Commit Graph

2920 Commits

Author SHA1 Message Date
David Cooper
af8f98a04d TLS 1.3 will be RFC 8446
According to https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation, TLS 1.3 will be published as RFC 8446. This seems to be confirmed by https://www.rfc-editor.org/auth48/rfc8446 and https://github.com/ietf/draft-ietf-tls-tls13.

This PR updates comments that refer to draft-ietf-tls-tls13 to instead refer to RFC 8446. It also makes minor changes to other comments related to TLS 1.3 drafts.

NOTE: This PR is a bit premature as it may be several weeks before RFC 8446 is actually published.
2018-06-19 14:19:34 -04:00
Dirk
f2944205b9 Fix output error when $HEADERFILE was empty 2018-06-19 10:27:42 +02:00
Dirk
d23241b8cd Fix to-be-expired-soon certificate
The certificate from self-signed.badssl.com was about to expire
which raises a MEDIUM type issue in testssl.

This commit does a workaround for this, so that those certificates
will be ok in Travis CI.

(Same problem exists in 2.9.5)
2018-06-13 14:30:35 +02:00
Dirk
b6cc01a558 Fix line feeds in vulnerabilty output when running in wide mode
This commit is a FIX for #1069, thus when running in
wide mode it corrects an additional line feed which
happened sometimes.

As @dcooper16 pointed out it also cleans up the needless
if-statements in run_rc4(), run_lucky13() and run_beast().

It also inserts for wide mode lines a blank so the alignment
is not at the left border anymore (check for leftovers
needed).
2018-06-13 13:25:02 +02:00
Dirk Wetter
1be25f9cf7
Merge pull request #1067 from dcooper16/revocation_checking_errors
Fix false "revoked" results for CRL and OCSP checking
2018-06-05 10:33:42 +02:00
David Cooper
02d1071b9c Reduce redundant code
Move some checks into functions so that the code doesn't have to be repeated.
2018-06-01 13:35:05 -04:00
David Cooper
998c2aa1f8
Fix false "revoked" results for CRL and OCSP checking
This PR fixes problems with check_revocation_crl() sometimes reporting that a certificate is revoked even when it isn't, and with check_revocation_ocsp() sometimes reporting "error querying OCSP responder" even if the OCSP responder provided a good response. The most common reason for this to happen is that OpenSSL cannot validate the server's certificate (even without status checking). PR #1051 attempted to get status checking to work even in cases in which the server's certificate could not be validated. This PR instead addresses the problem by not checking status if determine_trust() was unable to validate the server's certificate.

In some cases the server's certificate can be validated using some, but not all of the bundles of trusted certificates. For example, I have encountered some sites that can be validated using the Microsoft and Apple bundles, but not the Linux or Mozilla bundles.

This PR introduces GOOD_CA_BUNDLE to store a bundle that could be used to successfully validate the server's certificate. If there is no such bundle, then neither check_revocation_crl() nor check_revocation_ocsp() is run. When check_revocation_crl() and check_revocation_ocsp() are called, the status checks within them closely match the validation check in determine_trust(), which helps to ensure that if the check fails it is because of the status information.

As noted in #1057, at least one CA provides incorrect information when the CRL is downloaded, so validation could fail for a reason other than the certificate being revoked. So, this PR adds a check of the reason that validation failed and only reports "revoked" if the validation failed for that reason.

As noted in #1056, it is not possible to perform an OCSP query without access to the certificate issuer's public key. So, with this PR check_revocation_ocsp() is only called if the server's provided at least one intermediate certificate (i.e., the issuer's certificate, which contains the issuer's public key).
2018-05-29 16:39:46 -04:00
Dirk Wetter
626e0fc65a
Merge pull request #1066 from dcooper16/ocsp_error_responses
OCSP error handling
2018-05-25 22:28:05 +02:00
David Cooper
5e7f1b75f6
Check for HTTP errors
Added back in check for HTTP error codes.
2018-05-25 10:51:22 -04:00
David Cooper
feb48c0295
OCSP error handling
This PR improves the handling of error responses when checking status using OCSP. It can handle a few types of errors:

* When the responder just returns an error (e.g., "Responder error: unauthorized").

* When the response cannot be verified (e.g., invalid signature, expired certificate).

* When the response is valid ("Response verify OK"), but there is a problem with the response for the individual certificate (e.g., information is too old, or status is "unknown").
2018-05-24 17:00:27 -04:00
Dirk
c21ed3212e add a small hint how to use the tuning vars 2018-05-24 13:09:56 +02:00
Dirk
770f3ea832 fix typo in cmd line arg for -oA 2018-05-24 10:48:25 +02:00
Dirk Wetter
ec57b64339
Merge pull request #1064 from dcooper16/ocsp_checking
OCSP improvements
2018-05-23 22:38:50 +02:00
David Cooper
0e27cfeadd
OCSP improvements
This PR fixes two issues with OCSP checking. First, the syntax for specifying a host header changed in OpenSSL between versions 1.0.2 and 1.1.0. With OpenSSL 1.0.2-chacha, 1.0.2o, and LibreSSL the syntax needs to be "-header HOST <hostname>". With OpenSSL 1.1.0h and 1.1.1 the syntax needs to be "-header HOST=<hostname>". I have not been able to test other versions of OpenSSL 1.0.2 or 1.1.0, but am assuming that all versions of OpenSSL 1.1.0 use the same syntax as 1.1.0h.

This PR also fixes a typo in the case of an error, which was causing $code to be set to "empty ocsp response" if the response was not empty rather than if it was empty.
2018-05-23 14:32:51 -04:00
Dirk
f426a3bb21 Merge branch 'crl_ocsp' into 2.9dev
OCSP revocation checks ran with a 100% success rate for the Alexa ~Top 1000
(basis: all hosts supporting TLS and having an OCSP URI)
2018-05-23 15:09:03 +02:00
Dirk Wetter
d578adb05c
Merge pull request #1062 from dcooper16/certificate_validity_dates
Fix extraction of certificate validity dates
2018-05-23 10:51:29 +02:00
David Cooper
d272aff336
Fix extraction of certificate validity dates
The current code for extracting the validity dates for certificates assumes that the strings "Not Before" and "Not After" will appear exactly once in the pretty-print of the certificate. In most cases that works. However, there are a few server certificates that include the private key usage period extension, which also includes "Not Before" and "Not After" times. The result is that the current code does not correctly extract the start date and end date from any certificates that have private key usage period extensions.

This PR fixes the problem and also speeds up extraction of the dates by only using Bash internal functions.

The pretty-print of a certificate begins as follows:
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: ...
       Signature Algorithm: ...
           Issuer: ...
           Validity
               Not Before: ... GMT
               Not After : ... GMT
           ...

The code in this PR extracts the start date by first removing from the certificate everything that comes before "Not Before: ". It looks for the shortest string that includes ""Not Before: " in order to ensure it is not getting the date from the private key usage period extension. After that, the longest string that begins with "GMT" is removed so that only the notBefore date remains. 

The part that removes the string up to "Not Before: " actually looks for the first instance of "Not Before: " that comes after the "Validity". This is to protect against the unlikely possibility that the string "Not Before: " appears somewhere in the issuer's name.

The extraction of the notAfter date works similarly. It first looks for the first instance of "Not After :" that appears after both "Validity" and "Not Before: " and then takes the date string that appears immediately afterwards, with the assumption that the date string ends in "GMT".
2018-05-21 15:14:05 -04:00
Dirk
92eaa3e7d3 Merge #1047 before processing #1051 2018-05-18 22:39:19 +02:00
Dirk Wetter
31b26da691
Merge pull request #1060 from dcooper16/multicomponent_ocsp_uris
HTTP URLs with multiple components in path
2018-05-18 21:40:56 +02:00
David Cooper
6152592973
HTTP URLs with multiple components in path
In some cases the OCSP URI contains multiple components in the path (e.g., http://www.example.com/OCSP/myOCSPresponder).

This PR changes check_revocation_ocsp() to remove all components in the path, rather than just the final component, when extracting the host name from the URI for the host header.
2018-05-18 15:35:10 -04:00
Dirk
7d36734a96 Handle host header in OCSP request properly
My previous commit added a host header but didn't properly
format the host header (trailing slashes / path). This commit
corrects that so that the 305 times HTTP 400 in #1056
should now be gone (TBC), including Google CA responders.

One issue which needs to be addressed (same as in CRL
revocation checks): Not trusted certificates (zhanqi.tv,
taken from my Alexa scans) fail for obvious reasons.
2018-05-18 20:30:37 +02:00
Dirk
82aae158ba Minor additions to OCSP revocation check
Error from OCSP responder is now being displayed (and logged to JSON, ...)

Whole replay is kept in $tmpfile for debugging purposes

JSON output added for OCSP responderi query failures

Furtermore wget was replaced by "type -p" and grep by fgrep.
2018-05-16 19:52:10 +02:00
Dirk
fac65d82b0 Add host header to OCSP Request
Some OCSP responder seems to need a host header, see e.g.
https://blog.ivanristic.com/2014/02/checking-ocsp-revocation-using-openssl.html .

This commit adds this header.

It addresses not all errors though. E.g. "https://testssl.sh" is fine now,
"https://google.com" still returns "Code=400,Reason=Bad Request" which
needs further investigation,

Also this commit gives a warning if the OCSP request fails (fileout needs
to be added)
2018-05-16 15:51:45 +02:00
Dirk Wetter
567cc05fca
Merge pull request #1055 from dcooper16/ocsp_checking
Add OCSP checking
2018-05-16 11:11:00 +02:00
David Cooper
79c9536d47
Add OCSP checking
This commit adds the option to query the OCSP server(s) specified in a server's certificate for the certificate's revocation status.
2018-05-15 16:50:57 -04:00
Dirk Wetter
e68b1ce025
Merge pull request #1054 from dcooper16/fix1053
Fix #1053
2018-05-15 17:54:09 +02:00
David Cooper
a84d970f3d
Fix #1053
It appears that #1053 was caused by a typo that was introduced by 39647d1703.
2018-05-15 11:43:39 -04:00
Dirk Wetter
be743e0c9b
Merge pull request #1052 from dcooper16/draft28
TLS 1.3 draft 28
2018-05-07 10:58:49 +02:00
Dirk Wetter
a787ba0ec5
Merge pull request #1048 from dcooper16/ldap_get_failure
ldap_get() should fail if curl fails
2018-05-07 10:55:54 +02:00
David Cooper
1cfe4072b6
TLS 1.3 draft 28
https://github.com/tlswg/tls13-spec/wiki/implementations now lists a server that supports TLS 1.3 draft 28, so this PR adds supports for drafts 27 and 28.

Since run_protocols() now checks for 11 different drafts of TLS 1.3 in addition to the final version, performing a separate test for each draft had become far too time consuming. So, this PR rewrites the check for TLS 1.3 versions in run_protocols() so that the number of tests is proportional to the number of drafts that the server supports rather than the number of drafts that testssl.sh can check for.
2018-05-04 15:05:49 -04:00
David Cooper
87a7fa5df6 ldap_get() should fail if curl fails
ldap_get() incorrectly returns 0 if curl indicates an error.
2018-05-02 10:43:11 -04:00
Dirk Wetter
b6c527598b
Merge pull request #1049 from dcooper16/dont_offer_compression
Don't offer TLS compression by default
2018-05-02 11:08:51 +02:00
Dirk Wetter
4b39039209
Merge pull request #1050 from dcooper16/remove_extra_space
Remove extra space in BEAST output
2018-05-02 11:00:01 +02:00
David Cooper
76eca42ca0
Remove extra space in BEAST output
testssl.sh was inserting two spaces between the CBC ciphers detected by OpenSSL and those detected to tls_sockets(). This PR fixes the problem.

This issue was previously fixed by 87fe0c15da, but that fix was accidentally removed by the next commit: f3dc53f554.
2018-05-01 09:40:20 -04:00
David Cooper
85e7fd3a08
Don't offer TLS compression by default
There is at least one server that will fail under some circumstances if the ClientHello offers a compression method other than null.

In OpenSSL 1.1.0 and 1.1.1, s_client will not offer any other compression methods unless the "-comp" option is provided. However, in earlier versions of OpenSSL, s_client will by default offer the DEFLATE compression method, however, this can be disabled using the "-no_comp" option.

This PR addresses the flaw in this server by having s_client_options() add a "-no_comp" option to the command line if "-no_comp" is supported and the test doesn't require offering compression.

Since run_crime() requires compression to be offered, run_crime() was changed to always add "-comp" to the command line, and then s_client_options() was changed to remove "-comp" from the command line, if that option isn't supported.
2018-04-30 16:47:12 -04:00
Dirk
470f8b62e6 jsonID HTTP status code as variable 2018-04-28 22:38:53 +02:00
Dirk
168eec447a Merge branch 'crl_ocsp' into 2.9dev 2018-04-28 22:36:27 +02:00
Dirk
0851599a4e Polish existing CRL revocation check code
* Extra function for ldap_get()
  * Hint when curl is not installed and LDAP URI is encountered
  * Rename jsonID cert_cRLDistributionPoints to cert_crlDistributionPoints
  * Fix trailing _ in jsonID

Open/to be clarified:

   * Proxy for curl / proxy needs to come from testssl.sh
   * Proxy support for HTTP bash socket GET
   * cert_CRLrevoked comes before cert_cRLDistributionPoints
   * Unit tests

Still open: OCSP
2018-04-28 22:25:43 +02:00
Dirk
5ff9fe0f0d Merge branch 'dcooper16-ldap_urls' into crl_ocsp 2018-04-27 21:49:00 +02:00
Dirk
c3927d00c8 Document --phone-out 2018-04-27 21:37:44 +02:00
David Cooper
b4f76845ce
Support LDAP crLDistrubutionPoints
This PR adds support for retrieving CRLs from an LDAP URL in the cRLDistributionPoints extension if curl if available.
2018-04-26 15:20:53 -04:00
Dirk Wetter
da49603c46
Merge pull request #1042 from dcooper16/non_http_crldp
non-HTTP cRLDistributionPoints
2018-04-26 17:08:32 +02:00
David Cooper
0b8409e13a non-HTTP cRLDistributionPoints
At the moment the code for downloading a CRL seems to only work if URL is an HTTP or HTTP URL. It fails if the URL is an LDAP URL. The wget command does not support LDAP and when curl retrieves data from an LDAP URL it stores the result in LDIF format, which http_get() cannot currently convert into a PEM-encoded CRL.

This PR addresses the issue by skipping the revocation check for any URL that does not begin with "http".
2018-04-26 11:03:11 -04:00
Dirk Wetter
6d919de0ad
Merge pull request #1043 from dcooper16/expired_certs
Don't check expired certificates
2018-04-26 16:51:20 +02:00
David Cooper
78cb75543f
Don't check expired certificates
In general, a CA only needs to keep the status information for a certificate until it expires. So, once a certificate has expired, the information provided about it in a CRL or OCSP response may no longer be reliable. The certificate may no longer be listed as revoked, even it is had been revoked at some point before it expired.

So, this PR changes certificate_info() to only check CRLs for revocation status if the certificate has not expired.
2018-04-26 10:23:52 -04:00
Dirk
ddf5ff6bc9 Minor additions wrt --color=3 and fname prefix 2018-04-26 09:39:30 +02:00
Dirk Wetter
af2f6dd353
Merge pull request #1041 from dcooper16/server_preference_list
Update ciphers for server preference
2018-04-25 23:09:30 +02:00
Dirk
c4f42fd6c7 Experimental support for certificate check via CRL
In order to use it one has to use --phone-out  (PHONE_OUT
is the respective ENV) like

``./testssl.sh --phone-out --json-pretty -S wikipedia.org``

This makes use of curl (if available) or wget (if available) and
falls back to bash socket GET. The latter uses HTTP/1.0 as
chunked transfers by the server (used for bigger files normally)
can't be reasonably separated from their HTTP header. (HTTP/1.0
doesn't support chunked transfers).

curl and wget use the enviroment variables automatically. Probably
we want to use those proxies only if told by a switch to testssl.sh.

"-crl_download" would have been an option. Support would have
been needed to check beforehand. Alos information on proper
usage seems limited, so for now a solution which works is
preferred.

Open/to be clarified:

  * Documentation
  * Proxy for curl / proxy needs to come from testssl.sh
  * Proxy support for HTTP bash socket GET
  * JSON ID is cert_CRLrevoked_ (trailing underscore)
  * cert_CRLrevoked_ comes before cert_cRLDistributionPoints
  (* reconsider naming of cert_cRLDistributionPoints)
  * Unit tests

Still open: OCSP
2018-04-25 22:34:47 +02:00
David Cooper
d257dae5d5
Update ciphers for server preference
This PR was developed in response to #845. It adds to the list of ciphers used to determine whether the server has a cipher order in order to help avoid cases in which testssl.sh cannot determine a cipher order.

In order to create this list I scanned thousands of servers in order to determine what ciphers they support, including (1) about 20 thousand U.S. government web sites, (2) all of the sites listed at badssl.com, (3) all of the test servers listed at https://github.com/tlswg/tls13-spec/wiki/implementations, (4) about 30 additional non-U.S. government sites, and (5) one server configured as described in #845. I scanned each of these servers using OpenSSL 1.0.2-chacha, 1.0.2o, and 1.1.1.

Then I ran collection information through a script that created the updated list. For each scanned server, and for each of the 3 versions of OpenSSL, the script checked whether $list_fwd contained at least two ciphers from the list. If it didn't, then it would add one of the ciphers supported by the server (and by OpenSSL) to the list. In choosing among the ciphers supported by the server that were not already in $list_fwd, it would choose the cipher that was supported by the most other servers.

The list contain a few oddities as a result of the servers that I scanned. The script added two TLSv1.3 ciphers, since I scanned at least one server that only supports TLSv1.3. The list also includes ADH-AES256-GCM-SHA384 and AECDH-AES128-SHA, which may only be supported by null.badssl.com.

I made one manual change to the list - adding TLS_CHACHA20_POLY1305_SHA256. I did this since the number of TLSv1.3 servers scanned was so small, I didn't think it was safe to assume that all servers that support TLSv1.3 would support both TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.

Since most of the servers that I scanned were U.S. government servers, it may not be a representative sample. However, since the new list only adds to the current list, it can only be an improvement. Also, the updated list still only includes 37 ciphers, so many more could be added without creating any problems.
2018-04-25 16:21:38 -04:00
Dirk
e84d0cf170 First prototype of CRL checker
As it would be a possible privacy violation a new flag PHONE_OUTSIDE
is introduced (later accompanied by a switch). It determines whether
the client is allowed to retrieve the CRL specified (HTTP only supported).

Tested ok against wikipedia.de and revoked.badssl.com.

To do:
  * look into -crl_download
  * fileout
 * Unit tests

OCSP verification
2018-04-24 17:52:01 +02:00