Commit Graph

4190 Commits

Author SHA1 Message Date
Dirk Wetter 5627211add Merge pull request #556 from dcooper16/run_pfs_sockets
run_pfs() speedup + sockets
2016-12-29 22:18:28 +01:00
Dirk c3b300c5fb - cleanup ignore_no_or_lame()
- reorder get_install_dir in main() so that warnings are not displayed before --help
- tweak missing ~/etc msg
2016-12-29 22:02:07 +01:00
David Cooper 3884f30821 Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-29 11:58:38 -05:00
David Cooper 912db2fc95 Merge branch '2.9dev' into run_freak_sockets 2016-12-29 11:57:43 -05:00
David Cooper f0f3918b0f Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-29 11:56:43 -05:00
David Cooper 9513ed4d99 Merge branch '2.9dev' into test_just_one_sockets 2016-12-29 11:55:52 -05:00
David Cooper de61f0cbf3 Merge branch '2.9dev' into run_beast_sockets 2016-12-29 11:55:01 -05:00
David Cooper 2350eaa9f5 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-29 11:54:00 -05:00
David Cooper e18b5a4709 Merge branch '2.9dev' into run_pfs_sockets 2016-12-29 11:52:29 -05:00
David Cooper 802af274d9 Merge branch '2.9dev' into cipher_order_sockets 2016-12-29 11:51:15 -05:00
Dirk Wetter b8e1ede08c Merge pull request #572 from dcooper16/run_logjam_sockets
Use sockets for run_logjam()
2016-12-29 15:38:54 +01:00
Dirk c3671928ae fix for 83d2a63 2016-12-29 00:09:44 +01:00
Dirk 83d2a63e0f - Stronger warning if ~/etc is missing, also requires more explicit consent to continue
- fix lfs for -e -E if openssl has not DH/ECDH
- further minor output corrections
2016-12-28 23:47:35 +01:00
David Cooper 88f4c77078 Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-28 11:27:22 -05:00
David Cooper 324a78a47d Merge branch '2.9dev' into run_logjam_sockets 2016-12-28 11:26:20 -05:00
David Cooper 6ed620d740 Merge branch '2.9dev' into run_freak_sockets 2016-12-28 11:25:26 -05:00
David Cooper 322703d39f Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-28 11:24:44 -05:00
David Cooper 44c766b993 Merge branch '2.9dev' into test_just_one_sockets 2016-12-28 11:23:54 -05:00
David Cooper 88658f8b89 Merge branch '2.9dev' into run_beast_sockets 2016-12-28 11:23:05 -05:00
David Cooper 1b70bc5994 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-28 11:22:18 -05:00
David Cooper da217f2136 Merge branch '2.9dev' into run_pfs_sockets 2016-12-28 11:21:30 -05:00
David Cooper ccebf47f56 Merge branch '2.9dev' into cipher_order_sockets 2016-12-28 11:19:32 -05:00
Dirk Wetter 5e43739224 Merge pull request #575 from dcooper16/fix_run_protocols
Minor bug fixes in run_protocols()
2016-12-27 23:08:38 +01:00
David Cooper fd2e52c396 Minor bug fixes in run_protocols()
In a few places `run_protocols()` specifies the wrong TLS version as the "ID" when calling `fileout()`.
2016-12-27 14:14:20 -05:00
David Cooper fddc8a012e Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-23 14:32:08 -05:00
David Cooper b88cc4af71 Merge branch '2.9dev' into run_logjam_sockets 2016-12-23 14:31:13 -05:00
David Cooper 2bdc63e47d Merge branch '2.9dev' into run_freak_sockets 2016-12-23 14:28:18 -05:00
David Cooper 6084968b7a Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-23 14:27:18 -05:00
David Cooper 3050a4c1fc Merge branch '2.9dev' into test_just_one_sockets 2016-12-23 14:25:23 -05:00
David Cooper ba2f07bc0b Merge branch '2.9dev' into run_beast_sockets 2016-12-23 14:24:14 -05:00
David Cooper 64bd786daf Merge branch '2.9dev' into run_server_preference_sockets 2016-12-23 14:22:47 -05:00
David Cooper 48f33fff5a Merge branch '2.9dev' into run_pfs_sockets 2016-12-23 14:21:23 -05:00
David Cooper fba1793c5a Merge branch '2.9dev' into cipher_order_sockets 2016-12-23 14:20:16 -05:00
Dirk Wetter 725488449c Merge pull request #574 from dcooper16/run_http2_sockets
Use sockets for run_http2()
2016-12-23 18:31:03 +01:00
David Cooper dc98371ed0 Use sockets for run_http2()
This PR changes `run_http2()` so that it uses `tls_sockets()` rather than failing, if `$OPENSSL` does not support the `-alpn` option. If `$OPENSSL` supports the `-alpn` option (or if `$SSL_NATIVE` is true), then this PR has no effect.
2016-12-23 11:02:31 -05:00
David Cooper 90812a2732 Use sockets for run_std_cipherlists()
This PR change `run_std_cipherlists()` to use sockets. As noted in isse #554, I have some questions about the definitions of the cipher lists, but I wrote the code so that the ciphers that are tested when using sockets are the same as those that are tested when using OpenSSL. For a few of the cipherlists, the sockets version tests a few additional ciphers; but these are ciphers that are not supported by OpenSSL, and whose definitions are consistent with the ciphers that OpenSSL includes.

As written, `std_cipherlists` will use sockets for testing by default, except in two cases:
* If the `$SSL_NATIVE` is true, then only OpenSSL is used, and if OpenSSL doesn't support any ciphers in the cipherlist, then the test is skipped.
* If `$FAST` is true (but `$SSL_NATIVE` is false), then OpenSSL is used whenever it supports at least one cipher from the cipherlist, and `tls_sockets()` (or `sslv2_sockets()`) is only used when OpenSSL doesn't support any ciphers from the cipherlist.
2016-12-22 15:46:01 -05:00
David Cooper 0d75bae195 Use sockets for run_logjam()
This PR changes `run_logjam()` to use sockets.
2016-12-21 14:55:01 -05:00
David Cooper 815e21e9b5 Use sockets for run_freak()
This PR changes `run_freak()` to use sockets.

I added two ciphers to `$exportrsa_cipher_list`: EXP1024-RC4-MD5 (0x00,0x60) and EXP1024-RC2-CBC-MD5 (0x00,0x61). So, the list is now as follows:
```
      0x00,0x62 - EXP1024-DES-CBC-SHA            TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA                SSLv3      Kx=RSA(1024)   Au=RSA     Enc=DES(56)                    Mac=SHA1     export    
      0x00,0x61 - EXP1024-RC2-CBC-MD5            TLS_RSA_EXPORT1024_WITH_RC2_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC2(56)                    Mac=MD5      export    
      0x00,0x64 - EXP1024-RC4-SHA                TLS_RSA_EXPORT1024_WITH_RC4_56_SHA                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=SHA1     export    
      0x00,0x60 - EXP1024-RC4-MD5                TLS_RSA_EXPORT1024_WITH_RC4_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=MD5      export    
      0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA              SSLv3      Kx=DH(512)     Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x08 - EXP-DES-CBC-SHA                TLS_RSA_EXPORT_WITH_DES40_CBC_SHA                  SSLv3      Kx=RSA(512)    Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x06 - EXP-RC2-CBC-MD5                TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5                 SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
 0x04,0x00,0x80 - EXP-RC2-CBC-MD5                SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5               SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
      0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA         TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA               SSLv3      Kx=DH/RSA      Au=DH      Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x03 - EXP-RC4-MD5                    TLS_RSA_EXPORT_WITH_RC4_40_MD5                     SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export    
 0x02,0x00,0x80 - EXP-RC4-MD5                    SSL_CK_RC4_128_EXPORT40_WITH_MD5                   SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export
```
2016-12-21 13:16:10 -05:00
David Cooper f450bc66cd Use sockets for run_ssl_poodle()
This PR changes `run_ssl_poodle()` to use sockets. This PR is particularly useful when $OPENSSL is OpenSSL 1.1.0, since OpenSS 1.1.0 does not support SSLv3 by default. But, it is also useful if $OPENSSL supports some, but not all, of the CBC ciphers.

As with `run_beast()`, there is a small change to `$cbc_cipher_list`. The following two ciphers were added:
```
          0x00,0x0B - EXP-DH-DSS-DES-CBC-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(40)   Mac=SHA1 export
          0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(40)   Mac=SHA1 export
```
The ciphers that were removed are all SSLv2 ciphers:
```
     0x07,0x00,0xC0 - DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
     0x06,0x00,0x40 - DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
     0x04,0x00,0x80 - EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
     0x05,0x00,0x80 - IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5 
     0x03,0x00,0x80 - RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
```
(EXP-RC2-CBC-MD5 is both an SSLv2 and an SSLv3 cipher. Previously it was listed twice in `$cbc_cipher_list`, now it appears once.)
2016-12-21 10:36:09 -05:00
David Cooper b04bb8d82a Merge branch '2.9dev' into test_just_one_sockets 2016-12-21 09:07:13 -05:00
David Cooper 09aad7489d Merge branch '2.9dev' into run_beast_sockets 2016-12-21 09:06:21 -05:00
David Cooper a387566fb7 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-21 09:05:17 -05:00
David Cooper eaf5671b17 Merge branch '2.9dev' into run_pfs_sockets
Conflicts:
	testssl.sh
2016-12-21 09:04:11 -05:00
David Cooper 9d44bb6abd Merge branch '2.9dev' into cipher_order_sockets 2016-12-21 09:01:47 -05:00
Dirk Wetter 7a4c6294ac Merge pull request #567 from dcooper16/run_rc4_e
Mark export ciphers in run_rc4()
2016-12-21 12:56:26 +01:00
Dirk Wetter 298ed4e67e Merge pull request #569 from dcooper16/fix_hang
testssl.sh hangs on local testing
2016-12-21 12:54:27 +01:00
David Cooper 378f4439a3 testssl.sh hangs on local testing
In a few places testssl.sh tries to determine $OPENSSL s_client's capabilities by calling `$OPENSSL s_client` without specifying a host to which to connect. For example:
```
$OPENSSL s_client -no_ssl2 2>&1
```
This idea is that `$OPENSSL s_client` should reveal something about its capabilities without actually trying to connect to a host.

This works in most cases. However, the manual pages for s_client states:
```
-connect host:port
    This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433.
```
So, the above call is actually trying to connect to the local host on port 4433. If the local host is running `$OPENSSL s_server`, then `$OPENSSL s_server` will by default be listening on port 4433, and the connection attempt will most likely succeed. Since the `OPENSSL s_client` command does not include a `< /dev/null`, the `OPENSSL s_client` will just hang waiting for additional input.

Adding `-connect x` to the `$OPENSSL s_client` prevents $OPENSSL from trying to connect to a host, but seems to still provide the necessary information about OpenSSL's capabilities.
2016-12-20 14:02:29 -05:00
David Cooper 4af01a6c1b test_just_one() sockets
This PR implements `test_just_one()` in a similar manner to `run_allciphers()`
2016-12-20 13:14:40 -05:00
David Cooper 1a7d1f73d2 Mark export ciphers in run_rc4()
This PR adds ",exp" to the bits column when `run_rc4()` is run in the "--wide" mode and the cipher is an export cipher. This makes the wide mode of `run_rc4()` align with other functions, such as `run_allciphers()`.
2016-12-20 13:11:03 -05:00
David Cooper cfaeb51395 Show "exp" bits column for export ciphers 2016-12-20 12:59:26 -05:00