sgr0)
|
||||
|
||||
send_clienthello() {
|
||||
local -i len_ch=216 # len of clienthello, exlcuding TLS session ticket and SID (record layer)
|
||||
local -i len_ch=216 # len of clienthello, excluding TLS session ticket and SID (record layer)
|
||||
local session_tckt_tls="$1"
|
||||
local -i len_tckt_tls="${#1}"
|
||||
local xlen_tckt_tls=""
|
||||
|
|
@ -269,7 +269,7 @@ trap "cleanup" QUIT EXIT
|
|||
"$DEBUG" && ( echo; echo )
|
||||
echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID"
|
||||
|
||||
# we do 3 client hellos, and see whether different memmory is returned
|
||||
# we do 3 client hellos, and see whether different memory is returned
|
||||
for i in 1 2 3; do
|
||||
fd_socket $PORT
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue