Commit Graph

234 Commits

Author SHA1 Message Date
Dirk Wetter f6a59dc083 Properly premature exit for MacOS 2026-07-11 19:03:05 +02:00
Dirk ed07c763e1 Check on MacOS returned not ok 2026-07-11 17:12:50 +02:00
Dirk Wetter 49c26b7e36 perl-style grep for mac
so skip the while thing
2026-07-10 22:25:49 +02:00
Dirk 27c432e95d Add more checks
recommended by Claude Sonnet 5

The backtick pattern will fail in a comment. To be fixed later
2026-07-10 20:20:38 +02:00
Dirk 0c16ebd6b9 Small check for semantic check
Staring with a simple pattern for checking for non-variables at left hand
side like [[ LHS == $value ]]. The file is supposed be amended in the future.

This fixes #3074 .

Upon commit it fails first as there are two instances which will be detected
(one is deliberate but will be changed too) .
2026-07-10 19:33:08 +02:00
Dirk Wetter d1da2c1dea fix spelling 2026-07-10 13:55:33 +02:00
Dirk Wetter d7f5095042 Exempt MacOS with LibreSSL to run STARTTLS via LDAP 2026-07-10 13:40:03 +02:00
Dirk Wetter 50966dc1d6 Merge branch '3.3dev' into https_rr 2026-06-22 16:26:38 +02:00
Dirk Wetter bb408fd7d5 reflect renaming the variable
and u+x the script
2026-06-20 17:17:36 +02:00
potato-20 391f6a6b2b ui: replace raw API value 'unknown' with 'no entry' in HSTS preload output 2026-06-17 15:10:51 +05:30
potato-20 57fc5850d1 Add HSTS preload list check via the hstspreload.org API (#1248)
Revives and rebases #1809 by @tosticated (Jim Blankendaal) onto 3.3dev. When --phone-out is set, run_hsts now queries https://hstspreload.org/api/v2/status and reports whether the domain is on the browser HSTS preload list (preloaded/pending/rejected/unknown), cross-referenced with the served header, the same-domain check and the bulk flag.

Addresses the review comments on #1809: the API-response matching uses native bash string matching instead of forking grep, the JSON quoting is handled inside check_hsts_preloadlist_match() so callers pass plain values, and the value arrays use 'local -a'. The output decision table is kept as-is (per maintainer feedback). Adds t/53_hsts_preload.t. Original design and decision table by @tosticated.
2026-06-17 15:10:51 +05:30
Dirk 8e25163625 Remove QUIC from runner 2026-06-10 10:03:25 +02:00
Dirk 457f8fd0a0 Provide better debugging means
This is just to assist debugging of the runners, so that
we can grab in a case needed the screen and stderr .

* there's a script t/03_debug.t.DISABLED which needs to be renamed then
* it utilises IPC::Run3
- also showing the PATH is added for both runners
- Readme amended accordingly
2026-06-09 13:43:43 +02:00
Dirk Wetter e365ccf03f try to squash the baseline comparison check 2026-05-31 19:59:01 +02:00
Dirk Wetter e0c0a6658f Provide HTTPS RR functionality
This is a fresh start for #2484 as the PR wasn't ready yet for 3.2 by the time it was released. And it continues #2866
which was kind of messed up by accident.

The info for the HTTPS RR shows up in the very beginning, i.e. in `service_detection()`. All keys are listed now in bold, values in a regular font.

`get_https_rrecord()` was introduced by copying and modifying `get_caa_rr_record()`.

There's a similar obstacle as with CAA RRs: older binaries show the  resource records binary encoded. Thus a new set of global vars is introduced HAS_*_HTTPS which check whether the binaries support decoding the RR directly. As of now raw decoding doesn't work completely.

Todo:
- Add logic in QUIC
    - if RR is detected and not QUIC is possible
    - add time for QUIC detection when RR is retrieved
- show full HTTPS RR record, at least when having a new DNS client
- coninue with raw decoding, if possible (otherwise problematic for MacOS)
- shorten the comments in `get_https_rrecord()`
- man page
- when ASSUME_HTTP is set and no services was detected: this needs to be handled
- The placement of the output should be reconsidered and/or cached when multiple IPs belong to a FQDN
2026-05-30 17:40:34 +02:00
Dirk 209e76541e Using a compariable Linux distro in the firstplace for updating handshake would have been great ;-) 2026-05-29 15:20:17 +02:00
Dirk cff2c0810c Add Linux, not Mac baseline ;-) 2026-05-28 20:41:00 +02:00
Dirk Wetter 01d58f5e9c update client simulation data 2026-05-28 19:07:28 +02:00
Dirk 7871d800f9 adjust baseline runner output 2026-05-18 21:30:57 +02:00
Dirk ee316ef7ee Google has KEMs wjhich openssl doesn't show 2026-02-11 20:06:24 +01:00
Dirk ca55c5b180 Exempt the debug statement "Extended master secret extension detected" 2026-01-15 11:20:01 +01:00
Dirk Wetter 8ed4b4218c this may fix it 2025-11-29 18:43:00 +01:00
Dirk Wetter d92769d15c trying again to make Mac work 2025-11-29 13:45:00 +01:00
Dirk 17896a44a5 move unlink 2025-11-28 17:23:50 +01:00
Dirk 4bc0a5ccba Change back to google.com, avoid 0-RTT for Mac
... as we can't make it to get proper results unless
on the laptop
2025-11-28 16:26:25 +01:00
Dirk Wetter d3c33867d7 Rather try cloudflare...
instead of google.com. Maybe google's edge server to github has
different configuration and thus has not 0-RTT.

On my Mac it worked fine before.
2025-11-28 13:28:58 +01:00
Dirk 2b06c97f19 Add 0-RTT, more in line with other files
... and simplyfied
2025-11-28 03:20:10 +01:00
Dirk b1d79b6d72 change style to be in line w others 2025-11-28 01:21:19 +01:00
Dirk 3a0a6eaf88 re-add $ 2025-11-27 22:17:54 +01:00
Dirk 7823699982 json and html unit tests more seamless
- html_file / json_file
- file name comes in command, not earlier
- Both a title
- avoid fixed string for file names over and over
2025-11-27 20:38:12 +01:00
Dirk 964e8924a4 define file var before using it 2025-11-27 19:45:39 +01:00
Dirk Wetter a4b6d1fca0 spellcheck 2025-11-27 18:49:12 +01:00
Dirk Wetter f3ebf0e971 Add autoflush thingy for MAcOS 2025-11-27 18:46:19 +01:00
Dirk Wetter 853da2a9de term pattern seems better than the "colorized list" 2025-11-27 18:39:52 +01:00
Dirk Wetter 3591f70a17 reorder lines 2025-11-27 18:31:43 +01:00
Dirk Wetter 8103a0e24d Make this work undeer MacOS
- URI is now example.com bc Akamai doesn't block too many checks
  (MacOS runner was delayed and often hiccuped here)
- failed to flush message --prevention
- term pattern seems better than the "colorized list"
2025-11-27 18:24:15 +01:00
Dirk Wetter 7e97fef030 remove LFs and comment 2025-11-27 18:22:48 +01:00
Dirk Wetter 0ef742a17a Just add comments, reorder lines 2025-11-27 17:44:31 +01:00
Dirk Wetter 4582bd8d73 Merge branch '3.3dev' into address_2952 2025-11-27 16:37:16 +01:00
Dirk Wetter de6e92826a Add stdout flush 2025-11-27 14:23:27 +01:00
Dirk Wetter 5111804b75 Try to remove the "failed to flush stdout" messages 2025-11-25 00:23:13 +01:00
Dirk Wetter e8098fc1d2 fix remainder from old os definition 2025-11-24 12:03:03 +01:00
Dirk Wetter d359e1108d proper definition of os variable 2025-11-24 11:07:16 +01:00
Dirk Wetter 7ba99cd1e9 For MacOS we rather use homebrew's OpenSSL 2025-11-24 11:04:59 +01:00
Dirk Wetter 7b2804df41 remove STARTTLS 2025-11-24 10:48:41 +01:00
Dirk 1ce514d95f Shorten badssl GHA as they fail too often
* Remove checks which aren't needed in t/51_badssl.com.t t/33_isJSON_severitylevel_valid.t
* tryying to make some files more readable
2025-10-30 18:35:43 +01:00
Dirk 6201627298 Fix unit test for Mac and Ubuntu Linux 2025-10-09 13:29:36 +02:00
Dirk Wetter 6af5377507 Ignore MLKEMs for TLS 1.3 2025-10-08 23:15:49 +02:00
Dirk Wetter f081db83e1 Update baseline 2025-10-08 23:14:54 +02:00
Dirk a4b6ded123 Update basline scan for unit test
This PR updates the baseline after switching to the new server.
2025-10-08 10:03:19 +02:00