Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2026-02-22 12:53:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
5,297 Commits 16 Branches 37 Tags
094c61caea4bb0cf08e68bc1da915f5962596804
Commit Graph

5297 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dirk
094c61caea Change banner back to 3.3dev 2026-02-13 14:25:58 +01:00
Dirk Wetter
cdc892e323 Merge pull request #2991 from testssl/3.3snap1 
Add "dev" to the version banner to clarify
v3.3dev-snapshot-2602 		2026-02-13 13:46:54 +01:00
Dirk
c895a5c268 Add "dev" to the version banner to clarify 
And modify the banner accordingly depending on whether it's a
snapshot release or not.
 2026-02-13 11:18:13 +01:00
Dirk Wetter
a9fc8a17c5 Merge pull request #2989 from testssl/3.3snap1 
Prepare for a snapshot release
 2026-02-13 08:36:20 +01:00
Dirk
c600b2cb38 Prepare for a snapshot release 
- "3.3" still signals it's not oldstable
- "snapshot-YYMM" speaks for itself
 2026-02-12 23:15:07 +01:00
Dirk Wetter
18a1264223 Merge pull request #2985 from testssl/fix_2983_robot_timeout 
Finalize renaming MAX_WAITSOCK --> ROBOT_TIMEOUT
 2026-02-11 21:36:17 +01:00
Dirk
ee316ef7ee Google has KEMs wjhich openssl doesn't show 2026-02-11 20:06:24 +01:00
Dirk
98d3c8399f Fix typo in ROBOT_TIMEOUT 
... which may led to false positives

Also in a number of tests the timeout was re-adjusted so that the robot check
performs ~25% faster -- on MacOS. On Linux it's about the same.
 2026-02-11 19:00:38 +01:00
Dirk
496373a60f Finalize renaming MAX_WAITSOCK --> ROBOT_TIMEOUT 
The commit 51a35b0344 changed variable names but there were leftovers. Also
before the tiemout values were reduced, so that the check may run faster. What was left were that some
timeout values were still too long. Thus MAX_WAITSOCK is now completely changed to ROBOT_TIMEOUT .
Also when the ROBOT check identified something as potentially vulnerable, the timeout value ist increased to
8 seconds which is less than in 3.2 . Tests however showed so far that there were no false positives or
negatives.

Moreover it changes the local variable robottimeout to robot_timeout.

This PR fixes #2983 for 3.3dev .
 2026-01-22 19:57:32 +01:00
Dirk Wetter
79db2763b6 Merge pull request #2982 from testssl/feature_2806 
Flag absence of extended master secret extension
 2026-01-15 15:19:45 +01:00
Dirk
ca55c5b180 Exempt the debug statement "Extended master secret extension detected" 2026-01-15 11:20:01 +01:00
Dirk
d78fae2dce Add extended_master_secret extension 2026-01-14 20:37:33 +01:00
Dirk
52ffa95696 Flag absence of extended master secret extension 
This PR fixes #2806 and implements a feature request. TLS >=1.2 MUST support
support the extended_master_secret extension to address an attack resulting
from TLS session parameters not being properly authenticated in a Triple
Handshake scanario (https://ieeexplore.ieee.org/document/6956559).

Only if the extension is missing there will be a medium severity level
finding. JSON output will be generated in any case.

Also in determine_tls_extensions() some documenation about tls extensions
to be send were added.
 2026-01-14 20:22:59 +01:00
Dirk Wetter
251d5ac02a Merge pull request #2981 from testssl/fix_2973 
Remove VULN_THRESHLD relic
 2026-01-13 20:05:44 +01:00
Dirk
cf77cd2ad4 fix spelling 2026-01-13 17:33:33 +01:00
Dirk
3e10b3a9a2 Remove VULN_THRESHLD relic 
This fixes #2973.

There was a while back an extra headline when one or a defined other
number of vulnerabilities were checked. The extra headline was removed
n #2967 but some leftover code needed to be removed as well.

In the aforementioned previous PR it seems run_starttls_injection()
and run_rc4() were forgotten. This PR removes extra headlines in
those functions as well.
 2026-01-13 17:24:27 +01:00
Dirk Wetter
4e10bd24da Merge pull request #2979 from testssl/drwetter-patch-1 
general remarks, check boxes
 2026-01-13 10:36:30 +01:00
Dirk Wetter
62934191d3 minor tweaking 2026-01-13 10:35:50 +01:00
Dirk Wetter
edbec494c6 Merge pull request #2980 from testssl/OPENSSL2_hint 
Suggest alternative $OPENSSL2 when $OPENSSL fails
 2026-01-13 10:30:31 +01:00
Dirk
45b27872c9 fix typo 2026-01-12 21:22:45 +01:00
Dirk
d360b27b83 Suggest alternative $OPENSSL2 when $OPENSSL fails 
.. as an UI improvement for the user.

Implemented for Ticketbleed and during startup in determine_optimal_proto() .
For the latter it could be considered later to automagically pick $OPENSSL2 .
 2026-01-12 21:07:15 +01:00
Dirk Wetter
2ea57ec490 typos 2025-12-26 20:28:28 +01:00
Dirk Wetter
c89a41e627 general remarks, check boxes 2025-12-26 20:26:26 +01:00
Dirk Wetter
6a5a69fcfd Merge pull request #2978 from testssl/drwetter-patch-1 
Polish
 2025-12-20 23:24:50 +01:00
Dirk Wetter
f16e270e6a Polish 2025-12-20 23:24:15 +01:00
Dirk Wetter
ee8055ef61 Merge pull request #2977 from testssl/drwetter-patch-1 
Add FAQ
 2025-12-20 23:19:59 +01:00
Dirk Wetter
1650b445ef Add FAQ 2025-12-20 23:19:22 +01:00
Dirk Wetter
4c27d8a8b9 Merge pull request #2975 from testssl/badges_patch 
Update badges
 2025-12-19 15:19:34 +01:00
Dirk Wetter
2274c6cd5b Merge pull request #2974 from testssl/robot_timeout_doc 
Add ROBOT_TIMEOUT to documentation
 2025-12-19 15:18:50 +01:00
Dirk
bca823a0cc Update badges 
- sort them better
- add forks+stars
- remove gitter
 2025-12-19 15:17:07 +01:00
Dirk
3ac39032fa Add ROBOT_TIMEOUT to documentation 
Also
* remove VULN_THRESHLD from docs

Note: pandoc was a different version, so the roff output has different
encodings for different special chars.
 2025-12-19 15:07:40 +01:00
Dirk Wetter
61d0189f8f Merge pull request #2969 from testssl/mitigate_2083 
Mitigate inconsistent test results for ROBOT
 2025-12-19 13:59:48 +01:00
Dirk Wetter
6cd5b4364c Merge branch '3.3dev' into mitigate_2083 2025-12-15 13:13:50 +01:00
Dirk Wetter
28baa6be44 Merge pull request #2968 from testssl/fix_missing_vulnHeadline 
ROBOT is also a vulnerability
 2025-12-15 13:12:56 +01:00
Dirk Wetter
81f25a6674 Mitigate inconsistent test results for ROBOT 
As reported a longer while back in #2083 there were trailing bytes
when receiving a TLS alert by the ROBOT check.

This PR corrects and thus normalizes the length of the TLS alert message to the
correct value, supposed the length in the TLS alart is two bytes and it is an
TLS alert.

Also this PR now uses a separate variable for the timeout. In 2ce0110e the timeout
was changed by mistake as MAX_WAITSOCK was reduced from 10 to 5. For this check it
is still 5 which seemed fine (TBC). Using a separate global variable however may offer
some possibility for tuning the check when the latency to the target is high.
 2025-12-15 12:52:41 +01:00
Dirk Wetter
51a35b0344 ROBOT is also a vulnerability 
We missed somehow to add in the big while loop to add the fact that
ROBOT is a vulnerability which become apparent with #2967.

This PR adds that.
 2025-12-15 11:44:42 +01:00
Dirk Wetter
08398b3ac2 Merge pull request #2967 from testssl/address_2943 
Remove underlined headline for each vulnerability
 2025-12-15 11:07:17 +01:00
Dirk Wetter
26e90d44c3 Remove underlined headline for each vulnerability 
This PR removes this legacy feature. There's a single
headline for vulnerabilties instead.

Fixes #2943.
 2025-12-14 21:24:30 +01:00
Dirk Wetter
3430bd97d2 Merge pull request #2965 from testssl/fix_2944 
Add missing LF after pwnkeys DB check
 2025-12-14 21:03:51 +01:00
Dirk Wetter
eeb8e7dbf1 Add missing LF after pwnkeys DB check 
This fixes #2940 .
 2025-12-14 17:43:44 +01:00
Dirk Wetter
651ddc1876 Merge pull request #2963 from dcooper16/fix2959 
Fix #2959
 2025-12-13 15:37:16 +01:00
David
2b93c9e6bb Fix #2959 
This commit fixes #2959 by modifying TLS12_CIPHER, TLS12_CIPHER_2ND_TRY, and TLS12_CIPHER_3RD_TRY so that they each have 118 ciphers (including "00,ff"). It also modifies run_cipherlists(), run_server_defaults(), and run_beast() so that, when $SERVER_SIZE_LIMIT_BUG is true, no more than 125 ciphers are sent.
 2025-12-11 08:00:32 -08:00
Dirk Wetter
7a0b62e689 Merge pull request #2961 from testssl/fix_2960 
Label missing KEMs as LOW severity
 2025-12-09 12:43:05 +01:00
Dirk Wetter
03f43ecd68 Label missing KEMs as LOW severity 2025-12-09 10:15:50 +01:00
Dirk Wetter
1250d6f853 Merge pull request #2958 from testssl/fix_early_data_empty 
Fix error when early data empty
 2025-11-29 22:38:18 +01:00
Dirk
ece7bce138 Merge branch '3.3dev' into fix_early_data_empty 2025-11-29 20:55:56 +01:00
Dirk Wetter
2b73544efc Merge pull request #2954 from testssl/address_2952 
Address 2952
 2025-11-29 20:53:43 +01:00
Dirk Wetter
8ed4b4218c this may fix it 2025-11-29 18:43:00 +01:00
Dirk Wetter
d92769d15c trying again to make Mac work 2025-11-29 13:45:00 +01:00
Dirk
17896a44a5 move unlink 2025-11-28 17:23:50 +01:00