Commit Graph

4190 Commits

Author SHA1 Message Date
manuel 1a3c01899f fix basicauth bug where a newline was added to the user:password string 2020-03-17 14:34:00 +01:00
Dirk Wetter 32df6b8bef
Merge pull request #1533 from drwetter/breach_output31
Fix output for BEAST when no SSL3 or TLS
2020-03-07 12:16:11 +01:00
Dirk 8242607d94 Fix output for BEAST when no SSL3 or TLS
LF added
2020-03-06 22:06:13 +01:00
Dirk Wetter 9cd4cf3eb9
Merge pull request #1531 from dcooper16/fix_typo_emphasize_stuff_in_headers
Fix typo in emphasize_stuff_in_headers()
2020-03-06 21:28:28 +01:00
David Cooper 58353d3522 Fix typo in emphasize_stuff_in_headers()
This commit fixes a typo in emphasize_stuff_in_headers() wherer ${yellow} was used rather than ${html_yellow} in the creation of the HTML output.
2020-03-06 14:25:07 -05:00
Dirk Wetter 5aadc1951d
Merge pull request #1523 from drwetter/pwdfix3.1
Avoid external "/bin/pwd"
2020-03-06 14:59:15 +01:00
Dirk Wetter 6f02101ae0
Merge pull request #1499 from dcooper16/fix_printing_percent
Fix printing percent characters
2020-03-06 14:35:31 +01:00
David Cooper 37dbe14def Fix printing percent characters
As noted in #1481, testssl.sh has a problem with printing percent ('%') characters.

At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by 8a2fe5915a. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated.

This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI.
2020-03-06 08:28:52 -05:00
Dirk Wetter 466f08c846
Merge pull request #1481 from dcooper16/fix_html
Fix HTML generation
2020-03-06 13:40:41 +01:00
Dirk Wetter 0469d6a2b1 Avoid external "/bin/pwd"
.. as it may not be available everywhere, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by $PWD.
It is a bash internal and the fastest. Also it added some quotes
to PWD a it may contain white spaces in the future (currently
there's a check for it that it won't)
2020-03-06 13:24:56 +01:00
Dirk Wetter b8d1a3506a
Merge pull request #1525 from drwetter/update_template
Update ISSUE_TEMPLATE.md
2020-03-06 13:01:03 +01:00
Dirk Wetter 9f1fa04e07
Update ISSUE_TEMPLATE.md 2020-03-03 21:18:09 +01:00
Dirk Wetter 1fb96df369 Avoid external "/bin/pwd"
.. as it may not be everywhere available, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by `pwd -P`
(-P -> no symbolic link)
2020-03-03 12:36:22 +01:00
David Cooper 83e76a442b Fix handling of \n in strings 2020-02-27 13:59:05 -05:00
David Cooper b92f0de2c9 Fix HTML generation
This PR fixes two issues related to the generation of HTML files.

First, text that is to appear in the HTML file is first passed through html_reserved() to replace reserved characters with their corresponding entity names (e.g., '>' becomes '>'). html_reserved() seems to work correctly on Ubuntu Linux, but it does not work as expected on MacOS. On MacOS, rather than converting '>' to '>', it gets converted to '\>', and the backslash is rendered by browsers.

This PR appears to fix the problem. However, given that the original version of html_reserved() was not portable, this revised version should be tested on multiple platforms.

I also noticed that in almost every case in which a string is passed to html_out(), it is first run through html_reserved(), but for some reason that is not the case in out() and outln(). I can't see any reason why html_reserved() is not called first in these two cases, so this PR adds in the calls.
2020-02-27 13:59:05 -05:00
Dirk Wetter e0c83b2a38
add more filters 2020-02-24 14:21:28 +01:00
Dirk Wetter 02b83cc092
Merge pull request #1516 from dcooper16/min_hsts
Fix use of HSTS_MIN
2020-02-21 09:59:32 +01:00
David Cooper f342031844 Fix use of HSTS_MIN
This commit fixes two minor issues related to HSTS_MIN:

* If there is a misconfiguration the recommended max-age should be based on $HSTS_MIN rather than being hardcoded to 15552000 seconds = 180 days.

* If max-age is exactly $HSTS_MIN, testssl.sh shouldn't say that max-age is too short while also say that >= $HSTS_MIN seconds is recommended.
2020-02-20 14:17:49 -05:00
Dirk Wetter 64fea03f66
Merge pull request #1510 from drwetter/rDNS_fixes
Fix for non compliant DNS PTR records
2020-02-15 15:22:22 +01:00
Dirk Wetter 95b6189076
Merge pull request #1509 from drwetter/container1
remove jq and beautify last line
2020-02-15 14:08:43 +01:00
Dirk Wetter b81c409135 Fix for non compliant DNS PTR records
This commit addresses two bugs: #1506 and #1508.

First, the variable rDNS can contain multiple lines due to multiple PTR DNS
records, though this is not recommended.  In those cases the multiple PTR DNS
were concatenated on the screen, without any blank.

Secondly - depending on the name server entries and on the output of the DNS
binaries used it can contain non-printable characters or characters which are
printable but later on interpreted on the output device (\032 was mentioned
in #1506) which on the screen was interpreted as octal 32 (decimal 26 = ▒,
try echo "\032"), so basically a terminal escape sequence was smuggled
from the DNS server to the screen of the users. In JSON pretty output we
had also this escape sequence which was fine for jsonlint but caused jq
to hiccup.

Fix: we use a loop to check for each FQDN returned. There we remove chars which
under those circumstances can show up. The blacklist is taken from RFC 1912
("Allowable characters in a label for a host name are only ASCII, letters, digits,
and the `-' character").
2020-02-15 13:43:37 +01:00
Dirk Wetter 75be8d9f38 remove jq and beautify last line 2020-02-15 12:09:33 +01:00
Dirk Wetter f01c1196c0
Merge pull request #1505 from dcooper16/fix_1504
Fix #1504
2020-02-13 17:52:06 +01:00
David Cooper 8d3640ca20 Fix #1504 by moving the description of the test out of the section that describes vulnerability tests. 2020-02-13 10:57:48 -05:00
Dirk Wetter d549c833c8
Merge pull request #1501 from dcooper16/cipher_order_wide
Wide output for cipher order
2020-02-13 09:34:40 +01:00
David Cooper 6c88a26861
Wide output for cipher order
Since, in cases in which the server enforces a cipher order, both run_cipher_per_proto() and run_server_preference() list every cipher supported by the server for each protocol, there was a discussion at one point about eliminating run_cipher_per_proto() and extending run_server_preference().

This PR takes a step in that direction by providing the option to present the "Cipher order" in wide mode.
2020-02-12 11:05:20 -05:00
Dirk Wetter b0cce84a7f
Merge pull request #1500 from dcooper16/shellcheck_SC2197
Fix Shellcheck SC2197
2020-02-10 20:45:16 +01:00
David Cooper 28d65247b0
Fix Shellcheck SC2197
This PR fixes one Shellcheck issue:

      In testssl_3.1dev_20200208.sh line 2395:
                HEADERVALUE="$(fgrep -Fai "$key:" $HEADERFILE | head -1)"
                               ^-- SC2197: fgrep is non-standard and deprecated. Use grep -F instead.

The man page for grep states that fgrep is the same a grep -F and that grep is deprecated. So, fgrep -F is just redundant.
2020-02-10 13:51:08 -05:00
Dirk Wetter 6da6335e5b
Merge pull request #1498 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-02-08 10:32:46 +01:00
David Cooper 2af5fa72d1
Minor code cleanup
This PR makes some minor changes to the code in order to clean it up a little.
2020-02-07 17:21:22 -05:00
Dirk Wetter 8bdad385d5
Merge pull request #1497 from dcooper16/neat_list_export
neat_list() and export
2020-02-07 18:14:11 +01:00
David Cooper d916f048be
neat_list() and export
Currently, the function neat_list() uses the variable "export", but does not define it. The result is that "export" variable in the calling function is used.

This PR fixes that by defining "export" as a local variable in neat_list() and by setting its value via a new parameter to the function.

This PR also removes a "FIXME" from run_rc4() since the problem has already been fixed.
2020-02-06 14:33:13 -05:00
Dirk Wetter 9a0325875e
Merge pull request #1495 from dcooper16/fix_pub_key_length_calculation
Fix public key length calculation
2020-02-04 21:45:52 +01:00
David Cooper 3025d92ebf
Fix public key length calculation
This PR fixes a minor bug in get_pub_key_size(). If the key size is being determined manually and length encoding requires 4 bytes, then the current code computes the length incorrectly. This is a very insignificant bug, since does not apply to RSA or ECC keys, and the key would have to be at least 16 megabytes long for it to require 4 bytes to encode.

This PR also cleans up get_pub_key_size() a bit by replacing `i=$i+...` with `i+=...` and by enclosing math in `$(( ... ))`.
2020-02-04 14:55:53 -05:00
Dirk Wetter e9430bdd23
Merge pull request #1490 from drwetter/dotasurl_fix
Fix URL when hostname with trailing dot supplied
2020-02-04 16:20:23 +01:00
Dirk Wetter 77398af399
Merge pull request #1492 from dcooper16/fix_typos
Fix typos
2020-02-04 16:18:46 +01:00
David Cooper f756080a01
Fix typos
I noticed two places that had a single "&" rather than "&&". I didn't try to do any testing, but these certainly seem like typos.
2020-02-04 09:52:44 -05:00
Dirk c2df2f1fc0 Fix URL when hostname with trailing dot supplied
Hostnames can contain a trailing dot (and sometimes they should).
If they are supplied to testssl.sh however they will be also interpreted
as a URL PATH when the servive is HTTP.

This commit fixes that.
2020-02-03 22:26:01 +01:00
Dirk Wetter ccafd9125b
Merge pull request #1488 from dcooper16/fix_client_simulation
Fix client simulation
2020-01-31 20:23:58 +01:00
David Cooper 46c05c6732 Fix client simulation
replace ciphers with ch_ciphers and sni with ch_sni in client simulation data file.
2020-01-31 10:52:50 -05:00
Dirk Wetter 7c85b44a9f
Merge pull request #1482 from dcooper16/shellcheck_SC2178
Suppress shellcheck issue SC2178
2020-01-31 09:23:06 +01:00
Dirk Wetter e8b7a04e53
Merge pull request #1487 from simondeziel/dup-cipher
Remove (harmless) AESGCM dup in the strong ciphers list
2020-01-31 09:22:03 +01:00
Dirk Wetter 2f54613d6d
Merge pull request #1484 from dcooper16/tls13_post_handshake
TLS 1.3 post-handshake messages
2020-01-31 08:55:08 +01:00
Dirk Wetter 7443a532cf
Merge pull request #1486 from drwetter/fix_ids_friendly
Fix --ids-friendly
2020-01-31 08:48:01 +01:00
Dirk Wetter 89fd902b18
Merge pull request #1483 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-01-31 08:41:43 +01:00
Simon Deziel 772713f497 Remove (harmless) AESGCM dup in the strong ciphers list
Signed-off-by: Simon Deziel <simon@sdeziel.info>
2020-01-30 17:29:44 -05:00
Dirk Wetter c4920f61e4 rename query_globals() --> count_do_variables()
.. and fix one problem instroduced with last patch (testssl.sh
din't work correclty if only an URI was supplied)
2020-01-30 22:25:10 +01:00
Dirk Wetter 073d383f76 Fix switch --ids-friendly
This switch had no effect. There was probably a regression
problem as it worked before.

Besides fixing that the large case statement in parse_cmd_line()
was simplified, in a sense that banner and help functions were
moved to a separate case statement.
2020-01-30 21:49:56 +01:00
David Cooper aba544b188
TLS 1.3 post-handshake messages
This PR adds support for post-handshake messages when using sockets with TLS 1.3 connections. If a TLS 1.3 connection is established and the connection is to remain open after tls_sockets() finishes, then after the client's Finished message is sent the master secret and the application traffic keys are computed. This PR also adds two new functions to send and receive application data over a TLS 1.3 connection.

This PR also includes two proofs-of-concept for the use of the new functions. receive_app_data() is called immediately after the client's Finished message is sent. Some server's will send new session tickets immediately after the handshake is complete. If they do, then the code will decrypt and parse the session ticket messages.

This PR also modifies service_detection() to try using sockets if the server only supports TLS 1.3 and $OPENSSL does not support TLS 1.3. After the handshake is complete, this code sends an HTTP GET request and reads the response. The code is fairly slow and it doesn't always work. However, since it is only used in cases in which $OPENSSL cannot work, it can't hurt to try using sockets.
2020-01-30 15:20:25 -05:00
David Cooper 5d2978fdbe
Minor code cleanup
This PR cleans up the code in a few places by using "case" statements in a few places where the value of a variable is checked multiple times.
2020-01-30 14:00:46 -05:00