We missed somehow to add in the big while loop to add the fact that ROBOT is a vulnerability which became
apparent with #2967 (3.3dev).
This PR adds that for 3.2 also. See #2968.
This commit fixes#2959 by modifying TLS12_CIPHER, TLS12_CIPHER_2ND_TRY, and TLS12_CIPHER_3RD_TRY so that they each have 118 ciphers (including "00,ff"). It also modifies run_cipherlists(), run_server_defaults(), and run_beast() so that, when $SERVER_SIZE_LIMIT_BUG is true, no more than 125 ciphers are sent.
`grep -w` matches also `string1-whatsoever` so that entries like
```
192.168.0.10 anystring anystring-apache
192.168.0.11 anystring-tomcat
```
matched 3 entries over 2 lines.
This PR fixes#2937 for 3.2 by improving the pattern, so that `string1` needs a trailing whitespace or an EOL -- besides a leading whitespace..
The new block making sure that rust coreutils work properly (PR #2913)
introduced a new check in order to determine which date functions
to use.
The function however parsed only for English error messages ("No such file").
This PR fixes#2929 that for 3.2 by setting LC_ALL to C.
Ubuntu 25.10 has transitionned from GNU Core-utils to Rust Core-utils. That changes the testing
results which date version to use for displaying / conversion of dates like in certificates.
Probably more Linux distriutions will follow. See also #2909 .
For maintenance reasons it is advised also the stable version will get this patched. For
3.3dev, see #2913 .
This PR ist similar to #2905 for 3.3dev . However for the stable brnach it's
important to note that this is a breaking change as it modifies the output.
That happens only tough when `ciphers_by_strength()` is being used --equivalent
to the command line `./testssl.sh -E` = `./testssl.sh --cipher-per-proto`. As
this is seldom used and was basically succeeded by `-P, --server-preference`
this looks acceptable as it provides consistency which was overdue.
Details:
* keys now always with `v`, like `supportedciphers_TLSv1_2` and also ciphers
(e.g. `TLSv1.2 x35 AES256-SHA`)
* add word "server" to file output so that it reads "NOT a server cipher order configured"
Fixes#2884 for 3.2 .
This commit fixes#2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
As suggested in #2885 parsing of the server determined HTTP age var wasn't strict enough, this is a backport for 3.2.
https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the variable to be a non-negative integer but testssl.sh assumed it was like that but did't check whether that really was the case. This was labled as a (potential) security problem. Potential as it didn't look exploitable after review -- the header as a whole was already sanitized.
This PR fixes the typs confusion and the garbled screen by checking the variable early in run_http_header() and reset it to NaN. That will be used later in run_http_date() to raise a low severity finding. Kudos to @Tristanhx for catching this and for the suggested PR.
Also, only when running in debug mode, this PR fixes that during service_detection() parts of the not-yet-sanitized header ended up on the screen. The fix just calls sanitze_http_header() for the temporary variable $TMPFILE.
For 3.2 sanitze_http_header() had to be modified to accept an argument and the callers needed to be changed.
The opossum patch improved http_get() , http_get_header/http_head()
in terms of readability. This was backported to improve maintainability.
Also in pwned keys if not pwned appear now in green/OK and not just
info level.
HAS_UDS2 was renamed to HAS2_UDS.
The logic was wrong when calling set_rating_state() in parse_cmd_line()
as do_rating was set before to true through set_scanning_defaults().
This PR fixes that by querying ${SKIP_TESTS[@]} instead and then calling
set_rating_state() when no --disable-rating was supplied .
In #2727 there were workarounds introduced which sped up processing decryption of
ChaCha20 and and AES-GCM by using OPENSSL2 when it is supporting such functions.
However when OPENSSL2 is called and OPENSSL_CONF still points to the autogenerated
file which works for `~/bin/openssl.$(uname -s).$(uname -m)` the decryption `$plaintext`
will be empty which later on caused a negative value, see #2780 .
This fixes#2780 by prepending `OPENSSL_CONF=''` to each OPENSSL2 instance. Also it
makes `chacha20()` and `gcm-decrypt()` more robust. It is now more readable now.
At other places $OPENSSL2 were prepended by `OPENSSL_CONF=''` also if there weren't
any obvious errors noticed.
Also now all OPENSSL2 vars will appear in /tmp/testssl.XXXXXX/environment.txt when
debugging.
It was also noticed that the `find_socat()` function had room for improvements, it was
not set in any case when `socat was in $PATH or supplied via env SOCAT.
This fixes a problem which was introduced @ 8d8f83ace5.
It caused for some hosts not to parse / display the issuer CN correctly.
Also it adds some code in testssl.sh and in a unit test to detect
this earlier. In general an output string FIXME will now cause a
unit test to fail. This can + should be used at other places too!
Fixes#2789
