Commit Graph

4449 Commits

Author SHA1 Message Date
Dirk ef78aec50b FIX #490 2016-10-15 22:56:53 +02:00
Dirk 5e5edd5c89 FIX #490 2016-10-15 22:55:24 +02:00
Dirk Wetter 6abca0c598 Merge pull request #495 from mailsvb/minor_display_fix_ssl3_offer
remove additional pr_off at the end of sslv2 check
2016-10-14 22:07:19 +02:00
mailsvb 4ce4d922ac remove additional pr_off at the end of sslv2 check 2016-10-12 22:32:35 +02:00
Dirk d32dbdaff3 Updating MS store, sill small, still not automated/cumbersome not sure if ok 2016-10-12 21:15:37 +02:00
Dirk 6723622024 - do not do HTTP2+SPDY checks if non-STARTTLS but also non-HTTP
- ASSUMING_HTTP --> ASSUME_HTTP
- minor cleanups
2016-10-11 22:30:30 +02:00
David Cooper 3c55eec654 Remove test of version tolerance
PR #346 added a test for version tolerance to `run_protocols()`, but I think it may now be more appropriate to remove that test. Draft -16 of TLS 1.3, which was posted on September 22, changed the way that version negotiation is handled for TLS 1.3 and above. The current version tolerance test sends a ClientHello with the version field set to "03, 05", to represent a TLS 1.4 ClientHello. While this was consistent with RFC 5246 and with drafts of TLS 1.3 up to -15, draft -16 changed the version field to `legacy_version` and declared that its value should be "03, 03" for TLS 1.2 and above. (For TLS 1.3 and above a Supported Versions extension is included to inform the server which versions of TLS the client supports.) The change in draft -16 was made as a result of the problems with servers not handling version negotiation correctly.

Since the current draft suggests that a server should never be presented with a ClientHello with a version higher than "03, 03" (even for clients that support TLS versions higher than 1.2), it seems there is no reason to include the version tolerance test anymore.

For servers that do not support TLS 1.2, the additional checks that were added by PR #346 will already detect if the server cannot perform version negotiation correctly.
2016-10-11 11:01:04 -04:00
David Cooper 140ff91c60 Use printf in asciihex_to_binary_file
Use `printf` in `asciihex_to_binary_file()` rather than `echo -e -n`
2016-10-11 10:08:59 -04:00
Dirk Wetter d59c581700 Update Readme.md 2016-10-11 12:17:33 +02:00
Dirk 77f98e73e2 medium only for "Secure Client-Initiated Renegotiation" != HTTP 2016-10-10 23:27:34 +02:00
Dirk Wetter 51912944ec Merge pull request #492 from mailsvb/CA_BUNDLES_PATH
fix usage of CA_BUNDLES_PATH env for local ca_bundles
2016-10-09 10:22:22 +02:00
mailsvb 5a967302dc fix usage of CA_BUNDLES_PATH env for local ca_bundles 2016-10-08 22:50:44 +02:00
Dirk Wetter db4cbd1276 Merge pull request #487 from dcooper16/full_parse_sslv2
Add option for extract data from SSLv2 ServerHello
2016-10-07 09:16:19 +02:00
Dirk 1c5eb17729 (saving work): major cleanups for output readability and code 2016-10-06 18:53:25 +02:00
Dirk bd64fb4214 minor putput cleanup for headers 2016-10-03 21:17:29 +02:00
Dirk Wetter f9d44484af Merge branch 'master' of github.com:drwetter/testssl.sh 2016-10-03 21:01:54 +02:00
Dirk Wetter 9fe87223cc fix anchor 2016-10-03 20:48:32 +02:00
Dirk Wetter 248351eef5 Update Readme.md 2016-10-03 20:29:50 +02:00
Dirk Wetter bf1d3933bf Update Readme.md 2016-10-03 20:28:44 +02:00
Dirk 878ab519c0 update 2016-10-03 20:21:38 +02:00
Dirk Wetter 19b63aa8a9 duplicate headers fixed, #FIX 488, outstanding: proper treatment of simulatenous Public-Key-Pins|Public-Key-Pins-Report-Only 2016-10-03 18:52:48 +02:00
Dirk e2023f51ac evaluate env TESTSSL_INSTALL_DIR and CA_BUNDLES_PATH for CA bundles and/or RFC/IANA mapping, FIX #475, #435 2016-10-02 18:15:13 +02:00
Dirk eb1f6e05bb update, thanks to Niko78, see #371 2016-10-02 10:04:25 +02:00
Dirk fd6e2c0682 cleanup of #489 2016-10-01 22:25:14 +02:00
Dirk 09c19b4654 FIX #489, clear warning if >=1 HSTS headers are present 2016-10-01 10:04:33 +02:00
David Cooper 76a79a1f42 Merge branch '2.9dev' into full_parse_sslv2 2016-09-30 11:30:14 -04:00
Dirk fd83509ae5 update 2016-09-29 23:23:44 +02:00
Dirk 5115055895 update 2016-09-29 21:44:54 +02:00
Dirk 15f9315cd0 fix last build 2016-09-29 21:27:24 +02:00
Dirk a5adb2f3ec fixing last T CI run 2016-09-29 21:20:13 +02:00
Dirk 68697b822e fixing last run, hopfully 2016-09-29 21:19:09 +02:00
Dirk c785087d15 - save 1x sed in count_lines/words 2016-09-29 21:03:48 +02:00
Dirk 05a0e555a7 - save 1x sed in count_lines/words 2016-09-29 20:59:13 +02:00
Dirk Wetter 83e6bf6760 Merge pull request #486 from dcooper16/no_mapping_file
Don't use mapping-rfc.txt
2016-09-29 20:34:19 +02:00
David Cooper 0676866e91 Add option for extract data from SSLv2 ServerHello
This PR adds the option for `parse_sslv2_serverhello()` to extract information from the ServerHello (server key size and cipher suites supported) and write the information to `$TMPFILE` as well as to write the server's certificate to `$HOSTCERT`.
2016-09-28 17:15:37 -04:00
David Cooper 1dddad20c9 Don't use mapping-rfc.txt
The mapping file is now only used in `show_rfc_style()`. This PR changes `show_rfc_style()` to use the `$TLS_CIPHER_HEXCODE` and `$TLS_CIPHER_RFC_NAME` arrays.

Note that `get_install_dir()` still searches for the mapping-rfc.txt in order to determine `$INSTALL_DIR`. `$INSTALL_DIR` is only used to determine the location of the CA bundles in `determine_trust()`:
```
     local ca_bundles="$INSTALL_DIR/etc/*.pem"
```
2016-09-28 15:36:49 -04:00
Dirk Wetter dfe1c09a9d Merge pull request #485 from dcooper16/sslv2_sockets
Allow cipher list to be passed to sslv2_sockets()
2016-09-28 20:34:33 +02:00
Dirk d786a94a8c output + code polishing, phrasing. lf still has space for improvements 2016-09-28 20:32:01 +02:00
David Cooper 4751a58d56 Allow cipher list to be passed to sslv2_sockets()
This PR changes `sslv2_sockets()` so that a list of ciphers may optionally be passed as an argument. This will support the use of `sslv2_sockets()` in some places where `$OPENSSL s_client` is currently used.
2016-09-28 13:46:43 -04:00
Dirk a54df8a55b fix if statement 2016-09-28 08:00:56 +02:00
Dirk 9f313f15ea added --openssl-timeout in help 2016-09-27 23:38:47 +02:00
Dirk 4d1303f5b9 TLS 1.2 sockets not anymore experimental 2016-09-27 23:33:38 +02:00
Dirk e1f9209c23 corrected version 2016-09-27 23:32:24 +02:00
Dirk aab0487a96 Merge branch 'dcooper16-openss2rfc_rfc2openssl' into 2.9dev 2016-09-27 22:55:54 +02:00
Dirk 15843c6475 Merge branch 'openss2rfc_rfc2openssl' of https://github.com/dcooper16/testssl.sh into dcooper16-openss2rfc_rfc2openssl 2016-09-27 22:50:05 +02:00
Dirk Wetter b238fab3c1 Merge pull request #443 from dcooper16/remove_sockread
Replace sockread() with sockread_serverhello()
2016-09-27 22:34:17 +02:00
Dirk c028ec4ed6 Merge branch 'dcooper16-remove_sockread' into 2.9dev 2016-09-27 22:33:53 +02:00
Dirk 7eeb9876d0 Merge branch 'remove_sockread' of https://github.com/dcooper16/testssl.sh into dcooper16-remove_sockread 2016-09-27 22:33:24 +02:00
Dirk 2036e1e9e0 #414 polish: filename fix for windows, handling of existence and type of timeout 2016-09-27 22:15:57 +02:00
Dirk c6da054418 Merge branch 'TKCERT-master' into 2.9dev 2016-09-27 21:48:59 +02:00