Commit Graph

3115 Commits

Author SHA1 Message Date
Dirk Wetter
2cf8997635
Upgrade to Alpine 3.10 2019-12-03 23:10:06 +01:00
Dirk Wetter
37be442b2b
Merge pull request #1405 from dcooper16/fix_http_header_formatting
Fix formatting of HTTP security headers
2019-12-03 23:04:32 +01:00
David Cooper
0b94a14614 Indent subsequent rows of HTTP security headers by two spaces
When printing a long HTTP security header, this commit causes every row after the first one to be indented by two additional spaces. In the case of very long headers, this extra indentation makes it a little easier for readers to see where the next security header begins.
2019-12-03 16:19:01 -05:00
David Cooper
725fdc11cb
Fix formatting of HTTP security headers
When printing out HTTP security headers, run_security_headers() uses out_row_aligned_max_width(), since some headers are very long and need to be wrapped. At the moment, however, the first line is too long. The problem is that while "$header $HEADERVALUE" is printed in the indented area, only $HEADERVALUE is passed to out_row_aligned_max_width().

This PR fixes the problem by passing "$header $HEADERVALUE" to out_row_aligned_max_width() so that the the first line is wrapped at the correct place.
2019-12-03 15:38:16 -05:00
Dirk Wetter
9ee0feef3d
Merge pull request #1403 from drwetter/drwetter-patch-3
simplify Dockerfile
2019-12-03 12:05:23 +01:00
Dirk Wetter
c163f3ec99
simplify Dockerfile
.. according to  #1402 and #1142
2019-12-03 12:05:07 +01:00
Dirk Wetter
10fc1416b5
Merge pull request #1401 from drwetter/catch_someuser_errors
Catch user error using --json/--html and friends
2019-12-02 15:39:15 +01:00
Dirk Wetter
4c1bee181b Catch user error using --json/--html and friends
testssl.sh hiccups when a user supplied after --json*/--html/-csv
a filename instead of using the corresponding  --json*file/--htmlfile/-csvfile
arguments, see #1397.

This PR adresses that in a sense that it tries to detect to following
argument of --json*/--html/-csv. If that matches a suspected filename
it bails out using fatal().

This is not intended to be perfect (when the pattern doesn't match)
but catches the user error in an early stage. See also #1398
2019-12-02 15:32:06 +01:00
Dirk Wetter
58cfe1220b
Merge pull request #1396 from dcooper16/align_cipher_rating_numbers
Align cipher rating numbers
2019-12-02 14:26:00 +01:00
Dirk Wetter
b4f69fbdf6
Merge pull request #1400 from drwetter/drwetter-patch-2
Housekeeping
2019-11-27 09:50:02 +01:00
Dirk Wetter
8e563e5361
Housekeeping
* add --rm
* better description of output
2019-11-27 09:49:51 +01:00
Dirk Wetter
9ce04a6219
Merge pull request #1399 from max-wittig/patch-1
docs(readme): delete container after run
2019-11-27 09:35:47 +01:00
Max Wittig
57b46ba58c
docs(readme): delete container after run 2019-11-26 14:32:06 +01:00
David Cooper
9cb95e9f70 Align cipher rating numbers
Currently sub_cipherlists() and pr_cipher_quality() use different numbers for the same cipher quality ratings. sub_cipherlists() uses:

   -2 = pr_svrty_critical, -1= pr_svrty_high, 0 = pr_svrty_low, 1 = pr_svrty_good, 2 = pr_svrty_best

while pr_cipher_quality() uses:

   1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
   5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best

This PR changes sub_cipherlists() (and run_cipherlists()) to use the same numbers for cipher quality as pr_cipher_quality(). It does not change any of the ratings assigned to ciphers by run_cipherlists() or pr_cipher_quality(), so the two are still not in alignment. But, hopefully using the same numbering in both functions will make it a bit easier to compare them and bring them into alignment.
2019-11-25 10:07:33 -05:00
Dirk Wetter
c645dc9f23
Merge pull request #1395 from drwetter/fix_get_caa
Fix getting CAA record
2019-11-24 20:33:52 +01:00
Dirk Wetter
61bd71bb14 Fix getting CAA record
This resolves a regression introduced with IDN support (see also #1370).

* in check_resolver_bins() the determination of HAS_DIG_NOIDNOUT=true was wrong
* in get_*_record() the check for the bool variable was wrong
* in get_*_record() we shouldn't use quotes as they might be expand to a quoted arg
2019-11-24 20:28:51 +01:00
Dirk Wetter
4eec2a0981
Merge pull request #1394 from drwetter/drwetter-postgres-gnmap
Fix #1392
2019-11-24 17:09:46 +01:00
Dirk Wetter
35da8c6fdf
Fix #1392
... postgres command building in ``ports2starttls()`` was missing a space.
This is only used when a lookup is performed when supplying a gnmap file.
2019-11-24 17:09:21 +01:00
Dirk Wetter
32da607acb
Merge pull request #1390 from dcooper16/fix_indentation
Fix indentation
2019-11-22 10:06:40 +01:00
David Cooper
2394dba9b2
Fix indentation
This PR fixes some indentation issues. The PR is a bit long, but it only makes changes to indentation (except for one comment line, where a trailing space character is removed).
2019-11-21 11:11:30 -05:00
Dirk Wetter
c28777aa65
Merge pull request #1383 from szycha76/client-cert-support
Quick'n'dirty client certificate support for s_client
2019-11-21 12:53:51 +01:00
Dirk Wetter
f50cf15bff
Merge pull request #1387 from drwetter/polish_output_session_resump_client_auth
Add minor output polish for session resumption and client auth
2019-11-20 20:50:34 +01:00
Dirk Wetter
1366b187d0 Add minor output polish for session resumption and client auth
* remove 2x resumption
* [[ ${SESS_RESUMPTION[2]} =~ clientauth ]] isn't needed.
  otherwise fileout needs also to be changed
2019-11-20 20:47:13 +01:00
Dirk Wetter
9ce152ba43
Merge pull request #1386 from dcooper16/fix1385
Fix #1385
2019-11-20 20:37:02 +01:00
David Cooper
084bf8fa75
Fix #1385
This PR fixes #1385.

sub_session_resumption() returns 3 when $CLIENT_AUTH is true. However, the comment at the beginning of the function indicates that 6 will be returned. run_server_defaults() is prepared to handle a return value of 6 (to indicate client auth), but is not expecting 3 as a possible return value.
2019-11-20 09:22:52 -05:00
Marcin Szychowski
9913c1137d Quick'n'dirty client certificate support for s_client
Usage:
$ export keyopts="-cert path/to/cert.pem -CAfile path/to/cert.pem"
$ ./testssl.sh [usual options]

cert.pem may be single file containing pem-encoded:
- certificate key (not encrypted)
- client certificate
- any number of intermediate certificates
2019-11-19 19:47:53 +01:00
Dirk Wetter
1e268eca01
Merge pull request #1381 from drwetter/drwetter-patch-1
add </b>
2019-11-19 12:39:09 +01:00
Dirk Wetter
dc658637a5
add </b>
.. so to speak in addition to #1376
2019-11-19 12:38:58 +01:00
Dirk Wetter
1c7fe03e20
Merge pull request #1376 from alexander-naumov/3.0
--html option looks like all others
2019-11-19 12:35:40 +01:00
Dirk Wetter
f1677c087b
Merge pull request #1380 from drwetter/modernize_isHTML_valid
Modernize 08_isHTML_valid.t a bit ...
2019-11-16 12:46:04 +01:00
Dirk Wetter
c643860701 Modernize 08_isHTML_valid.t
and make it similar to 07_isJSON_valid.t or 20_baseline_ipv4_http.t
in terms of output and readability
2019-11-16 12:41:44 +01:00
Dirk Wetter
325c67d5ef
Merge pull request #1379 from drwetter/ticketbleed_minorfix
Ticketbleed fix: shutting down the connection properly
2019-11-16 11:58:52 +01:00
Dirk Wetter
7747128c11 Ticketbleed fix: shutting down the connection properly
In cases where the probes for reading memory from the server side were not
successful (=not vulnerable) the TCP connection was not shut down properly --
leading to and undefined state and probably causing problems to a consecutive
check. The server side then assumably from time to time just didn't return
anything which caused a integration test (t/08_isHTML_valid.t) to fail
randomly.

This PR properly terminates the TCP socket connection. Also, as sending the
close notification before closing the socket was duplicated in testssl.sh
that went to a separate function.

See comment in #1375:
https://github.com/drwetter/testssl.sh/pull/1375#issuecomment-554424814
2019-11-16 11:48:22 +01:00
Dirk Wetter
fbca5d1b3e
Merge pull request #1375 from dcooper16/enhance_run_protocols_ssl_
Enhance run_protocols() in --ssl-native mode
2019-11-15 17:11:33 +01:00
Dirk Wetter
298628995e
Merge pull request #1377 from dcooper16/new_ossl_versions
Support new OpenSSL/LibreSSL versions
2019-11-15 17:00:45 +01:00
David Cooper
b15b39a5cb
Support new OpenSSL/LibreSSL versions
This PR enhances support for the latest versions of OpenSSL and LibreSSL.

The development version of OpenSSL at https://github.com/openssl/openssl/ is version 3.0.0-dev. So, checks for OpenSSL versions need to support this version as well. At the same time, the latest versions of LibreSSL are 3.0.0, 3.0.1, and 3.0.2, so version number alone will no longer be sufficient to distinguish between OpenSSL and LibreSSL.

In addition to checks for these new version numbers, this PR addresses a couple of other issues:

 - In LibreSSL, the "$OPENSSL ciphers" command will not accept any protocol version other than "-tls1" as a parameter (and even including "-tls1" as an option is described as "deprecated").  So, this PR ensures that "$OPENSSL ciphers" is not passed any protocol version option other than "-tls1" is LibreSSL is being used.
- In OpenSSL 3.0.0-dev, the "$OPENSSL dgst" can no longer be used to compute HMACs, but a new "$OPENSSL mac" function has been created. So, this PR changes hmac() to use "$OPENSSL mac" with OpenSSL 3.0.0-dev.

Note that I have not tested the modified version of sub_session_resumption(). I am just assuming that OpenSSL 3.0.0-dev works the same as OpenSSL 1.1.1 and that all versions of LibreSSL work the same as OpenSSL 1.1.0 and earlier.
2019-11-14 14:24:09 -05:00
Alexander Naumov
966b464802
--html option looks like all others 2019-11-13 21:23:33 +01:00
David Cooper
aab7e028c2
Enhance run_protocols() in --ssl-native mode
When tls_sockets() is used for run_protocols(), for each protocol version the results will indicate whether the server responded to a ClientHello for that protocol version with (1) a ServerHello for that same protocol version, (2) a ServerHello for a different (hopefully lower) protocol version, or (3) a handshake failure.

Currently, however, run_prototest_openssl() does not distinguish between cases in which the server responds with a ServerHello for a different (hopefully lower) protocol version and cases in which the server responds with a handshake failure. This PR changes run_prototest_openssl() so that it distinguishes between these two cases (as long as $OPENSSL supports the protocol version specified in the ServerHello).

Making use of the additional information provided by run_prototest_openssl(), this PR also modifies run_protocols() to check that version negotiation was performed correctly even if $using_sockets is false.

Note that one special case needed to be addressed. If an SSLv3-only server is being tested using an $OPENSSL that does not support SSLv3, then $latest_supported must not be set to SSLv3. In the case of a server like this, it is possible that support for SSLv3 will be determined by determine_optimal_sockets_params(), which will cause run_protocols() to report that the server supports SSLv3, even though $OPENSSL does not support SSLv3 and testing is being performed in --ssl-native mode. If $latest_supported were set, then later tests in run_protocols() would incorrectly report a version negotiation failure, even though the failure to connect was a result of a limitation of $OPENSSL rather than a fault of the server.
2019-11-13 10:46:51 -05:00
Dirk Wetter
93169a3123
Merge pull request #1374 from a666/a666-fix-missing-negation
Fix missing negation in check_resolver_bins
2019-11-11 22:00:26 +01:00
a666
1ab48b4a79
Fix missing negation in check_resolver_bins 2019-11-11 14:32:41 -06:00
Dirk Wetter
89dd26e043
Merge pull request #1373 from drwetter/cn+rsolver_fix
Move check_resolver_bins again, handle double CN
2019-11-10 12:55:38 +01:00
Dirk Wetter
90a1455570 Move check_resolver_bins again, handle double CN
When running in debugging mode, HAS_DIG and friends was
still false as check_resolver_bins() was called too late.
This amends basically bac0f66112 .

In cases where a certificate has two CNs, the output contained
a linefeed. This replaces the line feed by a space.
2019-11-10 12:52:12 +01:00
Dirk Wetter
5c39ceafe1
Merge pull request #1369 from dcooper16/run_protocols_ssl_native1
Fix issues with run_protocols() in --ssl-native mode
2019-11-09 19:57:03 +01:00
Dirk Wetter
29a2ecf88f
Merge pull request #1372 from drwetter/resolverbin_earlier
Earlier initialisation of DNS HAS_* related vars
2019-11-09 19:42:14 +01:00
Dirk Wetter
bac0f66112
Earlier initialisation of DNS HAS_* related vars
This fixes a bug e.g. when supplying a proxy by a DNS name, testssl couldn't resolve the name as the HAS_ variables initialized by ``check_resolver_bins()`` was done later than ``check_proxy()``.

The patch just puts ``check_resolver_bins()`` earlier in  "main"
2019-11-09 19:41:37 +01:00
David Cooper
a7fe481904
Don't ignore first call to $OPENSSL s_client
run_prototest_openssl() currently calls "$OPENSSL s_client" twice, once with $PROXY and once without. The problem is that the results of the first call are just ignored. This commit changes run_prototest_openssl() so that the attempt without $PROXY is only tried if the first attempt was unsuccessful.
2019-11-07 13:12:41 -05:00
David Cooper
8e729d1396
Missing line break
If --ssl-native is being used and the server supports SSLv2, but does not support any SSLv2 ciphers, there is a missing line break after the warning message is printed.
2019-11-07 13:03:42 -05:00
David Cooper
c607bf4d92
Check stderr for "no cipher list"
run_prototest_openssl() currently checks only stdout for the string "no cipher list", which is an indication that the server supports SSLv2, but no ciphers for that protocol. However, the output that includes "no cipher list" is sent to stderr.
2019-11-07 13:01:21 -05:00
David Cooper
9d97db85fc
Fix typos in comment 2019-11-07 12:57:58 -05:00
David Cooper
54fad800c0
Fix issue with run_protocols() in --ssl-native mode
This PR fixes a minor problem with run_protocols() in "--ssl-native" mode if $OPENSSL does not support TLS 1.3. Currently, the warning message that $OPENSSL does not support a protocol is printed when run_prototest_openssl() is called. This causes a problem for the output if $OPENSSL does not support TLS 1.3, since the run_prototest_openssl() is called before the results for TLS 1.2 are printed. The result is something like this:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
Local problem: /home/cooper/Desktop/testssl.sh/bin/openssl.Linux.x86_64 doesn't support "s_client -tls1_3"
 TLS 1.2    offered (OK)
 TLS 1.3     NPN/SPDY   not offered
 ALPN/HTTP2 http/1.1 (offered)
2019-11-06 15:58:38 -05:00