This addresses a bug where openssl s_client connects hiccuped
because of newer config files which our openssl 1.0.2 couldn't
swallow.
It appeared first on Debian.
FIX #1117 FIX #1098
This PR fixes #1100 where those cmdline options were supplied
and also the IPv4 address was tested.
It also labels supplied IPv6 addresses as AAAA records
instead of A records.
Still, determine_ip_addresses() has space for improvements.
Some comparisons with fixed strings which popped up during debugging were polished
to avoid internal quoting
[[ $VAR == "teststr" ]]
will be otherwise expanded to
[[ $VAR == \t\e\s\t\s\t\r ]]
Backport of b6cc01a558:
-----
This commit is a FIX for #1069, thus when running in
wide mode it corrects an additional line feed which
happened sometimes.
As @dcooper16 pointed out it also cleans up the needless
if-statements in run_rc4(), run_lucky13() and run_beast().
It also inserts for wide mode lines a blank so the alignment
is not at the left border anymore (check for leftovers
needed).
This is a backport of #1039 to 2.9.5. Log from David Cooper:
There is currently a problem if mass testing is being performed, JSON and/or CSV output is to be produced, the parent process calls `fileout()`, and each child process has its own output file for the JSON and/or CSV output. This can be seen, for example, with the following:
```
testssl.sh --openssl=openssl_1.1.1 --file test_servers.txt --csvfile output_dir --jsonfile output_dir
```
A call will be made in the parent process to report that openssl_1.1.1 has "No engine or GOST support via engine." `fileout()` will try to write to output_dir, which will result in an error.
This PR fixes the problem by checking that the file to be written to is not a directory (as is already done in `html_out()` for HTML output).
NOTE: At some point, a change should be made so that all of these checks are performed once (probably in `html_header()`, `csv_header()`, and `json_header()`), with the results being stored in a variable, so that these file operations do not need to be performed each time output is to be written to one of these files.
This is a backport of 8149c2d5cf.
In certain situations while testing for CCS injection it could have happened
that an error code was sent which was not interpreted properly by testssl.sh.
(https://tools.ietf.org/html/rfc5246#section-7.2)
This has now been fixed and thus addresses #906. Also it has been made sure
that other error codes are reported appropriately.
The case where this test failed before was a non-patched Ubuntu 12.04
with openssl/postfix on port 25.
For enddate conversion there's no need to tell ``date``
to convert the time including the TZ. MacOS X' date hiccups
when this will be done (strangely, FreeBSDs are fine).
bash 3.2 is now a minimum requirement and it is being tested.
It refuses to run if anything lower is detected.
Rollback of d5c86a8df2, see #999
Backport (f812403292) for OpenBSD date.
Also adding LibreSSL not to warn because of trust reliability
POP3 STARTTLS handshakes were often unsuccessful as
a regex wasn't properly escaped.
Furthermore if a STARTTLS handshake doesn't succeed, there's
a warning now.
See #908 and f61b701f5a
In order to have better debugging info the TLS alert message is printed
in clear. Message code and text assignments were moved to a separate
function.
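Both the CCS injection fix and the clear-text alert output above depend on reading a TLS alert record correctly. The following is an added example, not testssl.sh's own code: the function names `alert_description` and `decode_tls_alert` are hypothetical and the sample records are constructed. It decodes a plaintext alert per RFC 5246 section 7.2 and declines to interpret truncated, non-alert or encrypted records.

```shell
# Added example, not testssl.sh code. Decodes a plaintext TLS alert record
# (RFC 5246, section 7.2) supplied as hex:
#   type(1)=0x15 | version(2) | length(2)=0x0002 | level(1) | description(1)

alert_description() {   # hypothetical helper: decimal code -> RFC 5246 name
    case "$1" in
        0) echo close_notify ;; 10) echo unexpected_message ;; 20) echo bad_record_mac ;;
        21) echo decryption_failed_RESERVED ;; 22) echo record_overflow ;; 30) echo decompression_failure ;;
        40) echo handshake_failure ;; 41) echo no_certificate_RESERVED ;; 42) echo bad_certificate ;;
        43) echo unsupported_certificate ;; 44) echo certificate_revoked ;; 45) echo certificate_expired ;;
        46) echo certificate_unknown ;; 47) echo illegal_parameter ;; 48) echo unknown_ca ;;
        49) echo access_denied ;; 50) echo decode_error ;; 51) echo decrypt_error ;;
        60) echo export_restriction_RESERVED ;; 70) echo protocol_version ;; 71) echo insufficient_security ;;
        80) echo internal_error ;; 90) echo user_canceled ;; 100) echo no_renegotiation ;;
        110) echo unsupported_extension ;;
        *) echo "unknown_alert_$1" ;;
    esac
}

decode_tls_alert() {    # hypothetical helper: hex record -> "level/description"
    hex=$(printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F')
    case "$hex" in *[!0-9A-F]*) echo not_hex; return 2 ;; esac
    # 7 bytes (14 hex digits) is the minimum for header plus alert body
    [ "${#hex}" -ge 14 ] || { echo truncated_record; return 2; }
    rtype=$(printf '%s' "$hex" | cut -c1-2)
    len=$(printf '%s' "$hex" | cut -c7-10)
    level=$(printf '%s' "$hex" | cut -c11-12)
    desc=$(printf '%s' "$hex" | cut -c13-14)
    [ "$rtype" = 15 ] || { echo not_an_alert; return 1; }
    # A longer body means the alert is encrypted (or malformed): do not guess
    [ "$len" = 0002 ] || { echo encrypted_or_malformed_alert; return 1; }
    case "$level" in
        01) lvl=warning ;;
        02) lvl=fatal ;;
        *)  lvl="unknown_level_0x$level" ;;
    esac
    echo "$lvl/$(alert_description "$((0x$desc))")"
}

# Constructed sample records (not captured traffic)
for rec in "15 03 01 00 02 02 0A" "15 03 03 00 02 01 00" \
           "16 03 03 00 04 0E 00 00 00" "15 03 01 00"; do
    printf '%-28s -> %s\n' "$rec" "$(decode_tls_alert "$rec")"
done
```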
SWURL contained for historical reasons trailing blanks
for released versions.
This caused an error in pr_boldurl --> html_out which
didn't write the trailing style info and didn't close
the href tag (travis complained.)
This patch removes the trailing blank but it doesn't
fix the error
Currently the call to `$OPENSSL s_client` to obtain the certificate returned by the server when SNI is not provided is in `certificate_info()`, which means that it is called once for each certificate found in the various calls to `get_server_certificates()`.
This PR moves the call to `$OPENSSL s_client` to `run_server_defaults()` so that the call is made only once, even if more than one server certificate was found.
In addition, in most cases the certificate returned by the server when SNI is not provided will already have been retrieved by `run_server_defaults()` (in rounds 8-14), in which case `$HOSTCERT.nosni` can just be copied from there rather than making an additional call to `$OPENSSL s_client`.