Dirk
093e8ddd10
Remove redundant statements
2025-03-31 17:54:01 +02:00
Dirk Wetter
2dfd192f27
Typos / when needed
2025-03-30 19:59:23 +02:00
Dirk
3a414d60bf
Comment the removal of binaries
2025-03-30 18:14:41 +02:00
Dirk
f208c09803
Rename file
2025-03-30 18:11:21 +02:00
Dirk
0e765986dc
Remove output from openssl Kerberos binary
...
... as we don't supply the kerberos binary anymore
2025-03-30 18:08:58 +02:00
Dirk
1852ef6a1d
Remove 32 Bit Linux binary
...
... as it is a niche thing. It might be available @ the contributed
build directory @ https://testssl.sh
2025-03-30 18:06:58 +02:00
Dirk
5a1d90f310
Fix link
2025-03-28 18:33:14 +01:00
Dirk
9817041519
Fix typo
2025-03-06 13:41:56 +01:00
Dirk
696ec07a42
Start working on a set of new binaries
...
* Update Readme
* Remove Kerberos binary (will go to https://testssl.sh/)
* Remove other old files
2025-03-06 13:36:31 +01:00
Dirk Wetter
9807bc327a
Merge pull request #2679 from testssl/banner_change
...
Banner change
2025-03-05 16:28:29 +01:00
Dirk
e6cfe8c3b0
Resolve merge conflict by incorporating both suggestions
2025-03-05 15:35:18 +01:00
Dirk
e2ee8b24b4
fix typo in comment
2025-03-05 15:06:41 +01:00
Dirk
5ffcd086eb
Add missing local vars
2025-03-05 15:02:15 +01:00
Dirk
3152cdf864
Banner change + minor fix for curve detection
...
In order to tell openssl binaries better apart the short banner below the
hash tag signs contain now also the date. That is the short version of the
build date unless it is not supplied which is the case of opensuse. Then
the name contains the date and it's taken from there.
The start and end banner lines have the same length now.
"sieve" was added in a comment and the sequence where sieve appears in
a pattern was trying to match other occurrences (i.e. after nntp)
While testing the banners it appeared under Linux that a) the vendor
supplied openssl sometimes hangs during startup when determining the
supported curves using -connect b) a pattern was missing to detect
whether the curve was not supported which falsely labeled all supplied curves
as supported when using /usr/bin/openssl. The pattern for the latter
was added (b). For a) there needs to be a follow up PR to avoid the
long delays.
2025-03-05 14:41:12 +01:00
Dirk Wetter
f555fb050e
Merge pull request #2678 from dcooper16/fix_typo
...
Fix typo
2025-03-05 09:13:12 +01:00
David Cooper
bbdf19df85
Fix typo
...
This commit fixes a typo that was introduced by #2656.
2025-03-04 14:01:50 -08:00
Dirk Wetter
3ae276497d
Merge pull request #2677 from testssl/dependabot/github_actions/docker/setup-qemu-action-3.6.0
...
Bump docker/setup-qemu-action from 3.5.0 to 3.6.0
2025-03-03 09:49:25 +01:00
dependabot[bot]
4d43d97622
Bump docker/setup-qemu-action from 3.5.0 to 3.6.0
...
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3.5.0...v3.6.0)
---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-03-03 00:22:11 +00:00
Dirk Wetter
4fde2e7e49
Merge pull request #2674 from testssl/dependabot/github_actions/docker/build-push-action-6.15.0
...
Bump docker/build-push-action from 6.14.0 to 6.15.0
2025-02-27 10:32:27 +01:00
Dirk Wetter
105c19e4ef
Merge pull request #2675 from testssl/dependabot/github_actions/docker/setup-qemu-action-3.5.0
...
Bump docker/setup-qemu-action from 3.4.0 to 3.5.0
2025-02-27 10:32:03 +01:00
Dirk Wetter
c9d1ba4fcc
Merge pull request #2673 from dcooper16/avoid_subshell
...
Avoid subshell overhead
2025-02-27 10:31:04 +01:00
dependabot[bot]
c37e171424
Bump docker/setup-qemu-action from 3.4.0 to 3.5.0
...
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3.4.0...v3.5.0)
---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-02-27 00:03:48 +00:00
dependabot[bot]
5bfe6d63bd
Bump docker/build-push-action from 6.14.0 to 6.15.0
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.14.0 to 6.15.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.14.0...v6.15.0)
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-02-27 00:03:46 +00:00
Dirk Wetter
78dd0a13c9
Merge pull request #2671 from javabrett/javabrett/improve-ev-detection
...
Improved (experimental) Extended Validation (EV) certificate identification
2025-02-26 22:56:21 +01:00
David Cooper
c38f46880f
Avoid subshell overhead
...
This commit removes the use of parentheses in two expressions in run_fs() in order to avoid subshell overhead.
2025-02-26 13:25:49 -08:00
David Cooper
102e4fb9b7
Merge pull request #2620 from Odinmylord/fix_curves
...
fix curves findings in TLS1.2 and prior versions
2025-02-26 13:15:34 -08:00
Dirk Wetter
04e5bc4be9
Merge pull request #2672 from javabrett/patch-1
...
Update CONTRIBUTING.md
2025-02-26 10:23:26 +01:00
Brett Randall
5f548b4214
Update CONTRIBUTING.md
...
Fixed typo complains -> complaints.
2025-02-26 13:02:16 +11:00
Brett Randall
352ed61a2e
Improved (experimental) Extended Validation (EV) certificate identification.
...
Three changes:
- Added grep for "EV TLS" in addition to "EV SSL", as some issuers are
using this. This grep link actually picks up most EV policies.
- Added policy detection for 2.23.140.1.1. This is from CA Browser
Forum https://cabforum.org/resources/object-registry/ extended-validation(1).
- Added policy detection for 1.3.6.1.4.1.38064.1.3.1.4, which is SSL.com's EV policy.
2025-02-26 10:10:21 +11:00
Dirk Wetter
ff41cbbb89
Merge pull request #2669 from magnuslarsen/3.1dev
...
fix(rating): explicit enable rating if required vuln-checks are enabled
2025-02-23 14:29:18 +01:00
Magnus Larsen
9429afade1
fix(rating): explicit enable rating if required tests are run
2025-02-23 11:48:41 +01:00
Dirk Wetter
69e2067b99
Merge pull request #2666 from krufab/fix/fix-typo-in-help-message
...
Corrected typo in the help message
2025-02-22 16:00:31 +01:00
Fabio Kruger
1539148f0b
Corrected typo in the help message
...
Signed-off-by: Fabio Kruger <10956489+krufab@users.noreply.github.com>
2025-02-22 00:55:08 +01:00
Riccardo Germenia
b3609603f9
remove unnecessary "if" statements and remove break from "if" statements
2025-02-20 15:45:05 +01:00
Dirk Wetter
ffa3e19764
Merge pull request #2662 from dcooper16/fix_ossl_supported_curve_check
...
Fix check for OpenSSL supported curves
2025-02-20 11:30:10 +01:00
Dirk Wetter
94ff89671f
Merge pull request #2664 from testssl/dependabot/github_actions/docker/build-push-action-6.14.0
...
Bump docker/build-push-action from 6.13.0 to 6.14.0
2025-02-20 11:29:28 +01:00
dependabot[bot]
ec220e7c27
Bump docker/build-push-action from 6.13.0 to 6.14.0
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.14.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.13.0...v6.14.0)
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-02-20 00:56:34 +00:00
David Cooper
5c7e7bcbc7
Fix check for OpenSSL supported curves
...
OpenSSL 3.X outputs a different error message than previous versions when $OPENSSL s_client -curves X ... is called with an unsupported curve. This was resulting in the check within find_openssl_binary() adding every curve to $OPENSSL_SUPPORTED_CURVES, even ones that were not supported. This commit changes the check in order to detect the new error message.
2025-02-19 12:47:35 -08:00
Dirk Wetter
74209e05de
Merge pull request #2660 from testssl/rm_comment
...
Remove obsolete comment that SNI is not needed for ticketbleed
2025-02-17 15:39:26 +01:00
Dirk Wetter
2baaf61cc5
Merge pull request #2657 from dcooper16/fix_pattern_match
...
Fix pattern matches
2025-02-15 14:14:38 +01:00
Dirk Wetter
f085fd1880
Merge pull request #2659 from dcooper16/npn_sockets
...
Enable run_npn() to use tls_sockets()
2025-02-15 13:47:13 +01:00
Dirk
e79dc8161e
Remove obsolete comment that SNI is not needed for ticketbleed
...
See also https://github.com/testssl/testssl.sh/pull/2656/files/aa5d4917cfc04f5fb2f6b57c3726237cca6735b9#r1954824502
2025-02-15 13:33:52 +01:00
Dirk Wetter
4b57f4c9f9
Merge pull request #2656 from dcooper16/ticketbleed
...
Enhance ticketbleed testing
2025-02-15 13:31:15 +01:00
David Cooper
96bd3072de
Enable run_npn() to use tls_sockets()
...
LibreSSL does not support the -nextprotoneg option. This commit enhances run_npn() to use tls_sockets() when $HAS_NPN is false, rather than reporting that the check cannot be performed.
2025-02-14 12:25:39 -08:00
David Cooper
acf48977c2
Fix pattern matches
...
This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets.
(The bugs were introduced in https://github.com/testssl/testssl.sh/commit/b8e9b09ca78832b1608dbce48305e65762368a0d and https://github.com/testssl/testssl.sh/commit/8149c2d5cf56d9874c91923e236b9feb5264b88b)
2025-02-13 14:21:26 -08:00
David Cooper
aa5d4917cf
Enhance ticketbleed testing
...
Some versions of OpenSSL/LibreSSL do not support TLS 1.1 and earlier, either because they do not support the protocol (e.g., `$OPENSSL s_client -tls1` results in an "unknown option" error) or because the cryptography needed to support these protocol versions (e.g., MD5/SHA1) is not available.
Given the limitations of some versions of $OPENSSL, this commit enhances ticketbleed testing in two ways. First, it performs the testing using the newest (non-TLS 1.3) version supported by the server, so that TLS 1 and TLS 1.1 aren't used unless TLS 1.2 is not supported. Second, it adds tests for whether the protocol version to be used is supported by $OPENSSL and for whether connection attempts were successful, rather than assuming connection attempts succeed.
2025-02-13 07:59:36 -08:00
Dirk Wetter
4b4260831e
Merge pull request #2653 from testssl/address_addCA_issue
...
Address CA file parsing problem (3.2)
2025-02-07 14:18:51 +01:00
Dirk Wetter
ebc43ddafe
Add previously added line from 3.0 in change log
...
for consistency reasons
2025-02-07 12:40:06 +01:00
Dirk Wetter
5e1db5f0a1
Address CA file parsing problem (3.2)
...
.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better using `safe_echo()`
See also #2647.
2025-02-07 12:30:41 +01:00
Dirk Wetter
21a89e40e8
Merge pull request #2650 from testssl/drwetter-patch-1
...
Update Readme.md
2025-02-07 10:01:31 +01:00