There's a check for >825 days certificate lifetime. That
check emits a debug statement when the lifetime is within
this limit. It does that also when the certificate expired.
This commit adds now the word "total"
DEBUG: all is fine with total certificate life time
to make sure the life time left not is what should be understood.
... by adding the formerly intruoced "DEBUG" statement as a filter.
Note: "DEBUG" can now / should now be taken preferably for extra
output on debug level 1.
Replacing badssl.com by testssl.net. The former needed almost 5 min
for a run, whereas one IP of testssl.net needs ~80 secs. With --fast
even less.
Several vulnerability checks add a time penalty when the server
side only support TLS 1.3 as The TLS 1.3 RFC 8446 and implementations
known so far don't support the flaws being checked for.
This PR adds "shortcut" checks for all TLS 1.3, assuming that the
TLS 1.3 implementation is correct which seems at this time a valid
assumpution. That either saves a TCP connect or at least some logic to
be executed. Also in some cases a TLS 1.3 only server emitted unnecessary
warnings, see #1444.
If $DEBUG -eq 1 then it outputs information that a shortcut was
used. It doesn't do that in other cases because the screen output
seems too obtrusive.
It also adds a shortcut for beast when SSL 3 or TLS 1.0 is is known
not to be supported.
This commit radds 747fb039ed which
was accidenially reverted in 45f28d8166.
It fixes#1462.
See also #1459.
This also makes a short exit when the server side
supports TLS 1.3 only as this protocol doesn't support
TLS renegotiation or compression.
Also it fixes the logic flaw from the previous
commit that "-no_tls1_3" has to be supplied.
Furthermore, it unifies the output presented to the user.
As noted in #1444 a few vulnerability checks don't make sense
or aren't working. This commit addresses the renegotiation checks.
Also a few redundant quotes in parse_tls_serverhello() and
run_crime() were removed.
* Replace "! -z" with "-n"
* Replace "openssl' with "$OPENSSL"
* Redirect stderr output of $OPENSSL to /dev/null to supress "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" message (see #833)
* Remove unnecessary spaces from $GET_REQ11 string.
The CA browser form agreed on a validity period of 825 days or less
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3-redlined.pdf,
p4).
PR #1427 addressed that. However when an issuer signed/issued a certificate
with exactly 825 days, the check reported incorrectly that the life time
is too long.
This commit addressed that by adding a second to the calulation. Also the
output takes into account that it must be over ('>') 825 days, not '>='.
See #1070, kudos @poupas.
In addition it checks whether the first result was positive (in
terms of a finding). If so it does 4 rounds and checks the
result. So that other servers won't be penalized with 4 seconds.
derive-handshake-traffic-keys() uses the variables `derived_secret`, `server_write_key`, and `server_write_iv`, but they are not declared as local variables of the function. This PR fixes that.
Dirk
David Cooper
manuel