Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter 1f388d8b94
Merge pull request #1686 from magnuslarsen/3.1dev
[Rating] Added complete json/csv output
2020-07-20 11:28:35 +02:00
Magnus Larsen 0d9ca76f37 Added complete json/csv output for rating 2020-07-18 21:14:38 +02:00
Dirk Wetter 00779eb639
Merge pull request #1685 from dcooper16/bad_ocsp
Check for bad OCSP intermediate certificates
2020-07-16 19:50:48 +02:00
David Cooper bd856e2ada Save intermediate certificates for more use
As there as suggestions to check intermediate certificates for things such as expiration date, this commit saves the text versions of each of the intermediate certificates so that they are available to extract additional information.
2020-07-16 07:57:27 -04:00
David Cooper 17ee0245b5 Speed up intermediate certificate extraction
This commit speeds up extraction of intermediate certificates by using Bash commands rather than awk.
2020-07-15 11:56:31 -04:00
David Cooper 851cd564e6 Check for bad OCSP intermediate certificates
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.

This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
2020-07-15 11:56:20 -04:00
Dirk Wetter 19f2c2872a
Merge pull request #1680 from drwetter/badocspcert
Implementation of hanno's bad OCSP intermediate CA detector
2020-07-15 11:51:34 +02:00
Dirk d07d1f102e Works now
* open: generation of intermediate certificate files. We do that
  at several places. But for some reasons I do not understand currently
  we remove those files.
* we don't name the offending certificate
2020-07-14 23:42:06 +02:00
Dirk eb7b0c9644 add hash file 2020-07-14 22:26:23 +02:00
Dirk 903eeec97b Start of implementing of hanno's bad OCSP intermediate CA detector
see https://github.com/hannob/badocspcert
2020-07-14 22:23:11 +02:00
Dirk Wetter 41ac04ef27
Merge pull request #1677 from drwetter/breach2medium
Revised risk for BREACH --> medium
2020-07-10 19:56:53 +02:00
Dirk cec5726f30 Revised risk for BREACH --> medium 2020-07-10 19:52:47 +02:00
Dirk Wetter b941d7db4a
Merge pull request #1674 from dcooper16/rate_ciphers_in_json
Include cipher quality in JSON and CSV
2020-07-10 12:34:06 +02:00
David Cooper 6c8df4529c Include cipher quality in JSON and CSV
run_cipherlists() checks for support for different groups of ciphers, but does not indicate which ciphers in each group are supported. So, for example, if the JSON file indicates that there is a problem with severity level "HIGH" because the "LOW" ciphers are available, there is no clear indication of which of these ciphers are supported by the server.

If run_server_preference() is run with "--color 3", then there will be a visual indication (via color) of the ciphers the server supports that are considered bad, but this information does not appear in the JSON (or CSV) output. The JSON (or CSV) output will include information about every cipher that is supported, but the severity level is always "INFO".

This commit addresses this problem by changing the fileout() calls in ciphers_by_strength() and cipher_pref_check() that output each supported cipher individually so that the "severity" argument is an indication of the quality of the cipher. With this, information about which bad ciphers are supported can easily be found in the JSON/CSV output.
2020-07-07 12:35:35 -04:00
Dirk Wetter 6071ae9883
Merge pull request #1672 from dcooper16/fix_unrecognized_option
Fix printing of unrecognized option
2020-07-07 15:53:49 +02:00
David Cooper 45eafd239f Fix printing of unrecognized option
When testssl.sh is called with an unknown option it prints something like:

     0: unrecognized option "--option"

It should be printing the name of the program rather than "0". This commit fixes that.
2020-07-07 07:30:48 -04:00
Dirk Wetter d881140cac
Merge pull request #1669 from dcooper16/separate_pr_cipher_quality
Separate pr_cipher_quality() into two functions
2020-07-07 08:36:31 +02:00
David Cooper 919064095f Separate pr_cipher_quality() into two functions
This commit separates pr_cipher_quality() into two functions, one that returns the quality of a cipher as a numeric rating (get_cipher_quality()) and one that prints a cipher based on its quality (pr_cipher_quality()). This separation allows get_cipher_quality() to be used to determine how good a cipher is without having to print anything. Having this ability would be helpful in implementing the changes suggested in #1311.
2020-07-06 15:45:36 -04:00
Dirk Wetter 9122ffec1d
Merge pull request #1668 from drwetter/1657_polish
Polish STARTTLS rating output
2020-06-26 10:02:23 +02:00
Dirk Wetter 7c75993746 remove unused spaces var 2020-06-25 20:54:43 +02:00
Dirk Wetter 288223c707 Polish STARTTLS rating output
Moved the sentence ~i "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.

See also #1657
2020-06-25 20:47:51 +02:00
Dirk Wetter ae72592959
Merge pull request #1666 from dcooper16/fix1665
Fix #1665
2020-06-25 20:45:19 +02:00
David Cooper 1f2b4a3f40 Fix #1665
This commit fixes #1665 by adding the certificate number to the JSON identifier for cert_eTLS.
2020-06-25 13:18:28 -04:00
Dirk Wetter b1f64a50df
Merge pull request #1663 from dcooper16/fix1662
Fix #1662
2020-06-25 13:39:58 +02:00
David Cooper 91ceaca1e9 Fix #1662
This commit fixes #1662 by changing the fileout to use the value of $cert_ext_keyusage rather than the string "cert_ext_keyusage".
2020-06-25 07:31:50 -04:00
Dirk Wetter b2d41330e0 port typo fixes to html and roff doc 2020-06-25 13:05:47 +02:00
Dirk Wetter 55f7f7d69a
Merge pull request #1657 from magnuslarsen/3.1dev
[Rating] STARTTLS output styling
2020-06-24 09:51:21 +02:00
Dirk Wetter 3c30887f39
Merge pull request #1659 from csett86/wireshark-android-7-0
Add wiresharked Android 7.0 (native)
2020-06-24 09:49:24 +02:00
Magnus Larsen f647ae8264 Change to grade cap 2020-06-23 19:24:24 +02:00
Christoph Settgast 82e939f2bd Add wiresharked Android 7.0 (native)
After being bitten by https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
I add a wiresharked Android 7.0 to reflect that bug in Android 7.0.
2020-06-23 15:26:31 +02:00
Magnus Larsen 069c5ae917 Spelling 2020-06-22 19:16:20 +02:00
Magnus Larsen 2bff63b7db Add a comment about STARTTLS connections in the docs 2020-06-22 19:14:25 +02:00
Magnus Larsen de14ec9f81 STARTTLS rating styling 2020-06-19 21:21:43 +02:00
Dirk Wetter e9d6462ee9
Merge pull request #1656 from magnuslarsen/3.1dev
[Rating] Clearer grade cap reasons
2020-06-19 09:50:24 +02:00
Magnus Larsen 21208f46cd Clearer grade cap reason regarding certificate errors 2020-06-18 21:15:28 +02:00
Dirk Wetter d19aed2345
Merge pull request #1652 from dcooper16/fix_wildcard
Fix and enhance CN matching
2020-06-09 10:48:59 +02:00
Dirk Wetter 4f13298938
Merge pull request #1651 from dcooper16/missing_space
Fix missing spaces
2020-06-09 09:17:37 +02:00
David Cooper a6c2168cd9 Fix and enhance CN matching
PR #1373 changed get_cn_from_cert() to handle certificate subject names that include more than one CN attribute. It did this by converting newline characters to spaces. It seems that this resulted in a space character being added to the end of the string returned by get_cn_from_cert() even in the case that the subject name only included one CN attribute. The presence of the space character in returned value caused compare_server_name_to_cert() to determine that the CN attribute did not contain a DNS name (since DNS names cannot include spaces), and so compare_server_name_to_cert() reports that the server name does not match against the CN in the subject. This may be the reason for the problem noted in #1555.

This commit fixes the above problem and also enhances the matching of the CN in the subject name against the server's name. Currently, compare_server_name_to_cert() assumes that the subject field contains at most one CN attribute. However, as noted in #1373, some certificates include subject names with more than one CN attribute, and RFC 6125 (Section 6.2.2) indicates that the certificate subject name include more than one CN, with each specifying a different DNS name.

So, in addition to fixing the problem with the space character, this commit also enhances the CN matching to work even if the certificate includes more than one CN attribute in the subject name.
2020-06-08 13:57:00 -04:00
David Cooper fe87192a80 Fix missing spaces
In some cases when the Trust finding is printed, there is no space between the results when SNI is used and the results without SNI (which appear in paraenthesis). This commit adds the missing space.
2020-06-08 13:54:36 -04:00
Dirk Wetter 6a91dadb31
Merge pull request #1637 from magnuslarsen/3.1dev
[Rating] simple DH group length
2020-06-02 16:48:45 +02:00
Magnus Larsen 55bbb98a02 small fixes 2020-06-02 16:28:24 +02:00
Magnus Larsen cce7566dc8 Moved grade_caps to run_rating() function; added KEY_EXCH_SCORE=20 back again 2020-06-02 16:26:55 +02:00
Dirk Wetter 9a22e9af1a
Merge pull request #1649 from dcooper16/SC2034
Fix Shellcheck SC2034 issues
2020-06-02 11:08:33 +02:00
David Cooper edefce5998 Fix Shellcheck SC2034 issues
This commit fixes several issues related to Shellcheck issue SC2034: unused variables.

In most cases variables are declared in a function, but are referenced later. The exceptions are:

* SESS_RESUMPTION is declared and values are assigned to it, but it us never used. (Same applies for not_new_reused in sub_seession_resumption().)

* In run_cipherlists(), there is a typo in the declaration of sslv2_tdes_ciphers.

* In get_caa_rr_record(), "hash", "len", and "line" are used but not declared.
2020-06-01 15:31:01 -04:00
Magnus Larsen 30d5710768 ephemeral is the word 2020-05-28 21:12:14 +02:00
Magnus Larsen dca50fc49a allow multiple equal key sizes 2020-05-28 21:00:45 +02:00
Magnus Larsen e6150a2348 Missed todo comment fix; cleanup output 2020-05-28 20:33:17 +02:00
Magnus Larsen 985e647cdf merge upstream 2020-05-28 20:20:32 +02:00
Dirk Wetter 4f9c5158dc
Merge pull request #1646 from drwetter/get_TXT_record
Add get_txt_record(), fix variable declaration in get_mx_record()
2020-05-25 21:31:18 +02:00
Dirk a4ae05c90c Add get_txt_record(), fix variable declaration in get_mx_record()
This commit adds a function for querying the TXT DNS record, so
that subsequently we'll can build on top of that a function for
checking MTA-STS, see #1073.

Also it modifies a local variable mxs in get_mx_record() which
was declared as mx but mxs was used. (That is pending an backport
to 3.0.)
2020-05-25 13:23:49 +02:00