Commit Graph

4449 Commits

Author SHA1 Message Date
Dirk Wetter 950772cb23 Clarify client sim data 2019-04-23 10:26:30 +02:00
Dirk 31c5107a64 Remove a few redundant quotes in run_client_simulation() 2019-04-20 20:23:50 +02:00
Dirk c183c213e5 Add client simulations
.. for Android 8.1 and Firefox 66.

Add ciphersuites to the existing handshakes and update
the documentation accordingly.
2019-04-20 20:21:25 +02:00
Dirk 5f047db92f Add client simlation data and provide howto
While we are thankful that Ivan Ristic permitted to use the client
data from SSLlabs, it became of bit outdated now (see #1158). Also
as sslhaf [1] was used, the data comes from HTTP traffic only.

This is a start to address it. It provides data from Android 9
(connecting to the play store, so that it is sure we don't capture
a ClientHello from an application having an own TLS stack.

Also it provides documentation how to grab data yourself, and
provide it back to testssl.sh.

Aim is at least for testssl.sh 3.0 to add Android 8 and OpenSSL 1.1.1 (@drwetter).

My hope others can assist with  Safari on OSX 11 and 12. Java 10 and 11,
and a recent Opera and Edge version. (Firefox and Chrome are out of
date too)

Mail clients to follow later.

[1] https://github.com/ssllabs/sslhaf
2019-04-18 10:06:01 +02:00
Dirk e768ab3f7b Remove file as Not needed 2019-04-18 10:04:08 +02:00
Dirk Wetter 9c08a9df8c
Merge pull request #1239 from drwetter/add_travis_json
clarify failed test, add new test
2019-04-17 09:07:09 +02:00
Dirk Wetter edcd9d7bd0 clarify failed test, add new test 2019-04-17 09:04:39 +02:00
Dirk Wetter c74f253b5c
Merge pull request #1238 from drwetter/docker_minor
Docker minor
2019-04-17 08:16:06 +02:00
Dirk Wetter d3c43fce2d Make the Dockerfile work again
As a result of #1225 every Linux binary needed was not allowed
to come from busybox. Which caused the Dockerfile in this repo
and the image @ dockerhub to fail.

This PR relaxes that so that busybox binaries which proved to
work can be used. A whitelist was defined.
2019-04-17 08:09:58 +02:00
Dirk Wetter e4a08b3ed5 Use specific Alpine version
... and not latest which is unspecific. Atm
it's the same
2019-04-17 08:08:12 +02:00
Dirk Wetter a7e9aa9a7f
Merge pull request #1237 from drwetter/json_validate
Fix travis
2019-04-15 10:50:55 +02:00
Dirk d25aca7ce3 Fix travis
.. add validator in travis.yml
2019-04-15 10:49:36 +02:00
Dirk Wetter c792372c70
Merge pull request #1236 from drwetter/json_validate
PoC added for JSON validation unit test
2019-04-15 10:35:43 +02:00
Dirk Wetter 1d558228b7 PoC added
Current catch: "JSON::Validator" cannot swallow "--json-pretty". Other
validators tried had issues too.

Improvements welcome!

See #1227
2019-04-15 10:34:03 +02:00
Dirk Wetter d1e14634bf
Merge pull request #1235 from drwetter/mx_ip1
make --mx and --ip=one to work together
2019-04-13 18:22:07 +02:00
Dirk Wetter 32b8c70db4 make --mx and --ip=one to work together
which fixes #1234

Also one cat was removed :-) in sclient_connect_successful as it is faster
2019-04-13 18:18:38 +02:00
Dirk Wetter 044be5b1e2
Merge pull request #1233 from drwetter/remove_opera
Remove opera client simulation
2019-04-12 18:19:57 +02:00
Dirk Wetter ba204047e7 Remove opera client simulation
... as it may indicate this is a recent version
but version 17 is infact 5,5 years old.

If you configure the server side this is misleading!
2019-04-12 18:15:34 +02:00
Dirk Wetter 260051aa80
Merge pull request #1232 from dcooper16/shellcheck_SC2128
Fix shellcheck issue SC2128
2019-04-11 18:24:34 +02:00
David Cooper 2f4ce4a276
Fix shellcheck issue SC2128
This PR addresses the following issues raised by shellcheck:

In ../github/testssl_2.9dev_20190409b.sh line 1133:
if [[ "$BASH_VERSINFO" == 3 ]]; then
       ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 4301:
          tmpfile_handle $FUNCNAME.dd
                         ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 4388:
     tmpfile_handle $FUNCNAME.dd
                    ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 4657:
     tmpfile_handle $FUNCNAME$1.txt
                    ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 5327:
     tmpfile_handle $FUNCNAME.${debugname}.txt
                    ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 5943:
          tmpfile_handle $FUNCNAME.byID.log $tmpfile || \
                         ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 5944:
          tmpfile_handle $FUNCNAME.byticket.log $tmpfile
                         ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 12410:
     tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
                    ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 13164:
               tmpfile_handle $FUNCNAME.dd
                              ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 13284:
     tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
                    ^-- SC2128: Expanding an array without an index only gives the first element.

In ../github/testssl_2.9dev_20190409b.sh line 13388:
     tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
                    ^-- SC2128: Expanding an array without an index only gives the first element.
--
In ../github/testssl_2.9dev_20190409b.sh line 13801:
               [[ "$DEBUG" -ge 1 ]] && echo $tls_hello_ascii >$TEMPDIR/$FUNCNAME.tls_hello_ascii${i}.txt
                                                                       ^-- SC2128: Expanding an array without an index only gives the first element.
2019-04-11 12:05:10 -04:00
Dirk Wetter 9d4f7977c0 Fix possible compression method misinterpretation
... introduced in 742e01e7cd

Kudos @dcooper16
2019-04-09 18:45:12 +02:00
Dirk Wetter ef63fd6a18 Addition to e0f8a2eea6 2019-04-09 12:59:14 +02:00
Dirk Wetter e0f8a2eea6 Strict check on binaries needed: no busybox
When users try to reinvent the wheel and write an own dockerfile
this PR checks when binaries come from busybox -- as it is the
case with Alpine Linux.
2019-04-09 12:54:40 +02:00
Dirk Wetter a73fda7cf9 Fix travis
.. see previous commit
2019-04-09 12:47:12 +02:00
Dirk Wetter e92b7326bc Extra warning for certificates >= 5yrs, italics handling for BSDs
This PR fixes #803 and emit an extra warning if the certificate
has a lifetime longer or equal of five years which happens often
on appliances with self signed certificates. (CAs do not offer
such a long certificate lifetime.) This was tested under Linux,
FreeBSD and OpenBSD. On the latter however we only check the
years as opposed to other OS where we have a finer granularity
(seconds).

On the screen there's only an output if the lifetime is too long,
using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod).

Also this PR changes the ID cert_expiration_status to cert_expirationStatus.

Older FreeBSD and OpenBSD can't deal with italics characters but it output
the escape codes which could result in a different markup. This PR detects
such OS and just doesn't dsiplay the escape sequence.

Also the manpage is reflecting the change and has updates in the server
defaults and standard cipher checks section.
2019-04-09 11:46:53 +02:00
Dirk 0e8807217d Fix JSON (pretty) regression
... after introducing pre-check for 128 cipher limit, see #1226.
2019-04-05 21:30:40 +02:00
Dirk 5b1fdfa675 fix numbering 2019-04-02 09:29:13 +02:00
Dirk ff527f524e Safely create the CSVFILE
... before writing to it. (see #1219)
2019-04-01 21:36:00 +02:00
Dirk Wetter f1c6bc09d5
Merge pull request #1224 from dcooper16/fix_1223
Fix #1223
2019-04-01 20:36:48 +02:00
David Cooper 9d2061fdf9
Fix #1223
This PR fixes #1223 by checking whether the stapled OCSP response from the server is an error message.

Another way to fix #1223 would be to just change line 8510 to:
```
if grep -a "OCSP Response Status" <<< "$ocsp_response_status" | grep -q successful || \
     [[ "$ocsp_response" =~ Responder\ Error: ]]; then 
```
However, I believe this alternative would lead to confusing results, testssl.sh would print

     offered, error querying OCSP responder (tryLater)

I'm not sure whether it makes sense to say "offered" when the stapled response that is provided is just an error message, but I think it is important to make clear that the error response was received from the TLS server, and that it wasn't testssl.sh that tried querying the OCSP responder.
2019-04-01 14:21:45 -04:00
Dirk Wetter 4b05e39133
Merge pull request #1222 from andrewbonney/2.9dev
Fix escaping error in JSON output for OCSP stapling check
2019-04-01 14:10:56 +02:00
Andrew Bonney bf2a8f4cf1 Fix escaping error in JSON output for OCSP stapling check 2019-04-01 12:45:41 +01:00
Dirk 221ad861bc Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2019-03-30 11:30:32 +01:00
Dirk b46fdccbd1 Fix travis
.. for HTML check after introducing "Pre-tests"

In ~/t/32_http.t a statement failied because the debug output has deliberately a line
"Pre-test: No 128 cipher limit bug."

This and ONE additional LF are now being filtered before comparing.

Unclear why the other additional line introduced
makes no problems.
2019-03-30 11:27:22 +01:00
Dirk Wetter 50de0ccdc2 Fix ~/.digrc
A private ~/.digrc overrides the commandline options from dig. So
we need to make sure that the output is still what is expected.

This commit addresses it by adding additional parameters, mostly
to existing awk commands so that only the fields we want are returned.

see #1220
2019-03-29 17:16:07 +01:00
Dirk Wetter afc4f5e4e6 Related to 128 bit cipher limit
- write to log file if there's a SERVER_SIZE_LIMIT_BUG
- write to screen if $DEBUG > 1

It's 128 + 00ff when the CISCO ACE hiccups (#1204)

Some minor improvements like removing redundant double quotes
2019-03-29 00:28:57 +01:00
Dirk Wetter 3a02843f09 redo, add docker 2019-03-28 17:20:30 +01:00
Dirk Wetter 6a64b5f964 UX improvement for conflicting file out options
As in #1219 reported it was possible to specify e.g.
--csv and --csvfile which was not intended.

This PR detects those conflicting options and
exists.

Also it removes 637812a022
"&& JSONHEADER=false" as it seems errorneous.
2019-03-28 16:50:02 +01:00
Dirk 742e01e7cd Fix some shellcheck issues
- egrep --> grep -E (modernized)
- replace let at some places --> (modernized)
- removal of ununsed vars
- errors for out{fF}ile= fixed
2019-03-25 00:12:55 +01:00
Dirk Wetter 68540c5ee8 Merge branch '2.9dev' of github.com:/drwetter/testssl.sh into 2.9dev 2019-03-23 22:27:08 +01:00
Dirk Wetter ae7b8988b9 Fixes related to session tickets and resumption
This commit fixes a the regression "Session Ticket RFC 5077 hint missing/incomplete" #1218.
Reason was that in some case where the ticket lifetime hint was not restrieved before, later
$OPENSSL s_client -connect with -cipher ALL:COMPLEMENTOFALL didn't get the ticket either.
Just using "$OPTIMAL_PROTO" instead  of -cipher ALL:COMPLEMENTOFALL fixed it in the cases
tested so far.

Then a global variable is instroduced -- TLS_TICKETS. Which keeps in any case the
state whether session tickets are supported. This is being used to fix #1089. It
remains a bit unclear what is meant in https://tools.ietf.org/html/rfc5077#section-5.6
by "TLS clients MAY be given a hint of the lifetime of the ticket". We use this information
to chck for resumption by ticket which seems realistically the best solution.

Sessin resumption was also made a bit more reliably: The ServerHello is now
being tested for "New" also. If this and "Reused" wasn't detected, an error
is raised.

In general we could do better in keeping and reusing information of a ServerHello
in TMPDIR.
2019-03-23 22:16:34 +01:00
Dirk 44881d5eba Revert change for MacOSX as hinted 2019-03-19 10:00:13 +01:00
Dirk Wetter 7b2a2174e4
Merge pull request #1215 from dcooper16/determine_optimal_proto_sockets_bugfix
determine_optimal_proto_sockets_helper() speedup and bug fix
2019-03-18 12:35:22 +01:00
David Cooper 9ec70fa4d9
determine_optimal_proto_sockets_helper() speedup and bug fix
There is currently a bug in determine_optimal_proto_sockets_helper(). In two places there is code of the form:

   tls_sockets ...
   if [[ $? -eq 0 ]]; then
        ...
   elif [[ $? -eq 2 ]]; then
        ...
   fi

This code does not work as intended since the second check ("elif [[ $? -eq 2 ]]") is actually comparing the results of the first check to 2 rather than the results of the call to tls_sockets().

This PR fixes that problem and also speeds up the code. Since tls_sockets() sets $DETECTED_TLS_VERSION to the protocol version that was negotiated, there is no need to scan $TEMPDIR/$NODEIP.parse_tls_serverhello.txt for this information.
2019-03-13 16:17:50 -04:00
Dirk Wetter bc6b2c6f94
Merge pull request #1213 from capncrunch/fix_starttls_imap
fix IMAP STARTTLS regexp
2019-03-10 10:02:47 +01:00
Bodo Bellut f5bf2e0e22 fix IMAP STARTTLS regexp 2019-03-09 18:05:51 +01:00
Dirk Wetter 053a2265ab editing of comments 2019-03-06 19:48:21 +01:00
Dirk ee72e9deae Reset APPEND var if the file doesn't exist
...as otherwise it won't be created, fixes #1210.
2019-03-06 16:37:32 +01:00
Dirk Wetter a0d51611d2 Housekeeping
* changed = to ==
* fixed emphasize errors in emphasize_stuff_in_headers()
* add new debian version
* prospectively add Alt-Svc header, see #1209 (won't show up in output yet)
2019-03-05 17:43:04 +01:00
Dirk Wetter 4442c6c236 Determine $SERVER_SIZE_LIMIT_BUG upfront
In order to handle better Cisco ACE loadbalancers (almost extinct species) which
have a problem with ClientHellos >127 ciphers we have had introduced a variable which
needs to be filled better with some sense.

This commit does that by introducing the function determine_sizelimitbug() which
is called in lets_roll().

It also removes then redundant code in cipher_pref_check().

Open:
* handle run_grease()
* do we want this information at least in a logfile
* or maybe eben on screen?

See also #1202 .
2019-03-05 16:47:19 +01:00