Commit Graph

3383 Commits

Author SHA1 Message Date
Dirk Wetter 1e0ef23c81 Rename add_tls_offered --> add_proto_offered
... last but not least SSLv2 and SSLv3 are no TLS protocols
2020-04-27 17:12:25 +02:00
Dirk Wetter 8938c21703 Renaming proto variables in cipher_pref_check()
... to be consistent with ciphers_by_strength:

- proto --> proto_text
- proto_ossl --> proto
2020-04-27 17:08:43 +02:00
Dirk Wetter 3b92b0cf85 Remember better protocol settings in ciphers_by_strength() / cipher_pref_check()
... in cases where the protcol section has not been run before.

Also add " -\n" on the screen/html if protocol is not supported. Also for
SSLv2 which can be supported but at the same time not offer any ciphers
mention there will be an output on the screen.
2020-04-27 16:51:45 +02:00
Dirk Wetter 0a859d7b98 rename $p --> $proto_ossl in cipher_pref_check()
plus remove redundant quotes for that
2020-04-27 15:32:43 +02:00
Dirk Wetter 3e54f4e4cd Further changes to run_server_preference()
In order not to provide redundant information run_allciphers() is
now not being run via default (1). Therefore run_server_preference()
runs always in wide mode.

In order to archieve that cipher_pref_check() was modified to
accept a fifth argument whether it'll run in wide mode. As
of now cipher_pref_check() is only called by run_server_preference(),
so the code referring to non-wide mode in cipher_pref_check() may also
be deleted in the future.

To provide a better view the run_fs() section is now being run after
run_server_preference().

(1) saves also 5-6 seconds
2020-04-24 13:32:26 +02:00
Dirk Wetter a86ccb6968 First round of polish of David's PR to extend run_server_preference()
See #1580.

This commit brings:

* If there's no cipher for a protocol it adds a "\n - \n" (also for run_cipher_per_proto() )
* further output improvements
* Cipher order --> Cipher listing per protocol
* make some conditional statement easier to read (at least for me)

New open points:
- cipher_pref_check() doesn't save to PROTOS_OFFERED (was there before)
  (just stumbled over this but how about we also use get_protocol() / parse_tls_serverhello()
- do we want run_allciphers() to be started by default?
- $WIDE per default for run_cipher_per_proto() ?
- probably better not to display text in round square brackets when there's no cipher:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2 (listed by strength)
SSLv3 (server order)
TLSv1 (server order)
TLSv1.1 (server order)
TLSv1.2 (server order)
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[..]

- when a server has no preference at all it shows in wide mode:

Has server cipher order?     no (NOT ok) -- only for TLS 1.3
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher listing per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1 (no server order, thus listed by strength)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[..]

e.g. dev.testssl.sh
2020-04-23 14:11:33 +02:00
Dirk Wetter c6dfe05874 Merge branch 'extend_run_server_preference' of git://github.com/dcooper16/testssl.sh into dcooper16-extend_run_server_preference 2020-04-23 12:01:03 +02:00
Dirk Wetter a45e9f52d5
Merge pull request #1582 from drwetter/fix_1581
Update documentation (ADDITIONAL_CA_FILES ->  ADDTL_CA_FILES)
2020-04-23 11:25:03 +02:00
Dirk Wetter a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
David Cooper f5aa20ceb1 Extended run_server_preference()
This commit extends run_server_preference() to list every cipher supported by each protocol even in cases in which the server does not enforce a preference order.

For protocols where the server enforces a cipher order the list of supported ciphers is ordered by server preference (as now). For protocols where the server does not enforce a cipher order, the ciphers are listed by encryption strength (as run_cipher_per_proto() does).

In order to implement this, ciphers_by_strength() was extended to offer a non-wide mode.
2020-04-22 12:31:45 -04:00
Dirk Wetter 591edb9300
Merge pull request #1579 from drwetter/1571_31dev
Fix misleading phrasing in run of standard ciphers
2020-04-21 20:30:31 +02:00
Dirk Wetter 8c7dcbbc3b Fix misleading phrasing in run of standard ciphers
see #1571. Bit size doesn't matter. It only matters to the
user which ciphers they are.

Additionally phrased the output better (FS + strong enc) and
do less indentation.

Renamed average_ciphers -> obsoleted_ciphers to refect what's
on the output.
2020-04-21 19:22:16 +02:00
Dirk Wetter e0d7945c8a
Merge pull request #1570 from petecooper/3.1dev
README version bump for .zip download
2020-04-15 17:16:06 +02:00
Pete Cooper 0a1b632ddc
Update Readme.md
Bump version for zip download
2020-04-15 16:10:11 +01:00
Dirk Wetter 8ce781c71d
Merge pull request #1567 from drwetter/renamed_to_fs
Rename PFS/perfect forward secrecy - ->  FS/forward secrecy
2020-04-14 20:21:52 +02:00
Dirk Wetter 150fd156bb
Merge pull request #1565 from drwetter/cvs_remove
Polishing
2020-04-14 16:41:50 +02:00
Dirk Wetter 8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk 67cfe013b1 Polishing
* remove CVS variables
* add 2x https links instead of http in code doc
2020-04-14 13:35:26 +02:00
Dirk Wetter 663d592466
Merge pull request #1526 from dcooper16/fix1514
Fix #1514
2020-04-14 12:52:38 +02:00
Dirk e345abb023 Merge branch 'multiflexi-3.1dev' into 3.1dev 2020-04-13 23:01:15 +02:00
Dirk ae7b74cf73 Tuning multiflexi's fixes 2020-04-13 22:59:13 +02:00
Dirk Wetter 9d2901edd0
Merge pull request #1471 from drwetter/docu_update
Documention update
2020-04-09 19:57:10 +02:00
Jaroslav Svoboda 7eba0fbb41 FIxed links
Links in comments with http:// changed to https://. Some non working links fixed.
2020-04-09 16:18:33 +02:00
David Cooper 04e51db402 Fix #1514
This commit is an attempt to fix #1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
2020-04-02 08:03:45 -04:00
Dirk Wetter dbff4a3706
Merge pull request #1554 from dcooper16/align_run_cipherlists
Align run_cipherlists() with pr_cipher_quality()
2020-04-02 13:53:54 +02:00
Dirk Wetter f16c7af687
Merge pull request #1553 from dcooper16/pr_cipher_quality_gost
Handle GOST ciphers in pr_cipher_quality()
2020-04-02 13:53:28 +02:00
Dirk Wetter d5d702104f
Merge pull request #1556 from dcooper16/fix1551
Fix #1551
2020-04-01 22:28:25 +02:00
David Cooper b6050e68de Fix #1551
This commit fixes #1551 by changing get_cipher() to recognize RFC names that begin with SSL_*. It also modifies run_beast() so that it does not get stuck in an infinite loop if get_cipher() doesn't return a valid cipher name.
2020-04-01 13:34:29 -04:00
David Cooper 08d5146223 Align run_cipherlists() with pr_cipher_quality()
This commit modifies run_cipherlists() to align with pr_cipher_quality().

The biggest change made by this commit is that it breaks the current list of STRONG ciphers into two lists: one for AEAD ciphers that offer forward secrecy (STRONG) and one for AEAD ciphers that do not offer forward secrecy (GOOD).

The remaining changes are just minor tweaks:

* A few ciphers that use MD5 are moved from AVERAGE and 3DES to LOW.

* '!AECDH' was added to the OpenSSL description for LOW to catch one cipher in OpenSSL 1.0.2-chacha that offers no authentication that was being included in the LOW list.

This commit also changes sub_cipherlists() to change the output when a cipherlist with a rating of 6 is not present. There was a "FIXME" associated with this output, but it didn't matter before since there were no cipherlists with a rating of 6.
2020-04-01 11:27:24 -04:00
David Cooper 40dfd8b53b Handle GOST ciphers in pr_cipher_quality()
This PR modifes pr_cipher_quality() as proposed in #1548 so that GOST ciphers are handled correctly. It changes pr_cipher_quality() so that the OpenSSL name is used in cases in which no RFC name is defined. It also adds a case statement for GOST so that GOST ciphers (that do not use MD5 or Null encryption) are marked as pr_svrty_low (as they are in run_cipherlists) rather than just being assigned the default rating (5).
2020-04-01 11:18:50 -04:00
Dirk Wetter 061732a5fb
Merge pull request #1552 from drwetter/drwetter-patch-1
Badges from shields.io / Monitoring Links
2020-04-01 12:41:16 +02:00
Dirk Wetter 333ccdfb41
Badges from shields.io / Monitoring Links 2020-04-01 12:40:56 +02:00
Dirk Wetter d32743b2eb
Merge pull request #1548 from dcooper16/adjust_pr_cipher_quality
Adjust pr_cipher_quality ratings
2020-03-31 14:09:47 +02:00
David Cooper 72dae035b5 Remove redundant entries
This commit removes two entries from a "case" test that were already covered by a previous entry.
2020-03-25 16:07:22 -04:00
David Cooper e15aea4790 Modify pr_cipher_quality to handle ARIA
This commit fixes the way pr_cipher_quality handles the OpenSSL names of some ARIA ciphers that either provide no authentication or that use CBC padding.
2020-03-25 15:57:00 -04:00
David Cooper d177a90bbe Adjust pr_cipher_quality ratings
This commit makes several changes to the way that ciphers are rated by pr_cipher_quality:

* It upgrades SEED ciphers to considered as strong as the corresponding AES ciphers.

* It downgrades ciphers that use AEAD, but that use a non-FS key exchange (TLS_DH_*, TLS_ECDH*, TLS_PSK_WITH_*) from best to good, thus giving them the same rating as AEAD ciphers that use static RSA (TLS_RSA_*).

* It downgrades some CBC ciphers to low (4) that are currently rated as neither good nor bad (5).

* It modifies the ratings created using OpenSSL names to provide the same ratings as those created using RFC names.
2020-03-25 15:28:08 -04:00
Dirk Wetter 8ff45208c3
Merge pull request #1546 from dcooper16/display_ciphernames_bug
Fix bug in setting DISPLAY_CIPHERNAMES
2020-03-25 18:28:03 +01:00
David Cooper 5ab73d1a1a Fix bug in setting DISPLAY_CIPHERNAMES
The permitted values for $DISPLAY_CIPHERNAMES are "rfc-only", "openssl-only", "openssl", and "rfc". However, get_install_dir() incorrectly sets $DISPLAY_CIPHERNAMES to "no-rfc" if it cannot find the $CIPHERS_BY_STRENGTH_FILE. ("no-rfc" is the string users would specify at the command line for the --mapping option, but not the value that $DISPLAY_CIPHERNAMES is set to internally).
2020-03-25 12:53:28 -04:00
Dirk Wetter 1e94d5a2f6
Merge pull request #1544 from mkauschi/replace-printf-with-tm_out
Replace printf with tm_out
2020-03-24 10:56:10 +01:00
manuel 31a9dafe94 replace printf with tm_out one further place 2020-03-23 17:39:14 +01:00
manuel e7c89cb264 replace printf with tm_out 2020-03-23 16:53:32 +01:00
Dirk Wetter 3a003d9ab9
Merge pull request #1538 from mkauschi/fix_bug_with_basicauth_generation
Fix basicauth bug where a newline is added to the user:password string before encoding
2020-03-18 14:51:18 +01:00
manuel 7fffe53d0a replace echo with the safe_echo function 2020-03-18 13:53:58 +01:00
manuel 1a3c01899f fix basicauth bug where a newline was added to the user:password string 2020-03-17 14:34:00 +01:00
Dirk Wetter 32df6b8bef
Merge pull request #1533 from drwetter/breach_output31
Fix output for BEAST when no SSL3 or TLS
2020-03-07 12:16:11 +01:00
Dirk 8242607d94 Fix output for BEAST when no SSL3 or TLS
LF added
2020-03-06 22:06:13 +01:00
Dirk Wetter 9cd4cf3eb9
Merge pull request #1531 from dcooper16/fix_typo_emphasize_stuff_in_headers
Fix typo in emphasize_stuff_in_headers()
2020-03-06 21:28:28 +01:00
David Cooper 58353d3522 Fix typo in emphasize_stuff_in_headers()
This commit fixes a typo in emphasize_stuff_in_headers() wherer ${yellow} was used rather than ${html_yellow} in the creation of the HTML output.
2020-03-06 14:25:07 -05:00
Dirk Wetter 5aadc1951d
Merge pull request #1523 from drwetter/pwdfix3.1
Avoid external "/bin/pwd"
2020-03-06 14:59:15 +01:00
Dirk Wetter 6f02101ae0
Merge pull request #1499 from dcooper16/fix_printing_percent
Fix printing percent characters
2020-03-06 14:35:31 +01:00