Commit Graph

3921 Commits

Author SHA1 Message Date
Pete Cooper 0a1b632ddc
Update Readme.md
Bump version for zip download
2020-04-15 16:10:11 +01:00
Magnus Larsen e4cef5438d Added grading based on ssllabs 2020-04-15 15:06:08 +02:00
Dirk Wetter 8ce781c71d
Merge pull request #1567 from drwetter/renamed_to_fs
Rename PFS/perfect forward secrecy - ->  FS/forward secrecy
2020-04-14 20:21:52 +02:00
Dirk Wetter 150fd156bb
Merge pull request #1565 from drwetter/cvs_remove
Polishing
2020-04-14 16:41:50 +02:00
Dirk Wetter 8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk 67cfe013b1 Polishing
* remove CVS variables
* add 2x https links instead of http in code doc
2020-04-14 13:35:26 +02:00
Dirk Wetter 663d592466
Merge pull request #1526 from dcooper16/fix1514
Fix #1514
2020-04-14 12:52:38 +02:00
Dirk e345abb023 Merge branch 'multiflexi-3.1dev' into 3.1dev 2020-04-13 23:01:15 +02:00
Dirk ae7b74cf73 Tuning multiflexi's fixes 2020-04-13 22:59:13 +02:00
Dirk Wetter 9d2901edd0
Merge pull request #1471 from drwetter/docu_update
Documention update
2020-04-09 19:57:10 +02:00
Jaroslav Svoboda 7eba0fbb41 FIxed links
Links in comments with http:// changed to https://. Some non working links fixed.
2020-04-09 16:18:33 +02:00
David Cooper 04e51db402 Fix #1514
This commit is an attempt to fix #1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
2020-04-02 08:03:45 -04:00
Dirk Wetter dbff4a3706
Merge pull request #1554 from dcooper16/align_run_cipherlists
Align run_cipherlists() with pr_cipher_quality()
2020-04-02 13:53:54 +02:00
Dirk Wetter f16c7af687
Merge pull request #1553 from dcooper16/pr_cipher_quality_gost
Handle GOST ciphers in pr_cipher_quality()
2020-04-02 13:53:28 +02:00
Dirk Wetter d5d702104f
Merge pull request #1556 from dcooper16/fix1551
Fix #1551
2020-04-01 22:28:25 +02:00
David Cooper b6050e68de Fix #1551
This commit fixes #1551 by changing get_cipher() to recognize RFC names that begin with SSL_*. It also modifies run_beast() so that it does not get stuck in an infinite loop if get_cipher() doesn't return a valid cipher name.
2020-04-01 13:34:29 -04:00
David Cooper 08d5146223 Align run_cipherlists() with pr_cipher_quality()
This commit modifies run_cipherlists() to align with pr_cipher_quality().

The biggest change made by this commit is that it breaks the current list of STRONG ciphers into two lists: one for AEAD ciphers that offer forward secrecy (STRONG) and one for AEAD ciphers that do not offer forward secrecy (GOOD).

The remaining changes are just minor tweaks:

* A few ciphers that use MD5 are moved from AVERAGE and 3DES to LOW.

* '!AECDH' was added to the OpenSSL description for LOW to catch one cipher in OpenSSL 1.0.2-chacha that offers no authentication that was being included in the LOW list.

This commit also changes sub_cipherlists() to change the output when a cipherlist with a rating of 6 is not present. There was a "FIXME" associated with this output, but it didn't matter before since there were no cipherlists with a rating of 6.
2020-04-01 11:27:24 -04:00
David Cooper 40dfd8b53b Handle GOST ciphers in pr_cipher_quality()
This PR modifes pr_cipher_quality() as proposed in #1548 so that GOST ciphers are handled correctly. It changes pr_cipher_quality() so that the OpenSSL name is used in cases in which no RFC name is defined. It also adds a case statement for GOST so that GOST ciphers (that do not use MD5 or Null encryption) are marked as pr_svrty_low (as they are in run_cipherlists) rather than just being assigned the default rating (5).
2020-04-01 11:18:50 -04:00
Dirk Wetter 061732a5fb
Merge pull request #1552 from drwetter/drwetter-patch-1
Badges from shields.io / Monitoring Links
2020-04-01 12:41:16 +02:00
Dirk Wetter 333ccdfb41
Badges from shields.io / Monitoring Links 2020-04-01 12:40:56 +02:00
Dirk Wetter d32743b2eb
Merge pull request #1548 from dcooper16/adjust_pr_cipher_quality
Adjust pr_cipher_quality ratings
2020-03-31 14:09:47 +02:00
David Cooper 72dae035b5 Remove redundant entries
This commit removes two entries from a "case" test that were already covered by a previous entry.
2020-03-25 16:07:22 -04:00
David Cooper e15aea4790 Modify pr_cipher_quality to handle ARIA
This commit fixes the way pr_cipher_quality handles the OpenSSL names of some ARIA ciphers that either provide no authentication or that use CBC padding.
2020-03-25 15:57:00 -04:00
David Cooper d177a90bbe Adjust pr_cipher_quality ratings
This commit makes several changes to the way that ciphers are rated by pr_cipher_quality:

* It upgrades SEED ciphers to considered as strong as the corresponding AES ciphers.

* It downgrades ciphers that use AEAD, but that use a non-FS key exchange (TLS_DH_*, TLS_ECDH*, TLS_PSK_WITH_*) from best to good, thus giving them the same rating as AEAD ciphers that use static RSA (TLS_RSA_*).

* It downgrades some CBC ciphers to low (4) that are currently rated as neither good nor bad (5).

* It modifies the ratings created using OpenSSL names to provide the same ratings as those created using RFC names.
2020-03-25 15:28:08 -04:00
Dirk Wetter 8ff45208c3
Merge pull request #1546 from dcooper16/display_ciphernames_bug
Fix bug in setting DISPLAY_CIPHERNAMES
2020-03-25 18:28:03 +01:00
David Cooper 5ab73d1a1a Fix bug in setting DISPLAY_CIPHERNAMES
The permitted values for $DISPLAY_CIPHERNAMES are "rfc-only", "openssl-only", "openssl", and "rfc". However, get_install_dir() incorrectly sets $DISPLAY_CIPHERNAMES to "no-rfc" if it cannot find the $CIPHERS_BY_STRENGTH_FILE. ("no-rfc" is the string users would specify at the command line for the --mapping option, but not the value that $DISPLAY_CIPHERNAMES is set to internally).
2020-03-25 12:53:28 -04:00
Dirk Wetter 1e94d5a2f6
Merge pull request #1544 from mkauschi/replace-printf-with-tm_out
Replace printf with tm_out
2020-03-24 10:56:10 +01:00
manuel 31a9dafe94 replace printf with tm_out one further place 2020-03-23 17:39:14 +01:00
manuel e7c89cb264 replace printf with tm_out 2020-03-23 16:53:32 +01:00
Dirk Wetter 3a003d9ab9
Merge pull request #1538 from mkauschi/fix_bug_with_basicauth_generation
Fix basicauth bug where a newline is added to the user:password string before encoding
2020-03-18 14:51:18 +01:00
manuel 7fffe53d0a replace echo with the safe_echo function 2020-03-18 13:53:58 +01:00
manuel 1a3c01899f fix basicauth bug where a newline was added to the user:password string 2020-03-17 14:34:00 +01:00
Dirk Wetter 32df6b8bef
Merge pull request #1533 from drwetter/breach_output31
Fix output for BEAST when no SSL3 or TLS
2020-03-07 12:16:11 +01:00
Dirk 8242607d94 Fix output for BEAST when no SSL3 or TLS
LF added
2020-03-06 22:06:13 +01:00
Dirk Wetter 9cd4cf3eb9
Merge pull request #1531 from dcooper16/fix_typo_emphasize_stuff_in_headers
Fix typo in emphasize_stuff_in_headers()
2020-03-06 21:28:28 +01:00
David Cooper 58353d3522 Fix typo in emphasize_stuff_in_headers()
This commit fixes a typo in emphasize_stuff_in_headers() wherer ${yellow} was used rather than ${html_yellow} in the creation of the HTML output.
2020-03-06 14:25:07 -05:00
Dirk Wetter 5aadc1951d
Merge pull request #1523 from drwetter/pwdfix3.1
Avoid external "/bin/pwd"
2020-03-06 14:59:15 +01:00
Dirk Wetter 6f02101ae0
Merge pull request #1499 from dcooper16/fix_printing_percent
Fix printing percent characters
2020-03-06 14:35:31 +01:00
David Cooper 37dbe14def Fix printing percent characters
As noted in #1481, testssl.sh has a problem with printing percent ('%') characters.

At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by 8a2fe5915a. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated.

This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI.
2020-03-06 08:28:52 -05:00
Dirk Wetter 466f08c846
Merge pull request #1481 from dcooper16/fix_html
Fix HTML generation
2020-03-06 13:40:41 +01:00
Dirk Wetter 0469d6a2b1 Avoid external "/bin/pwd"
.. as it may not be available everywhere, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by $PWD.
It is a bash internal and the fastest. Also it added some quotes
to PWD a it may contain white spaces in the future (currently
there's a check for it that it won't)
2020-03-06 13:24:56 +01:00
Dirk Wetter b8d1a3506a
Merge pull request #1525 from drwetter/update_template
Update ISSUE_TEMPLATE.md
2020-03-06 13:01:03 +01:00
Dirk Wetter 9f1fa04e07
Update ISSUE_TEMPLATE.md 2020-03-03 21:18:09 +01:00
Dirk Wetter 1fb96df369 Avoid external "/bin/pwd"
.. as it may not be everywhere available, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by `pwd -P`
(-P -> no symbolic link)
2020-03-03 12:36:22 +01:00
David Cooper 83e76a442b Fix handling of \n in strings 2020-02-27 13:59:05 -05:00
David Cooper b92f0de2c9 Fix HTML generation
This PR fixes two issues related to the generation of HTML files.

First, text that is to appear in the HTML file is first passed through html_reserved() to replace reserved characters with their corresponding entity names (e.g., '>' becomes '>'). html_reserved() seems to work correctly on Ubuntu Linux, but it does not work as expected on MacOS. On MacOS, rather than converting '>' to '>', it gets converted to '\>', and the backslash is rendered by browsers.

This PR appears to fix the problem. However, given that the original version of html_reserved() was not portable, this revised version should be tested on multiple platforms.

I also noticed that in almost every case in which a string is passed to html_out(), it is first run through html_reserved(), but for some reason that is not the case in out() and outln(). I can't see any reason why html_reserved() is not called first in these two cases, so this PR adds in the calls.
2020-02-27 13:59:05 -05:00
Dirk Wetter e0c83b2a38
add more filters 2020-02-24 14:21:28 +01:00
Dirk Wetter 02b83cc092
Merge pull request #1516 from dcooper16/min_hsts
Fix use of HSTS_MIN
2020-02-21 09:59:32 +01:00
David Cooper f342031844 Fix use of HSTS_MIN
This commit fixes two minor issues related to HSTS_MIN:

* If there is a misconfiguration the recommended max-age should be based on $HSTS_MIN rather than being hardcoded to 15552000 seconds = 180 days.

* If max-age is exactly $HSTS_MIN, testssl.sh shouldn't say that max-age is too short while also say that >= $HSTS_MIN seconds is recommended.
2020-02-20 14:17:49 -05:00
Dirk Wetter 64fea03f66
Merge pull request #1510 from drwetter/rDNS_fixes
Fix for non compliant DNS PTR records
2020-02-15 15:22:22 +01:00