Commit Graph

3921 Commits

Author SHA1 Message Date
Dirk Wetter f9605c4f35 - BEAST now also works in wide mode
- renamed --long in --wide
- added --show-each to help
- inserted help
2015-05-27 17:04:35 +02:00
Dirk Wetter a76ca52c4c - first candidate for logjam (missing the precomuted primes though)
- 1024 DH is now brown instead of red, 768 will be red, 512 bold red
- dumped calls to ok()
- further cosmetic stuff
2015-05-27 14:28:18 +02:00
Dirk f261884499 Merge branch 'master' of github.com:drwetter/testssl.sh
Conflicts:
	testssl.sh
2015-05-27 11:24:47 +02:00
Dirk ed38a365ae - fix regression on missing rfc cipher names
- cosmetic stuff
2015-05-27 11:19:30 +02:00
Dirk Wetter efffe9867b - FIX: cipher mapping
- adjust trailing spaces missing b4
2015-05-26 19:26:21 +02:00
Dirk Wetter c7a76d9b86 - typo/ c&p error with dh func
- fixed uninitialised var
2015-05-26 15:59:27 +02:00
Dirk d58f39d008 - logjam 2015-05-26 12:57:15 +02:00
Dirk 8ab0aef84b Merge branch 'master' of github.com:drwetter/testssl.sh 2015-05-26 12:56:17 +02:00
Dirk 060178071d - for pfs. allciphers and cipher_per_proto we WARN now because of weak DH param (if openssl supports it)
FIX #106, $85
- logjam not yet named *#105, #107) but addressed
- --openssl switch
- reorder find_openssl_binary / mybanner
- proper identation of help
2015-05-26 12:51:10 +02:00
Dirk Wetter 9b13160953 Update Readme.md 2015-05-25 21:41:45 +02:00
Dirk 3c161f9ce4 - blanks in headlines added 2015-05-25 21:22:21 +02:00
Dirk 9c7d385098 - omit 1xblank in almost all colored output (and adjust the functions using it)
- little bit more robust for strange keysize and dh bits
- added ecdsa-with-SHA256 to Signature Algorithm
- FIX: no TLS1+SSL3 resulted in no output for BEAST
2015-05-25 21:14:59 +02:00
Dirk e58b53eeae - dh key lenghth in negotiated cipher at first, see $85, #105, #106
- got rid of ok function calls in protocols
- detection of apache banner win32/win64
2015-05-25 15:10:09 +02:00
Dirk a7a19428d6 - FIX for #104: check for hpkp pin match failed if \" was present 2015-05-18 23:10:34 +02:00
Dirk 0c4a36121e - NEW / FIX #104: check for hpkp pin match 2015-05-18 21:51:45 +02:00
Dirk Wetter bf7b867d86 Update Readme.md 2015-05-17 22:56:38 +02:00
Dirk 7cc15e5d4d - 2.4 2015-05-17 22:43:53 +02:00
Dirk 43732ae53d Merge branch 'master' of github.com:drwetter/testssl.sh 2015-05-17 22:42:53 +02:00
Dirk 4e7bbb20a0 - 2.4 2015-05-17 22:41:58 +02:00
Dirk 1c509bf845 2015-05-17 22:34:50 +02:00
Dirk 2919a7c40e - 2.4!
- FIX #92
- FIX for TLS time (difftime was too small for local clock skew)
- warning for freebsd/macosx w/o ports need now a "yes"
- TLS 1.0 not offered is not bold anymore
- output weirdness fixed for cipher order in spdy
2015-05-17 22:30:49 +02:00
Dirk 6e74b3bd5c - FIX of output whene there's no CBC cipher in BEAST
- FIX: 2 occurrances of OPENSSL calls had a hostname instead of an IP address
- FIX: starttls protocol correctly displayed
- NEW added duplicate detection for header flags
- NEW: added four GOST cipher to standard socket handshake
- recommends if openssl 1.0.2 is used and results were strange and IIS6 --> run wqith openssl 1.0.1
- declared some global vars as readonly
2015-05-15 21:32:11 +02:00
Dirk Wetter 7741d99cc8 Update Readme.md 2015-05-12 13:42:42 +02:00
Dirk 7614ac6f87 Merge branch 'master' of github.com:drwetter/testssl.sh 2015-05-12 13:38:20 +02:00
Dirk 16d2b33459 - Workarounds for IIS6 #99 : some places where openssl 1.0.2 cannot connect (as opposed
to =< 1.0.1) finding the right protocol before
- hints for IIS6+openssl 1.0.2 non-conformity #99
- version bumped up to 2.4rc2
- better formatting for BSD in cipher order
- FIX: 2x bug for cipher order + sslv2
- preambel revisited
2015-05-12 13:37:39 +02:00
Dirk Wetter a7d7158c4b Update Readme.md 2015-05-12 10:21:31 +02:00
Dirk 3a64bd1005 - WONTFIX remarks for #103 and #102
- better warning for openssl < 1.0
2015-05-11 16:58:57 +02:00
Dirk 35d8469f67 URL_PATH regression fixed 2015-05-11 10:47:26 +02:00
Dirk 08fe890d5f - two fixes from #40 reported by @salt-lick 2015-05-11 08:52:40 +02:00
Dirk 19fc021587 - FIX: 30x with BigIP doesn't have a date, handled properly now
- generic GET/HEAD is now always with URL_PATH
2015-05-10 23:38:06 +02:00
Dirk 0050df5529 - informative header extended 2015-05-10 20:54:43 +02:00
Dirk 2f79ba52fc - NUMEROUS FreeBSD9/Darwin FIXES #40
- http date
  - cipher list in preferences
- GET_REQ11 now closes the connection
- openssl_age comes afeter the banner so that help doesn't need to go thru this
- uname -s ==> SYSTEM
2015-05-10 19:20:55 +02:00
Dirk 0aa8ac7e76 - more robust wrt IIS6 (some stuff better with IIS7)
- X-Powered-By is easy to remove (PHP, ASP.NET), thus labelled as yellow
- same X-AspNet-Version (version # itself is brown)
- better addressed address resolution failures ;-)
- bumped up version to 2.4rc1
2015-05-06 18:48:51 +02:00
Dirk f3f3967bd1 - FIX $87 (2), finally
- feature: integrated TLS+HTTP time into server defaults
- NEW: option: -U/vulnerable
- moved explanation for BREACH into result
- FREAK and CCS are not labled experimental anymore
- unifying of get request headers
- readability of help
2015-05-02 15:01:02 +02:00
Dirk Wetter 2aa82e5164 - partly FIX for #87 (removed SNI helps. Doesn't make sense anyway)
- changed order of Secure Renegotiation/Secure Client-Initiated Renegotiation
- readability improvements in renego
2015-05-01 12:18:43 +02:00
Dirk d766a0b459 - fix additional \n in RC4 if no RC4 ciphers were detected 2015-04-28 08:04:09 +02:00
Dirk Wetter ae1abda571 Update Readme.md 2015-04-24 16:52:08 +02:00
Dirk 150fb671bb - more thourough what has been done 2015-04-23 09:25:28 +02:00
Dirk Wetter b492031b95 Update Readme.md 2015-04-23 08:48:28 +02:00
Dirk 1ea7a0947f - RC4 has now 2 CVEs and cipher per default are displayed short
- introducng a variable name LONG which for certain funcs shows broad output with hexc, cipher, KX, etc.
- FIX: regression not showing security headers
- introducing VULN_THRESHLD
2015-04-22 18:24:39 +02:00
Dirk 3891f5b13b - FIX #83
- emphasize also OS names in HTTP headers
2015-04-22 15:22:53 +02:00
Dirk 06bd8b2517 - FIX for complete bailing out 2015-04-22 11:56:13 +02:00
Dirk bafce6edce - reordering code so that all attacks are together
- RC4 is now really omitted in PFS test
- cleanup of some comments
2015-04-22 10:33:44 +02:00
Dirk c751e9f459 typo 2015-04-21 08:14:36 +02:00
Dirk 5bec0a16c9 - better compatibility with windows 2003 server
- all long options are advertised now as with dashes and not underscore
- cosmetic stuff
2015-04-20 10:05:01 +02:00
Dirk 7b6dba6369 FIX for #82 2015-04-18 23:03:16 +02:00
Dirk Wetter 3f0f489f50 Indicated freeze 2015-04-16 21:05:23 +02:00
Dirk 5625ee536e - BUGFIX: IIS server lead to false pisitive if SSLv3 was enabled
(timeout was faster then socket resply)
- FIX: CORS header not labeled as green
- NEW: Now also STARTTLS works with all cmd line options and is absolutely doing the same stuff!
  (integrated starttls() into parse_hn_port() )
- option --mx needed to be changed because of starttls
- regression fix: exec for socket doesn't play nice with stderr redirect
  (probably bash bug)
- added some env options to cmd line as long args (--assuming-http,--ssl_native,
  --color, debug, --sneaky, --warnings)
- threw away getent as it doesn't work under Linux && not network && localhost
  (replaced by grep)
- SSL-POODLE is not labeled anymore experimental
- HB+CCS are called while checking STARTTLS but given a hint that its not yet supported
- added more env vars to debug output
- cleanups
2015-04-16 20:36:17 +02:00
Dirk f682c5ceea - FIX regression: more_flags execution was missing
- FIX regression: capitalized/all lowercase headers weren't detected
- if socksend is blocked (IDS) output looks better and is reported as test didn't succeed
- no secure cookie or Httponly will be marked as brown
- tput color yellow is now brown
2015-04-14 13:16:43 +02:00
Dirk 9d5168dbb5 - more robust grep >=2.20, e.g Debian 8.0 (thx @stevenb18)
- FIX: false positive for breach while testing google.com (referer header was hardcoded to google.com)
2015-04-14 10:15:07 +02:00