Dirk
e2448ea95d
- NEW: tells how many certificates provides (and grabs them with DEBUG=1)
...
- COLOR for no cipher order is red now
- "VULNERABLE" comes now always with "NOT ok"
2015-02-21 11:47:12 +01:00
Dirk
bacb3b69ba
- FIXED : #38 , new openssl from peter mosmans makes the workaround unnecessary
2015-02-21 10:38:04 +01:00
Dirk
b261c1079a
- Fix #55 (302 detection for URL)
2015-02-15 14:00:13 +01:00
Dirk
f203b8b299
- Fix #46 (preload lists HPKP and HSTS)
...
- word match for includeSubDomains (useful if one specified the keyword wrong)
2015-02-15 13:37:44 +01:00
Dirk
b0a40ae1e8
- FIX #60 : mod_security CRS doesn't complain anymore
2015-02-15 13:14:11 +01:00
Dirk
ab48c66f74
- certificate sha2 fingerprint added ( #59 , @@kyhwana)
...
- sha1 fp: removed colons as long serials after it look ugly (lf)
2015-02-15 12:58:51 +01:00
Dirk
e5a015b842
- workaround for issue #58 , same in http_header
...
- FIX: if a web site returned IMAP e.g. in HTML code it may have led to the assumption IMAP is the service ;-/
2015-02-13 16:01:46 +01:00
Dirk
d15d5b0c6f
- FIX regression: CRIME check
...
- FIX: port ended up sometimes as URL part
- also if it runs http a line is displayed as confirmation that HTTP was detected
2015-02-12 13:40:53 +01:00
Dirk
d9e4873fda
- WORKAROUND for bug in PeterMosmans OPENSSL chacha/poly version: not testing EXPORT40/EXPORT then
2015-02-12 09:32:47 +01:00
Dirk
d98aa626e7
- NEW: check for Secure Client-Initiated Renegotiation
...
- debugging #1 : PS4 and debugme
- debugging statement tmpfile_handle where missing #2
2015-02-11 09:43:04 +01:00
Dirk
ed04b636da
- starttls for ldap now also supported
2015-02-09 14:02:02 +01:00
Marc Schütz
4fc8111c0a
Trivial typo fix
...
noone => none
2015-02-07 17:30:36 +01:00
Dirk
f30d7568e7
- checking prototype of tls sockets but not called/working yet
...
- small fixes $DEBUG
2015-02-04 09:48:34 +01:00
Dirk
1b8d96f1d8
- NEW: certificate fingerprints + serial
2015-02-03 23:46:47 +01:00
Dirk
d2b833b2fa
- TLS 1.0/1.1 is not green anymore, only TLS 1.2 is the real one!
...
- no bold for 3DES and medium
- nslookup for MSYS2 etc. having no hosts (and fixing error message if host doesn't exist)
2015-02-03 23:20:59 +01:00
Dirk
4f1ca24bd2
FIX: expiration threshold < 30 days
2015-01-30 16:26:55 +01:00
Dirk
85bc14c946
- FIX: STARTTLS is the criteria for using bash sslv2 or not, not the service
2015-01-29 23:24:49 +01:00
Dirk
16c804d4ca
FIX: BEAST (supports higher protocols only when CBC ciphers detected)
...
- FIX: URL in app banner
- cosmetic issue: display also if one cookie was issued the number 1
2015-01-29 23:20:58 +01:00
Dirk
89012a7a42
* NEW: protocol check SSLv2 in bash sockets per default (HTTP)
...
(fallback to openssl with SSL_NATIVE=1)
2015-01-29 10:46:16 +01:00
Dirk
5e864c28b4
* NEW: emphasize any numbers in http header output
...
* internal renaming of color functions ( --> pr_*)
* new color switches (tput)
* $COLOR is treated as integer not string
* for some issues color adjusted accordingly (red --> brown/yellow)
2015-01-29 09:33:35 +01:00
Dirk
3abaad5eb1
Merge branch 'master' of github.com:drwetter/testssl.sh
2015-01-28 15:31:13 +01:00
NV
e3a66f5a70
Fix GOST handling in LibreSSL
2015-01-28 14:17:27 +09:00
Dirk
d35e2f95b8
fix for wrong # of HttpOnly cookie
2015-01-23 15:09:35 +01:00
Dirk
84caf9ffd1
fix for double line and double application banner
2015-01-23 12:17:27 +01:00
Dirk
baadfd0492
BREACH is not labeled as experimental anymore as it works reliably
...
- so is heartbleed
- FIX: shopt is removed in rc4 as most of the bash shells segfault here (bug!)
- not tested anymore for HTTP within starttls, instead displaying here a line
2015-01-23 12:01:32 +01:00
Dirk
6c6511ddb2
- VERBOSE -eq 1 is now DEBUG -eq 2 (VERBOSE completely removed)
...
- DEBUG has now four modes 1: just keep files 2: VERBOSE -eq 1 3: head hexdumps and other stuff, 4: full debugging
- env and internal stuff $TEMPDIR
2015-01-21 12:53:00 +01:00
Dirk
d5924eedc4
- BEAST finally works
...
- handling of spaces in output
- different ciphers
- FIX: setopt also for RC4 (proper handling of ret value)
2015-01-20 21:59:21 +01:00
Dirk
28330dc6fc
first prototype BEAST | FIX: maketempf in initialize_engine | FIX: exit statements in main w/ more meaning/shorter
2015-01-20 21:51:49 +01:00
Dirk
5853202efd
fine tuning on banner
2015-01-15 20:29:46 +01:00
Dirk
4c6f0d9a50
- FIX: grep -a if we hit binary content with http_header (also if otherwise specified)
...
- NEW: can specify URL (used for header matters and breach)
- FIX: better handling of >1 cookies
2015-01-14 12:23:53 +01:00
Dirk
3d81a7b5ec
* NEW: cookie flags (experimental) [URL is missing]
...
* FIX: 30x handling for http_header (hint for final URL if stalled)
* FIX: proper display of app-banners if >1
2015-01-14 09:48:44 +01:00
Dirk
cedeff2b42
typo in tempdir led to missing gost cipher
2015-01-08 14:16:22 +01:00
Dirk
8a3e0267ba
safer batch processing if port isn't available
2015-01-06 16:25:19 +01:00
Lars Windolf
d1ab23c146
Change question logic on non-SSL port
...
Idea is to bail out per default (with WARNINGS=off) this makes batch processing possible
as often testssl.sh hangs for minutes or endless on non-SSL ports.
2015-01-03 11:41:35 +01:00
Dirk
eae1b2810f
- check for CN wrt SNI / no SNI
...
- fix different responses for CACert
2014-12-23 09:59:03 +01:00
Dirk
4aa674d138
- Negotiated cipher per proto
...
- nr_ciphers of used openssl version in banner
- spdy_pre check
- -testversion_new --> -testversion
2014-12-21 23:22:50 +01:00
Dirk
a570d907e9
- Cipher order check! (also for starttls)
...
- includes a remark 4 default_cipher (limited sense as client will pick)
- selfsigned certs: error!
- number of local ciphers in check with allciphers
2014-12-21 00:47:23 +01:00
Dirk
21493fb788
- tempfile handling: every function leaves one, if DEBUG is set
...
- FIX*2: OPENSSL_CONF/GOST_CONF
2014-12-19 17:02:26 +01:00
Dirk
8635012cf5
- subjectAltName
2014-12-19 07:12:20 +01:00
Dirk
521a7160a9
- NEW: certificate info, details:
...
- NEW: CN, SAN
- NEW: OCSP URI
- NEW: CRL distr point
- NEW: Issuer
- NEW: expiration
- NEW: signature algo
- renamed cmdline --simple_preference to --server_defaults
- now we have a TEMPDIR where all files are written to
- function or handling/removing TMPFILE
2014-12-18 09:33:24 +01:00
Dirk
b40c0b7178
- RELEASE: final 2.2
...
- change of cmd line order for STARTTLS
- help more clear
2014-12-08 10:32:51 +01:00
Dirk
b3efb3c4b0
- BUGFIX: potential stalling in HTTP Header query
...
- BUGFIX: HTTP specific vuln. won't be checked if service is not http (we still
check crime and also spdy => gmail has spdy for pop and imap)
- Feature: service detection: HTTP, IMAP, POP, SMTP
- alignment in rDNS output corrected
- minor cleanup / improvements
2014-11-30 01:30:20 +01:00
Dirk
27f06f8d50
- BUGFIX: BSD now has proper heartbleed and ccs injection detection
...
- significant code improvement of hex-byte parser <-> socket sender
- BUGFIX: BSD now doesn't put an extra \n if rfc map file is missing
- bumped to 2.1rc3, hoping that'll be the last
2014-11-27 21:33:33 +01:00
Dirk
c034cd8a95
- for colors: double square brackets (might save a fork to "[ or "test"
...
- in terms of debugging cleaned up listciphers/std_cipherlists
- in other terms too
2014-11-25 13:12:24 +01:00
Yuri
19f936bece
Fixed the problem when COLOR=0 caused 'printf' to break due to leading dashes interpreted as command line options.
2014-11-22 12:15:47 -08:00
Peter Mosmans
c3ab016164
Fixed minor redirection typo for 'which' command
2014-11-22 12:57:36 +10:00
Dirk
d4265742b1
color codes for protocols and default ciphers reflect better a rating
...
- fix: heartbleed function needed a $TMPFILE for determining the TLS protocol
- version bumped to 2.1rc2
2014-11-20 10:46:55 +01:00
Dirk
5dd4a8f3fa
- fix in cleanup (while debug)
...
- wrong cmd line option --> help instead of error
2014-11-19 22:23:13 +01:00
Dirk
05877dca93
- protocol check streamlined: similar now for every protocol
...
- NPN/SPDY is not green anymore
2014-11-19 18:04:43 +01:00
Dirk
d77b667489
- protocol w/o cipher (only SSLv2 so far)
...
- for EVERY protocol now check whether $openssl supports it
- better fail for PFS if there are no local ciphers
2014-11-19 17:08:59 +01:00
Dirk
99e472ac01
- banner (openssl version build date, platform) slightly changed
...
- even clearer warning upon old openssl version (MacOSX!)
- oparoz hexdump patch
- heartbleed doesn't do a precheck anymore --> just sockets as it may lead to false negatives
if the client was compiled with it disabled (FreeBSD)
2014-11-19 13:22:22 +01:00
Dirk
f2c44803ed
- FreeBSD fixes (getent, printf)
2014-11-18 23:14:17 +01:00
Dirk
41a480abb4
small cleanup
2014-11-18 20:23:17 +01:00
Dirk
8756151a26
Merge branch 'master' of github.com:drwetter/testssl.sh
2014-11-18 16:40:14 +01:00
Dirk
049a945abc
- prettyprint_local now also can do word pattern matching
...
- help improved
- put the stripping of leading 0 into normalize_cipher_code where it belonged
- the latter makes a modified mapping-rfc.txt necessary!
2014-11-18 11:03:03 +01:00
Dirk
f45d85617b
- hexcode in neat list now w/o leading 0
...
- help cleaned up and clearer (& removing tabs)
- test_just_one with headline
2014-11-18 10:29:11 +01:00
Peter Mosmans
de0b4313b8
Make sure that cleanup() function is always called
...
Added {HEADERFILE_BREACH} to temporary files that should be removed
Removed obsolete cleanup calls
2014-11-18 14:30:48 +11:00
Dirk
cf8fa2c3f3
- version bumped to 2.1rc1, better layout for chacha (albeit bit ugly), better layout for all ciphers, test_just_one w/ headline
2014-11-18 01:36:29 +01:00
Dirk
16279267ea
- sockread w/ sleep
...
- ccs better documented + more verbose during debug
2014-11-18 00:26:58 +01:00
Dirk
7414b5b310
next step in color handling: 2=full color, 1: b/w, 0: no ESC codes at all
2014-11-17 18:49:56 +01:00
Dirk
fc4c2e5446
- omit the "**" in non colored mode
...
- query COLOR properly (env)
2014-11-17 17:43:59 +01:00
Dirk
a7bbc6c39a
warning upon "no ssl enabled server" clearer; we check only for return code of s_client. Fails if certificate needed
2014-11-17 17:05:43 +01:00
Dirk
481af083a3
NEW: first working implementation of "-x <list_of_csv_hexcodes> server" with a catch: none a/v local cipher
2014-11-02 23:37:17 +01:00
Dirk
5984e86f81
FIX for RUN_DIR, bumped up version to 2.1beta
2014-10-30 21:12:18 +01:00
Dirk
f56f81090a
NEW: HPKP
2014-10-29 21:24:43 +01:00
Dirk
b49b1451c4
FIX: for FreeBSD and spaces in "Local problem ..."
2014-10-29 20:23:21 +01:00
Dirk
ef5bf00094
FIXED: too much spaces in "Local problem: No .. configured"
2014-10-23 15:52:06 +02:00
Dirk
6737cd230c
FIXED: When there is no support in openssl for SSLv2 the error message and the next protocol test get on the same line
2014-10-23 15:40:15 +02:00
Dirk
1720fed5fe
be clear that no TLS_FALLBACK_SCSV support yet
2014-10-17 22:16:37 +02:00
Dirk
86e0141f72
POODLE hack
2014-10-15 13:10:06 +02:00
Dirk
192867554e
- FIX for getent line
2014-10-15 11:56:40 +02:00
Dirk
5e76322840
- regression on libressl fix for openssl fixed
2014-10-14 16:28:18 +02:00
Dirk
df06f45432
- mm: patch for libressl
2014-10-14 16:08:11 +02:00
Dirk
905e1540ab
another error message suppressed (DNS) and properly handled internally
2014-10-09 11:22:23 +02:00
Dirk
08202a5768
- FIX: socket reset (ccs, hb) made formatting look not ok
2014-10-08 14:30:31 +02:00
Dirk
4ae510650d
- for seldom cases of two hsts header we don't throw an error but take the first one
2014-10-08 01:03:14 +02:00
Dirk
e06251a1d3
- removed netcat dependency, availability check with bash sockets only. Should work on RH'ish distros better now
2014-10-07 12:04:21 +02:00
Dirk
723ab08258
- BUGFIX: supplying ip addresses only works again
2014-10-07 11:14:39 +02:00
Dirk Wetter
3dee100ac2
- clearer output
2014-09-25 16:24:21 +02:00
Dirk
455cd2fe62
- only numbers for hsts (thx to Olivier)
2014-09-24 11:17:28 +02:00
Dirk
fb40dad089
- jobcontrol for heartbleed and CCS test --> no blocking anymore
2014-09-16 22:18:09 +02:00
Dirk
a7fe0b48b5
* added ocsp stapling in server defaults test
...
* non-working prototype of testing a single cipher via hexcode
2014-08-29 14:57:20 +02:00
Dirk Wetter
93503a1b43
- except minor points now compatible to MacOSX and *BSD
...
- Russian GOST cipher support added
- more see CHANGELOG.txt
2014-07-16 19:04:15 +02:00
Dirk Wetter
9a689bbffc
- first try to commit here
2014-07-01 16:28:16 +02:00