Commit Graph

4605 Commits

Author SHA1 Message Date
Emmanuel Fusté 35496e5c5f Clean up watchdog file logic 2024-03-04 19:16:48 +01:00
Emmanuel Fusté 81167dc908 Fixes:
- Add safety gards againts infinite sleep loop
- correct the for loop test
- reverse the watchdog file logic for sleep loop. No timing dependance.
2024-03-04 18:48:21 +01:00
Emmanuel Fusté 8627ba518f Kill the heuristic an count the real number of renegociations
The heuristic is too fragile and timing dependant.

- As for the initial TLS negociation, wait for the result of the
  renegociation request before sending the next one.
- Remove the result ratio calculation and message as we now reach the
  timeout in case of exponential backoff or connection hang.

This commit depend on the fix of the timeout, broken by the zombi fix.
2024-03-01 22:02:00 +01:00
Emmanuel Fusté 2bdbdec5d9 Do not wait on pid you are not a parent.
The zombi fix did too much modifications breaking the global time-out
function.
As the wait $pid failed, we no longer create the watchdog file.
Fix by reverting unnecessary changes.
2024-03-01 17:40:43 +01:00
Dirk Wetter a2fdfb011e
Merge pull request #2474 from drwetter/mtls_beta
Polish PR2461 (mTLS) + label as beta
2024-02-28 10:22:11 +01:00
Dirk 55ae9bf248 Polish PR2461 (mTLS) + label as beta
also revert #1383
2024-02-27 15:59:16 +01:00
Dirk Wetter 94ef475255
Merge pull request #2461 from akabe1/3.2
Add mTLS new feature to support scans with client authentication
2024-02-27 15:47:03 +01:00
Dirk Wetter f84e8c05f5
Merge pull request #2470 from Tazmaniac/renego_timing_fix
Correct client_renego timing bug.
2024-02-21 17:17:51 +01:00
Dirk Wetter 32a279730f
Merge pull request #2472 from Tazmaniac/zombies-fix-3.2
Fix subshell killing to avoid zombies
2024-02-20 10:03:19 +01:00
Emmanuel Fusté af20952b86 Fix subshell killing to avoid zombies
Learned from the rest of the code ...
2024-02-19 16:19:23 +01:00
Dirk Wetter 19607d7c2c
Merge pull request #2467 from Tazmaniac/mongodb-detection-fix
MongoDB identification fix
2024-02-13 17:15:01 +01:00
Emmanuel Fusté 6277613906 Usual spell fixes. 2024-02-13 15:41:35 +01:00
Emmanuel Fusté 4066766de5 MongoDB identification fix
The actual code grep for "MongoDB" keyword in the head of the HTTP
session.
In case of "compressed" HTML, a big page is on one line.
On a IT page, we could encounter the "MongoDB" keyword and
miss-identify the application protocol.

Fixed by matching on a longuer string taken from a live MogoDB
server.
2024-02-13 15:00:19 +01:00
Emmanuel Fusté faae91edbc Correct client_renego timing bug.
OpenSSL will buffer only the first command till the establishment of the
session.
In case of slow session establishment, we could:
  * loose some renego trys missing proper mitigation implementation
  * loose some renego trys missing a real vulnerable host if 2/3 of the
    tries are lost during session establishment (very slow startup).

Wait for the session to be fully establised before starting the renego
loop.
2024-02-13 14:40:53 +01:00
Dirk Wetter 62b5859d52
Merge pull request #2465 from Odinmylord/3.2
Add SNI to ticketbleed check
2024-02-09 09:56:58 +01:00
Odinmylord eb661dadb8 Add SNI to ticketbleed check 2024-02-08 15:01:12 +01:00
Dirk Wetter c30e541658
Merge pull request #2463 from janbrasna/fix-docker-md-quotes
Fix Dockerfile.md formatting
2024-02-02 20:25:46 +01:00
Jan Brasna 1db2df333f
Fix Dockerfile.md formatting 2024-02-02 19:33:08 +01:00
Dirk Wetter 7ec7f8cf32
Merge pull request #2460 from Tazmaniac/client-renego-regression
Fixed regression in printing results
2024-01-22 09:51:11 +01:00
Maurizio S 51ab05e651
Update testssl.1.html 2024-01-20 11:49:56 +01:00
Maurizio S 55ef4c09fe
Update testssl.1.md 2024-01-20 11:49:50 +01:00
Maurizio S 83fb9b5b3a
Update CHANGELOG.md 2024-01-20 11:49:41 +01:00
Maurizio S bdab5f665c
Update CREDITS.md 2024-01-20 11:49:32 +01:00
Maurizio S ec4ceb2c20
Add mTLS feature
Added new feature to support mutual TLS via client certificate and private key, when a remote server requires client authentication.
2024-01-20 11:49:05 +01:00
Emmanuel Fusté 4cc02a63ef One more spell fix... 2024-01-19 17:09:44 +01:00
Emmanuel Fusté 02a3c2cc14 Fixed regression in printing results
And improve it with the effective number of renego before disconnection
as it is now tracked.
2024-01-19 16:22:50 +01:00
Dirk Wetter ad04a90b2a
Merge pull request #2459 from Tazmaniac/client-renego-fix
Secure Client-Initiated Renegotiation : fixes/enhancements
2024-01-18 18:37:58 +01:00
Emmanuel Fusté 67c362c89a One more spell fix 2024-01-15 10:07:09 +01:00
Emmanuel Fusté de364b0c84 Introduce SSL_REGEG_WAIT and reduce wait to 0.25s
Reduce wait between reneg test to 0.25s. Still robust and accelerates
the test as now we do up to 10 renego tests.

With the global loop timeout, the backoff identification seem unneeded.
But if we switch to 0.25s, we no longuer trigger the global timeout so
it is still valuable.
Adjust write out messages as bash do not support floating point number
arithmetic.
2024-01-12 11:30:35 +01:00
Emmanuel Fusté 9b79e3917a Bump SSL_RENEG_ATTEMPTS=10 for Stormshield
Stormshield allows 9x and then blocks. So then 10x should be tested.
Example: https://ems.ocapiat.fr
2024-01-11 18:34:47 +01:00
Emmanuel Fusté b793f54c3e Add timeout for the client initiated renego loop
Some site hang/block the connection after some renego reties
Example: https://feedback.amadeus.com

Hand written timeout logic because:
- we want to get the result of the command in case of normal exit
- we want to have working log fd redirection
- we want to known the timeout condition
2024-01-11 18:30:44 +01:00
Dirk Wetter b6fdfb1986
Merge pull request #2458 from drwetter/drwetter-patch-1
Create pull_request_template.md
2024-01-10 19:28:22 +01:00
Dirk Wetter 6e84f5f139
Fill pull_request_template.md 2024-01-10 19:27:24 +01:00
Dirk Wetter 9a494b135c
Create pull_request_template.md 2024-01-10 19:03:23 +01:00
Emmanuel Fusté d30d8e09f2 tab/space corrections and "grep -ac" in place of "grep -a | wc -l" 2024-01-10 18:31:41 +01:00
Dirk Wetter 7c0c06641c
Merge pull request #2437 from drwetter/disclaimer
Disclaimer
2024-01-10 12:22:34 +01:00
Dirk Wetter 810e870d16
Merge pull request #2454 from Odinmylord/3.2
Make cert_keysize output consistent
2024-01-10 12:21:42 +01:00
Dirk Wetter 69664cbabf
Merge pull request #2455 from Odinmylord/fix_intermediate_cert
add utf8 support to intermediate cert names
2024-01-06 20:38:32 +01:00
Odinmylord e404cf8bdb add utf8 support to intermediate cert names 2024-01-03 14:27:11 +01:00
Odinmylord f4b1bb28a0 Update certificate_info function to include key algorithm in error messages 2024-01-02 14:06:18 +01:00
Dirk Wetter 3f9cc7b6a5
Merge pull request #1871 from dcooper16/quit_on_cmd_line_errors
Quit testssl.sh on all command line errors
2023-12-24 15:34:00 +01:00
Dirk Wetter bbf770ac7f
Merge pull request #2447 from Odinmylord/3.2
Add Brainpool signature algorithms to output
2023-12-24 14:00:42 +01:00
Dirk 23c2b24c3d MUST update hashes 2023-12-24 14:00:34 +01:00
Dirk Wetter 3d63b62c24
Merge pull request #2450 from drwetter/fix_stupid_umaskerror
Bail out if user error bc of umask
2023-12-23 15:02:20 +01:00
Dirk Wetter c5265e33b7 fix wrong temp file var 2023-12-23 13:13:16 +01:00
Dirk Wetter 3b5f2022b3 fix typo 2023-12-23 13:03:57 +01:00
Dirk Wetter 8e517e0a70 Bail out if user error bc of umask
If a user chose a broken umask testssl.sh will start but emits
subsequent errors.

This patch adds two sanity checks whether it is allowed to create
and read files in the temp directory.

Fixes #2449
2023-12-23 12:58:05 +01:00
Odinmylord 90272f1d12 Add Brainpool signature algorithms to output 2023-12-13 14:23:28 +01:00
Dirk Wetter 7829821010
Merge pull request #2441 from drwetter/dependabot/github_actions/docker/build-push-action-5.1.0
Bump docker/build-push-action from 5.0.0 to 5.1.0
2023-12-09 18:13:24 +01:00
Emmanuel Fusté 2c84a525cc Fix mitigation detection with debug level 0 2023-12-07 18:58:58 +01:00