by introducing framework for tests to be skipped, see also #1502.
As a first example for the development branch should serve
--disable-rating / --no-rating. The latter is for now undocumented.
Also the big case statement in parse_cmd_line() may use a general
--disable-* or --no-* clause where all --disable-* / --no-* are
being parsed/
A new function set_skip_tests() is being introduced which
sets do_<variables> according to the new array SKIP_TESTS .
Any new test do be skipped needs to be added to that array.
The changes in the --devel part come from the tries to fix
the syntax highlight in vim -- which in the end difn't work
STARTTLS tests should always give a bad rating because of the missing
trust 1) . That's why we don't provide more details as "T". Maybe we
decide later to provide an environment variable which still
shows this warning but divulges more details. TBC.
Documentation is missing for STARTTLS + grades.
1) There might be cases also for STARTTLS where encryption is enforced
and e.g. the certificate fingerprint is validated. As this is highly
protcol specific we won't test that.
* instead of DISABLE_GRADING we use do_grading as for run_* functions we currently don't
support global variables
* Add AEAD cipher set_grade_cap (needs to be tested though)
* remove redundant quotes
* be to be safe add double quotes at other places
* Fix typos
* Polishing output
Tasks (not complete):
* Review whether it is rated as intended
* Do we want to mofify SSL Lab's rating? (SSLv3 e.g., T for SHA1 certificate?)
* Does JSON output work?
* TLS 1.3 only server are not rated properly --> wait for SSLlabs?
* SWEET32: rating refers to TLS 1.1 atm. SSLlabs docu doesn't give a hint
(is their docu incomplete?)
* Rating for STARTTLS at all?
In all instances:
* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
This commit is an attempt to fix#1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
This commit fixes#1551 by changing get_cipher() to recognize RFC names that begin with SSL_*. It also modifies run_beast() so that it does not get stuck in an infinite loop if get_cipher() doesn't return a valid cipher name.
This commit modifies run_cipherlists() to align with pr_cipher_quality().
The biggest change made by this commit is that it breaks the current list of STRONG ciphers into two lists: one for AEAD ciphers that offer forward secrecy (STRONG) and one for AEAD ciphers that do not offer forward secrecy (GOOD).
The remaining changes are just minor tweaks:
* A few ciphers that use MD5 are moved from AVERAGE and 3DES to LOW.
* '!AECDH' was added to the OpenSSL description for LOW to catch one cipher in OpenSSL 1.0.2-chacha that offers no authentication that was being included in the LOW list.
This commit also changes sub_cipherlists() to change the output when a cipherlist with a rating of 6 is not present. There was a "FIXME" associated with this output, but it didn't matter before since there were no cipherlists with a rating of 6.
This PR modifes pr_cipher_quality() as proposed in #1548 so that GOST ciphers are handled correctly. It changes pr_cipher_quality() so that the OpenSSL name is used in cases in which no RFC name is defined. It also adds a case statement for GOST so that GOST ciphers (that do not use MD5 or Null encryption) are marked as pr_svrty_low (as they are in run_cipherlists) rather than just being assigned the default rating (5).
This commit fixes the way pr_cipher_quality handles the OpenSSL names of some ARIA ciphers that either provide no authentication or that use CBC padding.
This commit makes several changes to the way that ciphers are rated by pr_cipher_quality:
* It upgrades SEED ciphers to considered as strong as the corresponding AES ciphers.
* It downgrades ciphers that use AEAD, but that use a non-FS key exchange (TLS_DH_*, TLS_ECDH*, TLS_PSK_WITH_*) from best to good, thus giving them the same rating as AEAD ciphers that use static RSA (TLS_RSA_*).
* It downgrades some CBC ciphers to low (4) that are currently rated as neither good nor bad (5).
* It modifies the ratings created using OpenSSL names to provide the same ratings as those created using RFC names.
The permitted values for $DISPLAY_CIPHERNAMES are "rfc-only", "openssl-only", "openssl", and "rfc". However, get_install_dir() incorrectly sets $DISPLAY_CIPHERNAMES to "no-rfc" if it cannot find the $CIPHERS_BY_STRENGTH_FILE. ("no-rfc" is the string users would specify at the command line for the --mapping option, but not the value that $DISPLAY_CIPHERNAMES is set to internally).
As noted in #1481, testssl.sh has a problem with printing percent ('%') characters.
At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by 8a2fe5915a. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated.
This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI.
.. as it may not be available everywhere, see #1521 (NixOS).
This commit replaces all instances from pwd or /bin/pwd by $PWD.
It is a bash internal and the fastest. Also it added some quotes
to PWD a it may contain white spaces in the future (currently
there's a check for it that it won't)
.. as it may not be everywhere available, see #1521 (NixOS).
This commit replaces all instances from pwd or /bin/pwd by `pwd -P`
(-P -> no symbolic link)
This PR fixes two issues related to the generation of HTML files.
First, text that is to appear in the HTML file is first passed through html_reserved() to replace reserved characters with their corresponding entity names (e.g., '>' becomes '>'). html_reserved() seems to work correctly on Ubuntu Linux, but it does not work as expected on MacOS. On MacOS, rather than converting '>' to '>', it gets converted to '\>', and the backslash is rendered by browsers.
This PR appears to fix the problem. However, given that the original version of html_reserved() was not portable, this revised version should be tested on multiple platforms.
I also noticed that in almost every case in which a string is passed to html_out(), it is first run through html_reserved(), but for some reason that is not the case in out() and outln(). I can't see any reason why html_reserved() is not called first in these two cases, so this PR adds in the calls.
This commit fixes two minor issues related to HSTS_MIN:
* If there is a misconfiguration the recommended max-age should be based on $HSTS_MIN rather than being hardcoded to 15552000 seconds = 180 days.
* If max-age is exactly $HSTS_MIN, testssl.sh shouldn't say that max-age is too short while also say that >= $HSTS_MIN seconds is recommended.
This commit addresses two bugs: #1506 and #1508.
First, the variable rDNS can contain multiple lines due to multiple PTR DNS
records, though this is not recommended. In those cases the multiple PTR DNS
were concatenated on the screen, without any blank.
Secondly - depending on the name server entries and on the output of the DNS
binaries used it can contain non-printable characters or characters which are
printable but later on interpreted on the output device (\032 was mentioned
in #1506) which on the screen was interpreted as octal 32 (decimal 26 = ▒,
try echo "\032"), so basically a terminal escape sequence was smuggled
from the DNS server to the screen of the users. In JSON pretty output we
had also this escape sequence which was fine for jsonlint but caused jq
to hiccup.
Fix: we use a loop to check for each FQDN returned. There we remove chars which
under those circumstances can show up. The blacklist is taken from RFC 1912
("Allowable characters in a label for a host name are only ASCII, letters, digits,
and the `-' character").
Since, in cases in which the server enforces a cipher order, both run_cipher_per_proto() and run_server_preference() list every cipher supported by the server for each protocol, there was a discussion at one point about eliminating run_cipher_per_proto() and extending run_server_preference().
This PR takes a step in that direction by providing the option to present the "Cipher order" in wide mode.
This PR fixes one Shellcheck issue:
In testssl_3.1dev_20200208.sh line 2395:
HEADERVALUE="$(fgrep -Fai "$key:" $HEADERFILE | head -1)"
^-- SC2197: fgrep is non-standard and deprecated. Use grep -F instead.
The man page for grep states that fgrep is the same a grep -F and that grep is deprecated. So, fgrep -F is just redundant.
