mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-18 11:41:56 +02:00
Commit Graph

1108 Commits

Author SHA1 Message Date
42e9406ee1 run_rp_banner(): Fix indentation. 2016-09-14 12:24:54 +02:00
6a6d4880d6 run_application_banner(): Fix modified in subshell bug.
Refactor the while loop so it doesn't use a subshell anymore. Also use
"read -r" to prevent backslash escaping.

```
In testssl.sh line 1193:
               app_banners="$app_bannersline"
               ^-- SC2030: Modification of app_banners is local (to subshell caused by pipeline).

In testssl.sh line 1195:
          fileout "app_banner" "WARN" "Application Banners found: $app_banners"
                                                                  ^-- SC2031: app_banners was modified in a subshell. That change might be lost.
```

Found by ShellCheck.
2016-09-14 12:24:44 +02:00
beae0ce195 run_{rp,application}_banner(): Fix unassigned variables.
This commit fixes the following two instances of referenced but not assigned
variables:

```
In testssl.sh line 1159:
               rp_banners="$rp_bannersline"
                           ^-- SC2154: rp_bannersline is referenced but not assigned.

In testssl.sh line 1193:
               app_banners="$app_bannersline"
                            ^-- SC2154: app_bannersline is referenced but not assigned.
```

Found by ShellCheck.
2016-09-14 12:24:28 +02:00
10b3e7db55 Merge pull request from nachtgeist/issue-467
quote argument for s_client's -nextprotoneg parameter
2016-09-14 07:24:29 +02:00
2a926609ca quote argument for s_client's -nextprotoneg parameter
The argument to -nextprotoneg is provided in sometimes empty and unquoted
variables. Because of the missing quotes, the next word on the line "-status"
gets parsed as "-nextprotoneg"'s argument instead of enabling the OCSP status
check.

This fixes .
2016-09-13 21:22:35 +02:00
cca1b49890 - fixing wrong cipher order for URL=ipaddress 2016-09-12 21:54:51 +02:00
4158372ab7 Merge pull request from knweiss/referenced_but_not_assigned
compare_server_name_to_cert(): Fix unassigned vars.
2016-09-12 16:51:34 +02:00
93c240278a Merge pull request from knweiss/referenced_but_not_assigned2
certificate_info(): Fix unassigned variable.
2016-09-12 16:49:33 +02:00
b9d9a909b1 certificate_info(): Fix unassigned variable.
Fix referenced but not assigned variable 'sign_algo'.

```
In testssl.sh line 4309:
               fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $sign_algo"
                                                                               ^-- SC2154: sign_algo is referenced but not assigned.
```

Found by ShellCheck.
2016-09-12 16:20:05 +02:00
7dbbe42ea0 compare_server_name_to_cert(): Fix unassigned vars.
Two instances of referenced but not assigned variables ('req' instead of
'ret').

```
In testssl.sh line 4130:
     if [[ $req -eq 0 ]]; then
           ^-- SC2154: req is referenced but not assigned.
```

Found by ShellCheck.
2016-09-12 16:12:18 +02:00
f0132dcb7f stronger usability warning for SHA1 + HTTP 2016-09-07 21:34:27 +02:00
d1cc7b3755 FIX 2016-09-06 08:32:05 +02:00
c00c98caa2 warning for SHA1 sig algo and web servers 2016-09-05 10:01:46 +02:00
228296e175 Merge pull request from andreild/issue-289-domain-resolution-etc-hosts
Fix  - the grep that decides whether a domain is a local address …
2016-09-02 15:38:28 +02:00
fdcdad3faa Merge pull request from dcooper16/more_sslv2_sslv3_fixes
More SSLv2 (and SSLv3) related fixes
2016-09-02 09:06:52 +02:00
caec8029f2 Merge pull request from dcooper16/tls_sockets_and_no_SNI
Fix tls_sockets() when SNI empty
2016-09-02 08:50:35 +02:00
a9002ba6e6 Fix tls_sockets() when SNI empty
`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension.

This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello if `$SNI` is not empty.
2016-09-01 13:22:39 -04:00
2313aee22d fix for previously broken HPKP_MIN value 2016-09-01 19:09:12 +02:00
1c53160348 ups ;-) 2016-09-01 19:04:47 +02:00
59d4acec11 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-09-01 10:56:57 -04:00
d665f69c72 fix 2016-09-01 12:42:56 +02:00
2613d20375 Merge pull request from dcooper16/certificate_info
Display SNI information in "Server Certificate" line
2016-08-31 18:26:45 +02:00
e79e980336 Display SNI information in "Server Certificate" line
This PR is an attempt to address issue . If more than one certificate is being displayed, then a parenthetical saying "(in response to request w/o SNI)" is added for any certificate that was obtained using `$SNI=""`.

In addition, if the certificate was obtained without SNI, then `certificate_info()` doesn't call `$OPENSSL s_client` in order to obtain the non-SNI host certificate and it does not display a separate "Trust (hostname)" finding for the non-SNI certificate.
2016-08-30 15:22:46 -04:00
6e6fdf6410 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-08-29 15:02:40 -04:00
ba1ea6dcba Merge pull request from dcooper16/unsupported_purpose
Output correct error for unsupported certificate purpose
2016-08-29 17:39:00 +02:00
957225595f Merge branch 'master' into unsupported_purpose 2016-08-29 10:17:27 -04:00
97b8dd1959 Merge branch 'master' into more_sslv2_sslv3_fixes
Conflicts:
	testssl.sh
2016-08-29 09:57:36 -04:00
f5792a1e8d 1st important fixes ;-) 2016-08-28 21:43:48 +02:00
54a66b9d88 - minor output fixes
- removed "experimental" from TLS_FALLBACK_SCSV + DROWN
- bumped up version to rc2
2016-08-28 21:41:30 +02:00
1e5b619a19 Merge pull request from dcooper16/server_preference_sslv2_fixes
SSLv2 fixes for server preference
2016-08-28 19:15:22 +02:00
dbb7d6f4be Merge pull request from dcooper16/sslv2_sockets
Move printing of results out of sslv2_sockets()
2016-08-28 18:27:29 +02:00
f4d9a638ba Merge pull request from dcooper16/poodle_no_ssl3
Warning on Poodle test when no local SSLv3 support
2016-08-28 18:10:50 +02:00
a76e67cbbe Merge pull request from dcooper16/determine_optimal_proto_fix
Fix SSLv2-only test in determine_optimal_proto()
2016-08-28 18:08:01 +02:00
1d83e220bf Merge pull request from dcooper16/dh_keys
Support DH server keys
2016-08-28 18:04:22 +02:00
8da00a8025 Merge pull request from dcooper16/devel_option
Fix "--devel" with SSLv2
2016-08-28 18:03:17 +02:00
dfa0cfd0b4 Merge pull request from dcooper16/no_ssl2
OpenSSL 1.1.0 doesn't have "-no_ssl2" option
2016-08-28 17:58:56 +02:00
b9c0ac9ee3 Merge pull request from dcooper16/beast_no_ssl3
Warning on BEAST when no local SSLv3 support
2016-08-28 17:57:39 +02:00
98dc3bfadb Support DH server keys
When `certificate_info()` is given a certificate with a DH public key it displays something like:
```
   Server key size              fixme:  dhKeyAgreement 3072 bits (FIXME: can't tell whether this is good or not)
```

This PR fixes that so that the output is:
```
   Server key size              DH 3072 bits
```
2016-08-25 15:23:53 -04:00
aeba340dcb Output correct error for unsupported certificate purpose
This PR is in response to issue . I tried repeating the reported problem by creating a certificate in which the extendedKeyUsage extension was present and only included the anyExtendedKeyUsage OID. In running the test, I discovered two problems.

First, when `determine_trust()` is calling `verify_retcode_helper()` to display the reason that path validation failed, it assumes that there are at least two certificate bundles provided. (I was running the test using just one certificate bundle, containing my local root.) So, I changed `determine_trust()` to use `${verify_retcode[1]}` rather than `${verify_retcode[2]}` in the case that all bundles failed (it seems that 2 vs. 1 was an arbitrary choice).

Once that was fixed, testssl.sh output "NOT ok  (unknown, pls report) 26". So, the second thing this PR fixes is to output "NOT ok (unsupported certificate purpose)" if OpenSSL responds with an unsupported certificate purpose error.
2016-08-25 11:41:16 -04:00
12e3a3314a OpenSSL 1.1.0 doesn't have "-no_ssl2" option
With OpenSSL 1.1.0, `s_client -no_ssl2` fails with an "unknown option" error. At the moment the `-no_ssl2` option is only used in two functions, `run_client_simulation()` and `run_crime()`. In `run_crime()`, the `-no_ssl2` option is only included if the OpenSSL version is 0.9.8.

This PR checks whether the OpenSSL version in use supports the `-no_ssl2` option, and if it doesn't, it removes it from the calls to `s_client` in `run_client_simulation()`.
2016-08-24 10:14:12 -04:00
7cfe97f23a Warning on BEAST when no local SSLv3 support
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_beast()` doesn't display a warning that testing for CBC in SSLv3 isn't locally supported.

This PR adds a "Local problem" warning if the OpenSSL being used doesn't support `s_client -ssl3`.
2016-08-23 12:37:22 -04:00
0fcb2bcb44 Fix SSLv2-only test in determine_optimal_proto()
The test for whether a server only supports SSLv2 was broken, since `$OPTIMAL_PROTO` will be `-ssl2` whether SSLv2 is the only protocol that succeeds or no protocol succeeds.

This PR sets $OPTIMAL_PROTO (or $STARTTLS_OPTIMAL_PROTO) to "" if no protocol succeeds.
2016-08-23 12:29:31 -04:00
38abfeb1e5 Return 0 even if test couldn't be performed 2016-08-23 11:35:03 -04:00
7dd1d15e9a run_ssl_poodle() when OpenSSL doesn't support SSLv3
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_ssl_poodle()` displays `not vulnerable (OK)` even though it can't test whether the server is vulnerable.

This PR fixes it so that a "Local problem" warning is displayed if `s_client -ssl3` isn't supported.

The PR also removes the `$SNI` from the call to `$OPENSSL s_client` since OpenSSL ignores the `-servername` directive for `-ssl3` anyways.
2016-08-23 11:31:04 -04:00
2b7a77979c Fix "--devel" with SSLv2
If testssl.sh is called with `--devel 22` and the response from `sslv2_sockets()` is not 0, then `tls_sockets()` will be called, and the result of the `tls_sockets()` command will be output rather than the result of the `sslv2_sockets()` command.
2016-08-11 14:40:20 -04:00
358a4082e8 Move printing of results out of sslv2_sockets()
This PR addresses the "FIXME" in `run_protocols()`:
```
      sslv2_sockets                                                    #FIXME: messages/output need to be moved to this (higher) level
```
It also changes `run_drown()` to call `sslv2_sockets()` in order to avoid duplicate code.
2016-08-11 14:16:33 -04:00
ba74740613 Merge branch 'master' into server_preference_sslv2_fixes 2016-08-09 10:52:11 -04:00
8a7827436d Merge branch 'master' into more_sslv2_sslv3_fixes 2016-08-09 10:48:49 -04:00
424cf233d1 FIX 2016-08-09 10:35:58 +02:00
b0923a1833 - workaround for failed CI test 2016-07-26 22:00:53 +02:00