This is tha same update as #2740 (for 3.2).
Despite using ``./utils/create_ca_hashes.sh`` git claims ``ca_hashes.txt`` hasn't changed here too.
This fixes#2739.
On MacOS run_http_header() hiccuped when in any place of the web site unprintable chars were
returned, see https://github.com/testssl/testssl.sh/issues/2708#issuecomment-2738347784 .
This PR fixes that by moving the sanitization to a separate function and run it earlier before
any processing of the returned content (header plus body) takes place.
Output was:
``
'HTTP Status Code awk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
'wk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
200 OK
``
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.*. In addition, the code uses $OPENSSL2, which is not defined. This commit fixes these issues.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available. This is the PR for 3.0, for 3.2 see #2695 .
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
OpenSSL 3.X outputs a different error message than previous versions when $OPENSSL s_client -curves X ... is called with an unsupported curve. This was resulting in the check within find_openssl_binary() adding every curve to $OPENSSL_SUPPORTED_CURVES, even ones that were not supported. This commit changes to check in order to detect the new error message.
This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets.
(The bugs were introduced in b8e9b09ca7 and 8149c2d5cf)
.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better `using safe_echo()`
See also #2647 .
When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test for NPN. As that is not implemented we nee dto make sure any other version is used.
This PR ensures that --after testing whether it's a TLS 1.3-only host where this test doesn't make any sense in the first place.
Fix for #2633
