Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter 56e6fa4bb7 Remove FTP as a "service" from Firefox' client simulation
... as firefox never supported FTP over TLS or SSL, see

https://bugzilla.mozilla.org/show_bug.cgi?id=85464

In general browsers tend to remove noaways cleartext FTP from
browsers.
2020-01-13 23:11:59 +01:00
Dirk Wetter 89275f7ea9 Redefine numbering scheme 2020-01-13 23:00:10 +01:00
Dirk Wetter 8cc3a5f514 Add firefox 71
... and
* deprecate openssl 1.0.1
* enable Chrome 74 instead of Chrome 65
2020-01-13 22:57:10 +01:00
Dirk Wetter be5a258383
Merge pull request #1441 from dcooper16/fix_run_server_preference
Fix run_server_preference() in --ssl-native mode
2020-01-13 17:41:02 +01:00
Dirk Wetter 91f8f33a6c add new basic checks, rename ca_hashes_up_to_date 2020-01-13 17:36:40 +01:00
Dirk Wetter ddbfe2d79d
Merge pull request #1440 from dcooper16/fix_client_sim
Fix Safari 13.0 Client Simulation
2020-01-13 17:14:43 +01:00
David Cooper 855758b3af
Fix run_server_preference() in --ssl-native mode
This PR fixes two problems that occur when testing a server that supports TLSv1.3 using OpenSSL 1.1.1 in --ssl-native mode.

First, when testing whether the server has a cipher order, the value of $sclient_success is checked after each call to tls_sockets(), but $sclient_success. As the goal is just to verify that the connection was successful (and didn't downgrade), $? can be checked rather than $sclient_success. [When not in --ssl-native mode, this problem is masked since $sclient_success is set to 0 earlier in the function.]

The second problem is that line 6646 tries to copy "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt", but this file is currently only created (on line 6287) if tls_sockets() is used to determine the negotiated protocol. This PR fixes the problem by also populating "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" when OpenSSL is used to determine the negotiated protocol.
2020-01-13 10:51:34 -05:00
David Cooper 420fa73f5a Fix Safari 13.0 Client Simulation
The ciphersuites string for Safari 13.0 ends with a colon (':'). which causes OpenSSL to reject the command line when client simulation testing is performed in --ssl-native mode. This PR fixes the problem by removing the trailing colon.
2020-01-13 10:31:20 -05:00
Dirk Wetter a7b0a04480 remove redundant lines 2020-01-13 16:26:05 +01:00
Dirk Wetter 88ec92d622 Add recent Chrome and Opera handshakes
Chrome 78 and 79, Opera 65 and 66

Remove FTP from Chrome
2020-01-13 16:02:39 +01:00
Dirk Wetter a714aec912 Clarify / correct a few bits 2020-01-13 16:01:27 +01:00
Dirk Wetter 69acd00731 Add file to check whether ~/etc/client-simulation.txt is parsable 2020-01-13 15:52:17 +01:00
Dirk Wetter b8e2b35165
Merge pull request #1437 from drwetter/avoid_1435
Avoid conflict of parallel mass scanning + connect timeouts
2020-01-13 11:50:02 +01:00
Dirk Wetter cf8cb541d5 Update Thunderbird simulation to v68.3 2020-01-13 11:35:58 +01:00
Dirk Wetter 0911d1ae31 For better recognition put readme in a separate file 2020-01-13 11:34:25 +01:00
Dirk Wetter 5c2a9772ea Avoid conflict of parallel mass scanning + connect timeouts
As stated in #1435 when specifying ``-connect-timeout=20`` AND
``--parallel`` there  asa problem with the file handles of child
processes (__testssl.sh: line 10454: 5: Bad file descriptor__).

This commit mitigates that in a sense that both switches can't
be used together. There's a check now in parse_cmd_line().

In addition it addresses a problem when fatal() is called and
e.g. JSON files haven't been created yet (error message ~
__testssl.sh: line 825: : No such file or directory__). It
introduces a global CMDLINE_PARSED which remembers the state
whether ``parse_cmd_line()`` has been fully executed or
not. Only when the former is the case it allows writing to files.
That implies that in main parse_cmd_line() has to be followed
by json_header() and similar.
2020-01-13 10:58:25 +01:00
Dirk Wetter c375403482
Merge pull request #1436 from drwetter/update_CAstores
Update CA stores
2020-01-11 16:00:16 +01:00
Dirk Wetter a244ef7990 Needed update after putting all CA store here 2020-01-11 11:45:27 +01:00
Dirk Wetter 88e670ab1f Update store
According to MS this is the latest which is from July 2019.
This is the biggest CA store (probably a lot of intermediate
certificates in there).

This was pulled from MS as described in the Readme.md . It
is exactly the same whether CertUtil will be run from Windows 7
(almost: RIP) or Windows 10.
2020-01-11 11:42:30 +01:00
Dirk 40155ed222 Update Java store
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.

The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``

As a consequence this store contains less certificates:

etc/Java.pem:90
etc/Linux.pem:128

and needs some testing whether it really should be still included.
2020-01-10 09:17:57 +01:00
Dirk Wetter 0880e97ab0
Merge pull request #1432 from drwetter/fix_1429
Fix HTTP time for recent OpenBSD
2020-01-09 15:39:31 +01:00
Dirk Wetter b70407352d
Merge branch '3.0' into fix_1429 2020-01-09 14:00:11 +01:00
Dirk Wetter 34784b6c6a Fix HTTP time for recent OpenBSD
See #1429.
OpenBSD 6.6 had an offset with the HTTP header time of  -3600 seconds.
This PR fixes that by adding the GMT time zone to parse_date()'s
HAS_FREEBSDDATE incarnation. That doesn't matter to FreeBSD.

Also now for older OpenBSDs the local and remote time are now
in the same format:

```
HTTP clock skew              remote: Thu, 09 Jan 2020 12:52:32 GMT
                             local:  Thu, 09 Jan 2020 12:52:02 GMT
``

so that a time difference is easier to spot.
2020-01-09 13:52:28 +01:00
Dirk Wetter 7341cac3c2 -add-ca amended 2020-01-09 10:34:07 +01:00
Dirk Wetter 3ff93b4fa6 Update for 3.0 2020-01-09 10:27:09 +01:00
Dirk Wetter 427341cc9b
Merge pull request #1431 from drwetter/fix_1430
Fixes missing display of HTTP headers under OpenBSDs
2020-01-08 16:50:33 +01:00
Dirk Wetter 21f87d7266 Fixes missing display of HTTP headers under OpenBSDs
OpenBSD's grep seems to interpret "-w <EXPR>:" differently
than Linux or MacOSX/FreeBSD in a sense that this doesn't
matchs, see #1430.

This PR fixes that by squashing the w option in all occuorrences.

In addition it removes the SOCKETHEADER if-statement which was
introduced looking forward a while back. It's not happening soon
at least and the variable was not initialized either.
2020-01-08 15:51:21 +01:00
Dirk Wetter e319d6c01f
Merge pull request #1428 from drwetter/correct_warningsoption
Remove --warnings=false from documenation
2020-01-08 14:33:37 +01:00
Dirk Wetter 256d4d32ab
Merge pull request #1427 from drwetter/825_days
Check for certificates with a life time >825 days when issued after 2018/03/01
2020-01-08 14:31:19 +01:00
Dirk Wetter c228b578dd Remove --warnings=false from documenation
... and reorder manpages also so that --warnings, --connect-timeout
and --openssl-timeout appear in the "input parameter" section.

The HTML manpage looks in the diff view quite different as previously
another computer was used for converting the source format with ronn(1).

The manpage in (g)roff format was manually edited with .RE / .RS
for provide indented bulletpoints.

See also #1419
2020-01-08 14:24:41 +01:00
Dirk Wetter 25913cfa4f
Merge pull request #1426 from drwetter/fix_1425
Fix bits errors in OpenBSDs
2020-01-08 11:43:07 +01:00
Dirk b2680db162 Finalize 825 day check, add more OpenBSD date improvements
* It'll be a warning now when a host certificate was issued after
  March 1st, 2018 which has a lifetime >825 days, independent
  whether it is an internal certificate or not. This can
  change later, as browsers treat those certificates different
  as "official ones"
* Still the 5 or 10 year threshold overrides this
* For older OpenBSDs there's now a better date format support
  used in the expiration and validity period of a host certificate.
  It mimics in bash the conversion of other date binaries. It is
  not accurate so it might be off a day or at maximum two, probably
  as a month has 30.42 days and not 30.
* The date output for OpenBSD is now in line with other OS. Previously
  we just echoed the lines in openssl x509 output whereas now we
  convert that
2020-01-08 11:23:11 +01:00
Dirk 554b49bc75 Add David's downgrade checks, Dirk's improvements for OpenBSD 2020-01-08 11:22:09 +01:00
Dirk Wetter 35e6adccc4 Fix bits errors in OpenBSDs
The expression 'grep -aw "Public-Key:"' hiccuped on the colon
under OpenBSD, so that any bitsize on a certificate had wrong
values, see #1425. (FreeBSD was fine)

This PR fixes that. It updates the expression by using awk and
bash internal functions.

The same problem occured in run_robot(). The strong typing of
pubkeybits had to be relaxed to a dynamic typing, unless we
choose to define a second string variable.
2020-01-08 10:56:45 +01:00
Dirk a42b98c0ff Save work
* old OpenBSD kinda works
* let's encrypt section moved so that OpenBSD can use it too

* Days are wrong
* Date format is not the same as with e.g. GNUdate (but should be)
* variables y m d not declared
* date warning for openbsd completely missing
2020-01-07 13:56:08 +01:00
Dirk 7ff4ebfc0c fix travis 2020-01-04 16:52:38 +01:00
Dirk e9108baf93 correct comment 2020-01-04 11:22:45 +01:00
Dirk c80a1307bf Detect 825 days threshold for certificates issued >2018/03/01
... as mentioned #1422

Open
* testing
* openbsd
2020-01-04 11:18:46 +01:00
Dirk Wetter 1fa0094b3b
Merge pull request #1423 from fbacchella/3.0
cert_validityPeriod is wrong.
2020-01-04 10:41:47 +01:00
Fabrice Bacchella 0e5376042b cert_validityPeriod is wrong. 2020-01-03 16:30:40 +01:00
Dirk Wetter 1bc50bb7d3
Merge pull request #1421 from drwetter/fix_1418
Fix s_client capability test for LLMNR, add HAS_PKEY
2020-01-02 17:21:48 +01:00
Dirk Wetter f99959a228
Merge pull request #1420 from vitaliytv/patch-2
Dockerfile: Alpine 3.11
2020-01-02 17:03:11 +01:00
Dirk Wetter accdb3d4f6 Fix s_client capability tet for LLMNR, add HAS_PKEY
As noted in #1418 LLMNR (Link-Local Multicast Name Resolution)
resolution times out when using x as an argument to "-connect".

This commit fixes that by replacing "-connect x" by "-connect invalid."
which is supposedly also generally more "DNS query friendly", see
https://tools.ietf.org/html/rfc6761#section-6.4 .

In addition this commit adds a check in get_common_prime() whether
the openssl version used has pkey support. If not with old openssl
versions and previously testssl.sh terminated after presenting garbledoutput.
(This was found as tested how very old version of openssl versions
handle "-connect invalid.")
2020-01-02 16:16:54 +01:00
Vitalii Tverdokhlib fbc2661fbe
Dockerfile: Alpine 3.11 2020-01-02 13:52:30 +02:00
Dirk Wetter 45683f3452
Merge pull request #1378 from dcooper16/unsupported_ossl_protocols
Don't call s_client for unsupported protocol versions
2020-01-02 12:12:43 +01:00
David Cooper 7c1b8139b2 Minor tweak to run_tls_fallback_scsv()
If the server is known not to support TLS 1.3 (as well as TLS 1.2, TLS 1.1, and TLS 1), then mention TLS 1.3 in the list of not supported protocols. While lack of TLS 1.3 support is not part of the reason that no fallback is possible, it is part of the reason that the result is reported as prln_svrty_high.
2019-12-27 09:33:08 -05:00
David Cooper a0b2fb5d56 Minor tweak to run_tls_fallback_scsv()
Don't report "OK" if the server may be TLS 1.3-only or SSLv3-only, as one is very good and one is very bad.
2019-12-27 09:33:08 -05:00
David Cooper 3f25bcc6d4 Minor tweaks to run_tls_fallback_scsv() 2019-12-27 09:33:08 -05:00
David Cooper e457ff8cc1 Improve check for $low_proto in run_tls_fallback_scsv()
If $high_proto is set to something other than SSLv3, support for SSLv3 will not have been determined by determine_optimal_sockets_params(), but it may have been determined later (e.g., by run_protocols()). So, this commit changes the loop to always check for SSLv3 support (without calling "$OPENSSL s_client" if $HAS_SSL3 is false). The check for whether the fallback test can be performed is moved until after the loop
2019-12-27 09:33:08 -05:00
David Cooper 00f613f62d WIP: Don't call s_client for unsupported protocol versions
This PR fixes a couple of places where "$OPENSSL s_client" is called with "-ssl3" even if SSLv3 is not supported.

The fix in ciphers_by_strength() is easy, as the issue only occurs if "$using_sockets" is true. If SSLv3 (or TLSv1.3) is not supported, then testing using "$OPENSSL s_client" is skipped and all of the supported ciphers are found using tls_sockets().

The fix for run_tls_fallback_scsv() is more complicated. While it is easy to avoid calling "$OPENSSL s_client" with "-ssl3" if SSLv3 is not supported, it is not easy to determine the correct message to present to the user if support for SSLv3 (and possibly also TLSv1.3) is unknown.

For the case in which $high_proto cannot be set, I believe that I have covered all of the possibilities, but an not sure if the correct message/rating is used in every case.

For the case in which it is not possible to determine whether SSLv3 is the $low_proto, more could be done. If $high_proto is TLS 1.1 or TLS 1, then this PR is okay, as it is possible that SSLv3 would be the fallback protocol, but there is no way to tell. However, it seems unlikely that a server would support TLS 1.2 and SSLv3, but not TLS 1.1 or TLS 1. So, perhaps if $high_proto is TLS 1.2 and the server does not support TLS 1.1 or TLS 1, it should just be assumed that SSLv3 is not supported, even if it cannot be tested.
2019-12-27 09:33:08 -05:00