This commit addresses two compatibility issues with LibreSSL 3.1.0, which has added client support for TLS 1.3.
The first issue is that LibreSSL has named the TLS 1.3 ciphers that it supports AEAD-AES256-GCM-SHA384, AEAD-CHACHA20-POLY1305-SHA256, and AEAD-AES128-GCM-SHA256, rather than using the OpenSSL names, which are TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, and TLS_AES_128_GCM_SHA256. (Draft versions of OpenSSL 1.1.1 names these ciphers TLS13-AES-256-GCM-SHA384, TLS13-CHACHA20-POLY1305-SHA256, TLS13-AES-128-GCM-SHA256.) There are several places where testssl.sh checks whether a cipher suite is a TLS 1.3 cipher by checking whether its OpenSSL name begins with "TLS_" (or "TLS13"). In order to work with LibreSSL 3.1.0, these checks also need to consider names that begin with "AEAD-" to be TLS 1.3 ciphers.
Second, in sub_session_resumption() there is code that adds "-no_ssl2" to the "$OPENSSL s_client" command line if that option is supported. If "-no_ssl2" is not supported, then other protocol information is added to the command line. I believe this code was written with the assumption that any version of OpenSSL that supports "-no_ssl2" does not support TLS 1.3. However, LibreSSL 3.1.0 supports both. So, this commit changes the code to add the "-no_ssl2" option only if TLS 1.3 is not supported.
This commit addresses two compatibility issues with LibreSSL.
First, with LibreSSL, "$OPENSSL s_client" does not support the "-curves" option, so the "-groups" option needs to be used instead. Note that with LibreSSL, the command line "$OPENSSL s_client -groups $curve -connect invalid." will not work, as it will complain "no port defined," but will not indicate whether the specified curve is supported. Adding a port number fixes that problem. (There does not seem to be a need to include a port number for other tests, such as whether the "-curves" option itself is supported.)
Second, including "-out -" in the command line for "$OPENSSL genpkey" causes LibreSSL to create a file with the name "-" if the algorithm is supported. This is not an issue at the moment, since LibreSSL's genpkey does not support X25519 or X448. However, both genpkey with both OpenSSL and LibreSSL uses stdout as the default output if no "-out" is specified, so the "-out -" is not necessary.
generate_key_share_extension() and prepare_tls_clienthello() currently check the $OPENSSL version number to determine whether X25519 and X448 are supported. The commit changes these functions to use $HAS_X25519 and $HAS_X448.
run_ticketbleed() and sub_session_ticket_tls() each include one call to "$OPENSSL s_client". For each of these calls the expected response is a TLS 1.2 or earlier ServerHello. However, if $OPENSSL supports TLS 1.3, then a TLS 1.3 ClientHello will be sent.
This commit fixes this problem in two ways. For the call in run_ticketbleed(), "-no_tls1_3" is added to the command line if "$OPENSSL" supports TLS 1.3. For the call in sub_session_ticket_tls(), this commit changes the function so that the same ClientHello version is sent as will sent by run_ticketbleed() via sockets.
... in cases where the protcol section has not been run before.
Also add " -\n" on the screen/html if protocol is not supported. Also for
SSLv2 which can be supported but at the same time not offer any ciphers
mention there will be an output on the screen.
In order not to provide redundant information run_allciphers() is
now not being run via default (1). Therefore run_server_preference()
runs always in wide mode.
In order to archieve that cipher_pref_check() was modified to
accept a fifth argument whether it'll run in wide mode. As
of now cipher_pref_check() is only called by run_server_preference(),
so the code referring to non-wide mode in cipher_pref_check() may also
be deleted in the future.
To provide a better view the run_fs() section is now being run after
run_server_preference().
(1) saves also 5-6 seconds
This commit fixes a couple of issues related to the use of testssl.sh with OpenSSL 3.0.0-alpha1.
First, when the command line includes an unknown option (e.g., -ssl2), OpenSSL 3.0.0-alpha responds with "Unknown option: -ssl2" rather than "Option unknown option -ssl2". This commit addresses this by making the check for "unknown option" case insensitve.
Second, the printing a DH key, OpenSSL 3.0.0-alpha1 labels the prime and the generator using "prime P:" and "generator G:" rather than just "prime:" and "generator:". This commit by changing testssl.sh to match on either string.
This commit fixes a problem with run_logjam() when run in --ssl-native mode. If $OPENSSL does not support any DH export ciphers, then no test for such cipher is performed. However, the results of "test" is still checked, leading to testssl.sh incorrectly reporting that the server supports DH EXPORT ciphers.
See #1580.
This commit brings:
* If there's no cipher for a protocol it adds a "\n - \n" (also for run_cipher_per_proto() )
* further output improvements
* Cipher order --> Cipher listing per protocol
* make some conditional statement easier to read (at least for me)
New open points:
- cipher_pref_check() doesn't save to PROTOS_OFFERED (was there before)
(just stumbled over this but how about we also use get_protocol() / parse_tls_serverhello()
- do we want run_allciphers() to be started by default?
- $WIDE per default for run_cipher_per_proto() ?
- probably better not to display text in round square brackets when there's no cipher:
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2 (listed by strength)
SSLv3 (server order)
TLSv1 (server order)
TLSv1.1 (server order)
TLSv1.2 (server order)
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[..]
- when a server has no preference at all it shows in wide mode:
Has server cipher order? no (NOT ok) -- only for TLS 1.3
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher listing per protocol
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
-
SSLv3
-
TLSv1 (no server order, thus listed by strength)
xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[..]
e.g. dev.testssl.sh
This commit extends run_server_preference() to list every cipher supported by each protocol even in cases in which the server does not enforce a preference order.
For protocols where the server enforces a cipher order the list of supported ciphers is ordered by server preference (as now). For protocols where the server does not enforce a cipher order, the ciphers are listed by encryption strength (as run_cipher_per_proto() does).
In order to implement this, ciphers_by_strength() was extended to offer a non-wide mode.
by introducing framework for tests to be skipped, see also #1502.
As a first example for the development branch should serve
--disable-rating / --no-rating. The latter is for now undocumented.
Also the big case statement in parse_cmd_line() may use a general
--disable-* or --no-* clause where all --disable-* / --no-* are
being parsed/
A new function set_skip_tests() is being introduced which
sets do_<variables> according to the new array SKIP_TESTS .
Any new test do be skipped needs to be added to that array.
The changes in the --devel part come from the tries to fix
the syntax highlight in vim -- which in the end difn't work
see #1571. Bit size doesn't matter. It only matters to the
user which ciphers they are.
Additionally phrased the output better (FS + strong enc) and
do less indentation.
Renamed average_ciphers -> obsoleted_ciphers to refect what's
on the output.
STARTTLS tests should always give a bad rating because of the missing
trust 1) . That's why we don't provide more details as "T". Maybe we
decide later to provide an environment variable which still
shows this warning but divulges more details. TBC.
Documentation is missing for STARTTLS + grades.
1) There might be cases also for STARTTLS where encryption is enforced
and e.g. the certificate fingerprint is validated. As this is highly
protcol specific we won't test that.
Dirk Wetter
David Cooper
Magnus Larsen