Commit Graph

3637 Commits

Author SHA1 Message Date
tosticated ad8a52ec4f Updated changelog and credits 2020-09-08 15:34:30 +02:00
Dirk Wetter fe7b51a3e2 remove hint in winshock 2020-09-08 13:42:50 +02:00
Dirk Wetter a1a0605082 add winshock 2020-09-08 13:42:33 +02:00
Dirk Wetter a511da4ce8 New feature: winshock
This commit implements a detection of Winshock from 2014 (aka MS14-066, CVE-2014-6321).

It does that by analyzing
* the ciphers supported -- MS' rollup patch introduced new GCM ciphers
* AND grabbing the server banner which should match IIS 8.0 oder IIS 8.5

Admittedly this is not a strong detection. But it worked in the cases I tested
(no RDP  yet). The other known method remotely testing for it against IIS is
using a patched openssl binary (see https://github.com/drwetter/testssl.sh/issues/331#issuecomment-211534954)
-- the diff "jules" (hi) provided a while back. That seems to stem from securitysift
albeit his decription was not complete and he didn't provide a PoC (I've
seen also polarssl +  a little bit of python here: https://vimeo.com/112089813

The catch is securitysift's method, is not as trivial to implement and it dosses the
sass.exe process, see: http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/.

* Todo: man page

This commit also removes -BB from the help. We haven't settled yet finally
where we go with short options for the cmd line for vulnerabilities. One
is for sure though: Using one letter uppercase doesn't scale. As winshock
can be executed with --WS and --winshock --BB brings that in line. For now
also -BB works (as -WS) but it isn't advertised anymore.
2020-09-08 12:37:50 +02:00
Dirk Wetter b6bab1e1b5
Merge pull request #1715 from drwetter/not_run_allciphers_et_al
Modify default for full 9 yrds run
2020-09-07 21:17:01 +02:00
Dirk Wetter e5d0b3eeac Modify default for full 9 yrds run
We don't need to execute run_cipher_per_proto() in addition here
2020-09-07 09:54:34 +02:00
Dirk Wetter d424b0c649
Merge pull request #1711 from dcooper16/fix1699
Fix #1699
2020-08-31 17:08:10 +02:00
David Cooper 3973bc3364 Fix #1699
This commit fixes #1699 by setting FIRST_FINDING to true in fileout_banner() if $do_json_pretty is true.

When $do_json_pretty is true, fileout_banner() calls fileout_pretty_json_banner(), which starts a new sectio in the JSON file. Setting FIRST_FINDING to true ensures that a comma is not placed before the first entry in this new section. This is the same as is done in other places when a new section is stated: fileout_section_header() and fileout_insert_warning().
2020-08-31 10:35:19 -04:00
tosticated 47e9814baa Added check for certificate validity longer than 398 days 2020-08-31 16:21:32 +02:00
tosticated e3b62341ba Merge branch '3.1dev' of https://github.com/tosticated/testssl.sh into 3.1dev 2020-08-31 16:20:59 +02:00
tosticated 63620276cd Added check for certificate validity longer than 398 days 2020-08-31 16:20:27 +02:00
tosticated b315f5ac03 Added check for certificate validity longer than 398 days 2020-08-31 16:11:30 +02:00
Dirk Wetter 09fb279510
Merge pull request #1707 from geert-hendrickx-be/3.1dev
`hostname` is not defined by POSIX, use portable `uname -n` instead.
2020-08-26 18:59:43 +02:00
Geert Hendrickx 09c276ffa2 `hostname` is not defined by POSIX, use portable `uname -n` instead. 2020-08-26 18:40:47 +02:00
Dirk Wetter b4cbe7674a
Merge pull request #1704 from drwetter/add_ca_dir
Allow dir with PEM files for --add-CA
2020-08-20 09:19:25 +02:00
Dirk Wetter ecc6cd8160 Allow dir with PEM files for --add-CA
Idea which popped up while following #1700
2020-08-18 21:52:59 +02:00
Dirk Wetter 565c93e53b
Merge pull request #1703 from drwetter/rapydblok
Add https://inspect.rapydblok.com
2020-08-14 10:21:36 +02:00
Dirk Wetter 7830a22b27
Merge pull request #1702 from drwetter/unrecognized_option--version
Phrase cmd line option "--version" & friends as standalone
2020-08-14 10:20:48 +02:00
Dirk e76de12047 Add https://inspect.rapydblok.com
Fixes #1689
2020-08-13 20:58:15 +02:00
Dirk Wetter 1d954233bd Document is in utf-8
See #1701
2020-08-13 20:43:54 +02:00
Dirk Wetter 953e1bd0ff Phrase --version & friends as standalone
This PR fixes #1671.

Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.

The documentation was also updated to reflect that.

(Some grammar and other errors which I stumbled over were corrected too)
2020-08-13 20:41:57 +02:00
Dirk Wetter a2929211b2
Merge pull request #1697 from drwetter/no_starttls_detection2
Trying to address no STARTTLS offerings (2)
2020-08-11 16:27:24 +02:00
Dirk Wetter ee7a21ef76
Merge pull request #1698 from drwetter/mitigate_javastore4rating
Don't penalize rating for CAs which aren't in the Java store
2020-08-11 16:25:25 +02:00
Dirk Wetter 1915a7b624 STARTTLS 2020-08-11 15:41:20 +02:00
Dirk Wetter 4653613211 Add mitigate_javastore4rating 2020-08-11 15:36:43 +02:00
Dirk Wetter c4841c83eb Don't penalize rating for CAs which aren't in the Java store
This fixes #1648.

Java store doesn't seem to be as complete. No downgrading of trust rating
to T but we still need to raise a red flag for some Java clients
2020-08-11 15:30:53 +02:00
Dirk Wetter ac6b64ce36 Trying to address no STARTTLS offerings (2)
This PR will replace #1566. It addresses that if the server side doesn't show STARTTLS
testssl.sh should exit and label it accordingly (see #1536).

For this to achieve starttls_just_send() was were changed so that a return value from of 3
signals the STARTTLS pattern wasn't found is passed back to the parent fd_socket() whcih
will then act accordingly.

Also:
  * starttls_full_read() + starttls_just_send() were improved for readability and debugging.
  * The caller of starttls_full_read() + starttls_just_send() had redundant indentations which were moved to the callee
  * minor bugs were squashed (e.g. ``fd_socket()``'s return values =!0 always  were referring to STARTTLS also when no STARTTLS was requested)

This was tested (negative + test and positive) for FTP and SMTP which worked as expected. For POP, IMAP and NNTP it should work
accordingly but I had trouble finding a server whcih DID NOT support STARTTLS.

All other protocols basically should also cause testssl.sh to bail out but haven't been tested either. However
here starttls_io() won't return 3. It returns 1 in a case of problems. It uses NR_STARTTLS_FAIL. If it's encountered 2+
times that STARTTLS fails it early exists using fatal(). So we maybe want to consider changing starttls_io() in the future
to also use return 3 in the case STARTTLS is not offered.
2020-08-11 12:01:28 +02:00
Dirk Wetter 186dcfa735
Merge pull request #1696 from dcooper16/fewer_external_function_calls
Use fewer external function calls
2020-08-07 13:17:38 +02:00
David Cooper fd5928af47 Use fewer external function calls
This commit modifies a few functions to use fewer external function calls. In most cases this involves replacing external function calls with Bash internal functions, but in one case it involves replacing multiple external function calls with one call to awk.

This commit makes a few changes to the way that some functions work.

is_ipv4addr() and is_ipv6addr() will now strictly only accept a string that is an IPv4 (or IPv6) address and nothing else.

A couple of changes were also made to match_ipv4_httpheader(). First, lines that match $excluded_header (formerly $whitelisted_header) are not processed in the while loop. This prevents the excluded header from being output in the case that $HEADERFILE includes a non-excluded header with an IPv4 address and an excluded header with a string that looks like an IPv4 address.

The list of excluded headers was also modified to exclude any line that begins "Server: " rather than just lines that begin "Server: PRTG". According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server, the "Server" header describes the software used by the server, so it seems reasonable to expect that this header line will never contain an IPv4 address. Also, looking at some old test results I found cases in which Oracle software version numbers in the Server header were mistakenly matched as IPv4 addresses.
2020-08-06 07:50:01 -04:00
Dirk Wetter d2a44122f2
Merge pull request #1693 from drwetter/more_verbose_starttls
Better debugging of STARTTLS commands
2020-08-04 22:12:36 +02:00
Dirk Wetter 2e6f912cef
Merge pull request #1694 from dcooper16/alpn_grease
Align ALPN GREASE test with RFC 8701
2020-08-04 22:11:12 +02:00
Dirk Wetter 4da37d9ece
Merge pull request #1695 from dcooper16/etls_ossl30
Update ETSI ETS test
2020-08-04 22:06:23 +02:00
David Cooper 7f99ffa55d Update ETSI ETS test
The commit updates the test for the "Visibility Information" certificate extension used in the ETSI Enterprise Transport Security protocol.

The main change is to support OpenSSL 3.0.0, which prints more information about subject alternative names that are encoded as otherName. For otherName types for the OpenSSL has no information, it prints "otherName: <OID>::<unsupported>" rather than just "otherName: <unsupported>". So, testssl.sh needs to account for the possibility that the OID for the visibility information certificate extension will be printed.

This commit also updates the reference for this extension and changes the name of the function from etsi_etls_visibility_info() to etls_ets_visibility_info() since the name of the protocol was changed from Enterprise TLS (eTLS) to Enterprise Transport Security (ETS).

This commit does not change the output to the terminal or to JSON/CSV, even though those outputs use the previous name of eTLS rather than ETS.
2020-08-04 08:29:22 -04:00
David Cooper 9d62647226 Align ALPN GREASE test with RFC 8701
The ALPN GREASE test was written based on draft-ietf-tls-grease-01, which reserved all ALPN identifiers beginning with the prefix "ignore/". This commit changes the test to align with RFC 8701, which instead reserves {0x0A,0x0A}, {0x1A,0x1A}, ..., {0xFA,0xFA}.
2020-08-04 07:35:05 -04:00
Dirk e8a930088c Better debugging of STARTTLS commands
Improved:

* readability of my old code
* readability of debugging statements
* honor $SNEAKY for SMTP greeting
* hook (arg2 to starttls_smtp_dialog() ), if we plan to add / replace SMTP greeting at some point
2020-08-03 23:11:00 +02:00
Dirk Wetter c3fbc52c07
Merge pull request #1692 from dcooper16/grease_update
Update GREASE reference
2020-08-03 17:17:58 +02:00
David Cooper 5b17bbcf87 Add RFC 8701 to list of RFCs
This commit adds RFC 8701 to the list of RFCs in the documentation.
2020-08-03 11:14:10 -04:00
David Cooper 57c4913260 Update GREASE reference
The GEASE Internet Draft is now RFC 8701. This commit updates the references.
2020-08-03 10:43:15 -04:00
Dirk Wetter 57c2ab1ba1
Merge pull request #1690 from a1346054/3.1dev
Fix minor spelling issue
2020-08-03 08:29:45 +02:00
a1346054 e6c5507b20
Fix grammar 2020-08-02 21:54:27 +00:00
a1346054 e8d2992add
Fix grammar 2020-08-02 21:48:15 +00:00
a1346054 5b44e43ec4
Fix grammar 2020-08-02 21:47:40 +00:00
Dirk Wetter 7f071ddbb9
Merge pull request #1688 from drwetter/squash_GOST_msg
Squash "No engine or GOST support via engine..."
2020-07-20 20:14:37 +02:00
Dirk 161567f9d2 add quotes 2020-07-20 20:13:41 +02:00
Dirk Wetter 43c62b13d9
Merge pull request #1687 from drwetter/polish_1686
Polish completion of json/csv output
2020-07-20 15:54:56 +02:00
Dirk a51a0a73a7 Squash "No engine or GOST support via engine..."
This is a legacy warning and seems only needed in a very few cases
whereas in other few cases we don't issue such warnings. So to be
consistent it's right to remove this message as it confuses users
unnecessarily,

It'll appear in debug mode though.

See https://github.com/drwetter/testssl.sh/issues/1119#issuecomment-656271849
2020-07-20 11:43:52 +02:00
Dirk 86c730b74e Polish completion of json/csv output
To be more consistent with the screen output:

* grade --> overall grade
* add rating doc url
2020-07-20 11:34:44 +02:00
Dirk Wetter 1f388d8b94
Merge pull request #1686 from magnuslarsen/3.1dev
[Rating] Added complete json/csv output
2020-07-20 11:28:35 +02:00
Magnus Larsen 0d9ca76f37 Added complete json/csv output for rating 2020-07-18 21:14:38 +02:00
Dirk Wetter 00779eb639
Merge pull request #1685 from dcooper16/bad_ocsp
Check for bad OCSP intermediate certificates
2020-07-16 19:50:48 +02:00