Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,585 Commits 15 Branches 30 Tags 211 MiB
1e16ac8ad6
Commit Graph

1585 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dirk Wetter
1e16ac8ad6 Merge pull request #603 from AlGreed/2.9dev 
Better output for --MX in JSON-PRETTY
 2017-01-29 10:40:23 +01:00
AlGreed
f07c723d59 added mx hostname for json-pretty output 2017-01-28 18:11:39 +01:00
AlGreed
80314f0602 Merge branch 'drwetter/2.9dev' into 2.9dev 2017-01-28 15:12:23 +01:00
Dirk Wetter
2ea3789b91 Merge pull request #602 from AlGreed/2.9dev 
Support of multiple servers for JSON-PRETTY
 2017-01-28 10:27:45 +01:00
AlGreed
fcd208b2c9 ... 2017-01-28 08:09:02 +01:00
AlGreed
04c653646e ... 2017-01-28 07:54:58 +01:00
AlGreed
29d6cbc125 Added support of multiple servers to json-pretty format; added fileout for smtp 2017-01-28 07:17:58 +01:00
AlGreed
ae6462fe65 Merge branch 'drwetter/2.9dev' into 2.9dev 2017-01-28 00:13:22 +01:00
Dirk Wetter
0bb792225e Merge pull request #599 from dcooper16/fix_tls_sockets_typo 
Fix typo in tls_sockets()
 2017-01-25 15:00:33 +01:00
David Cooper
1ee75689e0 Fix typo in tls_sockets() 
This PR just fixes a minor bug in `tls_sockets()`, changing
```
debugme "stuck on sending: $ret"
```
to
```
debugme echo "stuck on sending: $ret"
```
 2017-01-25 08:57:20 -05:00
Dirk Wetter
bc31639179 Merge pull request #545 from dcooper16/cipher_order_sockets 
Use sockets to determine cipher order
 2017-01-24 20:26:05 +01:00
David Cooper
db4108cec5 Merge branch '2.9dev' into cipher_order_sockets 2017-01-24 08:46:40 -05:00
Dirk
2a5d56a9d6 help aviod misunderstanding, see #594 and some reordering 2017-01-24 08:37:19 +01:00
David Cooper
156787adec Merge branch '2.9dev' into cipher_order_sockets 2017-01-23 11:22:42 -05:00
Dirk
4911aaf05b Fix #593 2017-01-23 11:33:18 +01:00
Dirk Wetter
8988411fbc Merge pull request #565 from dcooper16/run_server_preference_sockets 
Use sockets in run_server_preference()
 2017-01-21 19:55:37 +01:00
Dirk
f80e1ecfdb - enable CAA per default (#588) 
- hex2ascii() for converting strings
- swap quoted output in -S to italic (mostly)
 2017-01-21 19:43:07 +01:00
Dirk
f2303a0d79 - poodle output polishing 
- minor polish of #552
 2017-01-21 18:08:31 +01:00
Dirk Wetter
d448ebbc77 Merge pull request #552 from dcooper16/run_beast_sockets 
run_beast() speedup + sockets
 2017-01-21 18:01:55 +01:00
Dirk
2b440f15ea - polishing #570 
- run_logjam() terminates if no local DH export ciphers are configured
 2017-01-21 16:52:02 +01:00
Dirk Wetter
20cc3bc435 Merge pull request #570 from dcooper16/run_ssl_poodle_sockets 
Use sockets for run_ssl_poodle()
 2017-01-21 14:37:36 +01:00
Dirk
f3666a13c5 - add crypotsense prefined DH groups 
- final FIX #589
 2017-01-20 18:14:48 +01:00
Dirk
e083fab130 - run_logjam(): run_logjam(0 fixed error where logjam couldn't parse "ServerKeyExchange" message using SSL_NATIVE -- if TLS != 1.2 was returned 
- run_logjam(): determine dh bit size and based on this mark the common primes as more or less vulnerable
- run_logjam(): renamed remaining dhe variable to dh
- further house keeping in run_logjam()
 2017-01-19 14:45:19 +01:00
Dirk Wetter
9c3ab427b6 Merge pull request #590 from dcooper16/dhe_cipher_list 
Generate list of all DHE ciphers
 2017-01-18 22:08:43 +01:00
Dirk
e3d183e909 -output correction run_logjam 
- rename dhe to dh
 2017-01-18 22:05:27 +01:00
David Cooper
dcd37729f4 Generate list of all DHE ciphers 
This PR adds a function that generates a list of all DHE ciphers for `run_logjam()`.
 2017-01-18 15:16:13 -05:00
David Cooper
211ce0b3fd Merge branch '2.9dev' into run_ssl_poodle_sockets 2017-01-18 15:00:32 -05:00
David Cooper
0cdbe95302 Merge branch '2.9dev' into run_beast_sockets 2017-01-18 14:59:53 -05:00
David Cooper
a016b946fd Merge branch '2.9dev' into run_server_preference_sockets 2017-01-18 14:59:07 -05:00
David Cooper
86ac32cd0d Merge branch '2.9dev' into cipher_order_sockets 2017-01-18 14:57:59 -05:00
Dirk
05d27ff1be - FIX for the last mess submitted ;-) 2017-01-18 18:09:39 +01:00
Dirk
61b16a078a - file etc/common-primes was not edited correctly! 2017-01-18 16:38:09 +01:00
Dirk
8bf7b6b31b forgot to save work, followup to 4433345b16 , #120, #589 2017-01-18 16:23:18 +01:00
Dirk
4433345b16 - first implementation (draft) of LOGJAM common primes, see #589, #120 
- output polishing of run_drown()
- polishing of run_logjam()
- decrease severity to high for LOGJAM, see CVE rating
 2017-01-18 15:53:01 +01:00
Dirk
b1c80512e6 first bunch of common primes, see #589 + #576 + #120. License of nmap is also GPLv2: no conflicts 2017-01-18 12:44:15 +01:00
David Cooper
643b80c541 Merge branch '2.9dev' into run_ssl_poodle_sockets 2017-01-17 09:07:21 -05:00
David Cooper
149c822f38 Merge branch '2.9dev' into run_beast_sockets 2017-01-17 09:05:52 -05:00
David Cooper
b8953fa31f Merge branch '2.9dev' into run_server_preference_sockets 2017-01-17 09:04:40 -05:00
David Cooper
76f1cb18d0 Merge branch '2.9dev' into cipher_order_sockets 2017-01-17 09:03:13 -05:00
Dirk
e9916dd1f4 - FIX #566 
- reorder get_<DNS>_record() for better overview
- move CMDLINE__IP away from main into determine_ip_addresses() where it belongs to
 2017-01-17 13:57:14 +01:00
Dirk
e7a35934ae add lf before -E 2017-01-17 12:00:18 +01:00
Dirk Wetter
5ea5ae5a53 Merge pull request #571 from dcooper16/run_freak_sockets 
Use sockets for run_freak()
 2017-01-17 11:41:50 +01:00
Dirk
a3a30c7fa5 - CAA RR (expertimental) 
- replace some sed+grep by awk in get_mx_record()
 2017-01-17 11:19:57 +01:00
Dirk
cdbdc51f5d fix #587 2017-01-16 14:06:32 +01:00
Dirk Wetter
350c2e09bb Merge pull request #576 from dcooper16/extend_logjam_phase_1 
Extend logjam phase 1
 2017-01-14 21:40:29 +01:00
Dirk Wetter
ad7eeddb96 Merge pull request #579 from dcooper16/run_crime_sockets 
Use sockets for run_crime()
 2017-01-14 13:18:22 +01:00
Dirk Wetter
354e0ed31a Merge pull request #585 from dcooper16/show_selected_curve 
Show selected curve
 2017-01-14 12:12:33 +01:00
Dirk Wetter
32ef531cd1 Merge pull request #586 from dcooper16/find_encrypt_then_mac_extension 
Detect support for encrypt-then-mac extension
 2017-01-14 12:02:10 +01:00
David Cooper
c5dcaf476f Remove redundant setting to success to 0 2017-01-13 12:18:32 -05:00
David Cooper
91e0da3485 Detect support for encrypt-then-mac extension 
In some cases, the "TLS extensions" line output for the "--server-defaults" option will not show `"encrypt-then-mac/#22"` even if the server supports this extension. The reason is that a server will only include this extension in the ServerHello message if it supports the extension and the selected cipher is a CBC cipher. So, if `determine_tls_extensions()` connects to the server with a non-CBC cipher, then it will not detect if the server supports the encrypt-then-mac extension.

It is possible that support for the extension will be detected by `get_server_certificate()`, but only if one of the calls to that function results in a CBC cipher being selected and OpenSSL 1.1.0 is being used (as prior versions did not support the encrypt-then-mac extension).

In this PR, if `determine_tls_extensions()` is called and `$TLS_EXTENSIONS` does not already contain `"encrypt-then-mac/#22"`, then an attempt will be made to connect to the server with only CBC ciphers specified in the ClientHello. If the connection is not successful (presumably because the server does not support any CBC ciphers), then a second connection attempt will be made with the "default" ciphers being specified in the ClientHello.

en.wikipedia.org is an example of a server that supports the encrypt-then-mac extension, but for which the support is not currently detected (unless OpenSSL 1.1.0 is used) since in the call to `determine_tls_extension()` a non-CBC cipher is selected.
 2017-01-13 12:13:20 -05:00