For not vulnerable hosts the low level starttls_* functions
returned an error when the STARTTLS injection was tested which
confused Travis/CI ( "Oops: STARTTLS handshake failed (code: 2)" )
* Ensured the random char generation worked under every OS supported
* Got POP3 and IMAP working
* always define SERVICE so that we can us it also for SMTP starttls injection
* fixed error in starttls_smtp_dialog where arg1 was taken as payload instead of arg2
* squashed error msg when killed socat or openssl process to avoid mess on screen
when processes already terminated
(* removed some redundant quotes at RHS if [[]] expressions)
todo:
* more tests for positives
* are tests for negatives sufficent? ("prove" is happy except one issue which
is probably not related but still need to understand)
For the record: t/25_baseline_starttls.t line 50 and 67:
"Oops: STARTTLS handshake failed (code: 2)"
This commit fixes#1699 by setting FIRST_FINDING to true in fileout_banner() if $do_json_pretty is true.
When $do_json_pretty is true, fileout_banner() calls fileout_pretty_json_banner(), which starts a new sectio in the JSON file. Setting FIRST_FINDING to true ensures that a comma is not placed before the first entry in this new section. This is the same as is done in other places when a new section is stated: fileout_section_header() and fileout_insert_warning().
* todo: parse the return strings for detection
* test ;-)
* check whether the random char thing works under every OS supported
* definition of five_random var
run_starttls_injection():
* kill background openssl process when not needed anymore
* kill background socat process when not needed anymore
* close socket
add line in help() for STARTTLS injection
Furthermore:
* for close_socket() calls always add the fd (atm not needed)
* in help() rather advertise --BB instead of -BB
It's more a PoC style and needs some work
* use $OPENSSL or $OPENSSL2
* remove exit 0
* put run_starttls_injection below run_rc4
* test with more vulnerable servers
debugme1() was defined
This is a small cleanup of find_openssl_binary(). It tries also
to find a newer openssl version which we could need for any
new features. As stated in the comment at some point we should
decide whether we stick with our old version or rather supply
a new one. (xmpp-server is also not builtin for our 1.0.2) or
maybe find a good way (code) how to use both.
Also it looks for socat and if found it populates the according
global var.
It does a minor resort of global vars in the beginning.
This PR fixes#1671.
Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.
The documentation was also updated to reflect that.
(Some grammar and other errors which I stumbled over were corrected too)
This fixes#1648.
Java store doesn't seem to be as complete. No downgrading of trust rating
to T but we still need to raise a red flag for some Java clients
This PR will replace #1566. It addresses that if the server side doesn't show STARTTLS
testssl.sh should exit and label it accordingly (see #1536).
For this to achieve starttls_just_send() was were changed so that a return value from of 3
signals the STARTTLS pattern wasn't found is passed back to the parent fd_socket() whcih
will then act accordingly.
Also:
* starttls_full_read() + starttls_just_send() were improved for readability and debugging.
* The caller of starttls_full_read() + starttls_just_send() had redundant indentations which were moved to the callee
* minor bugs were squashed (e.g. ``fd_socket()``'s return values =!0 always were referring to STARTTLS also when no STARTTLS was requested)
This was tested (negative + test and positive) for FTP and SMTP which worked as expected. For POP, IMAP and NNTP it should work
accordingly but I had trouble finding a server whcih DID NOT support STARTTLS.
All other protocols basically should also cause testssl.sh to bail out but haven't been tested either. However
here starttls_io() won't return 3. It returns 1 in a case of problems. It uses NR_STARTTLS_FAIL. If it's encountered 2+
times that STARTTLS fails it early exists using fatal(). So we maybe want to consider changing starttls_io() in the future
to also use return 3 in the case STARTTLS is not offered.
This commit modifies a few functions to use fewer external function calls. In most cases this involves replacing external function calls with Bash internal functions, but in one case it involves replacing multiple external function calls with one call to awk.
This commit makes a few changes to the way that some functions work.
is_ipv4addr() and is_ipv6addr() will now strictly only accept a string that is an IPv4 (or IPv6) address and nothing else.
A couple of changes were also made to match_ipv4_httpheader(). First, lines that match $excluded_header (formerly $whitelisted_header) are not processed in the while loop. This prevents the excluded header from being output in the case that $HEADERFILE includes a non-excluded header with an IPv4 address and an excluded header with a string that looks like an IPv4 address.
The list of excluded headers was also modified to exclude any line that begins "Server: " rather than just lines that begin "Server: PRTG". According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server, the "Server" header describes the software used by the server, so it seems reasonable to expect that this header line will never contain an IPv4 address. Also, looking at some old test results I found cases in which Oracle software version numbers in the Server header were mistakenly matched as IPv4 addresses.
The commit updates the test for the "Visibility Information" certificate extension used in the ETSI Enterprise Transport Security protocol.
The main change is to support OpenSSL 3.0.0, which prints more information about subject alternative names that are encoded as otherName. For otherName types for the OpenSSL has no information, it prints "otherName: <OID>::<unsupported>" rather than just "otherName: <unsupported>". So, testssl.sh needs to account for the possibility that the OID for the visibility information certificate extension will be printed.
This commit also updates the reference for this extension and changes the name of the function from etsi_etls_visibility_info() to etls_ets_visibility_info() since the name of the protocol was changed from Enterprise TLS (eTLS) to Enterprise Transport Security (ETS).
This commit does not change the output to the terminal or to JSON/CSV, even though those outputs use the previous name of eTLS rather than ETS.
The ALPN GREASE test was written based on draft-ietf-tls-grease-01, which reserved all ALPN identifiers beginning with the prefix "ignore/". This commit changes the test to align with RFC 8701, which instead reserves {0x0A,0x0A}, {0x1A,0x1A}, ..., {0xFA,0xFA}.
Improved:
* readability of my old code
* readability of debugging statements
* honor $SNEAKY for SMTP greeting
* hook (arg2 to starttls_smtp_dialog() ), if we plan to add / replace SMTP greeting at some point
This is a legacy warning and seems only needed in a very few cases
whereas in other few cases we don't issue such warnings. So to be
consistent it's right to remove this message as it confuses users
unnecessarily,
It'll appear in debug mode though.
See https://github.com/drwetter/testssl.sh/issues/1119#issuecomment-656271849
As there as suggestions to check intermediate certificates for things such as expiration date, this commit saves the text versions of each of the intermediate certificates so that they are available to extract additional information.
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.
This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
* open: generation of intermediate certificate files. We do that
at several places. But for some reasons I do not understand currently
we remove those files.
* we don't name the offending certificate
run_cipherlists() checks for support for different groups of ciphers, but does not indicate which ciphers in each group are supported. So, for example, if the JSON file indicates that there is a problem with severity level "HIGH" because the "LOW" ciphers are available, there is no clear indication of which of these ciphers are supported by the server.
If run_server_preference() is run with "--color 3", then there will be a visual indication (via color) of the ciphers the server supports that are considered bad, but this information does not appear in the JSON (or CSV) output. The JSON (or CSV) output will include information about every cipher that is supported, but the severity level is always "INFO".
This commit addresses this problem by changing the fileout() calls in ciphers_by_strength() and cipher_pref_check() that output each supported cipher individually so that the "severity" argument is an indication of the quality of the cipher. With this, information about which bad ciphers are supported can easily be found in the JSON/CSV output.
When testssl.sh is called with an unknown option it prints something like:
0: unrecognized option "--option"
It should be printing the name of the program rather than "0". This commit fixes that.
This commit separates pr_cipher_quality() into two functions, one that returns the quality of a cipher as a numeric rating (get_cipher_quality()) and one that prints a cipher based on its quality (pr_cipher_quality()). This separation allows get_cipher_quality() to be used to determine how good a cipher is without having to print anything. Having this ability would be helpful in implementing the changes suggested in #1311.
Moved the sentence ~i "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.
See also #1657
