Commit Graph

1192 Commits

Author SHA1 Message Date
David Cooper b7fbd13f1a Merge branch 'master' into remove_sockread 2016-09-14 14:37:14 -04:00
Dirk Wetter 05fe064763 Merge pull request #472 from knweiss/referenced_but_not_assigned3
run_rp_banner(), run_application_banner(): Three issues
2016-09-14 16:33:47 +02:00
Karsten Weiss 42e9406ee1 run_rp_banner(): Fix indentation. 2016-09-14 12:24:54 +02:00
Karsten Weiss 6a6d4880d6 run_application_banner(): Fix modified in subshell bug.
Refactor the while loop so it doesn't use a subshell anymore. Also use
"read -r" to prevent backslash escaping.

```
In testssl.sh line 1193:
               app_banners="$app_bannersline"
               ^-- SC2030: Modification of app_banners is local (to subshell caused by pipeline).

In testssl.sh line 1195:
          fileout "app_banner" "WARN" "Application Banners found: $app_banners"
                                                                  ^-- SC2031: app_banners was modified in a subshell. That change might be lost.
```

Found by ShellCheck.
2016-09-14 12:24:44 +02:00
Karsten Weiss beae0ce195 run_{rp,application}_banner(): Fix unassigned variables.
This commit fixes the following two instances of referenced but not assigned
variables:

```
In testssl.sh line 1159:
               rp_banners="$rp_bannersline"
                           ^-- SC2154: rp_bannersline is referenced but not assigned.

In testssl.sh line 1193:
               app_banners="$app_bannersline"
                            ^-- SC2154: app_bannersline is referenced but not assigned.
```

Found by ShellCheck.
2016-09-14 12:24:28 +02:00
Dirk Wetter 10b3e7db55 Merge pull request #471 from nachtgeist/issue-467
quote argument for s_client's -nextprotoneg parameter
2016-09-14 07:24:29 +02:00
Daniel Reichelt 2a926609ca quote argument for s_client's -nextprotoneg parameter
The argument to -nextprotoneg is provided in sometimes empty an unquoted
variables. Because of the missing quotes, the next word on the line "-status"
gets parsed as "-nextprotoneg"'s argument instead of enabling the OCSP status
check.

This fixes #467.
2016-09-13 21:22:35 +02:00
Dirk cca1b49890 - fixing wrong cipher order for URL=ipaddress 2016-09-12 21:54:51 +02:00
Dirk Wetter 4158372ab7 Merge pull request #468 from knweiss/referenced_but_not_assigned
compare_server_name_to_cert(): Fix unassigned vars.
2016-09-12 16:51:34 +02:00
Dirk Wetter 93c240278a Merge pull request #469 from knweiss/referenced_but_not_assigned2
certificate_info(): Fix unassigned variable.
2016-09-12 16:49:33 +02:00
Karsten Weiss b9d9a909b1 certificate_info(): Fix unassigned variable.
Fix referenced but not assigned variable 'sign_algo'.

In testssl.sh line 4309:
               fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $sign_algo"
                                                                               ^-- SC2154: sign_algo is referenced but not assigned.

Found by ShellCheck.
2016-09-12 16:20:05 +02:00
Karsten Weiss 7dbbe42ea0 compare_server_name_to_cert(): Fix unassigned vars.
Two instances of referenced but not assigned variables ('req' instead of
'ret').

In testssl.sh line 4130:
     if [[ $req -eq 0 ]]; then
           ^-- SC2154: req is referenced but not assigned.

Found by ShellCheck.
2016-09-12 16:12:18 +02:00
Dirk f0132dcb7f stringer usabiliy warning for SHA1 + HTTP 2016-09-07 21:34:27 +02:00
David Cooper 3b3d16849d Merge branch 'master' into remove_sockread
Conflicts:
	testssl.sh
2016-09-06 11:38:54 -04:00
Dirk d1cc7b3755 FIX #426 2016-09-06 08:32:05 +02:00
Dirk c00c98caa2 warning for SHA1 sig algo and web servers 2016-09-05 10:01:46 +02:00
David Cooper 44c37e3177 Merge branch 'master' into remove_sockread 2016-09-02 10:50:28 -04:00
Dirk Wetter 228296e175 Merge pull request #290 from andreild/issue-289-domain-resolution-etc-hosts
Fix #289 - the grep that decides whether a domain is a local address …
2016-09-02 15:38:28 +02:00
Dirk Wetter fdcdad3faa Merge pull request #345 from dcooper16/more_sslv2_sslv3_fixes
More SSLv2 (and SSLv3) related fixes
2016-09-02 09:06:52 +02:00
Dirk Wetter caec8029f2 Merge pull request #461 from dcooper16/tls_sockets_and_no_SNI
Fix tls_sockets() when SNI empty
2016-09-02 08:50:35 +02:00
David Cooper a9002ba6e6 Fix tls_sockets() when SNI empty
`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension.

This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello is `$SNI` is not empty.
2016-09-01 13:22:39 -04:00
Dirk 2313aee22d fix for previously borken HPKP_MIN value 2016-09-01 19:09:12 +02:00
Dirk 1c53160348 ups ;-) 2016-09-01 19:04:47 +02:00
David Cooper 305c8c0063 Merge branch 'master' into remove_sockread 2016-09-01 10:57:43 -04:00
David Cooper 59d4acec11 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-09-01 10:56:57 -04:00
Dirk d665f69c72 fix #436 2016-09-01 12:42:56 +02:00
David Cooper 9ef0d1f4ea 20 lines is 320 bytes, not 160 2016-08-31 17:07:53 -04:00
David Cooper a2f968d4ad Undo changed behavior for CCS 2016-08-31 17:03:50 -04:00
David Cooper d9578bb975 Merge branch 'master' into remove_sockread 2016-08-31 17:02:18 -04:00
Dirk Wetter 2613d20375 Merge pull request #460 from dcooper16/certificate_info
Display SNI information in "Server Certificate" line
2016-08-31 18:26:45 +02:00
David Cooper e79e980336 Display SNI information in "Server Certificate" line
This PR is an attempt to address issue #447. If more than one certificate is being displayed, then a parenthetical saying "(in response to request w/o SNI)" is added for any certificate that was obtained using `$SNI=""`.

In addition, if the certificate was obtained without SNI, then `certificate_info()` doesn't call `$OPENSSL s_client` in order to obtain the non-SNI host certificate and it does not display a separate "Trust (hostname)" finding for the non-SNI certificate.
2016-08-30 15:22:46 -04:00
David Cooper 1b548cee10 Follow https://github.com/Tripwire/OpenSSL-CCS-Inject-Test
Attempt to rewrite `run_ccs_injection()` to follow the logic from https://github.com/Tripwire/OpenSSL-CCS-Inject-Test.
2016-08-30 11:38:43 -04:00
David Cooper 6e6fdf6410 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-08-29 15:02:40 -04:00
David Cooper 9bcf232f0f Check for empty byte6 2016-08-29 14:10:16 -04:00
David Cooper 3dc8754a0e Merge branch 'master' into remove_sockread 2016-08-29 14:07:43 -04:00
Dirk Wetter ba1ea6dcba Merge pull request #455 from dcooper16/unsupported_purpose
Output correct error for unsupported certificate purpose
2016-08-29 17:39:00 +02:00
David Cooper 957225595f Merge branch 'master' into unsupported_purpose 2016-08-29 10:17:27 -04:00
David Cooper 2abf6fc7c7 Fix merge 2016-08-29 10:14:21 -04:00
David Cooper dea2b1a761 Merge branch 'master' into remove_sockread
Conflicts:
	testssl.sh
2016-08-29 10:05:01 -04:00
David Cooper 97b8dd1959 Merge branch 'master' into more_sslv2_sslv3_fixes
Conflicts:
	testssl.sh
2016-08-29 09:57:36 -04:00
Dirk f5792a1e8d 1st important fixes ;-) 2016-08-28 21:43:48 +02:00
Dirk 54a66b9d88 - minor output fixes
- removed "experimental" from TLS_FALLBACK_SCSV + DROWN
- bumped up version to rc2
2016-08-28 21:41:30 +02:00
Dirk Wetter 1e5b619a19 Merge pull request #427 from dcooper16/server_preference_sslv2_fixes
SSLv2 fixes for server preference
2016-08-28 19:15:22 +02:00
Dirk Wetter dbb7d6f4be Merge pull request #444 from dcooper16/sslv2_sockets
Move printing of results out of sslv2_sockets()
2016-08-28 18:27:29 +02:00
Dirk Wetter f4d9a638ba Merge pull request #449 from dcooper16/poodle_no_ssl3
Warning on Poodle test when no local SSLv3 support
2016-08-28 18:10:50 +02:00
Dirk Wetter a76e67cbbe Merge pull request #450 from dcooper16/determine_optimal_proto_fix
Fix SSLv2-only test in determine_optimal_proto()
2016-08-28 18:08:01 +02:00
Dirk Wetter 1d83e220bf Merge pull request #456 from dcooper16/dh_keys
Support DH server keys
2016-08-28 18:04:22 +02:00
Dirk Wetter 8da00a8025 Merge pull request #445 from dcooper16/devel_option
Fix "--devel" with SSLv2
2016-08-28 18:03:17 +02:00
Dirk Wetter dfa0cfd0b4 Merge pull request #453 from dcooper16/no_ssl2
OpenSSL 1.1.0 doesn't have "-no_ssl2" option
2016-08-28 17:58:56 +02:00
Dirk Wetter b9c0ac9ee3 Merge pull request #451 from dcooper16/beast_no_ssl3
Warning on BEAST when no local SSLv3 support
2016-08-28 17:57:39 +02:00