Commit Graph

3903 Commits

Author SHA1 Message Date
Dirk Wetter 693cb216f7
Merge pull request #1615 from drwetter/license_patch3.1dev
Amendment to "Relax the possible GPL license contradiction"
2020-05-06 09:18:51 +02:00
Dirk 908975380d Amendment to "Relax the possible GPL license contradiction"
fix it also in the man pages. See #1590 / #1593
2020-05-06 09:17:42 +02:00
Dirk Wetter 41259d2f1b
Merge pull request #1612 from drwetter/TYPO3-Parsetime
Add X-TYPO3-Parsetime
2020-05-05 19:53:15 +02:00
Dirk Wetter 918d358e95 Add X-TYPO3-Parsetime 2020-05-05 13:37:58 +02:00
Dirk Wetter ec37a6e1bd
Merge pull request #1610 from drwetter/xmpp_improvements
Fix STARTTLS pretests, improve XMPP handshakes
2020-05-05 08:47:34 +02:00
Dirk Wetter d949b305c0 Fix STARTTLS pretests, improve XMPP handshakes
There was a empty variable in determine_optimal_proto() which prevented to save
STARTTLS_OPTIMAL_PROTO. This is fixed.

The buffers and return codes for XMPP in starttls_io() were under not every
circumstances correct. This fixes those cases and making that in general more
robust (hopefully).  (There's still code commented out which I'll leave it for
now).

When openssl did not support -starttls xmpp-server there was a copy
and paste error saying that -xmpphost option was not supported.
2020-05-04 22:38:02 +02:00
Dirk Wetter 1a0ade585e
Merge pull request #1609 from dcooper16/check_server_response
Check server's response
2020-05-04 21:35:50 +02:00
Dirk Wetter 308582bd0e
Merge pull request #1608 from drwetter/1590_2_3.1dev
Address further potential license restriction
2020-05-04 20:35:37 +02:00
Dirk cdc1a08819 Address further potential license restriction
.. see https://github.com/drwetter/testssl.sh/issues/1590#issuecomment-623526604

Added some formatting and verbal improvements in the intruductory comment section.
2020-05-04 20:34:32 +02:00
David Cooper ae8a056afe Check server's response
There is code at the beginning of parse_tls_serverhello() that checks whether the server's response appears to consist of a sequence of messages of the form <protocol><content type><content>. However, at the moment the check is only performed if "$do_starttls" is false. This commit changes parse_tls_serverhello() so that the check is always performed.
2020-05-04 14:29:13 -04:00
Dirk Wetter 934c5fc60c
Merge pull request #1603 from drwetter/aes_cgm_doc
Fix typo in docs: Strong grade Ciphers / AEAD
2020-05-02 19:54:54 +02:00
Dirk 381fdfa985 Fix typo in docs: Strong grade Ciphers / AEAD 2020-05-02 19:49:01 +02:00
Dirk Wetter 8e6c80ffba
Merge pull request #1601 from drwetter/xmpp_server_polish
STARTTLS xmpp-server polish
2020-05-02 19:41:24 +02:00
Dirk 7981a238a5 Comment out S2S XMPP server test for now 2020-05-02 19:40:45 +02:00
Dirk 05c90d4c3a remove add_tls_offered 2020-05-02 18:37:02 +02:00
Dirk 485bcc1888 Change Travis/CI environment to bionic
... as it comes with openssl 1.1.1 and we can check also XMPP S2S
protocol
2020-05-02 18:34:10 +02:00
Dirk 5da54b9ce8 fix var declaration 2020-05-01 21:42:41 +02:00
Dirk 9e61d6605e Perl needs a semicolon ;-/ 2020-05-01 19:17:58 +02:00
Dirk 191c69fbdd Minor probe for STARTTLS xmpp-server
... don't know whether this gets through -- depends on the
version openssl used (1.0.2 doesn't have that)
2020-05-01 18:39:36 +02:00
Dirk 1d7adebb4e Add HAS_XMPP_SERVER
... see also #1575
2020-05-01 18:32:22 +02:00
Dirk 0e6fb44bd3 add xmpp-server 2020-05-01 18:31:35 +02:00
Dirk 53ee37b046 XMPP server 2020-05-01 18:03:19 +02:00
Dirk Wetter 2b174821e4
Merge pull request #1575 from horazont/feature/xmpp-server
STARTTLS: add support for xmpp-server
2020-05-01 17:53:34 +02:00
Jonas Schäfer 4daf20585d STARTTLS: add support for xmpp-server
XMPP client-to-server and server-to-server links historically use
different XML namespaces. Some server implementations are strict
about this and will not proceed with the connection attempt when
the client namespace (`jabber:client`) is used on a
server-to-server link.

openssl s_client also supports `xmpp-server`.
2020-05-01 17:44:30 +02:00
Dirk f5a1884439 Merge branch 'magnuslarsen-grading_dev' into 3.1dev 2020-05-01 17:37:13 +02:00
Dirk ebe75252fa Merge branch '3.1dev' into magnuslarsen-grading_dev 2020-05-01 17:36:29 +02:00
Dirk Wetter aa702369c1
Merge pull request #1597 from dcooper16/use_has_x25519
Use $HAS_X25519 and $HAS_X448
2020-05-01 16:21:47 +02:00
Dirk Wetter ece209886c
Merge pull request #1598 from dcooper16/improve_libressl_302_compat
Improve compatibility with LibreSSL 3.0.2 and earlier
2020-05-01 16:16:28 +02:00
Dirk Wetter c52ba088cf
Merge pull request #1599 from dcooper16/improve_libressl_310_compat
Improve LibreSSL 3.1.0 compatibility
2020-05-01 16:12:28 +02:00
David Cooper a5a28d2457 Improve LibreSSL 3.1.0 compatibility
This commit addresses two compatibility issues with LibreSSL 3.1.0, which has added client support for TLS 1.3.

The first issue is that LibreSSL has named the TLS 1.3 ciphers that it supports AEAD-AES256-GCM-SHA384, AEAD-CHACHA20-POLY1305-SHA256, and AEAD-AES128-GCM-SHA256, rather than using the OpenSSL names, which are TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, and TLS_AES_128_GCM_SHA256. (Draft versions of OpenSSL 1.1.1 names these ciphers TLS13-AES-256-GCM-SHA384, TLS13-CHACHA20-POLY1305-SHA256, TLS13-AES-128-GCM-SHA256.) There are several places where testssl.sh checks whether a cipher suite is a TLS 1.3 cipher by checking whether its OpenSSL name begins with "TLS_" (or "TLS13"). In order to work with LibreSSL 3.1.0, these checks also need to consider names that begin with "AEAD-" to be TLS 1.3 ciphers.

Second, in sub_session_resumption() there is code that adds "-no_ssl2" to the "$OPENSSL s_client" command line if that option is supported. If "-no_ssl2" is not supported, then other protocol information is added to the command line. I believe this code was written with the assumption that any version of OpenSSL that supports "-no_ssl2" does not support TLS 1.3. However, LibreSSL 3.1.0 supports both. So, this commit changes the code to add the "-no_ssl2" option only if TLS 1.3 is not supported.
2020-04-30 11:08:04 -04:00
David Cooper cb67d91417 Improve compatibility with LibreSSL 3.0.2 and earlier
This commit addresses two compatibility issues with LibreSSL.

First, with LibreSSL, "$OPENSSL s_client" does not support the "-curves" option, so the "-groups" option needs to be used instead. Note that with LibreSSL, the command line "$OPENSSL s_client -groups $curve -connect invalid." will not work, as it will complain "no port defined," but will not indicate whether the specified curve is supported. Adding a port number fixes that problem. (There does not seem to be a need to include a port number for other tests, such as whether the "-curves" option itself is supported.)

Second, including "-out -" in the command line for "$OPENSSL genpkey" causes LibreSSL to create a file with the name "-" if the algorithm is supported. This is not an issue at the moment, since LibreSSL's genpkey does not support X25519 or X448. However, both genpkey with both OpenSSL and LibreSSL uses stdout as the default output if no "-out" is specified, so the "-out -" is not necessary.
2020-04-30 10:37:12 -04:00
David Cooper 541d960924 Use $HAS_X25519 and $HAS_X448
generate_key_share_extension() and prepare_tls_clienthello() currently check the $OPENSSL version number to determine whether X25519 and X448 are supported. The commit changes these functions to use $HAS_X25519 and $HAS_X448.
2020-04-30 10:26:56 -04:00
Dirk Wetter a1f6fe49ba
Merge pull request #1595 from dcooper16/ticketbleed_no_tls1_3
Ticketbleed and TLS 1.3
2020-04-30 10:01:28 +02:00
David Cooper 3db9d74c21 Ticketbleed and TLS 1.3
run_ticketbleed() and sub_session_ticket_tls() each include one call to "$OPENSSL s_client". For each of these calls the expected response is a TLS 1.2 or earlier ServerHello. However, if $OPENSSL supports TLS 1.3, then a TLS 1.3 ClientHello will be sent.

This commit fixes this problem in two ways. For the call in run_ticketbleed(), "-no_tls1_3" is added to the command line if "$OPENSSL" supports TLS 1.3. For the call in sub_session_ticket_tls(), this commit changes the function so that the same ClientHello version is sent as will sent by run_ticketbleed() via sockets.
2020-04-29 10:13:22 -04:00
Dirk a9d28949fe Clarify responsilility for rating 2020-04-28 21:13:36 +02:00
Dirk Wetter 97ac4c452e Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-28 15:07:33 +02:00
Dirk Wetter 3745e12673 Add latest changes (cherry picked from 3.1dev)
including the one since 3.0
2020-04-28 14:59:35 +02:00
Dirk db84e5c87c Add grade cap reasons and warnings to JSON/CSV 2020-04-28 13:38:23 +02:00
Dirk 13a76bc719 (try to) resolve merge conflict 2020-04-28 13:35:24 +02:00
Dirk Wetter 67780b1c3c
Merge pull request #1593 from drwetter/1590_readme_dev
Relax the possible GPL license contradiction
2020-04-28 10:08:19 +02:00
Dirk 88c04f5345 Relax the possible GPL license contradiction
... see also #1590
2020-04-28 10:06:29 +02:00
Dirk Wetter a3b84ce0c3
Merge pull request #1591 from drwetter/1583_changelog
Add latest changes
2020-04-27 19:20:14 +02:00
Dirk Wetter 50d10d00f7 Add latest changes
including the one since 3.0
2020-04-27 19:19:19 +02:00
Dirk Wetter 2854aafca6
Merge pull request #1583 from drwetter/dcooper16-extend_run_server_preference
WIP: Extended run_server_preference()
2020-04-27 18:52:51 +02:00
Dirk Wetter 680aff48e4 Update documentation related to extended run_server_preference() 2020-04-27 17:19:30 +02:00
Dirk Wetter 1e0ef23c81 Rename add_tls_offered --> add_proto_offered
... last but not least SSLv2 and SSLv3 are no TLS protocols
2020-04-27 17:12:25 +02:00
Dirk Wetter 8938c21703 Renaming proto variables in cipher_pref_check()
... to be consistent with ciphers_by_strength:

- proto --> proto_text
- proto_ossl --> proto
2020-04-27 17:08:43 +02:00
Dirk Wetter 3b92b0cf85 Remember better protocol settings in ciphers_by_strength() / cipher_pref_check()
... in cases where the protcol section has not been run before.

Also add " -\n" on the screen/html if protocol is not supported. Also for
SSLv2 which can be supported but at the same time not offer any ciphers
mention there will be an output on the screen.
2020-04-27 16:51:45 +02:00
Dirk Wetter 0a859d7b98 rename $p --> $proto_ossl in cipher_pref_check()
plus remove redundant quotes for that
2020-04-27 15:32:43 +02:00
Dirk Wetter 59b790ab3a
Merge pull request #1588 from drwetter/np_fix31
Negotiated protocol showed no warning for TLS 1.1/1.0
2020-04-25 11:13:43 +02:00