Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter 6b90152f52 Merge pull request #639 from dcooper16/must_staple
OCSP must staple
2017-02-20 12:31:16 +01:00
Dirk Wetter 52a0d44b90 Merge pull request #637 from dcooper16/print_negotiaed_cipher
Printing Negotiated cipher
2017-02-20 11:46:24 +01:00
Dirk bfbaba4ea7 - trying to address #640 . Better a bit pessimistic here... 2017-02-20 09:44:52 +01:00
Dirk c284185c56 - try to address #638 2017-02-18 13:22:17 +01:00
David Cooper 4b1435f958 Make link from redirect URL
If the HTTP Status Code includes a redirect URL, then make the URL a hyper link in the HTTP output.
2017-02-17 16:40:50 -05:00
David Cooper 8c607d425e OCSP must staple
RFC 7633 introduces the TLS Features certificate extension, which contains "Features:
> The object member "Features" is a sequence of TLS extension identifiers (features, in this specification's terminology) as specified in the IANA Transport Layer Security (TLS) Extensions registry.  If these features are requested by the client in its ClientHello message, then the server MUST return a ServerHello message that satisfies this request.

The main purpose of this certificate extension is to implement "must staple." If the extension is present in a TLS server's certificate and it includes status_request, then the server MUST include a stapled OCSP response if the client requests one. (The same applies for the status_request_v2 extension.)

This PR adds a check to `certificate_info()` of whether the server supports must staple (i.e., whether its certificate includes a TLS Features extension with "status_request"). It also changes the output for "OCSP stapling" in the case that the server did not staple an OCSP response. It indicates that:
* it is a critical issue if the certificate specifies "must staple"
* it is a low severity issue if the certificate does not specify "must staple," but the certificate does include an OCSP URI.
* it is not an issue at all if the certificate does not specify "must staple" and certificate does not include an OCSP URI.
2017-02-17 15:20:37 -05:00
David Cooper a26425af71 Printing Negotiated cipher
`run_server_preference()` prints out the server's Negotiated cipher in a different color depending on the quality of the cipher. However, there is a "FIXME" since CBC ciphers are supposed to be flagged, but it is not easy to identity all CBC ciphers from their OpenSSL names.

This PR partially addresses this. It creates a separate function for printing a cipher based on its quality. Whenever possible it determines the quality of the cipher based on the RFC name. However, if it is provided an OpenSSL name and no cipher-mapping.txt file is available, it will follow the current (imperfect) logic for determining the cipher's quality.

The function also returns a value that indicates the quality of the cipher provided, with higher numbers indicating better ciphers. This return value is used by `run_server_preference()` to determine how to populate the "severity" field when calling `fileout()`.
2017-02-17 11:20:11 -05:00
David Cooper 677a06d3aa Merge branch '2.9dev' into generate_html 2017-02-16 13:19:58 -05:00
David Cooper c8f3dd0db0 Merge branch '2.9dev' into negotiated_cipher 2017-02-16 13:19:07 -05:00
Dirk d2cbbaf0b1 - FIX #636
- polish
2017-02-16 19:10:59 +01:00
David Cooper 2eeeff6618 Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-15 15:43:21 -05:00
David Cooper d1ab98c5e2 Merge branch '2.9dev' into negotiated_cipher 2017-02-15 15:41:37 -05:00
Dirk Wetter a973386c0a Merge pull request #635 from dcooper16/run_protocols_bugfix
run_protocols() bug fix
2017-02-15 19:44:53 +01:00
Dirk c204a0b942 --proxy=auto takes now the value from https_proxy
- made DNS lookups safe (CNAME) and awk'd them almost completely ;-)
- invocation of just testssl.sh shows help again
2017-02-15 19:40:06 +01:00
David Cooper 2456c80821 Fix early newline
In the case that `tls_sockets()` is being used and the server incorrectly fails the connection rather than downgrading, testssl.sh is printing "not offered" on one line and then the error message on the next line, but all the text should appear on one line (as it does when testing TLS 1 and TLS 1.1).
2017-02-15 11:47:11 -05:00
David Cooper efdb8c036d Merge branch '2.9dev' into run_protocols_bugfix 2017-02-15 08:45:01 -05:00
David Cooper 1cfd638345 Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-15 08:44:09 -05:00
David Cooper 58f389b7cd Merge branch '2.9dev' into negotiated_cipher 2017-02-15 08:42:41 -05:00
Dirk Wetter 502601c95e Merge pull request #633 from k0ste/2.9dev_newfeature
DNS CAA: drill query support.
2017-02-15 14:01:36 +01:00
Konstantin Shalygin cdc5e89b64
DNS CAA: drill query support. 2017-02-15 19:50:08 +07:00
David Cooper 004cbad07b run_protocols() bug fix
Since the test for TLS 1.2 in `run_protocols()` now uses `tls_sockets()` whenever `$ssl_native` is `true` (i.e., there is no longer a requirement for `$EXPERIMENTAL` to be true as well), the `$EXPERIMENTAL` flag should no longer be checked if the return value is 1.
2017-02-14 16:43:46 -05:00
David Cooper e4aef3fdad Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-14 16:27:46 -05:00
David Cooper 2e76dff0ea Merge branch '2.9dev' into negotiated_cipher 2017-02-14 16:25:27 -05:00
Dirk 4b193119b3 - made CCS I more robust, FIX #313
- removed cats ;-) FIX #352
2017-02-14 21:56:31 +01:00
Dirk 422171a0fa - fixed bug where terminal width was not inherited in file batch mode so that terminal wdith appeared to be 80 chars
- hint when URI is missing
- PFS_CIPHERs rather locally
2017-02-14 20:40:38 +01:00
David Cooper 7cbd4ade01 Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-14 14:10:22 -05:00
David Cooper 8c165fd3da Merge branch '2.9dev' into negotiated_cipher 2017-02-14 14:06:18 -05:00
Dirk a22e4e5228 - fix heartbleed detection which sometimes case false psoitives over slow connections like sattelite links, partially addressing #352
- start revamping run)ccs_injection
- fix missing space in BEAST after protocol
2017-02-14 19:45:14 +01:00
David Cooper 48088bbceb Cleanup
Rearrange code so that in the case of just a single test, `parse_hn_port()` is not called earlier than it was previously unless it needs to be called in order to create the HTML file name.

Doing this ensures that the banner is displayed even if the `$URI` cannot be parsed (except in the case that the `$URI` needs to be parsed in order to create a file name) and that any error messages created by `parse_hn_port()` will be included in the HTML, if possible.
2017-02-14 13:44:03 -05:00
David Cooper 308b24cbe9 Let testssl.sh create HTML file name
Add option for testssl.sh to create the HTML file name. If testssl.sh creates the file name, then, in the case of mass testing, a separate HTML file is created for each test (i.e., for each line in the file provided to `--file`).
2017-02-14 13:19:12 -05:00
David Cooper e2161aef5e Rearrange code
Just a slight rearrangement of the code in order to remove some redundancy.
2017-02-14 10:04:42 -05:00
David Cooper 76c34dd148 Negotiated cipher per proto bugfix
I have a test server that I configured to support only SSLv3 and TLSv1.2. When I set `SSLHonorCipherOrder` to `off` I get the following results:
```
     ECDHE-RSA-AES256-SHA:          SSLv3     ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
```
The current code, when printing TLSv1.2 checks whether `${cipher[4]}` is empty, and since it is assume no previous protocol (SSLv2, SSLv3, TLSv1, TLSv1.1) was supported and so doesn't output a newline before outputting the cipher and protocol for TLSv1.2.

This PR fixes that by changing to code to look at the previous non-empty cipher (if there is one), even if that does not come from the previous protocol.
2017-02-14 09:53:38 -05:00
David Cooper 61b5539ca6 Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-14 08:50:56 -05:00
Dirk Wetter 67fb3feff8 Merge pull request #630 from dcooper16/show_rfc_
Option to show RFC cipher names
2017-02-14 09:28:15 +01:00
David Cooper 1dc132c6a4 Option to show RFC cipher names
When a list of cipher suites is being displayed using `neat_list()`, testssl.sh shows the cipher suite's OpenSSL name and (in most cases) the RFC name as well. However, in all other cases only the OpenSSL name is shown.

This PR adds the option to have cipher suite's RFC names shown instead of the OpenSSL name, by including `--mapping rfc` in the command line. [Note: if the cipher-mapping.txt file cannot be found, then the `--mapping rfc` option is ignored and the OpenSSL names are shown.]

This PR seems to be related to issue #9, but #9 may be been referring to the output created by `neat_list()`.
2017-02-13 16:07:25 -05:00
David Cooper e953c737d1 Merge branch '2.9dev' into generate_html
Conflicts:
	testssl.sh
2017-02-13 09:14:22 -05:00
Dirk Wetter 971c8e8b63 Update Readme.md 2017-02-13 09:33:50 +01:00
Dirk Wetter c252d5ab28 Update Readme.md 2017-02-13 09:33:03 +01:00
Dirk 7d6f1eb46f polishing #628, mostly make sure we automatically align to terminal width 2017-02-13 09:06:10 +01:00
Dirk Wetter 21cd97b08a Merge pull request #628 from dcooper16/format_long_lines
Wrap long lines
2017-02-13 08:52:07 +01:00
Dirk d2f688e925 CAA RR belongs also in JSON, see #588 2017-02-11 14:16:18 +01:00
Dirk 8dabc28280 also made sure that all old dns binaries work (SLES 11, FreeBSD 9) 2017-02-11 14:01:51 +01:00
David Cooper 376fb95d04 Follow $COLOR value in HTML output
Use the value of `$COLOR` to affect the HTML output in addition to the output to the terminal.
2017-02-10 17:08:49 -05:00
David Cooper fea2558b20 Show gray for COLOR=1
Gray should appear for COLOR=1 or COLOR=2.

Since `pr_grey()` is basically the same as `out()` for COLOR=0, `mybanner()` should just call `pr_grey()` without checking the value of `$COLOR`.
2017-02-10 16:30:14 -05:00
David Cooper f633ce67d6 Color change
Change `emphasize_stuff_in_headers()` to use olive and bold olive rather than brown and yellow. This matches what `aha` creates and appears similar to what is displayed in the terminal on a Mac. Also, yellow text is very difficult to read.
2017-02-10 15:05:43 -05:00
David Cooper 2652362ce0 Final fixes
Found more places where output should only go to terminal, or where it was only going to the terminal (e.g., printf) but should also be in the HTML. Also added the ability to include active URLs in the HTML output.

To Do: Handle automatic generation of HTML file name and support for parallel testing.
2017-02-10 14:47:49 -05:00
David Cooper 2b5324b8ef Fix emphasize_stuff_in_headers()
Changed `emphasize_stuff_in_headers()` so that the appropriate coloring would appear both in the terminal and in the HTML. It's slow, but it works.
2017-02-10 10:59:20 -05:00
David Cooper a50488c44f Handle --file option
Introduced "trick" so that if the `--file` option is used, `html_header()` will only be called once before anything is printed and `html_footer()` will only be called once after all printing is complete. With this, `html_header()` now delete the output file if it exists.

Also introduced the `html_reserved()`, which is called for all text to be sent to `out_html()`. `html_reserved()` converts any HTML reserved characters (", ', &, <, >) to their corresponding entity names (&quot;, &apos;, &amp;, &lt;, &gt;).
2017-02-09 17:03:21 -05:00
David Cooper 45379ce1f9 Fix subjectAltName indendation
The PR didn't account for the indentation of the subjectAltName differing depending on whether the server has one or more than one certificate.
2017-02-09 13:29:22 -05:00
David Cooper c92131c072 Don't collect number of bits in run_pfs()
The `bits` array is no longer needed in `run_pfs()` since the information collected is not being used.
2017-02-09 11:45:29 -05:00