Commit Graph

1641 Commits

Author SHA1 Message Date
David Cooper 1dc132c6a4 Option to show RFC cipher names
When a list of cipher suites is being displayed using `neat_list()`, testssl.sh shows the cipher suite's OpenSSL name and (in most cases) the RFC name as well. However, in all other cases only the OpenSSL name is shown.

This PR adds the option to have cipher suite's RFC names shown instead of the OpenSSL name, by including `--mapping rfc` in the command line. [Note: if the cipher-mapping.txt file cannot be found, then the `--mapping rfc` option is ignored and the OpenSSL names are shown.]

This PR seems to be related to issue #9, but #9 may be been referring to the output created by `neat_list()`.
2017-02-13 16:07:25 -05:00
Dirk Wetter 971c8e8b63 Update Readme.md 2017-02-13 09:33:50 +01:00
Dirk Wetter c252d5ab28 Update Readme.md 2017-02-13 09:33:03 +01:00
Dirk 7d6f1eb46f polishing #628, mostly make sure we automatically align to terminal width 2017-02-13 09:06:10 +01:00
Dirk Wetter 21cd97b08a Merge pull request #628 from dcooper16/format_long_lines
Wrap long lines
2017-02-13 08:52:07 +01:00
Dirk d2f688e925 CAA RR belongs also in JSON, see #588 2017-02-11 14:16:18 +01:00
Dirk 8dabc28280 also made sure that all old dns binaries work (SLES 11, FreeBSD 9) 2017-02-11 14:01:51 +01:00
David Cooper 45379ce1f9 Fix subjectAltName indendation
The PR didn't account for the indentation of the subjectAltName differing depending on whether the server has one or more than one certificate.
2017-02-09 13:29:22 -05:00
David Cooper c92131c072 Don't collect number of bits in run_pfs()
The `bits` array is no longer needed in `run_pfs()` since the information collected is not being used.
2017-02-09 11:45:29 -05:00
David Cooper d4455081f0 Wrap long lines
This PR addresses the issue raised in #623. This PR is based on the function `out_row_aligned_max_width()` that I proposed in #623, but the `out_row_aligned_max_width()` in this PR is a little different. It takes a fourth parameter, which is the function to use to print each word in the text string to be printed. This is used in `run_pfs()` so that the "Elliptic curves offered" can be printed using this function (some servers support 25 curves), while still having the curves printed using color-coding to indicate the quality of each curve.

I somewhat arbitrarily have each line wrap at 120 characters, but that could be changed (e.g., to `$TERM_WIDTH`).
2017-02-09 11:36:24 -05:00
Dirk 386aa92448 keep detected status of WSL / bash on windows in a variable, see also #620 2017-02-08 09:08:05 +01:00
Dirk 0200100750 see #620 2017-02-08 08:58:28 +01:00
Dirk Wetter 0b7e9b18b8 Merge pull request #620 from teward/2.9dev
Attempt to force system binaries for WSL
2017-02-08 08:54:20 +01:00
Dirk Wetter 0810f2a719 Merge pull request #609 from dcooper16/handle_supported_groups
Handle renaming of the Supported Elliptic Curves Extension
2017-02-08 08:11:23 +01:00
Dirk 0d993427a3 - enabling TLS 1.2 via sockets
- enabling sockets in run_protocols STARTTLS per default
- minor output polishing
2017-02-07 23:08:29 +01:00
Thomas Ward 6140aa8b8c Attempt to force system binaries for WSL 2017-02-07 15:59:09 -05:00
Dirk Wetter edb358b3e0 Merge pull request #595 from dcooper16/rename_ephemeral_DH_ciphers
Rename cipher lists for run_logjam()
2017-02-07 17:51:07 +01:00
David Cooper 4fab1830cb Merge branch '2.9dev' into handle_supported_groups 2017-02-06 13:49:05 -05:00
David Cooper f03ae865d8 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-06 13:48:35 -05:00
Dirk 48e264a193 fixed regression #611 2017-02-06 17:47:17 +01:00
David Cooper f519e42507 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-06 08:48:45 -05:00
David Cooper 321d5e0c9d Merge branch '2.9dev' into handle_supported_groups 2017-02-06 08:47:11 -05:00
Dirk 54e0395969 Reverse #600 but leave the hook in here, ANSI code for strikethru 2017-02-06 11:06:59 +01:00
Dirk Wetter 03daa1be35 Merge pull request #608 from dcooper16/neat_list_camelliagcm
Fix neat_list() for Camellia GCM
2017-02-06 10:41:01 +01:00
Dirk a9cddd7afb see #611 2017-02-04 15:11:03 +01:00
Dirk Wetter e95f9a8d0a Merge pull request #611 from dcooper16/print_two_CRL_or_OCSP_URI
Fix Two CRL and/or two OCSP URLs
2017-02-04 15:06:18 +01:00
Dirk 3a21097cc5 HTTP/1.1 GET handler for #254 2017-02-04 14:13:33 +01:00
Dirk Wetter 59c3286775 Merge pull request #612 from dcooper16/update_fix_587
Update fix to 587
2017-02-04 12:14:09 +01:00
Dirk 5046b80414 first draft of LUCKY13 (128 cipher limit has to be addressed) 2017-02-03 22:36:04 +01:00
David Cooper e18f5821d2 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-03 13:42:04 -05:00
Dirk cb1d133528 preparing for lucky13 2017-02-03 17:40:35 +01:00
David Cooper 79bfe1103c Merge branch '2.9dev' into update_fix_587 2017-02-03 08:47:29 -05:00
David Cooper b2de5c4ac9 Merge branch '2.9dev' into print_two_CRL_or_OCSP_URI 2017-02-03 08:46:40 -05:00
David Cooper f273b5ed8c Merge branch '2.9dev' into handle_supported_groups 2017-02-03 08:45:40 -05:00
David Cooper da59ea11c2 Merge branch '2.9dev' into neat_list_camelliagcm 2017-02-03 08:44:36 -05:00
David Cooper 1079a05d42 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-03 08:44:07 -05:00
Dirk 925e1061b2 - renamed pr_svrty_minor --> pr_svrty_low to reflect the level literally
- minor polishing
2017-02-03 13:03:22 +01:00
Dirk b9232fd5d0 Fix TLS_FALLBACK_SCSV detection for non RFC compliants F5 loadbalancers. They pass now the test but get additonally penalized for their non compliance, see also https://github.com/drwetter/testssl.sh/issues/121#issuecomment-113790270 2017-02-03 11:47:21 +01:00
David Cooper e7c7e7ba19 Update fix to 587
In the revised code that was created to address #587, nothing is printed after "OCSP URI" if there is neither an OCSP URI nor a CRL URI. Instead, "--" should be printed.

I still believe that there is an inconsistency in the reporting of the output, however. At the moment, the "Certificate Revocation List" and "OCSP URI" lines indicate it is acceptable as long as the certificate contains either a CRL URI or an OCSP URI. However, the "OCSP stapling" line reports a minor finding if an OCSP response was not included in the server's reply. Shouldn't we just assume that if the certificate doesn't include an OCSP URI, then it wouldn't be possible for the server to obtain an OCSP response to staple to its reply? If so, then it seems that no OCSP stapling should only be considered a finding if an OCSP URI is present.
2017-02-02 15:52:32 -05:00
David Cooper e9d6ac8ad1 Fix Two CRL and/or two OCSP URLs
This PR fixes issue #601.

The fix for OCSP URLs was easy. I don't entirely understand the first `awk` command in the line to extract the CRL URLs, but I tested it on several certificates and it seems to work correctly (ensuring that the only "URI" lines in the input to the second `awk` command are from the CRL Distribution Points extension).
2017-02-02 13:04:49 -05:00
David Cooper 7a378c44dc Merge branch '2.9dev' into handle_supported_groups 2017-02-02 09:13:33 -05:00
David Cooper 898438ec17 Merge branch '2.9dev' into neat_list_camelliagcm 2017-02-02 09:12:42 -05:00
David Cooper a9ffc5f61f Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-02 09:12:03 -05:00
Dirk ec7aa2481a - SWEET32. Note this is still NOT COMPLETE (ciphers!) and needs more testing 2017-02-02 14:42:06 +01:00
David Cooper f1eb3b85de Handle renaming of the Supported Elliptic Curves Extension
RFC 4492 introduced the Supported Elliptic Curves Extension, but this extension was renamed Supported Groups in RFC 7919. Following RFC 7919 (and TLSv1.3), `parse_tls_serverhello()` refers to this extension as "supported groups/#10". Since, at the moment, OpenSSL's s_client refers to this extension as "elliptic curves/#10", the extension sometimes appears twice in the "TLS extensions" line, if it is detected by both OpenSSL (in `get_server_certificate()`) and `tls_sockets()` (in `determine_tls_extensions()`):
```
 TLS extensions (standard)    "renegotiation info/#65281" "elliptic curves/#10" "EC point formats/#11" "supported groups/#10"
```
This PR fixes the problem of the extension appearing twice in the "TLS extensions" line by replacing any instances of "elliptic curves/#10" with "supported_groups/#10" in the `$tls_extensions` line extracted from `$OPENSSL s_client`. This PR also changes "supported groups/#10" to "supported_groups/#10" in `parse_tls_serverhello()`, since the current development branch of OpenSSL uses "supported_groups" to refer to this extension (see https://github.com/openssl/openssl/pull/1825).
2017-02-01 15:43:15 -05:00
David Cooper d93f7031ac Fix neat_list() for Camellia GCM
This PR increases the width of the "Encryption" column printed by `neat_list()` in order to allow room to print "CamelliaGCM."

This is the alternative fix to the problem that was first addressed in #524. This PR obsoletes PR #530.
2017-02-01 13:31:58 -05:00
David Cooper 11b5e00602 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-01-30 13:36:12 -05:00
Dirk Wetter c0cf622aff Merge pull request #600 from dcooper16/unsupported_ciphers_in_litegrey
Print unsupported ciphers in light grey
2017-01-30 18:29:57 +01:00
David Cooper 392dac0e39 Just print entire line in light grey 2017-01-30 09:32:47 -05:00
David Cooper 17db208756 Merge branch '2.9dev' into unsupported_ciphers_in_litegrey 2017-01-30 09:02:15 -05:00