The commit 51a35b0344 changed variable names but there were leftovers. Also
earlier the timeout values were reduced, so that the check may run faster. What was left was that some
timeout values were still too long. Thus MAX_WAITSOCK is now completely changed to ROBOT_TIMEOUT.
Also when the ROBOT check identified something as potentially vulnerable, the timeout value is increased to
8 seconds which is less than in 3.2. Tests however showed so far that there were no false positives or
negatives.
Moreover it changes the local variable robottimeout to robot_timeout.
This PR fixes #2983 for 3.3dev.
This PR fixes #2806 and implements a feature request. TLS >=1.2 MUST
support the extended_master_secret extension to address an attack resulting
from TLS session parameters not being properly authenticated in a Triple
Handshake scenario (https://ieeexplore.ieee.org/document/6956559).
Only if the extension is missing there will be a medium severity level
finding. JSON output will be generated in any case.
Also in determine_tls_extensions() some documentation about TLS extensions
to be sent was added.
This fixes #2973.
There was a while back an extra headline when one or a defined other
number of vulnerabilities were checked. The extra headline was removed
in #2967 but some leftover code needed to be removed as well.
In the aforementioned previous PR it seems run_starttls_injection()
and run_rc4() were forgotten. This PR removes extra headlines in
those functions as well.
.. as a UI improvement for the user.
Implemented for Ticketbleed and during startup in determine_optimal_proto().
For the latter it could be considered later to automagically pick $OPENSSL2.
As reported a longer while back in #2083 there were trailing bytes
when receiving a TLS alert by the ROBOT check.
This PR corrects and thus normalizes the length of the TLS alert message to the
correct value, provided that the length in the TLS alert is two bytes and it is a
TLS alert.
Also this PR now uses a separate variable for the timeout. In 2ce0110e the timeout
was changed by mistake as MAX_WAITSOCK was reduced from 10 to 5. For this check it
is still 5 which seemed fine (TBC). Using a separate global variable however may offer
some possibility for tuning the check when the latency to the target is high.
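
The length normalization described in the commit message above, as an added example that is not testssl.sh's own code. The function name `normalize_tls_alert`, the hex-string input format and the sample bytes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from testssl.sh): trim a received TLS alert record to
# the length its record header declares, dropping any trailing bytes.
# TLS record layout: type (1 byte) | version (2) | length (2) | fragment.
# A plaintext alert is type 0x15 with a 2-byte fragment (level, description).

# normalize_tls_alert <hex string without separators>
# Prints the normalized record. Input that is not an alert with a length
# field of 0002 is printed unchanged. Returns 1 on malformed or short input.
normalize_tls_alert() {
    hex=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    # Reject empty or non-hex input
    case "$hex" in
        ''|*[!0-9A-F]*) printf '%s\n' "$hex"; return 1 ;;
    esac
    # Need at least the 5-byte record header (10 hex characters)
    if [ "${#hex}" -lt 10 ]; then
        printf '%s\n' "$hex"; return 1
    fi
    content_type=$(printf '%s' "$hex" | cut -c1-2)
    len_hex=$(printf '%s' "$hex" | cut -c7-10)
    # Only normalize when it is an alert and the declared length is two bytes
    if [ "$content_type" != 15 ] || [ "$len_hex" != 0002 ]; then
        printf '%s\n' "$hex"; return 0
    fi
    # Header (5 bytes) plus declared fragment length, in hex characters
    want=$(( (5 + 0x$len_hex) * 2 ))
    # Short read: fewer bytes arrived than the header declares
    if [ "${#hex}" -lt "$want" ]; then
        printf '%s\n' "$hex"; return 1
    fi
    printf '%s' "$hex" | cut -c1-"$want"
}

# Constructed sample: fatal (02) handshake_failure (28) alert over TLS 1.2,
# followed by two constructed trailing bytes (0000).
sample="150303000202280000"
printf 'raw:        %s\n' "$sample"
printf 'normalized: %s\n' "$(normalize_tls_alert "$sample")"
```
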
This commit fixes #2959 by modifying TLS12_CIPHER, TLS12_CIPHER_2ND_TRY, and TLS12_CIPHER_3RD_TRY so that they each have 118 ciphers (including "00,ff"). It also modifies run_cipherlists(), run_server_defaults(), and run_beast() so that, when $SERVER_SIZE_LIMIT_BUG is true, no more than 125 ciphers are sent.
This PR fixes an error when early data was empty
which caused testssl.sh to exit instead of marking
that there was no file returned.
Also it changes HEAD to GET as the latter is probably
more often supported.
There needs to be a unit test for 0-RTT / early data!