This fixes a problem which was introduced @ 8d8f83ace5.
It caused for some hosts not to parse / display the issuer CN correctly.
Also it adds some code in testssl.sh and in a unit test to detect
this earlier. In general an output string FIXME will now cause a
unit test to fail. This can + should be used at other places too!
Fixes#2789
As suggested in #2780 this PR redirects all stderr on a perl level
to stdout so that we should see all errors which we miss because
we can't redirect (>/dev/null in check) or we haven't redirected yet.
Also old checks are imporved, so that $prg is used as in newer
checks.
Not sure why this has been triggered though.
# Failed test 'Check whether CSV output matches baseline file from testssl.sh'
# at t/61_diff_testsslsh.t line 57.
#
# %s
# @@ -1,5 +1,4 @@
# "id","fqdn/ip","port","severity","finding","cve","cwe"
# -"engine_problem","/","443","WARN","No engine or GOST support via engine with your ./bin/openssl.Linux.x86_64","",""
# "service","testssl.sh/81.169.166.184","443","INFO","HTTP","",""
# "pre_128cipher","testssl.sh/81.169.166.184","443","INFO","No 128 cipher limit bug","",""
# "SSLv2","testssl.sh/81.169.166.184","443","OK","not offered","",""
# Looks like you failed 1 test of 1.
t/61_diff_testsslsh.t ..............
* use system with @args so that we can query the return value
* code style improved for readability
* diff shows the filtered difference
* ok instead of cmp_ok to show not the whole content of vars
This adds a unit test to compare a run against google with the supplied openssl
version vs /usr/bin/openssl .
This would fix#2626.
It looks like there are still points to clarify
* NPN output is different (bug)
* Newer openssl version claims it's ECDH 253 instead of ECDH 256.
* Newer openssl version claims for 130x cipher it's ECDH 253, via sockets it´s ECDH/MLKEM. This seems a bug (@dcooper)
A todo is also restricing the unit test to the one where openssl is being used. E.g. the ROBOT check and more aren't done with openssl. So there's no value checking this here.
.. to scan.
It worked in a few examples locally. Other hosts I tried so far weren't
available anymore (like scanme.nmap.org). In order to reduce the burden
we scan now only during PRs.
This commit modifies run_fs() to show the signature algorithms the server supports in the ServerKeyExchange message for TLS 1.2 and in the CertificateVerify message for TLS 1.3.
Signature algorithms are not shown for TLS 1.1 and earlier, since for those protocol versions the signature algorithm to use is specified by the protocol. While the signature algorithm used in TLS 1.1 and earlier is weak, testssl.sh already warns if these protocol versions are supported.
