Commit Graph

128 Commits

Author SHA1 Message Date
a1346054 54dcecd184 Make text file not executable 2021-09-03 22:19:39 +00:00
Alexander Troost 7029ada0ba fixing typo in md file 2020-11-28 14:06:26 +01:00
Alexander Troost 57ffe08dd4 Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
Dirk Wetter ce802634b6 Update remaining: Apple / Java / Microsoft
* also ca_hashes.txt

* Used Java SDK 15 instead of JRE 8
* Used Windows 20H2
* Java Keystore has added 5 certificates (90 --> 95)

Updated Readme and make it more reproducible
2020-11-13 22:01:17 +01:00
Dirk Wetter 33ea2c710c updated Linux.pem + Mozilla.pem 2020-11-11 18:15:56 +01:00
David Cooper 851cd564e6 Check for bad OCSP intermediate certificates
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.

This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
2020-07-15 11:56:20 -04:00
Dirk eb7b0c9644 add hash file 2020-07-14 22:26:23 +02:00
Christoph Settgast 82e939f2bd Add wiresharked Android 7.0 (native)
After being bitten by https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
I add a wiresharked Android 7.0 to reflect that bug in Android 7.0.
2020-06-23 15:26:31 +02:00
Dirk Wetter a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
David Cooper 46c05c6732 Fix client simulation
replace ciphers with ch_ciphers and sni with ch_sni in client simulation data file.
2020-01-31 10:52:50 -05:00
Dirk Wetter eeb1acd749 Android 9 still has 2 signature hash algos: x0201 + x0203 2020-01-22 11:41:42 +01:00
Dirk Wetter 7c66ed47c0 All self retrieved Android handshakes modified to service ANY 2020-01-22 10:58:00 +01:00
Dirk Wetter a50a660d6c Add Android 10 client simulation 2020-01-22 10:54:50 +01:00
Dirk Wetter ddc7a56ab0
fix language 2020-01-17 11:59:41 +01:00
Dirk Wetter ac7a20f018
Update client-simulation.wiresharked.md 2020-01-16 22:46:43 +01:00
Dirk Wetter 86afeabf8f
Merge pull request #1438 from drwetter/update_clienthandshakes
Update clienthandshakes
2020-01-16 22:26:21 +01:00
Dirk Wetter 13aa6aa433 Readd TLS 1.0 and TLS 1.1 to openssl 1.1.1d (Debian)
... see previous commit
2020-01-14 18:17:44 +01:00
Dirk Wetter 09eda2aa97 Update openssl handshakes
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit need to be amended.
2020-01-14 18:02:43 +01:00
Dirk Wetter 56e6fa4bb7 Remove FTP as a "service" from Firefox' client simulation
... as firefox never supported FTP over TLS or SSL, see

https://bugzilla.mozilla.org/show_bug.cgi?id=85464

In general browsers tend to remove noaways cleartext FTP from
browsers.
2020-01-13 23:11:59 +01:00
Dirk Wetter 8cc3a5f514 Add firefox 71
... and
* deprecate openssl 1.0.1
* enable Chrome 74 instead of Chrome 65
2020-01-13 22:57:10 +01:00
David Cooper 420fa73f5a Fix Safari 13.0 Client Simulation
The ciphersuites string for Safari 13.0 ends with a colon (':'). which causes OpenSSL to reject the command line when client simulation testing is performed in --ssl-native mode. This PR fixes the problem by removing the trailing colon.
2020-01-13 10:31:20 -05:00
Dirk Wetter 88ec92d622 Add recent Chrome and Opera handshakes
Chrome 78 and 79, Opera 65 and 66

Remove FTP from Chrome
2020-01-13 16:02:39 +01:00
Dirk Wetter a714aec912 Clarify / correct a few bits 2020-01-13 16:01:27 +01:00
Dirk Wetter cf8cb541d5 Update Thunderbird simulation to v68.3 2020-01-13 11:35:58 +01:00
Dirk Wetter 0911d1ae31 For better recognition put readme in a separate file 2020-01-13 11:34:25 +01:00
Dirk Wetter a244ef7990 Needed update after putting all CA store here 2020-01-11 11:45:27 +01:00
Dirk Wetter 88e670ab1f Update store
According to MS this is the latest which is from July 2019.
This is the biggest CA store (probably a lot of intermediate
certificates in there).

This was pulled from MS as described in the Readme.md . It
is exactly the same whether CertUtil will be run from Windows 7
(almost: RIP) or Windows 10.
2020-01-11 11:42:30 +01:00
Dirk 40155ed222 Update Java store
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.

The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``

As a consequence this store contains less certificates:

etc/Java.pem:90
etc/Linux.pem:128

and needs some testing whether it really should be still included.
2020-01-10 09:17:57 +01:00
Dirk Wetter 7341cac3c2 -add-ca amended 2020-01-09 10:34:07 +01:00
Dirk Wetter 3ff93b4fa6 Update for 3.0 2020-01-09 10:27:09 +01:00
Christoph Settgast 23b845c11b Update Safari to 13.0 and macOS to 10.14
manually wiresharked, now with TLS1.3 for macOS as well.
2019-10-16 20:36:08 +02:00
David Cooper 80a725541b Allow TLS12_CIPHER to be changed
In some rare cases a server does not support any of the ciphers in $TLS12_CIPHER, but does support at least one cipher in $TLS12_CIPHER_2ND_TRY. In such cases, TLS12_CIPHER should be changed to $TLS12_CIPHER_2ND_TRY so that subsequent tests using $TLS12_CIPHER will succeed.
2019-09-23 15:54:44 -04:00
Dirk d5f90218d1 Deprecation of more clients
* Tor 17
* Android 4.2.2
* IE 7 Vista
2019-05-08 23:12:45 +02:00
Dirk Wetter 7238a0167a Change the platform for Java from Ubuntu to OpenJDK 2019-05-07 19:39:20 +02:00
Dirk Wetter 174f4ee527
Merge pull request #1268 from csett86/safari-macos
Add Safari 12.1 on macOS 10.13.6
2019-05-07 19:35:09 +02:00
Christoph Settgast c41b1f0055 Revert diff noise at end of file 2019-05-06 21:35:58 +02:00
Christoph Settgast fa77a9c80e Deprecate Java 9, its EOL since March 2018
No current distro (Ubuntu, Debian, Fedora) is still shipping it,
Oracle has EOLed it in March 2018 according to

https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
2019-05-06 21:26:30 +02:00
Christoph Settgast a17f45b563 Add Safari 12.1 on macOS 10.13.6
manually wiresharked
2019-05-06 21:19:46 +02:00
Christoph Settgast 8c8a626b49 Remove erroneous DES-CBC-MD5 from Java 11 and 12
DES-CBC-MD5 was included by utils/hexstream2cipher.sh,
heres the relevant snippet, line 160:

148: c025 --> 0xc0,0x25 --> ECDH-ECDSA-AES128-SHA256
152: c029 --> 0xc0,0x29 --> ECDH-RSA-AES128-SHA256
156: 0067 --> 0x00,0x67 --> DHE-RSA-AES128-SHA256
160: 0040 --> 0x00,0x40 --> DHE-DSS-AES128-SHA256 DES-CBC-MD5
164: c009 --> 0xc0,0x09 --> ECDHE-ECDSA-AES128-SHA
168: c013 --> 0xc0,0x13 --> ECDHE-RSA-AES128-SHA
172: 002f --> 0x00,0x2f --> AES128-SHA
176: c004 --> 0xc0,0x04 --> ECDH-ECDSA-AES128-SHA

Unfortunately I don't know how to fix utils/hexstream2cipher.sh,
but I have manually removed the erroneous cipher and space from
the client-sim.
2019-05-06 18:07:43 +02:00
Christoph Settgast 11416790cd Add Java 12 from Ubuntu 19.04
manually wiresharked, detailed version info:

$ java -version
openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12-Ubuntu-1)
OpenJDK 64-Bit Server VM (build 12.0.1+12-Ubuntu-1, mixed mode, sharing)
2019-05-04 22:30:46 +02:00
Christoph Settgast c4b5f33532 Add Java 11 from Ubuntu 18.04
manually wiresharked, detailed version info:

$ java -version
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment (build 11.0.2+9-Ubuntu-3ubuntu118.04.3)
OpenJDK 64-Bit Server VM (build 11.0.2+9-Ubuntu-3ubuntu118.04.3, mixed mode)
2019-05-04 22:20:53 +02:00
Dirk Wetter bfd6caa624 Fix error + round brackets
PR #1260 missed a 'current' line which caused an output problem.

I'd like to add round brackets to the displayed name so that we remember
what comes from wireshark and waht from SSLlabs
2019-05-04 11:05:57 +02:00
Christoph Settgast 67c0dd106e Add Safari 12.1 from iOS 12.2
Manually Wiresharked
2019-05-04 00:58:31 +02:00
Dirk Wetter 79a0345213 Fix typo in handshake simulation with openssl 1.1x
"protos" contained "-no-ssl3" instead of "-no_ssl3"
which lead to an error message "Oops: openssl s_client connect problem"
-- which wasn't caught by the STARTTLS unit test either :-(
2019-05-02 09:53:51 +02:00
Dirk 955265afa0 Update to chrome 74 2019-04-25 09:17:23 +02:00
Dirk Wetter 64c2bcc949 Add Thunderbird 60.6.1 to client simulation 2019-04-23 13:37:50 +02:00
Dirk Wetter 3f99c2d2c8 Add Opera 60 + Chrome 73
Chrome 74 update pending
2019-04-23 11:33:47 +02:00
Dirk Wetter d2f5c2633c Add a few MS client hellos
* Edge 17 Win 10
* Firefox 66 Win 10

Disable 'Edge 13 Win Phone 10' per default and 'Firefox 62 Win 7'.
2019-04-23 10:32:17 +02:00
Dirk Wetter 950772cb23 Clarify client sim data 2019-04-23 10:26:30 +02:00
Dirk c183c213e5 Add client simulations
.. for Android 8.1 and Firefox 66.

Add ciphersuites to the existing handshakes and update
the documentation accordingly.
2019-04-20 20:21:25 +02:00