.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better `using safe_echo()`
See also #2647 .
When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test for NPN. As that is not implemented we nee dto make sure any other version is used.
This PR ensures that --after testing whether it's a TLS 1.3-only host where this test doesn't make any sense in the first place.
Fix for #2633
In some cases OpenSSL returns an "unsupported" message rather than a "not found" message if X25519 and X448 are not supported. This commit changes the check for whether X5519 and X448 are supported for checking for either response.
This commit fixes#2599 by not wrapping fileout() messages in a "clientProblem" wrapper if TLS13_ONLY is set. The TLS13_ONLY flag being set is an indicator that fileout_banner() has already been called.
In rare cases testssl.sh writes to the terminal output "likely not offered" but misses the "likely" in the json/csv output.
This fixes#2575 for the 3.0 branch by adding that word and amending the return value 4 with a comment.
* Upgrade both GHCR and Docker hub foile to alpine 3.2
* uses openssl version 3.3 as a alternative to option (default is still "ours"
* docker 3.0 yml hast now ubuntu-22.04 (not EOL) + "latest" omitted
... for readablity and bugs to be filed (see #2506)
This PR defines a short string for the OpenSSL banner as some suppliers have
makde them (unnecessarily) long so that it won't fit in the banner.
The banner also now omits the built line nad bash version when scanning
as for the user it is normally not important.
Same as #2528, only for the 3.0 branch.
- Mozilla: 2024-7-02
- Debian 12, ca-certificates from 20230311
- JDK 21.04
- Apple via https://github.com/apple-oss-distributions/security_certificates (according to git log latest change Fri Dec 15 00:44:35 2023)
- Microsoft via CertUtil (date of this PR)
Modified Readme to reflect that the Apple CA certificates are better to retrieve from GH and clarified minor things.
This also fixes#2525 (for 3.0), where >=2 certificates were missing.
Local and ULA and other IPv6 adresses were incorrectly filtered by ``awk '/^[0-9]/ { print $1 }'`` which searches in the first term for numeric values only.
This PR adds a-f and fixes#2529 for the 3.0 branch.
This commit fixes drwetter#2502 in the 3.0 branch by checking that the key_share extension is at least 4 bytes long (8 in ASCII-HEX). These 4 bytes encode the group value (2 bytes) and the length of the key (2 bytes).
The actual code grep for "MongoDB" keyword in the head of the HTTP
session.
In case of "compressed" HTML, a big page is on one line.
On a IT page, we could encounter the "MongoDB" keyword and
miss-identify the application protocol.
Fixed by matching on a longuer string taken from a live MogoDB
server.
Implemnation for 3.0, 3.2 see #2450
If a user chose a broken umask testssl.sh will start but emits subsequent errors.
This patch adds two sanity checks whether it is allowed to create and read files in the temp directory.
Fixes#2449
