Commit Graph

2503 Commits

Author SHA1 Message Date
Dirk
41bc2fb70c - regression wrt what_dh 2015-10-03 00:14:52 +02:00
Dirk Wetter
f3cef41053 - some speed improvements (sed, tr --> bash internal s'n'r)
- revamped BEAST a bit: availability of higher protocols leads now to yellow color, see #208
- Fixed error in BEAST (no higher protos led to no message)
- made BEAST faster: one check for protocol ssl3+tls1 upfront, see #208
2015-10-01 13:27:14 +02:00
typingArtist
2ca6c2b0dc improved variable naming, scope and worked around length limitation of cipher list, as suggested by @drwetter 2015-09-30 14:54:39 +02:00
typingArtist
449aada392 fix CBC cipher selection
CBC cipher selection is not so easy using the openssl tool alone. Selecting the cipher based on the string CBC occurring in it would be right if it’s
about the RFC name of the cipher but not so with the openssl naming. Since CBC ciphers are not going to be continued anyway, I think it’s safe to take
a static list. However, it’s easy to extract it from the cipher list in openssl-rfc.mapping.html, but we certainly don’t want to require that file to
be shipped all the time.
2015-09-30 12:44:27 +02:00
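The naming mismatch described in the commit above can be handled without a shipped mapping file. The shell snippet below is an added example, not testssl.sh's static list: instead of looking for the substring "CBC" (which the OpenSSL names mostly lack, e.g. AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA), it decides CBC-ness by ruling out what is provably not CBC in the OpenSSL name: AEAD suites (GCM, CCM, CHACHA20-POLY1305), stream ciphers (RC4, the GOST 28147-89 counter mode), and NULL encryption. The cipher names fed to it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not testssl.sh code: classify a cipher by its OpenSSL name.
# The RFC names spell out "_CBC_"; the OpenSSL names mostly do not, so the
# reliable way is to rule out every non-CBC mode and treat the rest as CBC.

# cipher_mode OPENSSL_NAME -> one of: null, stream, aead, cbc
cipher_mode() {
    case $1 in
        *NULL*)                  echo null ;;    # eNULL suites: no encryption at all
        *RC4*|*GOST*)            echo stream ;;  # RC4; GOST89 runs in counter (CNT) mode
        *GCM*|*CCM*|*POLY1305*)  echo aead ;;    # authenticated encryption, not CBC
        *)                       echo cbc ;;     # AES/3DES/Camellia/SEED/IDEA/RC2 in CBC
    esac
}

# is_cbc_cipher OPENSSL_NAME -> exit 0 if the suite uses a block cipher in CBC mode
is_cbc_cipher() {
    [ "$(cipher_mode "$1")" = cbc ]
}

# filter_cbc: read OpenSSL cipher names on stdin, one per line (as produced by
#   openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n'), print only the CBC ones
filter_cbc() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        is_cbc_cipher "$name" && printf '%s\n' "$name"
    done
    return 0
}
```

Feeding it the real list from the local openssl (`openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | filter_cbc`) yields the CBC set for exactly the binary that will do the scanning, which is the property a static list cannot give.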
Dirk
1c1eaa53d8 - fix for renamed http_header function 2015-09-29 18:47:49 +02:00
Dirk
cac49cb1f1 - "--file" implicitly does "--warnings=batch"
- "--file" works now fine with equal sign
- fixed load balancer issue where header request stalled and testssl.sh consequently too
- http_date needed to be changed too because of that
- needed to estimate then the http_date when request was killed (HAD_SLEPT)
  will Mr. Spock like this??
- fixed load balancer issue where header request for breach test stalled and thus an error was displayed
- code improvements
2015-09-28 22:54:00 +02:00
Dirk
feaef680aa - IPv6 #11 is 80% working (whohoo!). Needed is an IPv6-capable openssl and HAS_IPv6=true in the environment
- FIX #191
2015-09-26 22:44:33 +02:00
Dirk Wetter
cc81642ee3 - FIX #202 (EV detection from TERENA/Digicert) 2015-09-25 14:35:42 +02:00
Dirk
a2efc201b7 - added a failure condition for trust check 2015-09-24 09:10:43 +02:00
Dirk
06466cca92 - proxy in determine_trust was missing 2015-09-23 09:03:47 +02:00
Dirk
0b1e573fc9 - FIX #190: Server temp key backport for RH-ish systems works now automagically
- just to be sure there's a cmd line flag --has-dhbit / env HAS_DH_BITS
- some reordering
2015-09-22 20:09:26 +02:00
Dirk
4b57a22f6e - FIX #198 (date env problem under BSD and maybe others) 2015-09-22 17:14:36 +02:00
Dirk
1668daa04e - NEW: chain of trust -- for openssl 1.0.2 only
- FIX #97
2015-09-22 15:05:59 +02:00
Dirk
3eeb1f9d9d - check whether dig, host or nslookup is there. The error message is now describing the cause 2015-09-21 16:43:47 +02:00
Dirk
23802e219d - FIX #197
- renamed a variable
2015-09-21 14:03:48 +02:00
Dirk
6406e1828d - minor polish of output 2015-09-19 15:03:40 +02:00
Dirk
413b64c44a - fixed proxy name resolution and make it more robust
- additional line if a proxy is used above rDNS
2015-09-18 15:12:01 +02:00
Dirk
945d26d222 - changed version number
- retabbed to five spaces
2015-09-17 15:30:15 +02:00
Dirk
58096d6633 2.6 release 2015-09-15 08:49:00 +02:00
Dirk
467988fb0a - improved resilience in cipher order check
- also improved compatibility there with intolerant IIS6 servers
2015-09-14 12:54:54 +02:00
Dirk
a2ba43ec78 - litemagenta should be used for non-fatal conditions / magenta for fatal conditions (prg terminates then) 2015-09-14 11:12:37 +02:00
Dirk
9b08cb7584 - FIX /workaround for #188 (https://github.com/drwetter/testssl.sh/issues/188)
- bumped up version to rc4
2015-09-14 11:03:10 +02:00
Dirk
a9f231b3ff - fix where an $PID"ERRFILE" was written 2015-09-09 16:41:32 +02:00
Dirk
d28317f2d0 - exit code always 0 unless an error occurred
- enable devel feature of SSLv2 via socket
2015-09-08 19:30:03 +02:00
Dirk
566a059250 - fix for issue when a non-HTTP service indicates a misleading non-match of certificate
- wildcard check
2015-09-06 18:21:08 +02:00
Dirk Wetter
b9bfa2355a fix for Scott Helme's multiple keys (https://scotthelme.co.uk/hpkp-toolset) 2015-09-04 14:19:06 +02:00
Dirk Wetter
422b4d511a minor cleanups for finding openssl binaries 2015-09-04 10:04:56 +02:00
Dirk Wetter
6a036cd7d4 removed hardcoded obsolete paths for binaries 2015-09-03 13:26:02 +02:00
Dirk
1c5870e3e3 typo, fix from Stefan Stidl (thx!) 2015-09-03 12:17:32 +02:00
Dirk
489baa1299 unify programming styles: ${var} --> $var, double square brackets instead of single 2015-09-03 12:14:47 +02:00
anoma
6b22851104 Typo. Inconsistent CVE string format
Trivial typo. All other CVE outputs are in the form CVE-XXXX-YYYY
2015-09-03 09:10:06 +01:00
Dirk Wetter
90930a2f78 - changed return code if someone dares to use dash as it hiccups
- catch users trying to use sh instead of real bash (#184), see http://www.gnu.org/software/bash/manual/bashref.html#Bash-POSIX-Mode
2015-09-02 12:56:03 +02:00
Dirk Wetter
45eb3ed662 better phrasing for LOGJAM, see #181 2015-08-28 17:43:38 +02:00
Dirk Wetter
90ead7a301 FIX #183 2015-08-28 17:06:07 +02:00
Dirk Wetter
412fb6fb05 FIX #182 2015-08-28 16:46:28 +02:00
Dirk Wetter
9b718d39d0 - removed VERBERR (is now DEBUG=2)
- hex2dec uses now internal echo instead of printf (which has problems with some chars in unexpected content if not properly used)
2015-08-28 14:59:04 +02:00
Dirk
b5818f6034 - FIX #177
- some by-catches while shellchecking
- minor cleanups
2015-08-28 00:15:51 +02:00
Dirk
c102bb6712 micro fix for the ESC code originating from tput test 2015-08-27 20:39:20 +02:00
Dirk
0d9370237c - FIX #172
- labeled TLS_FALLBACK_SCSV as experimental, to be improved in next release (remarks in code)
- removed experimental from FREAK check
- separated headerfile from errorfile, TLS handshake oids were sometimes misinterpreted as IPv4 addresses in header
- bumped up rc version
- linefeeds
2015-08-27 11:25:12 +02:00
Dirk Wetter
c93dc01b41 better service detection, dedicated line for NNTP and certificate stuff redirected to ERRFILE 2015-08-26 20:06:53 +02:00
Dirk Wetter
838112e6d2 - LibreSSL compatibility: recent pull spits out an error if cnf file isn't found (oh well) ==> introduction of #ERRFILE, good idea anyway
- commented what I wanted to achieve with the colors
- code cleanups
2015-08-24 23:50:03 +02:00
Dirk
aa91990fb3 - fix bug where a host name like AAA.BBB.CCC.DDD.in-addr.arpa.DOMAIN.TLS was taken as an ipv4 address
- freebsd 9 supports now also colors with setaf, Darwin?
- correct indentation of help
- improved parsing in command line so that where a distinct option is required it is also tested in the 1st place
- removed -q in help (deprecated as we might want to use it for other things in the future)
- fix: if $PWD/openssl was a dir it bailed out
- cleanup of fatal errors ==> provide ONE function
2015-08-24 22:17:35 +02:00
Dirk
83bf9067aa FIX #167 (# of certificates provided) 2015-08-23 21:16:34 +02:00
Dirk Wetter
6baf5e377c - sanitize '%' in general output function, avoids hiccups in url encoded strings
- FIX #178 (Security headers only key in green, not value)
- CSP rule for facebook has 127.0.0.1 which is labeled as IP address
2015-08-21 18:10:45 +02:00
Dirk Wetter
87cef93b6c - more solid parsing for HPKP header (FIX #163)
- X-UA-Compatible is now an "other" flag and key won't be swallowed
2015-08-21 12:43:10 +02:00
Dirk Wetter
394bde8ff5 output FIX for multiple CRLs (#165) 2015-08-21 10:47:29 +02:00
Peter Mosmans
cd4ba60f16 Fixes #174
Thanks to Ligushka
2015-08-18 16:07:24 +02:00
Jonathon Rossi
e8cbf1a699 Fix subject alternative name on darwin 2015-08-18 17:15:17 +10:00
Dirk
9afab04012 FIX #162 (leading space for rp banner and missing lf) 2015-08-17 20:13:52 +02:00
Dirk
405b0f10bf FIX #161 + small improvement on renegotiation 2015-08-15 21:33:17 +02:00
Dirk
e3fcd786f7 - FIX #160 -- removed code from #27
- bumped up version to 2.6rc2
2015-08-15 18:48:49 +02:00
Dirk Wetter
58a1c1c1da - expiration variables tunable via ENV
- cleanups expire section
2015-08-13 16:56:12 +02:00
Thomas Kähn
8963916b3b Fix certificate expiration check 2015-08-12 18:28:50 +02:00
Dirk Wetter
719536a44e FIX: Dilyan's bug where a STARTTLS service runs on a different port 2015-08-12 13:58:45 +02:00
Dirk
5bc6e5fda9 - if a record is local host it is shown now
- also look in /etc/hosts for MSYS2
- cosmetic improvements
2015-08-12 00:17:28 +02:00
Dirk Wetter
81b158431f NEW: showing # of detected pinned keys (HPKP) 2015-08-10 15:58:56 +02:00
Dirk Wetter
72aa8add5c FIX for missing CN (e.g. cloudflare) 2015-08-10 15:17:42 +02:00
Dirk Wetter
e6f0f79157 - FIX: rDNS ignores CNAME now
- some code beautified
2015-08-10 14:47:11 +02:00
Dirk
aa2b33fdb4 rp header fine tuning 2015-08-08 13:42:31 +02:00
Dirk
dc60d9360a reverse proxy banner alignment 2015-08-08 13:37:05 +02:00
Dirk
56e6f90308 FIX #158 (pagespeed header was identified as IPv4 addr) 2015-08-08 10:20:13 +02:00
Dirk Wetter
70ff293fb7 - fix for #156
- reverting #27. Catch is the functions are being initiated at a fixed time instead of while calling. This conflicts with the --color option which is done late. Other solution?
2015-08-05 11:31:55 +02:00
Dirk
f1fe2c3286 just renaming as rc1 for 2.6 2015-08-02 01:25:39 +02:00
Dirk
fcb8c5d0bc - FIX for multiple ip addresses for one mx host (didn't expect a matryoshka ;-))
- make dotted lines smaller
2015-08-02 01:16:27 +02:00
Dirk
ea1ab3b911 help for mass testing option in #153 2015-08-02 00:26:34 +02:00
Dirk
325abcfc06 - first shot for szepeviktor's color function maker #27 2015-08-02 00:03:30 +02:00
Dirk
9006234c34 - NEW: mass testing via --file
- FIX: ipv6 address in rDNS was ..umm err ....missing some chars
- rough ipv6 address detection (fixes single colon in "further ip addresses")
- FIX: facebook has EC certificate but signing algo is not EC
- FIX for wrong openssl location in banner
2015-08-01 23:11:27 +02:00
Peter Mosmans
c04497f2f6 Another fix for #140
Suppress awk warnings
Don't try to retrieve header information from openssl stderr output
2015-07-27 12:16:03 +02:00
Dirk
f45f91a07e - quiet mode for mass testing (see #148) w/o banner
- -q is now --devel
2015-07-25 14:33:08 +02:00
Dirk
d4f7dd0f91 * squash dirname err msg on FreeBSD
* numerous DNS related internal improvements
* FIX #137
* FIX #147
2015-07-23 17:11:33 +02:00
Dirk
013a24caea * improved DNS parser again, see #141 #140
* at least exit with -250 or worse if a problem occurs (rest still undefined, needs to be fixed, see #145/#100)
* renamed all top level tests in "run_" for better code
2015-07-22 13:11:20 +02:00
Dirk
c66a2c8f2e FIX #144: reverse screw up of hpkp function for BSD/Darwin 2015-07-21 20:35:49 +02:00
Dirk
784294b52d awk fixes for MSYS2 FIX #141, FIX #140 2015-07-21 14:20:15 +02:00
Jonathon Rossi
298a91d743 Fix bash 3 support
Mac OS X ships with bash 3, not 4. The case statement fallthrough and
continue operators were added in bash 4.
2015-07-21 15:11:20 +10:00
Dirk Wetter
f81b3a5c25 * GOST ciphers sometimes missing during scan
* help was not precise wrt some arg w no params
2015-07-20 14:05:35 +02:00
Dirk Wetter
66f0b22adb word match for -V / -x now only for non-numbers: testssl.sh -x cc google.com tests for chacha ciphers
(before only word matching was done, e.g.: testssl.sh -x ECDH chase.com)
2015-07-17 15:58:07 +02:00
Dirk Wetter
d9b9d2c2fb * path display error in banner fixed 2015-07-17 14:58:12 +02:00
Dirk Wetter
cda5eff12e * STARTTLS_SLEEP
* resolved misleading output STARTTLS + socket
* fixed poodle ciphers in code (but not used yet)
2015-07-17 14:33:23 +02:00
Dirk Wetter
f04ee57e79 * display shortened path to $OPENSSL in banner 2015-07-17 13:25:39 +02:00
Harald Wagener
4df61eed14 Update testssl.sh
Fix typo.
2015-07-17 11:05:07 +02:00
Dirk Wetter
54290b220a - Provide Darwin binaries and paths thereto
- provide also other static bins in $PWD/bin
2015-07-16 23:01:10 +02:00
Dirk Wetter
b157a26632 * EV certificate detection
* SSLv2 + STARTTLS protocol check always uses sockets now
* STARTTLS protocol now returns over sockets the TLS time (if available)
* few LibreSSL output oddities fixes
* output corrections for STARTTLS
* additional path for binaries (we change the path soon but leave both in the code for now)
2015-07-16 17:58:03 +02:00
Dirk
4c033bc0cc * header flags added 2015-07-14 20:44:04 +02:00
Dirk
2e40c2bde6 * misleading warning for DH bits for Negotiated cipher omitted if no DH or EC and OPENSSL <= 1.0.1 2015-07-14 19:58:04 +02:00
Dirk
32325d0643 * fix for scanning an IP address only
* server_preference: cipher adjusted
* some [[ and ]] in loops, hoping to speed up processing a bit
* cosmetic stuff
2015-07-14 17:13:58 +02:00
Dirk
2ae8f2d6e3 fix regression: port 25 is the one for --mx 2015-07-14 12:35:26 +02:00
Dirk
0b1c0dca46 FIX #132 (see also discussions in #133) 2015-07-13 23:41:49 +02:00
Dirk
dfc37bc892 workaround / FIX #134 (OPENSSL_CONF destroyed lookup via host/dig/nslookup) 2015-07-13 23:24:23 +02:00
Dirk
f95326cf21 * Liferay in header will be marked in yellow
* more tries to find openssl binaries (also those in git)
2015-07-12 18:46:27 +02:00
Dirk
3cf891bd5e * FIX #131 (EC certificate key size was criticized)
* FIX: if request w/o SNI didn't succeed it resulted in an ugly openssl error message
* FIX #51 (we try to initialize GOST engine before showing the banner)
2015-07-10 10:23:10 +02:00
Dirk Wetter
f1d8471a3d * heartbleed and ccs check enabled per default for STARTTLS
* performance improvements for sockets+STARTTLS (still only enabled via EXPERIMENTAL=yes)
2015-07-08 21:30:31 +02:00
Dirk Wetter
d3b8f8e0a2 cosmetic corrections (output) 2015-07-08 11:34:45 +02:00
Dirk Wetter
5944c35075 * if EXPERIMENTAL=yes is used, testssl.sh uses sockets for protocols, heartbleed, ccs also for STARTTLS!
* it's slow though (to be improved)
* renamed vars for proxy
* cleanups
2015-07-07 22:59:31 +02:00
Dirk Wetter
179d8700d1 * NEW: xmpphost support
* FIX for regression (80e26a75ef), config file GOST
2015-07-06 20:42:43 +02:00
Dirk Wetter
c08baa94b3 * CHANGE: some tuning variables are now booleans (see help)
* help() to reflect this
* cleanups
2015-07-06 10:10:46 +02:00
Dirk
80e26a75ef * Warning if LibreSSL is used #126
* FIX for screwed up output for fixed ciphers (FREAK, LOGJAM), see also #126
* GOST support now doesn't complain if MY config file already exists (minor fix)
2015-07-02 16:39:41 +02:00
Dirk
5acfc93d79 * couple of checks for new proxy option from John Newbigin #124
* minor cleanups for #124
2015-06-29 23:28:37 +02:00
Dirk
ddd680ac93 * merge #124 from jnewbigin
* fix my run time error
2015-06-29 22:29:15 +02:00
Dirk
15a672b521 * assertion vs. condition fixed 2015-06-29 10:41:56 +02:00
Dirk
93f5b8216d * FIX #125
* beautified some code / function names
2015-06-28 13:52:42 +02:00
Dirk
5d78c9421f * first tls_low_byte is now always 01 in TLS 1.0 --> TLS 1.2 (see openssl)
* removing TLS 1.2 check from sockets as IIS has a problem with it
2015-06-24 11:08:09 +02:00
Dirk
e121f944e9 * FIX: added missed downgrade (ret=2) in socket protocol check
* resorted helper functions to top
* cleanups (ok, renamed some functions)
2015-06-23 21:54:47 +02:00
Dirk
b575710634 * FIX in --ip=one
* straighten help()
* FIX ret value for no response in parse_tls_serverhello
2015-06-23 12:58:40 +02:00
Dirk
ae8f998f8f * help corrected, -e is standard 2015-06-23 07:56:56 +02:00
Dirk
a6c5a2af0d * handshake works now with SNI 2015-06-22 23:19:08 +02:00
Dirk
d3c793e6bc * help without <> now and |
* socket SNI issue: As it turns out Apache 2.2/2.4 is not behaving according to https://tools.ietf.org/html/rfc6066#section-3
2015-06-22 18:32:40 +02:00
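Two of the commits above touch the raw handshake that testssl.sh assembles for its bash-socket checks: 5d78c9421f (the record-layer version byte is always 01 for TLS 1.0 through 1.2, as openssl does it) and a6c5a2af0d / d3c793e6bc (the server_name extension from RFC 6066, section 3). The snippet below is an added example, not the project's own code: it builds the SNI extension and wraps it in a complete ClientHello record as a hex string, deriving every length field from the payload so that none can be miscounted by hand. The host name and cipher suite codes are constructed inputs, and the 32 random bytes are fixed at zero so the output is reproducible; a real probe would fill them from /dev/urandom.

```sh
#!/bin/sh
# Added example (not testssl.sh code): assemble a TLS ClientHello carrying a
# server_name extension, as a hex string ready for printf '\x..' to a socket.

# hex_of_string STRING -> lowercase hex of its bytes
hex_of_string() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# nbytes HEX -> number of bytes the hex string encodes
nbytes() {
    echo $(( ${#1} / 2 ))
}

# be16 N / be24 N -> N as big-endian 16-bit / 24-bit hex
be16() { printf '%04x' "$1"; }
be24() { printf '%06x' "$1"; }

# sni_extension HOSTNAME -> server_name extension (RFC 6066, section 3):
#   ext type 0x0000 | ext length | ServerNameList length |
#   name type 0x00 (host_name) | name length | name
sni_extension() {
    name_hex=$(hex_of_string "$1")
    entry="00$(be16 "$(nbytes "$name_hex")")$name_hex"   # one host_name entry
    list="$(be16 "$(nbytes "$entry")")$entry"            # ServerNameList
    printf '0000%s%s' "$(be16 "$(nbytes "$list")")" "$list"
}

# client_hello HOSTNAME CIPHERS_HEX [RANDOM_HEX] -> complete TLS record
#   CIPHERS_HEX: concatenated cipher suite codes, e.g. "c02fc02b"
#   RANDOM_HEX:  64 hex digits; defaults to all zero for reproducible output
client_hello() {
    host=$1
    ciphers=$2
    random=${3:-$(printf '%064d' 0)}
    ext=$(sni_extension "$host")
    body="0303"                                          # client_version: TLS 1.2
    body="$body$random"                                  # random, 32 bytes
    body="${body}00"                                     # session_id length 0
    body="$body$(be16 "$(nbytes "$ciphers")")$ciphers"   # cipher_suites
    body="${body}0100"                                   # compression_methods: null only
    body="$body$(be16 "$(nbytes "$ext")")$ext"           # extensions
    handshake="01$(be24 "$(nbytes "$body")")$body"       # HandshakeType client_hello
    # Record-layer version stays 03 01 whatever version the body offers; that is
    # what OpenSSL sends and what version-intolerant servers cope with best.
    printf '160301%s%s' "$(be16 "$(nbytes "$handshake")")" "$handshake"
}
```

To send it from bash: `printf "$(client_hello example.com c02fc02b | sed 's/../\\x&/g')" >&5` after `exec 5<>/dev/tcp/host/443`, then read the ServerHello back from fd 5. The SNI extension sits last in the record, so a server that ignores it (the Apache behaviour noted in the commit) can be diagnosed by comparing the certificate returned with and without the extension.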
Dirk
58a6f501b5 - better addressed no clear fallback responses, see #121 2015-06-20 19:36:11 +02:00
Dirk
633cdc209b - NEW: IP address detection now in HTTP header
- NEW: Varnish and Squid header detected
- NEW: option --ip=one is a shortcut and means just test the first ip
- CSP Report-Only in security headers
- New: Varnish and Squid header detected, OWA header
- all single tests in bold now
- no support for TLS 1.2 spits out "NOT ok" as it is not ok
- Medium ciphers and DES ciphers are not having aNULL and aDH ciphers anymore and have different colors --> ratings
- http-date is now in http header(), tls_time in server_defaults()
- http header reply is indented to same row as server defaults
- http status code is displayed clearly now
- BUGFIX: IPv6 address wasn't displayed
- cleanup
- application banner now in two lines if needed
- try a second time to get a http header if first one fails
- fix: case where % sign in ip address made printf hiccup (sanitized)
- fix: $url was in some functions empty
- fixed bug where some headers were displayed twice
2015-06-19 20:36:32 +02:00
Dirk
59299ce9e1 - FIX #119 (sed -E fails for old sed versions)
- std_cipherlists tuned
- fix for selfsigned certs (missed sometimes because of trailing space)
2015-06-17 11:33:29 +02:00
Dirk
06899f3cbf - introduced Reverse Proxy header
- FIX for OWA header
- beautified some header funcs
- fixed GET_REQ1?/HEAD_REQ1?
2015-06-16 23:00:47 +02:00
Dirk
478b8afac7 FIX: bail out better if $NODE doesn't resolve
cipher lists now with plural ending
added Liferay-Portal + X-OWA-Version for application banner
new http_header (still leaving old one in)
readability improvements
2015-06-16 19:53:40 +02:00
Dirk
e16ccd06b6 - testing all IP addresses of a node works now (refactoring of parse_hn_port into three functions) FIX #96
- SNI is unset if STARTTLS is set
- some BSD fixes (sed)
2015-06-16 14:04:44 +02:00
Dirk
4432faf497 "--ip" works now (see help)
little cleanups
2015-06-15 12:13:16 +02:00
Dirk
a98b67013a FIX #116
CRIME is lightred/litegreen as it is not as bad as ccs or heartbleed
 resorted some functions
2015-06-11 21:41:25 +02:00
Dirk
bdff6ba1bd - TLS_FALLBACK* was missing in the help #22 #118 2015-06-11 18:46:22 +02:00
Dirk
f9e4526f70 - polish of #118
- FIX #22
2015-06-11 18:33:06 +02:00
JonnyHightower
dc548f1cfc Added check for TLS_FALLBACK_SCSV support in local OpenSSL binary.
In TLS_FALLBACK_SCSV check, added unique socket address to temporary
file name in order to support multiple simultaneous instances.
2015-06-10 17:38:39 +01:00
JonnyHightower
0e36255fb9 Added a check for TLS_FALLBACK_SCSV 2015-06-08 17:19:34 +01:00
Dirk
0f5c4981cb - more or less desperate try to figure out the real installation path (and find the mapping file)
- help extended (equal sign, logjam)
2015-06-02 22:13:19 +02:00
Dirk
4081b2eef4 - wrong arg for dirname ($1) 2015-06-02 15:59:17 +02:00
Dirk
06c3b06a7a - regression fix on mapping file 2015-06-02 15:53:46 +02:00
Peter Mosmans
8e4970c408 Minor textual fix (added space) 2015-06-01 14:16:31 +02:00
Dirk
cac985967f - first prototype for using = in cmdline, see #108. Tests needed
- beautified big case loop
2015-06-01 12:01:38 +02:00
Dirk
452fd6762a - local dns matches don't need lookup anymore over net --> saves timeouts+time
- further banner tuning + function mybanner, 2 addtl global vars for debugging
- cosmetic improvements
2015-05-31 14:40:12 +02:00
Dirk
77ad7c9252 - the outsticking part was kind of not handy, see #113, remove commit message 2015-05-30 11:36:47 +02:00
Peter Mosmans
764f20dbcf FIX: Show version when specified on command line
ADDITION: Show git commit information, to support troubleshooting.
2015-05-30 11:13:57 +02:00
António Meireles
faa9c49a2b fix spelling typos.
Signed-off-by: António Meireles <antonio.meireles@reformi.st>
2015-05-29 18:56:57 +01:00
António Meireles
4064332234 trim all whitespace at EOL.
also, align comment blocks for better code readability.

Signed-off-by: António Meireles <antonio.meireles@reformi.st>
2015-05-29 18:44:32 +01:00
Dirk
9b2b897a43 - make date even more beautiful, see #110
- fix RUN_DIR
2015-05-29 14:12:22 +02:00
Dirk Wetter
e14453b607 Merge pull request #110 from AntonioMeireles/master
simplify life for OSX users running gnu's coreutils...
2015-05-29 11:01:47 +02:00
Dirk
41ee37f0dc - per default we do an allciphers run in the end
- option long changed to wide
- PFS now is per default not wide
- PFS comes after standard cipher lists
- debug output improved (in terms of privacy and additional info)
2015-05-29 10:36:14 +02:00
Dirk
2ac34c1424 - early check to make sure people really use bash, see #109 2015-05-29 10:08:17 +02:00
António Meireles
4063e38ccf simplify life for OSX users running gnu's coreutils...
Signed-off-by: António Meireles <antonio.meireles@reformi.st>
2015-05-28 16:56:37 +01:00
Dirk Wetter
8b10dc9638 - code improvements rc4, beast, logjam, freak 2015-05-27 23:31:25 +02:00
Dirk Wetter
f9605c4f35 - BEAST now also works in wide mode
- renamed --long in --wide
- added --show-each to help
- inserted help
2015-05-27 17:04:35 +02:00
Dirk Wetter
a76ca52c4c - first candidate for logjam (missing the precomputed primes though)
- 1024 DH is now brown instead of red, 768 will be red, 512 bold red
- dumped calls to ok()
- further cosmetic stuff
2015-05-27 14:28:18 +02:00
Dirk
ed38a365ae - fix regression on missing rfc cipher names
- cosmetic stuff
2015-05-27 11:19:30 +02:00
Dirk
060178071d - for pfs, allciphers and cipher_per_proto we WARN now because of weak DH param (if openssl supports it)
FIX #106, #85
- logjam not yet named (#105, #107) but addressed
- --openssl switch
- reorder find_openssl_binary / mybanner
- proper indentation of help
2015-05-26 12:51:10 +02:00
Dirk
3c161f9ce4 - blanks in headlines added 2015-05-25 21:22:21 +02:00
Dirk
9c7d385098 - omit 1xblank in almost all colored output (and adjust the functions using it)
- little bit more robust for strange keysize and dh bits
- added ecdsa-with-SHA256 to Signature Algorithm
- FIX: no TLS1+SSL3 resulted in no output for BEAST
2015-05-25 21:14:59 +02:00
Dirk
e58b53eeae - dh key length in negotiated cipher at first, see #85, #105, #106
- got rid of ok function calls in protocols
- detection of apache banner win32/win64
2015-05-25 15:10:09 +02:00
Dirk
a7a19428d6 - FIX for #104: check for hpkp pin match failed if \" was present 2015-05-18 23:10:34 +02:00
Dirk
0c4a36121e - NEW / FIX #104: check for hpkp pin match 2015-05-18 21:51:45 +02:00
Dirk
7cc15e5d4d - 2.4 2015-05-17 22:43:53 +02:00
Dirk
2919a7c40e - 2.4!
- FIX #92
- FIX for TLS time (difftime was too small for local clock skew)
- warning for freebsd/macosx w/o ports needs now a "yes"
- TLS 1.0 not offered is not bold anymore
- output weirdness fixed for cipher order in spdy
2015-05-17 22:30:49 +02:00
Dirk
6e74b3bd5c - FIX of output when there's no CBC cipher in BEAST
- FIX: 2 occurrences of OPENSSL calls had a hostname instead of an IP address
- FIX: starttls protocol correctly displayed
- NEW added duplicate detection for header flags
- NEW: added four GOST cipher to standard socket handshake
- recommends if openssl 1.0.2 is used and results were strange and IIS6 --> run with openssl 1.0.1
- declared some global vars as readonly
2015-05-15 21:32:11 +02:00
Dirk
16d2b33459 - Workarounds for IIS6 #99 : some places where openssl 1.0.2 cannot connect (as opposed
to =< 1.0.1) finding the right protocol before
- hints for IIS6+openssl 1.0.2 non-conformity #99
- version bumped up to 2.4rc2
- better formatting for BSD in cipher order
- FIX: 2x bug for cipher order + sslv2
- preamble revisited
2015-05-12 13:37:39 +02:00
Dirk
3a64bd1005 - WONTFIX remarks for #103 and #102
- better warning for openssl < 1.0
2015-05-11 16:58:57 +02:00
Dirk
35d8469f67 URL_PATH regression fixed 2015-05-11 10:47:26 +02:00
Dirk
08fe890d5f - two fixes from #40 reported by @salt-lick 2015-05-11 08:52:40 +02:00
Dirk
19fc021587 - FIX: 30x with BigIP doesn't have a date, handled properly now
- generic GET/HEAD is now always with URL_PATH
2015-05-10 23:38:06 +02:00
Dirk
0050df5529 - informative header extended 2015-05-10 20:54:43 +02:00
Dirk
2f79ba52fc - NUMEROUS FreeBSD9/Darwin FIXES #40
- http date
  - cipher list in preferences
- GET_REQ11 now closes the connection
- openssl_age comes after the banner so that help doesn't need to go thru this
- uname -s ==> SYSTEM
2015-05-10 19:20:55 +02:00
Dirk
0aa8ac7e76 - more robust wrt IIS6 (some stuff better with IIS7)
- X-Powered-By is easy to remove (PHP, ASP.NET), thus labelled as yellow
- same X-AspNet-Version (version # itself is brown)
- better addressed address resolution failures ;-)
- bumped up version to 2.4rc1
2015-05-06 18:48:51 +02:00
Dirk
f3f3967bd1 - FIX #87 (2), finally
- feature: integrated TLS+HTTP time into server defaults
- NEW: option: -U/vulnerable
- moved explanation for BREACH into result
- FREAK and CCS are not labeled experimental anymore
- unifying of get request headers
- readability of help
2015-05-02 15:01:02 +02:00
Dirk Wetter
2aa82e5164 - partly FIX for #87 (removed SNI helps. Doesn't make sense anyway)
- changed order of Secure Renegotiation/Secure Client-Initiated Renegotiation
- readability improvements in renego
2015-05-01 12:18:43 +02:00
Dirk
d766a0b459 - fix additional \n in RC4 if no RC4 ciphers were detected 2015-04-28 08:04:09 +02:00
Dirk
1ea7a0947f - RC4 has now 2 CVEs and cipher per default are displayed short
- introducing a variable name LONG which for certain funcs shows broad output with hexc, cipher, KX, etc.
- FIX: regression not showing security headers
- introducing VULN_THRESHLD
2015-04-22 18:24:39 +02:00
Dirk
3891f5b13b - FIX #83
- emphasize also OS names in HTTP headers
2015-04-22 15:22:53 +02:00
Dirk
06bd8b2517 - FIX for complete bailing out 2015-04-22 11:56:13 +02:00
Dirk
bafce6edce - reordering code so that all attacks are together
- RC4 is now really omitted in PFS test
- cleanup of some comments
2015-04-22 10:33:44 +02:00
Dirk
5bec0a16c9 - better compatibility with windows 2003 server
- all long options are advertised now as with dashes and not underscore
- cosmetic stuff
2015-04-20 10:05:01 +02:00
Dirk
7b6dba6369 FIX for #82 2015-04-18 23:03:16 +02:00
Dirk
5625ee536e - BUGFIX: IIS server lead to false positive if SSLv3 was enabled
(timeout was faster than socket reply)
- FIX: CORS header not labeled as green
- NEW: Now also STARTTLS works with all cmd line options and is absolutely doing the same stuff!
  (integrated starttls() into parse_hn_port() )
- option --mx needed to be changed because of starttls
- regression fix: exec for socket doesn't play nice with stderr redirect
  (probably bash bug)
- added some env options to cmd line as long args (--assuming-http,--ssl_native,
  --color, debug, --sneaky, --warnings)
- threw away getent as it doesn't work under Linux && not network && localhost
  (replaced by grep)
- SSL-POODLE is not labeled anymore experimental
- HB+CCS are called while checking STARTTLS but given a hint that its not yet supported
- added more env vars to debug output
- cleanups
2015-04-16 20:36:17 +02:00
Dirk
f682c5ceea - FIX regression: more_flags execution was missing
- FIX regression: capitalized/all lowercase headers weren't detected
- if socksend is blocked (IDS) output looks better and is reported as test didn't succeed
- no secure cookie or Httponly will be marked as brown
- tput color yellow is now brown
2015-04-14 13:16:43 +02:00
Dirk
9d5168dbb5 - more robust grep >=2.20, e.g Debian 8.0 (thx @stevenb18)
- FIX: false positive for breach while testing google.com (referer header was hardcoded to google.com)
2015-04-14 10:15:07 +02:00
Dirk
683e9dccab - FIX (regression): -V
- logic of some ENV variables changed (attention!)
- included some ENV as long options (not in the help yet)
- decentralized http check for breach
- if openssl is not executable it bails out better now
- help function now exits
2015-04-13 22:55:40 +02:00
Dirk
a12d39769f - underline CN, SAN and issuer deutschepost case (see sourceforge.net/p/ssllabs/mailman/message/33764851/) 2015-04-10 15:15:47 +02:00
Dirk
53e0955dfb FIX: missing server preferences, NEW: each cipher server preferences per protocol! 2015-04-09 22:08:48 +02:00
Dirk
a98161acc9 - fixes to changes from Peter's better cmd line parsing
- cosmetic improvements (vulnerabilities)
2015-04-09 21:42:52 +02:00
Peter Mosmans
c8d169cc0f Removed GNU getopt
Minor fix to --poodle option
2015-04-07 18:05:52 +10:00
Peter Mosmans
9780e83895 Refactored major parts of code
Note that due to the refactoring of some status messages, the output will be slightly different (more verbose) than previous versions

Moved specific status messages to http_header()
Moved specific status messages to breach()
Moved specific status messages to ccs_injection()
Moved specific status messages to heartbleed()
Moved specific status messages to renego()
Moved specific status messages to crime()
Moved specific status messages to tls_poodle()
Moved specific status messages to freak()
Moved specific status messages to beast()

Added some more documentation for functions

Fixed typos in help

Created new function main:
This is the main function of testssl.sh
Refactored major part of the original main function

Created new function startup:
Parses the startup options

Created new function intialize_globals:
Initializes all used global variables

Created new function scanning_defaults:
Sets default scanning options when only one parameter (URI) is given

TODO: Refactor more/duplicate parts of functions

Note: For the new functions, fixed spaces (4) are used instead of tabs
2015-04-07 17:00:43 +10:00
Dirk
84aca9d9a3 FIX #80: show HTTP 401 2015-04-02 13:35:22 +02:00
Dirk
2cc56c4d1f NEW: added security headers 2015-04-02 13:04:57 +02:00
Dirk
8da96f78f2 - got rid of "strings" 2015-04-02 12:19:24 +02:00
Dirk
940f51e74b protocol check via sockets now also for SSLv3 2015-03-31 10:34:30 +02:00
Dirk
9ed58b6202 cleanups / bsd date in tls time 2015-03-30 23:09:19 +02:00
Dirk
d9ae35fc7e open fixes from Rechi (pull request #67) 2015-03-30 14:59:44 +02:00
Dirk Wetter
7f4fc5902e Merge pull request #75 from feld/tr
Using square brackets in tr results in trying to match/replace them
2015-03-19 09:14:54 +01:00
Dirk Wetter
f4c9f692d2 Merge pull request #76 from feld/printf
Fix variable directly referenced in printf
2015-03-19 09:14:32 +01:00
Mark Felder
819e6e6163 Fix variable directly referenced in printf 2015-03-18 15:43:06 -05:00
Mark Felder
63a1df1fe2 Using square brackets in tr results in trying to match/replace them 2015-03-18 15:42:21 -05:00
Dirk
2d0bfca343 - FIX for 3des cipher report (thx Дилян) 2015-03-17 22:12:25 +01:00
Dirk
ca6ca5d47e - added two pairs of ciphers to server preference (thx Dilian) 2015-03-17 22:02:23 +01:00
Dirk
2faad9de9a - working tls handshake with bash sockets (not yet in production, hint: see option "-q" in the bottom) 2015-03-17 18:11:18 +01:00
Dirk
c159af7f42 - check whether openssl is executable
- spaces to tabs
- adding hint to "aha" in help
2015-03-17 15:14:58 +01:00
Dirk
263535520f - FIX for date --> applied to other BSD systems too
- FIX for SNI output as it doesn't make sense for non-HTTP services
- lines for RC4 and PFS shortened
- display all MX records to test before testing
- removed LOCERR, added CCS_MAX_WAITSOCK, HEARTBLEED_MAX_WAITSOCK
2015-03-17 12:22:21 +01:00
Dirk
f8ba69f9fb - some internal code cleanups
- minor cosmetic output corrections
- preparation for bash sockets for SSLv3 to TLS 1.2
2015-03-16 00:22:51 +01:00
Dirk
4556108a72 further improvements through shellcheck 2015-03-15 16:59:29 +01:00
Dirk
68695bbad3 FIX #74 for sed BSD: doesn't like inline \n
headline for BEAST was missing
2015-03-15 16:10:14 +01:00
Dirk
655944bd4d - FIX: regression for wc -l w/o cat (3x)
- removal of unnecessary waitpid, inline
2015-03-15 14:41:34 +01:00
Dirk
fbd383f345 - prework for checking hpkp fingerprints 2015-03-15 10:18:37 +01:00
Mark Felder
2684f5c392 Make date command work with both Linux and FreeBSD 2015-03-13 15:51:50 -05:00
Mark Felder
6f15652121 Merge branch 'master' of github.com:feld/testssl.sh 2015-03-13 15:24:37 -05:00
Mark Felder
8cdd516ad1 more ps >/dev/null fixes
more useless cat
2015-03-13 15:24:16 -05:00
Mark Felder
8d965f7c71 More useless cat 2015-03-13 15:19:47 -05:00
Mark Felder
7babe7478d Remove 2>&1 for the ps $pid lines; it's unnecessary 2015-03-13 15:16:21 -05:00
Mark Felder
c83e1b98e2 Merge branch 'master' of github.com:feld/testssl.sh 2015-03-13 15:12:45 -05:00
Mark Felder
8ad1cca0ab Remove useless kittens 2015-03-13 15:10:36 -05:00
Mark Felder
4cdc89aa61 Revert to 2>&1 > /dev/null order because it isn't behaving correctly. 2015-03-13 14:56:30 -05:00
Mark Felder
59ed025f36 Replace expr with $(( ))
https://github.com/koalaman/shellcheck/wiki/SC2003
2015-03-13 14:54:36 -05:00
Mark Felder
73202da2fd Fix missing single quote 2015-03-13 14:26:02 -05:00
Mark Felder
b7b88a03e7 Fix order of the redirect
https://github.com/koalaman/shellcheck/wiki/SC2069
2015-03-13 10:00:14 -05:00
Mark Felder
305fcca2ae Replace backticks with $(..)
https://github.com/koalaman/shellcheck/wiki/SC2006
2015-03-13 09:52:39 -05:00
Dirk
c1ca5a641b - FIX garbled output for servers with a TLS reply on SSLv2 socket call 2015-03-13 12:20:19 +01:00
Mark Felder
f037a3f811 Minor optimizations to reduce unnecessary forking 2015-03-11 12:13:38 -05:00
Dirk
d8d8318f6d FIX for #71 (proper workaround for lastpipe in rc4, pfs, and cbc) 2015-03-09 08:07:45 +01:00
Dirk
77e28922c1 - NEW: proper check for freak CVE-2015-0204
- NEW: check for number of keys for hpkp
- cleanup hsts+hpkp
2015-03-07 09:51:55 +01:00
Dirk
f23904b35f - MX record: the lower the # the higher the priority (thx, rechi) 2015-03-03 07:21:30 +01:00
Dirk
55e8908234 - finalize mx records, FIX: #41 2015-03-02 14:42:28 +01:00
Dirk Wetter
2614c093d7 Merge pull request #66 from Rechi/master
Check MX Records (#41)
2015-03-02 14:13:33 +01:00
Dirk
37fa44cecf - remark about rc4 rfc 2015-03-02 14:09:34 +01:00
Rechi
81afa43755 Check MX Records (#41) 2015-02-28 14:12:58 +01:00
Dirk
29214c7a1f - better detection for ssl poodle
- change of shortcut from zero to letter o
2015-02-27 21:21:39 +01:00
Marc Schütz
274ee394e8 Don't let error message slip through when no certs have been downloaded 2015-02-24 18:10:28 +01:00
Dirk Wetter
868c813055 Merge pull request #64 from PeterMosmans/spellingfix
FIX: minor spelling issue
2015-02-24 10:03:32 +01:00
Peter Mosmans
5440b24b92 FIX: minor spelling issue 2015-02-24 14:57:43 +10:00
Dirk
8aa8254c2d - FIX #62 (CentOS 7/RHEL: engine failure), was not usable b4 2015-02-23 10:40:10 +01:00
Dirk
d0d7bb47e2 - FIXED: #47 ("double" linefeed if RFC mapping file is not present) 2015-02-22 23:05:40 +01:00
Dirk
e2448ea95d - NEW: tells how many certificates provides (and grabs them with DEBUG=1)
- COLOR for no cipher order is red now
- "VULNERABLE" comes now always with "NOT ok"
2015-02-21 11:47:12 +01:00
Dirk
bacb3b69ba - FIXED: #38, new openssl from peter mosmans makes the workaround unneccessary 2015-02-21 10:38:04 +01:00
Dirk
b261c1079a - Fix #55 (302 detection for URL) 2015-02-15 14:00:13 +01:00
Dirk
f203b8b299 - Fix #46 (preload lists HPKP and HSTS)
- word match for includeSubDomains (useful if one specified the keyword wrong)
2015-02-15 13:37:44 +01:00
Dirk
b0a40ae1e8 - FIX #60: mod_security CRS doesn't complain anymore 2015-02-15 13:14:11 +01:00
Dirk
ab48c66f74 - certificate sha2 fingerprint added (#59, @kyhwana)
- sha1 fp: removed colons as long serials after it look ugly (lf)
2015-02-15 12:58:51 +01:00
Dirk
e5a015b842 - workaround for issue #58, same in http_header
- FIX: if a web site returned IMAP e.g. in HTML code it may have led to the assumption IMAP is the service ;-/
2015-02-13 16:01:46 +01:00
Dirk
d15d5b0c6f - FIX regression: CRIME check
- FIX: port ended up sometimes as URL part
- also if it runs http a line is displayed as confirmation that HTTP was detected
2015-02-12 13:40:53 +01:00
Dirk
d9e4873fda - WORKAROUND for bug in PeterMosmans OPENSSL chacha/poly version: not testing EXPORT40/EXPORT then 2015-02-12 09:32:47 +01:00
Dirk
d98aa626e7 - NEW: check for Secure Client-Initiated Renegotiation
- debugging #1: PS4 and debugme
- debugging statement tmpfile_handle where missing #2
2015-02-11 09:43:04 +01:00
Dirk
ed04b636da - starttls for ldap now also supported 2015-02-09 14:02:02 +01:00
Marc Schütz
4fc8111c0a Trivial typo fix
noone => none
2015-02-07 17:30:36 +01:00
Dirk
f30d7568e7 - checking prototype of tls sockets but not called/working yet
- small fixes $DEBUG
2015-02-04 09:48:34 +01:00
Dirk
1b8d96f1d8 - NEW: certificate fingerprints + serial 2015-02-03 23:46:47 +01:00
Dirk
d2b833b2fa - TLS 1.0/1.1 is not green anymore, only TLS 1.2 is the real one!
- no bold for 3DES and medium
- nslookup for MSYS2 etc. having no hosts (and fixing error message if host doesn't exist)
2015-02-03 23:20:59 +01:00
Dirk
4f1ca24bd2 FIX: expiration threshold < 30 days 2015-01-30 16:26:55 +01:00
Dirk
85bc14c946 - FIX: STARTTLS is the criteria for using bash sslv2 or not, not the service 2015-01-29 23:24:49 +01:00
Dirk
16c804d4ca FIX: BEAST (supports higher protocols only when CBC ciphers detected)
- FIX: URL in app banner
- cosmetic issue: display also if one cookie was issued the number 1
2015-01-29 23:20:58 +01:00
Dirk
89012a7a42 * NEW: protocol check SSLv2 in bash sockets per default (HTTP)
(fallback to openssl with SSL_NATIVE=1)
2015-01-29 10:46:16 +01:00
Dirk
5e864c28b4 * NEW: emphasize any numbers in http header output
* internal renaming of color functions ( --> pr_*)
* new color switches (tput)
* $COLOR is treated as integer not string
* for some issues color adjusted accordingly (red --> brown/yellow)
2015-01-29 09:33:35 +01:00
Dirk
3abaad5eb1 Merge branch 'master' of github.com:drwetter/testssl.sh 2015-01-28 15:31:13 +01:00
NV
e3a66f5a70 Fix GOST handling in LibreSSL 2015-01-28 14:17:27 +09:00
Dirk
d35e2f95b8 fix for wrong # of HttpOnly cookie 2015-01-23 15:09:35 +01:00
Dirk
84caf9ffd1 fix for double line and double application banner 2015-01-23 12:17:27 +01:00
Dirk
baadfd0492 BREACH is not labeled as experimental anymore as it works reliably
- so is heartbleed
- FIX: shopt is removed in rc4 as most of the bash shells segfault here (bug!)
- not tested anymore for HTTP within starttls, instead displaying here a line
2015-01-23 12:01:32 +01:00
Dirk
6c6511ddb2 - VERBOSE -eq 1 is now DEBUG -eq 2 (VERBOSE completely removed)
- DEBUG has now four modes 1: just keep files 2: VERBOSE -eq 1 3: head hexdumps and other stuff, 4: full debugging
- env and internal stuff $TEMPDIR
2015-01-21 12:53:00 +01:00
Dirk
d5924eedc4 - BEAST finally works
- handling of spaces in output
- different ciphers
- FIX: setopt also for RC4 (proper handling of ret value)
2015-01-20 21:59:21 +01:00
Dirk
28330dc6fc first prototype BEAST | FIX: maketempf in initialize_engine | FIX: exit statements in main w/ more meaning/shorter 2015-01-20 21:51:49 +01:00
Dirk
5853202efd fine tuning on banner 2015-01-15 20:29:46 +01:00
Dirk
4c6f0d9a50 - FIX: grep -a if we hit binary content with http_header (also if otherwise specified)
- NEW: can specify URL (used for header matters and breach)
- FIX: better handling of >1 cookies
2015-01-14 12:23:53 +01:00
Dirk
3d81a7b5ec * NEW: cookie flags (experimental) [URL is missing]
* FIX: 30x handling for http_header (hint for final URL if stalled)
* FIX: proper display of app-banners if >1
2015-01-14 09:48:44 +01:00
Dirk
cedeff2b42 typo in tempdir led to missing gost cipher 2015-01-08 14:16:22 +01:00
Dirk
8a3e0267ba safer batch processing if port isn't available 2015-01-06 16:25:19 +01:00
Lars Windolf
d1ab23c146 Change question logic on non-SSL port
Idea is to bail out per default (with WARNINGS=off) this makes batch processing possible
as often testssl.sh hangs for minutes or endless on non-SSL ports.
2015-01-03 11:41:35 +01:00
Dirk
eae1b2810f - check for CN wrt SNI / no SNI
- fix different responses for CACert
2014-12-23 09:59:03 +01:00
Dirk
4aa674d138 - Negotiated cipher per proto
- nr_ciphers of used openssl version in banner
- spdy_pre check
- -testversion_new --> -testversion
2014-12-21 23:22:50 +01:00
Dirk
a570d907e9 - Cipher order check! (also for starttls)
- includes a remark 4 default_cipher (limited sense as client will pick)
- selfsigned certs: error!
- number of local ciphers in check with allciphers
2014-12-21 00:47:23 +01:00
Dirk
21493fb788 - tempfile handling: every function leaves one, if DEBUG is set
- FIX*2: OPENSSL_CONF/GOST_CONF
2014-12-19 17:02:26 +01:00
Dirk
8635012cf5 - subjectAltName 2014-12-19 07:12:20 +01:00
Dirk
521a7160a9 - NEW: certificate info, details:
- NEW: CN, SAN
- NEW: OCSP URI
- NEW: CRL distr point
- NEW: Issuer
- NEW: expiration
- NEW: signature algo
- renamed cmdline --simple_preference to --server_defaults
- now we have a TEMPDIR where all files are written to
- function or handling/removing TMPFILE
2014-12-18 09:33:24 +01:00
Dirk
b40c0b7178 - RELEASE: final 2.2
- change of cmd line order for STARTTLS
- help more clear
2014-12-08 10:32:51 +01:00
Dirk
b3efb3c4b0 - BUGFIX: potential stalling in HTTP Header query
- BUGFIX: HTTP specific vuln. won't be checked if service is not http (we still
check crime and also spdy => gmail has spdy for pop and imap)
- Feature: service detection: HTTP, IMAP, POP, SMTP
- alignment in rDNS output corrected
- minor cleanup / improvements
2014-11-30 01:30:20 +01:00
Dirk
27f06f8d50 - BUGFIX: BSD now has proper heartbleed and ccs injection detection
- significant code improvement of hex-byte parser <-> socket sender
- BUGFIX: BSD now doesn't put an extra \n if rfc map file is missing
- bumped to 2.1rc3, hoping that'll be the last
2014-11-27 21:33:33 +01:00
Dirk
c034cd8a95 - for colors: double square brackets (might save a fork to "[" or "test")
- in terms of debugging cleaned up listciphers/std_cipherlists
- in other terms too
2014-11-25 13:12:24 +01:00
Yuri
19f936bece Fixed the problem when COLOR=0 caused 'printf' to break due to leading dashes interpreted as command line options. 2014-11-22 12:15:47 -08:00
Peter Mosmans
c3ab016164 Fixed minor redirection typo for 'which' command 2014-11-22 12:57:36 +10:00
Dirk
d4265742b1 color codes for protocols and default ciphers reflect better a rating
- fix: heartbleed function needed a $TMPFILE for determining the TLS protocol
- version bumped to 2.1rc2
2014-11-20 10:46:55 +01:00
Dirk
5dd4a8f3fa - fix in cleanup (while debug)
- wrong cmd line option --> help instead of error
2014-11-19 22:23:13 +01:00
Dirk
05877dca93 - protocol check stream lined: similar now for every protocol
- NPN/SPDY is not green anymore
2014-11-19 18:04:43 +01:00
Dirk
d77b667489 - protocol w/o cipher (only SSLv2 so far)
- for EVERY protocol now check whether $openssl supports it
- better fail for PFS if there are no local ciphers
2014-11-19 17:08:59 +01:00
Dirk
99e472ac01 - banner (openssl version build date, platform) slightly changed
- even clearer warning upon old openssl version (MacOSX!)
- oparoz hexdump patch
- heartbleed doesn't do a precheck anymore --> just sockets as it may lead to false negatives
  if the client was compiled with it disabled (FreeBSD)
2014-11-19 13:22:22 +01:00
Dirk
f2c44803ed - FreeBSD fixes (getent, printf) 2014-11-18 23:14:17 +01:00
Dirk
41a480abb4 small cleanup 2014-11-18 20:23:17 +01:00
Dirk
8756151a26 Merge branch 'master' of github.com:drwetter/testssl.sh 2014-11-18 16:40:14 +01:00
Dirk
049a945abc - prettyprint_local now also can do word pattern matching
- help improved
- put the stripping of leading 0 into normalize_cipher_code where it belonged
- the latter makes a modified mapping-rfc.txt necessary!
2014-11-18 11:03:03 +01:00
Dirk
f45d85617b - hexcode in neat list now w/o leading 0
- help cleaned up and clearer (& removing tabs)
- test_just_one with headline
2014-11-18 10:29:11 +01:00
Peter Mosmans
de0b4313b8 Make sure that cleanup() function is always called
Added {HEADERFILE_BREACH} to temporary files that should be removed
Removed obsolete cleanup calls
2014-11-18 14:30:48 +11:00
Dirk
cf8fa2c3f3 - version bumped to 2.1rc1, better layout for chacha (albeit bit ugly), better layout for all ciphers, test_just_one w/ headline 2014-11-18 01:36:29 +01:00
Dirk
16279267ea - sockread w/ sleep
- ccs better documented + more verbose during debug
2014-11-18 00:26:58 +01:00
Dirk
7414b5b310 next step in color handling: 2=full color, 1: b/w, 0: no ESC codes at all 2014-11-17 18:49:56 +01:00
Dirk
fc4c2e5446 - omit the "**" in non colored mode
- query COLOR properly (env)
2014-11-17 17:43:59 +01:00
Dirk
a7bbc6c39a warning upon "no ssl enabled server" clearer; we check only for return code of s_client. Fails if certificate needed 2014-11-17 17:05:43 +01:00
Dirk
481af083a3 NEW: first working implementation of "-x <list_of_csv_hexcodes> server" with a catch: none a/v local cipher 2014-11-02 23:37:17 +01:00
Dirk
5984e86f81 FIX for RUN_DIR, bumped up version to 2.1beta 2014-10-30 21:12:18 +01:00
Dirk
f56f81090a NEW: HPKP 2014-10-29 21:24:43 +01:00
Dirk
b49b1451c4 FIX: for FreeBSD and spaces in "Local problem ..." 2014-10-29 20:23:21 +01:00
Dirk
ef5bf00094 FIXED: too many spaces in "Local problem: No .. configured" 2014-10-23 15:52:06 +02:00
Dirk
6737cd230c FIXED: When there is no support in openssl for SSLv2 the error message and the next protocol test get on the same line 2014-10-23 15:40:15 +02:00
Dirk
1720fed5fe be clear that no TLS_FALLBACK_SCSV support yet 2014-10-17 22:16:37 +02:00
Dirk
86e0141f72 POODLE hack 2014-10-15 13:10:06 +02:00
Dirk
192867554e - FIX for getent line 2014-10-15 11:56:40 +02:00
Dirk
5e76322840 - regression on libressl fix for openssl fixed 2014-10-14 16:28:18 +02:00
Dirk
df06f45432 - mm: patch for libressl 2014-10-14 16:08:11 +02:00
Dirk
905e1540ab another error message suppressed (DNS) and properly handled internally 2014-10-09 11:22:23 +02:00
Dirk
08202a5768 - FIX: socket reset (ccs, hb) made formatting look not ok 2014-10-08 14:30:31 +02:00
Dirk
4ae510650d - for seldom cases of two hsts header we don't throw an error but take the first one 2014-10-08 01:03:14 +02:00
Dirk
e06251a1d3 - removed netcat dependency, availability check with bash sockets only. Should work on RH'ish distros better now 2014-10-07 12:04:21 +02:00
Dirk
723ab08258 - BUGFIX: supplying ip addresses only works again 2014-10-07 11:14:39 +02:00
Dirk Wetter
3dee100ac2 - clearer output 2014-09-25 16:24:21 +02:00
Dirk
455cd2fe62 - only numbers for hsts (thx to Olivier) 2014-09-24 11:17:28 +02:00
Dirk
fb40dad089 - jobcontrol for heartbleed and CCS test --> no blocking anymore 2014-09-16 22:18:09 +02:00
Dirk
a7fe0b48b5 * added ocsp stapling in server defaults test
* non-working prototype of testing a single cipher via hexcode
2014-08-29 14:57:20 +02:00
Dirk Wetter
93503a1b43 - except minor points now compatible with MacOSX and *BSD
- Russian GOST cipher support added
- more see CHANGELOG.txt
2014-07-16 19:04:15 +02:00
Dirk Wetter
9a689bbffc - first try to commit here 2014-07-01 16:28:16 +02:00