Commit Graph

2161 Commits

Author SHA1 Message Date
Dirk
485c09461b Avoid conflicts of OpenSSL 1.1.1 config file
This addresses a bug where openssl s_client connections hiccupped
because of newer config files which our openssl 1.0.2 couldn't
swallow.

It appeared first on Debian.

FIX #1117

FIX #1098
2018-09-05 16:56:15 +02:00
Dirk
45c6f98382 Fix error introduced from previous commit 2018-08-15 02:17:14 +02:00
Dirk
32947188dd Fix test scenarios with -6 and --ip=<ipv6address>
This PR fixes #1100 where those cmdline options were supplied
and also the IPv4 address was tested.

It also labels supplied IPv6 addresses as AAAA records
instead of A records.

Still, determine_ip_addresses() has space for improvements.

Some comparisons with fixed strings which popped up during debugging were polished
to avoid internal quoting

[[ $VAR == "teststr" ]]

will be otherwise expanded to

[[ $VAR == \t\e\s\t\s\t\r ]]
2018-08-15 01:34:27 +02:00
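The quoting point made in the commit message above is worth seeing in working code, since the two forms do different things: an unquoted right-hand side of `[[ ... == ... ]]` is a glob pattern, a quoted one is a literal string. The following is an added example (not testssl.sh code) with constructed inputs; function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh code): what quoting the right-hand side of
# [[ value == rhs ]] changes. Function names are illustrative.

# Unquoted RHS is a glob pattern: 'te*' matches anything starting with "te".
# Useful when a pattern is intended; risky if $pattern comes from outside.
matches_pattern() {
    local value="$1" pattern="$2"
    [[ $value == $pattern ]]
}

# Quoted RHS is compared literally: 'te*' matches only the three bytes t e *.
# This is the form to use for fixed strings, e.g. a known banner or token,
# so that glob metacharacters in the comparand cannot widen the match.
matches_literal() {
    local value="$1" literal="$2"
    [[ $value == "$literal" ]]
}

# Same distinction for a constructed server banner: the literal check does
# not match the banner, the pattern check does.
banner_is_exact() {
    local banner="$1"
    [[ $banner == "220 mail ESMTP" ]]
}
banner_starts_with_220() {
    local banner="$1"
    [[ $banner == 220* ]]
}
```

Running `bash -x` on `[[ $VAR == "teststr" ]]` is what produced the escaped `\t\e\s\t\s\t\r` trace quoted in the commit message; the escaping is only in the trace output, the comparison itself is an ordinary literal match.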
Dirk
452f4333c0 The certificate from self-signed.badssl.com was about to expire
which raises a MEDIUM type issue in testssl.sh .

This commit does a workaround for this, so that those certificates
will be ok in Travis CI.
2018-06-13 15:02:08 +02:00
Dirk
af8b0855b6 Fix line feeds in vulnerability output when running in wide mode (backport)
Backport of b6cc01a558:

-----

This commit is a FIX for #1069, thus when running in
wide mode it corrects an additional line feed which
happened sometimes.

As @dcooper16 pointed out it also cleans up the needless
if-statements in run_rc4(), run_lucky13() and run_beast().

It also inserts for wide mode lines a blank so the alignment
is not at the left border anymore (check for leftovers
needed).
2018-06-13 13:41:33 +02:00
Dirk
7daf5de674 JSON and CSV output problem with mass testing
This is a backport of #1039 to 2.9.5. Log from David Cooper:

There is currently a problem if mass testing is being performed, JSON and/or CSV output is to be produced, the parent process calls `fileout()`, and each child process has its own output file for the JSON and/or CSV output. This can be seen, for example, with the following:
```
testssl.sh --openssl=openssl_1.1.1 --file test_servers.txt --csvfile output_dir --jsonfile output_dir
```
A call will be made in the parent process to report that openssl_1.1.1 has "No engine or GOST support via engine." `fileout()` will try to write to output_dir, which will result in an error.

This PR fixes the problem by checking that the file to be written to is not a directory (as is already done in `html_out()` for HTML output).

NOTE: At some point, a change should be made so that all of these checks are performed once (probably in `html_header()`,`csv_header()`, and `json_header()`), with the results being stored in a variable, so that these file operations do not need to be performed each time output is to be written to one of these files.
2018-04-24 07:54:23 +02:00
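The check described in this backport, refusing to treat a directory as the output file before appending to it, as an added example in bash. This is not testssl.sh's `fileout()`; the function names and the return code convention are assumptions made here, and the file paths used in any test are created in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh's fileout()): validate a report output path
# before writing, so a directory passed where a file was expected is
# reported instead of producing a failed redirection mid-run.

# Returns 0 if $1 is a path we can append to as a file, 1 otherwise.
output_path_ok() {
    local f="$1" dir
    [[ -n "$f" ]] || return 1
    [[ -d "$f" ]] && return 1                 # a directory, e.g. output_dir above
    [[ -e "$f" && ! -w "$f" ]] && return 1    # exists but not writable
    dir=$(dirname -- "$f")
    [[ -d "$dir" && -w "$dir" ]]              # parent must accept a new file
}

# Appends one line to $1 only when the path passes the check above.
# Prints a diagnostic to stderr and returns 2 (assumed convention) otherwise.
safe_fileout() {
    local f="$1" line="$2"
    if ! output_path_ok "$f"; then
        printf 'Not writing to %q: not a writable file path\n' "$f" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$f"
}
```

As the NOTE in the commit message says, a check like this belongs where the output file is first opened rather than on every write; here it is a separate function so that the header-writing code can call it once and cache the verdict.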
Dirk
4071f252bc CCS injection: better handling of TLS alert protocols
This is a backport of 8149c2d5cf.

In certain situations while testing for CCS injection it could have happened
that an error code was sent which was not interpreted properly by testssl.sh.
(https://tools.ietf.org/html/rfc5246#section-7.2)

This has now been fixed and thus addresses #906. Also it has been made sure
that other error codes are reported appropriately.

The case where this test failed before was a non-patched Ubuntu 12.04
with openssl/postfix on port 25.
2018-04-20 11:46:21 +02:00
Dirk
ec7ef8aa3c Bump patch version 2018-04-09 10:07:46 +02:00
Dirk
c96d01d376 Fix regression in #198
For enddate conversion there's no need to tell ``date``
to convert the time including the TZ. MacOS X' date hiccups
when this will be done (strangely, FreeBSDs are fine).
2018-04-09 09:07:51 +02:00
Dirk
7d4f36493c be more verbose what --warnings batch means (see #1027) 2018-04-05 21:54:25 +02:00
Dirk
68b07f1ebc workaround for missing date format conversion (OpenBSD) in http date 2018-03-24 19:45:21 +01:00
Dirk
7cd872313e better matching of empty server banners
Backport of b1b30b3fb8
2018-03-23 14:28:39 +01:00
Dirk
4ff442ad7f Backport of fix for #1021
Note: The order of an if-statement matters if a variable isn't
declared. ;-)

Probably this 2.9.5 can live without it but rather play safe
and clean...
2018-03-21 15:06:09 +01:00
Dirk
48a702a569 readjust missing HSTS in JSON to info level, see #1010 2018-03-21 09:56:50 +01:00
Dirk
ef594c4e1f fix non-initialized variables 2018-03-02 21:02:16 +01:00
Dirk
c636a82b0a Fix HPKP regression where it stated that only one SPKI was used 2018-03-01 15:34:25 +01:00
Dirk
ac5aca0dcf address #876 (empty addcmd2 variable) 2018-02-27 13:08:42 +01:00
Dirk
a2d59abf87 Rollup: OpenBSD compatibility, SLES 10 incompatibility
bash 3.2 is now a minimum requirement and it is being tested.
It refuses to run if anything lower is detected.

Rollback of d5c86a8df2, see #999

Backport (f812403292) for OpenBSD date.
Also adding LibreSSL not to warn because of trust reliability
2018-02-19 11:16:04 +01:00
Dirk
d5c86a8df2 Fix #999, for bash 3.1, regex matching failed 2018-02-16 19:11:58 +01:00
Dirk
f7288fd4bf Backport of Alpine Linux Dockerfile from 2.9dev 2018-02-09 14:11:27 +01:00
Dirk
c004469e0f backport of #982
fixes #981
2018-02-08 14:16:36 +01:00
Dirk
af6ca18933 change certificate enddate not to contain the TZ offset 2018-01-31 16:37:22 +01:00
Dirk
56aa009491 backport #968 2018-01-23 10:13:46 +01:00
Dirk
e40e4007b1 backport of #961 (client auth and broken json-pretty) 2018-01-19 14:18:10 +01:00
Dirk
4d7aa5df8b Fix for POP3, robustness for STARTTLS
POP3 STARTTLS handshakes were often unsuccessful as
a regex wasn't properly escaped.

Furthermore if a STARTTLS handshake doesn't succeed, there's
a warning now.
2017-12-06 12:48:55 +01:00
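The class of bug this commit describes, a regex that is not escaped properly, is easy to hit with POP3 because the success token begins with `+`, which is an ERE quantifier unless escaped. Added example, not testssl.sh's STARTTLS code: it classifies a server's reply to `STLS` and emits a warning when the handshake step is not accepted. The reply lines are constructed and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh code): classify a POP3 server's reply to the
# STLS command (RFC 2595). "+OK" / "-ERR" are the POP3 status tokens
# (RFC 1939); the leading "+" must be escaped in the regex.

# Prints "ok", "refused" or "unexpected" for reply line $1 and returns 0
# only for "ok", so a caller can warn whenever STARTTLS did not succeed.
pop3_stls_reply() {
    local reply=${1%$'\r'}                 # drop the trailing CR of CRLF
    if [[ $reply =~ ^\+OK ]]; then         # escaped: a literal "+OK" at line start
        echo ok; return 0
    elif [[ $reply =~ ^-ERR ]]; then
        echo refused; return 1
    else
        echo unexpected; return 1          # e.g. a timeout or a non-POP3 banner
    fi
}

# Wraps the classification and prints the kind of warning the commit
# message mentions when the STARTTLS step fails.
pop3_starttls_or_warn() {
    local verdict
    verdict=$(pop3_stls_reply "$1") && return 0
    printf 'Warning: STARTTLS (STLS) not accepted by server (%s): %s\n' \
        "$verdict" "${1%$'\r'}" >&2
    return 1
}
```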
Dirk
8ebba5593d Fixes in headers
- double word match: Content-Security-Policy matched also X-Content-Security-Policy
- X-UA-Compatible always appeared twice
2017-12-01 13:37:23 +01:00
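The first item above, a header name matching as a substring of a longer name, is a detection bug rather than a cosmetic one: a report could claim a `Content-Security-Policy` header that the server never sent. Added example, not testssl.sh code, of matching a header by its full name anchored at the start of the line and counting it once; the substring variant is included for contrast. The HTTP response is constructed and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh code): extract an HTTP response header by
# its full, case-insensitive name anchored at column 0, so that
# "Content-Security-Policy" does not match "X-Content-Security-Policy".

# Constructed response text (CRLF line endings as on the wire).
SAMPLE_RESPONSE=$'HTTP/1.1 200 OK\r\nX-Content-Security-Policy: default-src https:\r\nContent-Security-Policy: default-src https:\r\nX-UA-Compatible: IE=edge\r\nContent-Type: text/html\r\n\r\n'

# Prints the value(s) of header $1 in response text $2, one per line.
# Header names are case-insensitive (RFC 7230); values keep their case.
# Returns 1 if the header is absent.
header_values() {
    local name response line value found=1
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # tr keeps this bash-3.2 friendly
    response="$2"
    while IFS= read -r line; do
        line=${line%$'\r'}
        # Anchored: the lower-cased line must begin with "<name>:".
        if [[ $(printf '%s' "$line" | tr 'A-Z' 'a-z') == "$name:"* ]]; then
            found=0
            value=${line#*:}
            value=${value#"${value%%[![:space:]]*}"}   # strip leading blanks
            printf '%s\n' "$value"
        fi
    done <<< "$response"
    return $found
}

# Number of times header $1 occurs, using the anchored match above.
header_count() {
    local out
    out=$(header_values "$1" "$2") || { echo 0; return 0; }
    printf '%s\n' "$out" | grep -c .
}

# The substring match the commit describes: "Content-Security-Policy:" is
# also found inside "X-Content-Security-Policy:", so the count is inflated.
header_count_substring() {
    printf '%s\n' "$2" | grep -ic "$1:" || true
}
```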
Dirk
a53cb4b971 Recognise TLS alerts as a sign that SSLv2 is not supported
See #908 and f61b701f5a

In order to have better debugging info the TLS alert message is printed
in clear. Message codes and text assignments were moved to a separate
function.
2017-11-29 12:00:53 +01:00
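Both this commit and the CCS injection backport (4071f252bc above) depend on reading the two-byte body of a TLS Alert record (RFC 5246 section 7.2) and turning its level and description into something a person can read. Added example, not testssl.sh code: a decoder for an alert record given as hex, with the RFC 5246 description names, plus a small interpreter for the CCS case. The hex records are constructed; treating a fatal `unexpected_message` alert as the proper rejection of an out-of-order ChangeCipherSpec is an assumption made here for illustration, not something the commit messages state.

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh code): decode a TLS Alert record from hex.
# Record layout: ContentType(1)=0x15, ProtocolVersion(2), length(2)=0x0002,
# AlertLevel(1), AlertDescription(1). Names follow RFC 5246 section 7.2.

# Maps an AlertDescription value (decimal) to its RFC 5246 name.
# A case statement rather than an associative array keeps it bash-3.2 safe.
alert_description_name() {
    case "$1" in
        0)   echo close_notify ;;
        10)  echo unexpected_message ;;
        20)  echo bad_record_mac ;;
        21)  echo decryption_failed_RESERVED ;;
        22)  echo record_overflow ;;
        30)  echo decompression_failure ;;
        40)  echo handshake_failure ;;
        41)  echo no_certificate_RESERVED ;;
        42)  echo bad_certificate ;;
        43)  echo unsupported_certificate ;;
        44)  echo certificate_revoked ;;
        45)  echo certificate_expired ;;
        46)  echo certificate_unknown ;;
        47)  echo illegal_parameter ;;
        48)  echo unknown_ca ;;
        49)  echo access_denied ;;
        50)  echo decode_error ;;
        51)  echo decrypt_error ;;
        60)  echo export_restriction_RESERVED ;;
        70)  echo protocol_version ;;
        71)  echo insufficient_security ;;
        80)  echo internal_error ;;
        90)  echo user_canceled ;;
        100) echo no_renegotiation ;;
        110) echo unsupported_extension ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Input: hex of one TLS record, whitespace allowed, e.g. "15 03 01 00 02 02 0a".
# Output: "<level> <description>", e.g. "fatal unexpected_message".
# Returns 1 if the bytes are not a well-formed alert record.
decode_tls_alert() {
    local hex="${1//[[:space:]]/}" level desc level_name
    hex=$(printf '%s' "$hex" | tr 'A-F' 'a-f')
    [[ ${#hex} -eq 14 ]] || return 1            # 5-byte header + 2-byte body
    [[ ${hex:0:2} == "15" ]] || return 1        # ContentType alert
    [[ ${hex:6:4} == "0002" ]] || return 1      # alert body is exactly 2 bytes
    level=$((16#${hex:10:2})); desc=$((16#${hex:12:2}))
    case "$level" in
        1) level_name=warning ;;
        2) level_name=fatal ;;
        *) return 1 ;;                          # only warning(1)/fatal(2) exist
    esac
    printf '%s %s\n' "$level_name" "$(alert_description_name "$desc")"
}

# CCS case (assumption for illustration): a server that answers an early
# ChangeCipherSpec with a fatal unexpected_message alert rejected it.
# Returns 0 for that answer, 1 for any other reply, which the caller should
# then report with its decoded name rather than treat as "vulnerable".
ccs_rejected_properly() {
    local decoded
    decoded=$(decode_tls_alert "$1") || return 1
    [[ $decoded == "fatal unexpected_message" ]]
}
```

For the SSLv2 probe in this commit the same decoder applies: a server that replies to an SSLv2 ClientHello with a well-formed TLS alert record has spoken TLS, not SSLv2, and the decoded level and description can be printed as the debugging info the commit message mentions.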
Dirk
59b4f6364b Increase STARTTLS_SLEEP for lame servers 2017-11-24 23:09:03 +01:00
Dirk
bf0fde27e6 backport dockerfile from 2.9dev 2017-11-19 16:14:30 +01:00
Dirk Wetter
a802792db5 update links, reorder features 2017-09-27 09:02:29 +02:00
Dirk
ed88add923 regression fix: output for CVE-2015-3197 was missing in DROWN 2017-09-20 17:24:37 +02:00
Dirk
c5ac8c9227 workaround due to problem with blanks in $SWURL
SWURL contained for historical reasons trailing blanks
for released versions.
This caused an error in pr_boldurl --> html_out which
didn't write the trailing style info and didn't close
the href tag (travis complained.)

This patch removes the trailing blank but it doesn't
fix the error
2017-09-20 10:47:18 +02:00
Dirk
11b4f67d7e version number 2017-09-20 07:11:11 +02:00
Dirk Wetter
f9c72ea85e Update Readme.md 2017-09-19 16:22:09 +02:00
Dirk
11d7645754 changed for 2.9.5 2017-09-19 16:13:38 +02:00
Dirk
b9b09f586e added MS CA store, see #825
Finally complete, thx @naumanshah03
2017-09-19 15:15:54 +02:00
Dirk Wetter
f48deaaa9d Update README.md 2017-09-19 14:50:08 +02:00
Dirk
4972cda2af FIX #762 (replace which by 'type -p') 2017-09-19 00:08:33 +02:00
Dirk
1c10ad0124 remove echoing ~ /usr/bin/timeout 2017-09-18 23:38:06 +02:00
Dirk
b222fe8f53 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-09-18 23:34:12 +02:00
Dirk Wetter
95af735862 Update README.md 2017-09-18 23:33:25 +02:00
Dirk Wetter
3caa73c1b8 Update README.md 2017-09-18 23:32:35 +02:00
Dirk
bd55830a7e FIX #823, for jabber try PTR record first or fail 2017-09-18 23:25:07 +02:00
Dirk
f014a1853b missing update from 985c845486 2017-09-18 23:01:37 +02:00
Dirk Wetter
7294df927f Merge pull request #677 from dcooper16/no_sni
Just get non-SNI certificate once
2017-09-18 21:14:34 +02:00
David Cooper
34fa8fc98e Just get non-SNI certificate once
Currently the call to `$OPENSSL s_client` to obtain the certificate returned by the server when SNI is not provided is in `certificate_info()`, which means that it is called once for each certificate found in the various calls to `get_server_certificates()`.

This PR moves the call to `$OPENSSL s_client` to `run_server_defaults()` so that the call is made only once, even if more than one server certificate was found.

In addition, in most cases the certificate returned by the server when SNI is not provided will already have been retrieved by `run_server_defaults()` (in rounds 8-14), in which case `$HOSTCERT.nosni` can just be copied from there rather than making an additional call to `$OPENSSL s_client`.
2017-09-18 13:31:38 -04:00
Dirk Wetter
a395f91f0e Merge pull request #777 from dcooper16/fix772
Fix #772
2017-09-18 18:36:53 +02:00
Dirk
6b1d81d28d minor housekeeping for `fileout() in run_http_header()` 2017-09-18 18:18:05 +02:00
Dirk Wetter
200440a28f Merge pull request #820 from seccubus/insecure_redirect
Fixed file output error in case of insecure redirect
2017-09-18 18:01:43 +02:00
Dirk
f372b4b775 FIX #622
If the host negotiated SSLv3, reading of the ServerKeyExchange message failed
and as a consequence determination of the DH key
2017-09-18 17:50:06 +02:00