Commit Graph

3911 Commits

Author SHA1 Message Date
Jaroslav Svoboda 7eba0fbb41 FIxed links
Links in comments with http:// changed to https://. Some non working links fixed.
2020-04-09 16:18:33 +02:00
David Cooper 04e51db402 Fix #1514
This commit is an attempt to fix #1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
2020-04-02 08:03:45 -04:00
Dirk Wetter dbff4a3706
Merge pull request #1554 from dcooper16/align_run_cipherlists
Align run_cipherlists() with pr_cipher_quality()
2020-04-02 13:53:54 +02:00
Dirk Wetter f16c7af687
Merge pull request #1553 from dcooper16/pr_cipher_quality_gost
Handle GOST ciphers in pr_cipher_quality()
2020-04-02 13:53:28 +02:00
Dirk Wetter d5d702104f
Merge pull request #1556 from dcooper16/fix1551
Fix #1551
2020-04-01 22:28:25 +02:00
David Cooper b6050e68de Fix #1551
This commit fixes #1551 by changing get_cipher() to recognize RFC names that begin with SSL_*. It also modifies run_beast() so that it does not get stuck in an infinite loop if get_cipher() doesn't return a valid cipher name.
2020-04-01 13:34:29 -04:00
David Cooper 08d5146223 Align run_cipherlists() with pr_cipher_quality()
This commit modifies run_cipherlists() to align with pr_cipher_quality().

The biggest change made by this commit is that it breaks the current list of STRONG ciphers into two lists: one for AEAD ciphers that offer forward secrecy (STRONG) and one for AEAD ciphers that do not offer forward secrecy (GOOD).

The remaining changes are just minor tweaks:

* A few ciphers that use MD5 are moved from AVERAGE and 3DES to LOW.

* '!AECDH' was added to the OpenSSL description for LOW to catch one cipher in OpenSSL 1.0.2-chacha that offers no authentication that was being included in the LOW list.

This commit also changes sub_cipherlists() to change the output when a cipherlist with a rating of 6 is not present. There was a "FIXME" associated with this output, but it didn't matter before since there were no cipherlists with a rating of 6.
2020-04-01 11:27:24 -04:00
David Cooper 40dfd8b53b Handle GOST ciphers in pr_cipher_quality()
This PR modifes pr_cipher_quality() as proposed in #1548 so that GOST ciphers are handled correctly. It changes pr_cipher_quality() so that the OpenSSL name is used in cases in which no RFC name is defined. It also adds a case statement for GOST so that GOST ciphers (that do not use MD5 or Null encryption) are marked as pr_svrty_low (as they are in run_cipherlists) rather than just being assigned the default rating (5).
2020-04-01 11:18:50 -04:00
Dirk Wetter 061732a5fb
Merge pull request #1552 from drwetter/drwetter-patch-1
Badges from shields.io / Monitoring Links
2020-04-01 12:41:16 +02:00
Dirk Wetter 333ccdfb41
Badges from shields.io / Monitoring Links 2020-04-01 12:40:56 +02:00
Dirk Wetter d32743b2eb
Merge pull request #1548 from dcooper16/adjust_pr_cipher_quality
Adjust pr_cipher_quality ratings
2020-03-31 14:09:47 +02:00
David Cooper 72dae035b5 Remove redundant entries
This commit removes two entries from a "case" test that were already covered by a previous entry.
2020-03-25 16:07:22 -04:00
David Cooper e15aea4790 Modify pr_cipher_quality to handle ARIA
This commit fixes the way pr_cipher_quality handles the OpenSSL names of some ARIA ciphers that either provide no authentication or that use CBC padding.
2020-03-25 15:57:00 -04:00
David Cooper d177a90bbe Adjust pr_cipher_quality ratings
This commit makes several changes to the way that ciphers are rated by pr_cipher_quality:

* It upgrades SEED ciphers to considered as strong as the corresponding AES ciphers.

* It downgrades ciphers that use AEAD, but that use a non-FS key exchange (TLS_DH_*, TLS_ECDH*, TLS_PSK_WITH_*) from best to good, thus giving them the same rating as AEAD ciphers that use static RSA (TLS_RSA_*).

* It downgrades some CBC ciphers to low (4) that are currently rated as neither good nor bad (5).

* It modifies the ratings created using OpenSSL names to provide the same ratings as those created using RFC names.
2020-03-25 15:28:08 -04:00
Dirk Wetter 8ff45208c3
Merge pull request #1546 from dcooper16/display_ciphernames_bug
Fix bug in setting DISPLAY_CIPHERNAMES
2020-03-25 18:28:03 +01:00
David Cooper 5ab73d1a1a Fix bug in setting DISPLAY_CIPHERNAMES
The permitted values for $DISPLAY_CIPHERNAMES are "rfc-only", "openssl-only", "openssl", and "rfc". However, get_install_dir() incorrectly sets $DISPLAY_CIPHERNAMES to "no-rfc" if it cannot find the $CIPHERS_BY_STRENGTH_FILE. ("no-rfc" is the string users would specify at the command line for the --mapping option, but not the value that $DISPLAY_CIPHERNAMES is set to internally).
2020-03-25 12:53:28 -04:00
Dirk Wetter 1e94d5a2f6
Merge pull request #1544 from mkauschi/replace-printf-with-tm_out
Replace printf with tm_out
2020-03-24 10:56:10 +01:00
manuel 31a9dafe94 replace printf with tm_out one further place 2020-03-23 17:39:14 +01:00
manuel e7c89cb264 replace printf with tm_out 2020-03-23 16:53:32 +01:00
Dirk Wetter 3a003d9ab9
Merge pull request #1538 from mkauschi/fix_bug_with_basicauth_generation
Fix basicauth bug where a newline is added to the user:password string before encoding
2020-03-18 14:51:18 +01:00
manuel 7fffe53d0a replace echo with the safe_echo function 2020-03-18 13:53:58 +01:00
manuel 1a3c01899f fix basicauth bug where a newline was added to the user:password string 2020-03-17 14:34:00 +01:00
Dirk Wetter 32df6b8bef
Merge pull request #1533 from drwetter/breach_output31
Fix output for BEAST when no SSL3 or TLS
2020-03-07 12:16:11 +01:00
Dirk 8242607d94 Fix output for BEAST when no SSL3 or TLS
LF added
2020-03-06 22:06:13 +01:00
Dirk Wetter 9cd4cf3eb9
Merge pull request #1531 from dcooper16/fix_typo_emphasize_stuff_in_headers
Fix typo in emphasize_stuff_in_headers()
2020-03-06 21:28:28 +01:00
David Cooper 58353d3522 Fix typo in emphasize_stuff_in_headers()
This commit fixes a typo in emphasize_stuff_in_headers() wherer ${yellow} was used rather than ${html_yellow} in the creation of the HTML output.
2020-03-06 14:25:07 -05:00
Dirk Wetter 5aadc1951d
Merge pull request #1523 from drwetter/pwdfix3.1
Avoid external "/bin/pwd"
2020-03-06 14:59:15 +01:00
Dirk Wetter 6f02101ae0
Merge pull request #1499 from dcooper16/fix_printing_percent
Fix printing percent characters
2020-03-06 14:35:31 +01:00
David Cooper 37dbe14def Fix printing percent characters
As noted in #1481, testssl.sh has a problem with printing percent ('%') characters.

At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by 8a2fe5915a. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated.

This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI.
2020-03-06 08:28:52 -05:00
Dirk Wetter 466f08c846
Merge pull request #1481 from dcooper16/fix_html
Fix HTML generation
2020-03-06 13:40:41 +01:00
Dirk Wetter 0469d6a2b1 Avoid external "/bin/pwd"
.. as it may not be available everywhere, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by $PWD.
It is a bash internal and the fastest. Also it added some quotes
to PWD a it may contain white spaces in the future (currently
there's a check for it that it won't)
2020-03-06 13:24:56 +01:00
Dirk Wetter b8d1a3506a
Merge pull request #1525 from drwetter/update_template
Update ISSUE_TEMPLATE.md
2020-03-06 13:01:03 +01:00
Dirk Wetter 9f1fa04e07
Update ISSUE_TEMPLATE.md 2020-03-03 21:18:09 +01:00
Dirk Wetter 1fb96df369 Avoid external "/bin/pwd"
.. as it may not be everywhere available, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by `pwd -P`
(-P -> no symbolic link)
2020-03-03 12:36:22 +01:00
David Cooper 83e76a442b Fix handling of \n in strings 2020-02-27 13:59:05 -05:00
David Cooper b92f0de2c9 Fix HTML generation
This PR fixes two issues related to the generation of HTML files.

First, text that is to appear in the HTML file is first passed through html_reserved() to replace reserved characters with their corresponding entity names (e.g., '>' becomes '>'). html_reserved() seems to work correctly on Ubuntu Linux, but it does not work as expected on MacOS. On MacOS, rather than converting '>' to '>', it gets converted to '\>', and the backslash is rendered by browsers.

This PR appears to fix the problem. However, given that the original version of html_reserved() was not portable, this revised version should be tested on multiple platforms.

I also noticed that in almost every case in which a string is passed to html_out(), it is first run through html_reserved(), but for some reason that is not the case in out() and outln(). I can't see any reason why html_reserved() is not called first in these two cases, so this PR adds in the calls.
2020-02-27 13:59:05 -05:00
Dirk Wetter e0c83b2a38
add more filters 2020-02-24 14:21:28 +01:00
Dirk Wetter 02b83cc092
Merge pull request #1516 from dcooper16/min_hsts
Fix use of HSTS_MIN
2020-02-21 09:59:32 +01:00
David Cooper f342031844 Fix use of HSTS_MIN
This commit fixes two minor issues related to HSTS_MIN:

* If there is a misconfiguration the recommended max-age should be based on $HSTS_MIN rather than being hardcoded to 15552000 seconds = 180 days.

* If max-age is exactly $HSTS_MIN, testssl.sh shouldn't say that max-age is too short while also say that >= $HSTS_MIN seconds is recommended.
2020-02-20 14:17:49 -05:00
Dirk Wetter 64fea03f66
Merge pull request #1510 from drwetter/rDNS_fixes
Fix for non compliant DNS PTR records
2020-02-15 15:22:22 +01:00
Dirk Wetter 95b6189076
Merge pull request #1509 from drwetter/container1
remove jq and beautify last line
2020-02-15 14:08:43 +01:00
Dirk Wetter b81c409135 Fix for non compliant DNS PTR records
This commit addresses two bugs: #1506 and #1508.

First, the variable rDNS can contain multiple lines due to multiple PTR DNS
records, though this is not recommended.  In those cases the multiple PTR DNS
were concatenated on the screen, without any blank.

Secondly - depending on the name server entries and on the output of the DNS
binaries used it can contain non-printable characters or characters which are
printable but later on interpreted on the output device (\032 was mentioned
in #1506) which on the screen was interpreted as octal 32 (decimal 26 = ▒,
try echo "\032"), so basically a terminal escape sequence was smuggled
from the DNS server to the screen of the users. In JSON pretty output we
had also this escape sequence which was fine for jsonlint but caused jq
to hiccup.

Fix: we use a loop to check for each FQDN returned. There we remove chars which
under those circumstances can show up. The blacklist is taken from RFC 1912
("Allowable characters in a label for a host name are only ASCII, letters, digits,
and the `-' character").
2020-02-15 13:43:37 +01:00
Dirk Wetter 75be8d9f38 remove jq and beautify last line 2020-02-15 12:09:33 +01:00
Dirk Wetter f01c1196c0
Merge pull request #1505 from dcooper16/fix_1504
Fix #1504
2020-02-13 17:52:06 +01:00
David Cooper 8d3640ca20 Fix #1504 by moving the description of the test out of the section that describes vulnerability tests. 2020-02-13 10:57:48 -05:00
Dirk Wetter d549c833c8
Merge pull request #1501 from dcooper16/cipher_order_wide
Wide output for cipher order
2020-02-13 09:34:40 +01:00
David Cooper 6c88a26861
Wide output for cipher order
Since, in cases in which the server enforces a cipher order, both run_cipher_per_proto() and run_server_preference() list every cipher supported by the server for each protocol, there was a discussion at one point about eliminating run_cipher_per_proto() and extending run_server_preference().

This PR takes a step in that direction by providing the option to present the "Cipher order" in wide mode.
2020-02-12 11:05:20 -05:00
Dirk Wetter b0cce84a7f
Merge pull request #1500 from dcooper16/shellcheck_SC2197
Fix Shellcheck SC2197
2020-02-10 20:45:16 +01:00
David Cooper 28d65247b0
Fix Shellcheck SC2197
This PR fixes one Shellcheck issue:

      In testssl_3.1dev_20200208.sh line 2395:
                HEADERVALUE="$(fgrep -Fai "$key:" $HEADERFILE | head -1)"
                               ^-- SC2197: fgrep is non-standard and deprecated. Use grep -F instead.

The man page for grep states that fgrep is the same a grep -F and that grep is deprecated. So, fgrep -F is just redundant.
2020-02-10 13:51:08 -05:00
Dirk Wetter 6da6335e5b
Merge pull request #1498 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-02-08 10:32:46 +01:00