Commit Graph

3903 Commits

Author SHA1 Message Date
Dirk d858edca1b - filled PROTOS_OFFERED w sense
- minor fixes for fileout
- introduced "fixme()"
2016-06-07 23:06:58 +02:00
Dirk Wetter 1d051a24e0 Merge pull request #374 from dcooper16/CREDITS
Update CREDITS.md
2016-06-07 22:40:56 +02:00
David Cooper fa866f6458 Update CREDITS.md 2016-06-07 14:23:33 -04:00
David Cooper 253ba29cde openssl2rfc and rfc2openssl
This PR provides implementations of openssl2rfc and rfc2openssl. It also uses openssl2rfc() in run_server_preference() to help determine how to display the "negotiated cipher." I believe that using the RFC names addresses the current FIXME:

FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list"
2016-06-07 14:02:48 -04:00
David Cooper ec8420144d Merge branch 'master' into version_negotiation 2016-06-07 10:36:52 -04:00
David Cooper c13ae4a001 Merge branch 'master' into socksend_tls_clienthello_extensions 2016-06-07 10:35:32 -04:00
David Cooper c50f2cc796 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-06-07 10:33:21 -04:00
David Cooper 366025256b Merge branch 'master' into more_sslv2_sslv3_fixes
Conflicts:
	testssl.sh
2016-06-07 10:30:46 -04:00
David Cooper a6d59b5380 Merge branch 'master' into fix_issue_276 2016-06-07 10:24:56 -04:00
Dirk 8ed6214b6f preliminary fix for #189 (SIZELMT_W_ARND=true needed) 2016-06-07 13:02:58 +02:00
Dirk 29072315e5 output correction for IPv6 and --ip=<addr 2016-06-07 09:08:48 +02:00
Dirk 6f4ba5bda7 - corrected handling of shortened warning periods for LE certs (dual certs were wrong)
- (kind of) readded cert_key_algo in output
- smaller output fixes e.g. for GOST certificates
2016-06-06 13:42:17 +02:00
Dirk Wetter 4668b9879a Update Readme.md 2016-06-04 19:17:10 +02:00
Dirk Wetter efdcd805a9 Update Readme.md 2016-06-04 19:14:38 +02:00
Dirk Wetter 561cfa16fc - FIX #367 2016-06-02 21:31:24 +02:00
David Cooper b1e2fc7448 Merge branch 'master' into version_negotiation 2016-06-02 09:19:37 -04:00
David Cooper e8cc32af54 Merge branch 'master' into socksend_tls_clienthello_extensions 2016-06-02 09:16:45 -04:00
David Cooper f5fcff22d6 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-06-02 09:14:20 -04:00
David Cooper c593675b8e Merge branch 'master' into more_sslv2_sslv3_fixes 2016-06-02 09:09:57 -04:00
David Cooper fc6b5070af Merge branch 'master' into fix_issue_276 2016-06-02 09:08:24 -04:00
Dirk Wetter 6a9b0e01fc - polishing #366 and IPv6-related 2016-06-02 09:59:52 +02:00
Dirk Wetter 51f4c9ac9e Merge pull request #366 from typingArtist/365_fix_ipv6_handling
drwetter#365 fix ipv6 handling
2016-06-02 09:27:14 +02:00
David Cooper 6825c0b363 Allow for certificates with no subjectAltName extension
While it seems that almost all certificates include a subjectAltName extension, need to allow for the possibility that the two certificates being compared don't have subjectAltName extensions.
2016-06-01 16:20:10 -04:00
David Cooper 3bc0d6b45c Fix issue #276
Here is my proposed change to fix issue #276.
2016-06-01 15:57:40 -04:00
David Cooper a9cd3ec6ca Merge branch 'master' into version_negotiation
Conflicts:
	testssl.sh
2016-05-31 09:51:13 -04:00
typingArtist 2c69e83f5b https://github.com/drwetter/testssl.sh/issues/365 add UNBRACKETED_IPV6 quirks option
Since some OpenSSL binaries, namely Gentoo’s, don’t support bracketed
IPv6 addresses but unbracketed ones, specified as the -connect option,
the UNBRACKETED_IPV6 environment variable can be set to true for
disabling the automatic addition of brackets around IPv6 addresses on
such platforms.
2016-05-27 20:11:47 +02:00
typingArtist cf62353fc6 https://github.com/drwetter/testssl.sh/issues/365 ensure DNS PTR lookups use un-bracketed IPv6 address
While standard OpenSSL requires the literal IPv6 address enclosed
in [brackets], standard DNS lookup tools don’t support the additional
characters. Before making reverse PTR lookups, these brackets have to
be removed from the IPv6 addresses.
2016-05-27 19:54:23 +02:00
Dirk Wetter 1074c062c7 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-05-27 17:44:08 +02:00
Dirk Wetter e1a8306286 - try to address #352
- WARNING in fileout is MEDIUM now
- NOT ok for medium on screen squashed
2016-05-27 17:43:45 +02:00
Dirk Wetter 1ecad208fe Update Readme.md 2016-05-26 18:03:07 +02:00
Dirk Wetter 6fb15e83fa global $OPENSSL_NR_CIPHERS 2016-05-26 12:56:55 +02:00
David Cooper 4d059f7106 Merge branch 'master' into version_negotiation 2016-05-25 16:57:37 -04:00
David Cooper acc72a1daf Merge branch 'master' into socksend_tls_clienthello_extensions 2016-05-25 16:50:56 -04:00
David Cooper a503d883c7 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-05-25 16:38:23 -04:00
David Cooper f9757c4e4d Merge branch 'master' into more_sslv2_sslv3_fixes 2016-05-25 16:32:04 -04:00
Dirk Wetter 65193cdcee Merge pull request #361 from dcooper16/run_rc4_show_each_fix
run_pfs() and run_rc4() show each fixes
2016-05-24 23:47:23 +02:00
David Cooper 2a4d987f31 Merged master fixed conflict. 2016-05-24 14:19:19 -04:00
David Cooper e0c147ec86 run_pfs() and run_rc4() show each fixes
When run_rc4() is run with the "--show-each" option, but without the "--wide" option, a list of all RC4 ciphers is printed, without any distinction between those that are supported by the server and those that are not. This is the same issue I noted in #332 for run_pfs().

In run_pfs(), the displayed output was corrected, but all ciphers were still being added to $pfs_ciphers, so the list of supported PFS ciphers sent to fileout() was incorrect.

This PR fixes both issues.
2016-05-24 13:57:47 -04:00
Dirk 5a03e96304 - consequently removed "NOT ok" for not-av of TLS 1.2 2016-05-23 22:42:40 +02:00
Dirk Wetter bf17a17b70 - 3DES in standard cipher list is medium, thus "NOT ok" is too much (need for elegant general way for "medium")
(see also https://www.keylength.com/en/8/)
2016-05-23 18:56:05 +02:00
Dirk Wetter aa99c5eb88 - FIX #347
- LF removed in JSON
2016-05-20 13:45:53 +02:00
Dirk Wetter 803e363310 Merge pull request #356 from dcooper16/server_key_size
Fix typo in Server key size check
2016-05-20 08:16:48 +02:00
Dirk Wetter fbf25d7ae1 Merge pull request #357 from dcooper16/cert_sig_algo
Recognize more signature algorithms
2016-05-20 08:12:52 +02:00
David Cooper 2ffed62d53 Recognize more signature algorithms
This PR adds to the list of signature algorithms recognized in certificate_info().
2016-05-19 16:45:56 -04:00
David Cooper dccf9bef63 Fix typo in Server key size check
When certificate_info() is trying to determine what type of public key the server has so that it can determine whether the key size is acceptable, it sometimes looks at $cert_sig_algo rather than $cert_key_algo. This PR fixes that and also adds support for DSA public keys.
2016-05-19 16:39:06 -04:00
Dirk Wetter 9a1425da14 - FIX #354
- polish #353
2016-05-18 19:06:26 +02:00
Dirk Wetter 3dc94d2b3b Merge pull request #353 from dcooper16/parse_tls_serverhello_with_added_checks
parse_tls_serverhello() with added checks
2016-05-18 08:18:47 +02:00
David Cooper 2a0a382321 Don't use dec2hex
The dec2hex() was actually converting from hex to decimal. Since it was only being used in one place, and wasn't really needed there, I just deleted it.
2016-05-17 12:02:12 -04:00
David Cooper cba7fddbdd Revised parse_tls_serverhello()
Revised parse_tls_serverhello() to more carefully check the response for errors, and to provide for more flexibility (e.g., if handshake messages are split across multiple fragments).
2016-05-16 16:52:51 -04:00
David Cooper 07a8bd3143 Support version negotiation test
The new test in PR #346 sends a TLSv1.4 ClientHello, so socksend_tls_clienthello() needs to include the signature algorithms extension if $tls_low_byte >= 3 rather than only if it is equal to 3.
2016-05-11 09:24:07 -04:00