Commit Graph

2606 Commits

Author SHA1 Message Date
Dirk e3b254d0a1 FIX #869 2017-10-20 19:58:20 +02:00
David Cooper 63fe5fa170 Complete fix of #772
PR #777 introduced a proposed solution to #772. This PR applies the proposed solution wherever it was not applied in #777.
2017-10-20 13:54:18 -04:00
David Cooper 0efaf9114f Another fix for OpenSSL 1.1.1
If testssl.sh is used with OpenSSL 1.1.1 and TLSv1.3 support is enabled, then the check for whether the server has a cipher order will always fail. The problem is that since the call to s_client doesn't specify a protocol a TLSv1.3 ClientHello will be sent. However, the call specifies a list of ciphers that doesn't include any TLSv1.3 ciphers. So, OpenSSL will fail with the error: "No ciphers enabled for max supported SSL/TLS version." The solution is to add the "-no_tls1_3" option.

This PR fixes the problem by taking advantage of the recently-added s_client_options() function. It adds a "-no_tls1_3" option whenever:
* $OPENSSL supports TLSv1.3
* The command line doesn't specify any protocol: -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3.
* The command line includes the -cipher option
* The list of ciphers that will be sent doesn't include any TLSv1.3 ciphers.

Add TLSv1.3 support to run_cipher_per_proto()

Fix branch
2017-10-20 13:51:29 -04:00
Dirk Wetter f212b609ab Merge pull request #867 from dcooper16/tls13_for_run_allciphers
Add TLSv1.3 support for run_allciphers()
2017-10-20 18:12:02 +02:00
Dirk Wetter d65566921f Merge pull request #868 from dcooper16/tls13_for_run_server_preference
Add TLSv1.3 support for run_server_preference()
2017-10-20 18:09:17 +02:00
David Cooper ca7c8200eb Add TLSv1.3 support for run_server_preference()
This PR adds support for TLSv1.3 to run_server_preference(). It only provides partial support, as it only works if the support supports and earlier TLS protocol (in order to determine whether the server has a cipher order). It also will only show TLSv1.3 as the "Negotiated protocol" if $OPENSSL supports TLSv1.3.

This PR also fixes a bug in which the variable "proto" was defined as used as both a regular variable and as an array.
2017-10-20 11:40:19 -04:00
David Cooper fb5c049fd7 Add TLSv1.3 support for run_allciphers()
This PR adds TLSv1.3 support for run_allciphers(). It also addresses issue #660 for run_allciphers().
2017-10-20 11:39:30 -04:00
Dirk 50fa1e74bd Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-10-20 16:45:59 +02:00
Dirk d3795f1254 Add output options similar to nmap (FIX #861) 2017-10-20 16:32:57 +02:00
Dirk Wetter d83f310baf Merge pull request #872 from dcooper16/fix_871
Fix #871
2017-10-20 15:42:16 +02:00
David Cooper ebb99a53d2 Fix #871
This PR fixes the bug identified in issue #871.
2017-10-20 09:09:52 -04:00
Dirk 52e02d9d43 CAA work
This fixes #865 and improves #588. All CAA records are now shown,
also with old DNS binaries.
2017-10-18 18:43:54 +02:00
Dirk 4b187d6253 fix travis error in 8ceb1b5 2017-10-18 17:13:05 +02:00
Dirk 8ceb1b5ad8 use bash internal functions for #864 2017-10-18 15:25:43 +02:00
Dirk Wetter 76248493a0 Merge pull request #863 from dcooper16/run_server_preference_ssl3_bugfix
run_server_preference() bug fix
2017-10-18 13:42:54 +02:00
Dirk Wetter 5b6344f6fb Merge pull request #864 from seccubus/recursive_caa
Make CAA record lookups resolve the entire DNS tree (Fixes #862)
2017-10-18 13:42:02 +02:00
Frank Breedijk 0bb1767cc4 This should return it to normal 2017-10-18 08:22:51 +02:00
Frank Breedijk 4544f0f300 Make CAA record lookups resolve the entire DNS tree (Fixes #862) 2017-10-18 08:05:02 +02:00
David Cooper ab9c70119f run_server_preference() bug fix
If run_server_preference() is performed
* against a server that supports SSLv3 and that does not have a cipher order; and
* using a version of OpenSSL that does not support SSLv3; and
* with the --mapping option set to "rfc" or "no-openssl"
then the "Negotiated cipher per proto" will not show the SSLv3 cipher since cipher[i] will be empty.
2017-10-17 13:28:15 -04:00
Dirk Wetter 4adc96b2f7 Merge pull request #856 from dcooper16/run_cipher_per_proto_tls13
Add TLSv1.3 support to run_cipher_per_proto()
2017-10-14 09:21:09 +02:00
Dirk Wetter ac3ff349c9 Merge pull request #859 from dcooper16/rc4
run_rc4() and #660
2017-10-14 09:17:19 +02:00
Dirk Wetter cd4009fed9 Merge pull request #854 from dcooper16/tls13_run_std_cipherlists
Add TLSv1.3 support for run_std_cipherlists()
2017-10-14 09:15:16 +02:00
David Cooper 605d0178ec run_rc4() and #660
This PR addresses issue #660 for run_rc4(), ensuring that support for RC4 ciphers is detected even if no RC4 ciphers are supported with the highest protocol that the server supports.
2017-10-13 16:50:36 -04:00
David Cooper cbd50043ef Add TLSv1.3 support to run_cipher_per_proto() 2017-10-12 10:37:31 -04:00
David Cooper 7019f8b306 Add TLSv1.3 support for run_std_cipherlists()
This PR adds support for TLSv1.3 to run_std_cipherlists().

This PR also provides a partial fix for #660 - addressing the issue only for run_std_cipherlists(). Rather than testing the server once for each cipher list, it tries the server once for each protocol supported by the server. This makes the testing more robust, but adds significantly to the time it takes to perform the tests.
2017-10-12 10:36:39 -04:00
Dirk Wetter 22fd594334 Merge pull request #857 from dcooper16/use_bash_internal
Use bash internal functions
2017-10-12 11:34:20 +02:00
Dirk Wetter 2129af0537 Merge pull request #858 from dcooper16/sweet32
Fix #660 for run_sweet32()
2017-10-12 10:24:34 +02:00
David Cooper 58d67b52a1 Fix #660 for run_sweet32()
This PR addresses issue #660 for run_sweet32(), detecting if 3DES is used, even if it isn't used with the highest protocol version supported by the server. As with PR #854, this increased robustness comes at the expense of taking addition time to run the test.
2017-10-11 15:41:05 -04:00
David Cooper dab7c1bfc0 Use bash internal functions
This PR replaces more uses of awk with bash internal functions.
2017-10-11 15:20:49 -04:00
Dirk Wetter 430917d59f Merge pull request #855 from dcooper16/use_bash_string_manipulation
Use bash internal functions
2017-10-11 17:28:17 +02:00
David Cooper ea4e68c2ce Use bash internal functions
This PR replaces the use of sed or awk in a few places with bash internal functions.
2017-10-11 10:59:13 -04:00
Dirk Wetter 38b2089c49 Merge pull request #853 from dcooper16/no_sock_reply_file
Don't maintain SOCK_REPLY_FILE in non-debug mode
2017-10-11 14:49:10 +02:00
David Cooper a8ef95c2cc Don't maintain SOCK_REPLY_FILE in non-debug mode
In client_simulation_sockets() and tls_sockets(), don't work to create a SOCK_REPLY_FILE that contains the entire server's response (in cases where the response was spread across multiple packets) unless $DEBUG is at least 1.
2017-10-10 14:48:36 -04:00
Dirk 6bd1c26a14 FIX #851 2017-10-10 19:54:36 +02:00
Dirk Wetter 49fcb0d724 Merge pull request #850 from dcooper16/fix_typo
Fix typo
2017-10-10 17:28:25 +02:00
David Cooper 3f342ec461 Fix typo
I believe there is a typo in the second definition of DEBUG_ALLINONE. If I run testssl.sh using the -x option for bash I get the following error:
     testssl.sh: line 12714: -false: command not found
2017-10-10 10:34:33 -04:00
Dirk 785e94912d replace grep -q by internal bash operator
and provide the alias SETX for DEBUG_ALLINONE
2017-10-09 15:13:46 +02:00
Dirk Wetter 985c21dfb7 Merge pull request #844 from dcooper16/has_server_protocol_fixes
has_server_protocol() fixes
2017-10-09 15:09:17 +02:00
Dirk Wetter 1758d18672 Merge pull request #842 from dcooper16/tls13_part1
Initial support for TLSv1.3
2017-10-09 14:53:32 +02:00
Dirk 6f896a057b add missing \n for html output 2017-10-08 22:03:29 +02:00
Dirk e8e4609495 function safe_echo
In order to santize input better there's a fucntion
now which does the work . ``safe_echo()``.

It is actually the same as ``tml_out()`` but is a bit snappier.
2017-10-08 21:40:28 +02:00
David Cooper fd1f4b3b43 Add TLSv1.3 ciphers
This commit adds the 5 TLSv1.3 ciphers to the list.
2017-10-06 10:05:18 -04:00
David Cooper 968b37e5fe Initial support for TLSv1.3
This PR adds initial support for TLSv1.3 to tls_sockets() and for run_client_simulation(). It does not change any of the other functions test TLSv1.3. So, with the exception of run_client_simulation(), the functionality added by this PR can only be tested using the --devel option.

This PR does not include the ability to decrypt the encrypted portions of the server's response. So, it does not support functions that need to see such things as the server's certificate, status information, or extensions (other than key share).
2017-10-06 10:05:18 -04:00
David Cooper c690d355af has_server_protocol() fixes
This PR fixes the use of has_server_protocol() in two places.

Currently std_ciphersuites() only tries SSLv2 if the server is known to support SSLv2. This changes it to try SSLv2 unless the server is known to not support SSLv2.

In run_beast(), tests against the server are run to determine support for TLSv1.2, TLSv1.1, TLSv1, and SSLv3 unless the server is known to support that protocol (i.e., even if has_server_protocol() reports that the server does not support the protocol). This changes it so that a test is only performed against the server if has_server_protocol() reports that it doesn't know whether the protocol is supported.
2017-10-06 09:56:11 -04:00
Dirk Wetter 833f724689 Merge pull request #843 from dcooper16/client_sim_data_error
Fix incorrect client simulation data
2017-10-04 13:05:32 +02:00
David Cooper 555ce31ab8 Fix incorrect client simulation data
In the data provided by https://api.dev.ssllabs.com/api/v3/getClients, Chrome 57 Win 7 and Firefox 53 Win 7 send ClientHellos that indicate support for TLSv1.3 draft 18, but the highest_protocol for each of these is specified as 0x0303. The result is that if the server being tested supports TLSV1.3 draft 18, `run_client_simulation()` will incorrectly report "No connection" for these servers since the DETECTED_TLS_VERSION (0x0304) will be higher than the specified highest_protocol.

This PR fixes the problem by changing the highest_protocol to 0x0304. Note that another solution to this problem would be to change the ClientHello messages for these two browsers. It is my understanding that TLSv1.3 is disabled by default for these browsers, so presumably the ClientHello messages would not specify TLSv1.3 support if they were configured with TLSv1.3 support disabled.
2017-10-03 16:34:56 -04:00
Dirk Wetter f1efe6b7ba Merge pull request #833 from dcooper16/no_ossl_config
Suppress config file warning
2017-10-03 11:14:52 +02:00
David Cooper dd2e17ac18 Suppress config file warning
This may not be specific to LibreSSL, but just my local setup. However, when I test using LibreSSL testssl.sh still prints the following message several times:

     WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf

This PR suppresses the error message for several calls to $OPENSSL and so fixes the problem.
2017-10-02 09:54:07 -04:00
Dirk d5e03299e5 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-10-02 15:19:40 +02:00
Dirk 12c47d1912 FIX #401, first part 2017-10-02 15:18:31 +02:00