As reported a good while back in #2083, there were trailing bytes when receiving a TLS alert in the ROBOT check.
This PR corrects and thus normalizes the length of the TLS alert message to the correct value, provided the length in the TLS alert is two bytes and it is a TLS alert. The PR for 3.3dev was #2969.
Also, this PR now uses a separate variable for the timeout. Using a separate global variable may offer some possibility for tuning the check when the latency to the target is high. This is still a subject of research.
The variable is set to 10 seconds here to be in line with MAX_WAITSOCK, which was the name used previously.
We somehow missed adding, in the big while loop, the fact that ROBOT is a vulnerability, which became apparent with #2967 (3.3dev).
This PR adds that for 3.2 also. See #2968.
This commit fixes #2959 by modifying TLS12_CIPHER, TLS12_CIPHER_2ND_TRY, and TLS12_CIPHER_3RD_TRY so that they each have 118 ciphers (including "00,ff"). It also modifies run_cipherlists(), run_server_defaults(), and run_beast() so that, when $SERVER_SIZE_LIMIT_BUG is true, no more than 125 ciphers are sent.
`grep -w` also matches `string1-whatsoever`, so that entries like
```
192.168.0.10 anystring anystring-apache
192.168.0.11 anystring-tomcat
```
matched 3 entries over 2 lines.
This PR fixes #2937 for 3.2 by improving the pattern, so that `string1` needs a trailing whitespace or an EOL -- besides a leading whitespace.
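An added example (not testssl.sh's own code) showing the over-match described above and one anchored pattern of the shape the fix describes; the host list is constructed sample input, and the exact regex used in the PR is an assumption.

```bash
#!/usr/bin/env bash
# Constructed sample: the two lines from the report plus one extra line where
# the token sits at end-of-line and must still match after the fix.
HOSTS_SAMPLE='192.168.0.10 anystring anystring-apache
192.168.0.11 anystring-tomcat
192.168.0.12 other anystring'

# Old behaviour: `grep -w` treats "-" as a non-word character, so "anystring"
# inside "anystring-apache" counts as a whole word.  Returns the number of
# occurrences matched (one per hit, via -o).
count_word_matches() {
    printf '%s\n' "$HOSTS_SAMPLE" | grep -ow -- "$1" | wc -l | tr -d ' '
}

# Fixed behaviour (assumed shape of the improved pattern): the token must be
# preceded by start-of-line or whitespace and followed by whitespace or EOL,
# so "anystring-apache" and "anystring-tomcat" no longer match "anystring".
count_exact_matches() {
    printf '%s\n' "$HOSTS_SAMPLE" \
        | grep -oE -- "(^|[[:space:]])$1([[:space:]]|$)" | wc -l | tr -d ' '
}

# Stand-alone demo: 4 occurrences with -w, 2 with the anchored pattern.
echo "grep -w:   $(count_word_matches anystring)"
echo "anchored:  $(count_exact_matches anystring)"
```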
The new block making sure that Rust coreutils work properly (PR #2913) introduced a new check in order to determine which date functions to use.
The function, however, parsed only English error messages ("No such file").
This PR fixes #2929 for 3.2 by setting LC_ALL to C.
Ubuntu 25.10 has transitioned from GNU Core-utils to Rust Core-utils. That changes the result of testing which date version to use for displaying / converting dates like those in certificates.
Probably more Linux distributions will follow. See also #2909.
For maintenance reasons it is advised that the stable version also gets this patched. For 3.3dev, see #2913.
This PR is similar to #2905 for 3.3dev. However, for the stable branch it's important to note that this is a breaking change as it modifies the output.
That happens only though when `ciphers_by_strength()` is being used -- equivalent to the command line `./testssl.sh -E` = `./testssl.sh --cipher-per-proto`. As this is seldom used and was basically succeeded by `-P, --server-preference`, this looks acceptable as it provides consistency which was overdue.
Details:
* keys now always with `v`, like `supportedciphers_TLSv1_2`, and also ciphers (e.g. `TLSv1.2 x35 AES256-SHA`)
* add word "server" to file output so that it reads "NOT a server cipher order configured"
Fixes #2884 for 3.2.
This commit fixes #2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
... to avoid repeated failures because of heise.de. Looks like there are server-side measures which made some tests fail. Often the MacOS CI runner is slower and seems to run into that.
See also 56c1e585