Commit Graph

4195 Commits

Author SHA1 Message Date
David Cooper
15f8fc5a3f Fix run_server_defaults()
PR #1960 created a bug by placing code between the call to determine_tls_extensions() and a check of its return code. This commit fixes the problem.
2022-04-14 11:01:26 -04:00
David Cooper
a2252168f1 Fix run_server_preference() with no default protocol
run_server_preference() calls "default_proto=$(get_protocol $TMPFILE)" even if all attempts to connect to the server failed. This will result in default_proto incorrectly being set to TLS 1.2. This commit fixes the issue by only calling get_protocol() if an attempt to connect to the server was successful.
2022-04-14 10:50:13 -04:00
David Cooper
0be5ca5309 Support DHE/ECDHE servers with uncommon curves
When running in --ssl-native mode, run_fs() will not detect ECDHE ciphers if the server supports both DHE and ECDHE ciphers and the ECDHE ciphers are only supported with curves that are not offered by $OPENSSL by default. This commit fixes this by adding extra connection attempts with the -curves parameter explicitly provided.
2022-04-14 08:51:25 -04:00
David Cooper
ac662f8699 Improve compatibility with LibreSSL
Older versions of LibreSSL that do not support TLS 1.3 only include a small list of curves in the supported_groups extension by default, so need to retry with curves explicitly defined even with versions of $OPENSSL that do not support TLS 1.3.
2022-04-14 08:51:25 -04:00
David Cooper
dd35be2e4b Fix #2131
This commit fixes #2131 by having run_fs() attempt a TLS 1.2 ClientHello if the initial TLS 1.3 ClientHello fails. The TLS 1.2 ClientHello will offer many more curves than the TLS 1.3 ClientHello offers, and so it may succeed if the server supports ECDHE ciphers, but only with curves that were removed by RFC 8446.
2022-04-14 08:51:25 -04:00
Dirk Wetter
54e5469411
Merge pull request #2150 from dcooper16/no_session_id
Fix setting NO_SESSION_ID
2022-04-14 13:19:24 +02:00
Dirk Wetter
225f1286b4
Merge pull request #2149 from dcooper16/fix2147
Fix #2147
2022-04-14 13:12:16 +02:00
David Cooper
cc74256091 Fix setting NO_SESSION_ID
With a TLS 1.3 connection using $OPENSSL, a session ID will only appears as part of a post-handshake session ticket. However, when $OPENSSL s_client is called as in determine_optimal_proto() (i.e., with "< /dev/null"), a post-handshake session ticket will not always be received, even if the server supports it. This can result in NO_SESSION_ID incorrectly being set to true. This commit fixes the issue by setting NO_SESSION_ID to true by default, and then setting it to false if a session ID is returned by any connection to the server.
2022-04-13 09:26:36 -04:00
David Cooper
70b1ee643f Fix #2147
This commit fixes #2147 by having awk search for additional possible strings to start the CRL Distribution Points output. Unless the CRLDP extension is malformed, it will begin with "Full Name", "Relative Name", "Reasons", or "CRL Issuer".
2022-04-12 14:01:02 -04:00
Dirk Wetter
6054be6dff
Merge pull request #2145 from dcooper16/ossl3_fix
More OpenSSL compatibility fixes
2022-04-12 18:50:26 +02:00
David Cooper
618de1c24e More OpenSSL compatibility fixes
This commit fixes two more issues with using OpenSSL 3.X. When $OPENSSL is used to obtain a fingerprint, OpenSSL 3.X prepends the fingerprint with "sha1" or "sha256" rather than "SHA1" or "SHA256". In addition, the way that OpenSSL 3.X writes distinguished names causes a space character to appear at the beginning of "$cn" and "$issuer_CN" in certificate_info().
2022-04-11 11:23:09 -04:00
Dirk Wetter
e82178719d
Merge pull request #2141 from dcooper16/ossl3_compat
OpenSSL compatibility fix
2022-04-07 21:29:20 +02:00
Dirk Wetter
fc07b379d0
Merge pull request #2142 from dcooper16/fix_flat_json
Fix flat JSON file
2022-04-07 21:28:32 +02:00
David Cooper
09973c8c44 Fix flat JSON file
PR #2140 contains a bug when handling flat JSON files. FIRST_FINDING should only be set to true in the case of structured JSON output, since it is only in that case that fileout_insert_warning() appends a comma to the JSON file. This commit fixes the problem.
2022-04-07 13:57:49 -04:00
David Cooper
6f55a4d08b OpenSSL compatibility fix
OpenSSL 3.0.X uses different names for some elliptic cures in the "Server Temp Key" line than previous previous versions. This commit addresses this issue by checking for both names.
2022-04-07 13:44:42 -04:00
Dirk Wetter
46b66c777a
Merge pull request #2140 from dcooper16/fix2138
Fix #2138
2022-04-07 17:33:59 +02:00
David Cooper
3d0dab4da3 Fix #2138
This commit fixes #2138 by having testssl.sh not wrap early JSON findings in a clientProblem object if the finding is created by a mass testing child and all findings are being placed in a common file. It also sets FIRST_FINDING to true in case another finding is written before the "service" information is written.

Since fileout_insert_warning() adds a comma after the finding is written, the JSON can become corrupted in mass testing if a clientProblem finding is written and then no additional findings are written for that test. In order to try to prevent this, the commit adds several fileout() calls to determine_optimal_proto() in cases in which testssl.sh might exit before testing begins.
2022-04-06 15:41:52 -04:00
Dirk
b6c18f5e4e Remove trailing spaces to get rid of failing status of CI 2022-04-01 18:05:27 +02:00
Dirk Wetter
ed38cbeed3
Merge pull request #2137 from drwetter/2074_md_fixes
Fix makefile
2022-04-01 15:10:44 +02:00
Dirk
fe010c87d2 Fix makefile
* add title
* feature to just rebuild html and roff with force target
2022-04-01 15:08:55 +02:00
Dirk Wetter
429655de55
Merge pull request #2133 from drwetter/2074_md_fixes
Implement fixes in documentation from #2074
2022-04-01 14:48:24 +02:00
Dirk
83d4075465 fixes for roff and html 2022-04-01 14:45:48 +02:00
Dirk
db932c2bdc prevent CI from running in doc dir s/docs/doc/ 2022-04-01 14:14:59 +02:00
Dirk
28085e5ec9 Implement fixes in documentation from #2074
kudos @k0lter

* numbering
* some ticks / backticks

For now I left the html and roff files like they were. That should be reconsidered
later.
2022-04-01 13:12:02 +02:00
Dirk
ab81558ba4 Merge branch 'k0lter-doc-fixes' into 3.1dev 2022-04-01 12:52:28 +02:00
David Cooper
9829105450 Reorder output of run_server_preference()
This commit reorders the output of run_server_preference() as discussed in #1311.
2022-04-01 12:50:12 +02:00
David Cooper
c14ea2efc8 Use tls_sockets() in run_tls_fallback_scsv()
This commit adds the use of tls_sockets() to run_tls_fallback_scsv() to perform testing when the --ssl-native flag is not used. With this commit, run_tls_fallback_scsv() only uses tls_sockets() instead of $OPENSSL if the ClientHello needs to include the TLS_FALLBACK_SCSV flag, but it is not supported by $OPENSSL, or if the protocol that would be negotiated is SSLv3 and $OPENSSL does not support SSLv3.
2022-04-01 12:50:12 +02:00
dependabot[bot]
b3979a8979 Bump docker/build-push-action from 2.9.0 to 2.10.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.9.0 to 2.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.9.0...v2.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
David Cooper
16369853d5 Working NNTP server
Switch NNTP server testing to a currently working server from http://vivil.free.fr/nntpeng.htm.
2022-04-01 12:50:12 +02:00
enxio
c0fb2d1f70 Declare missing variable, style. 2022-04-01 12:50:12 +02:00
enxio
bcacee1e4c Conform to style with local variables: declare "ret" properly. 2022-04-01 12:50:12 +02:00
David Cooper
008fa228c0 Add DH groups to supported_groups
There is at least one server that will not negotiate TLS_DHE_* cipher suites with TLS 1.2 and below if the supported_groups extension is present but does not include any DH groups. This commit adds the DH groups that are currently in the TLS 1.3 ClientHello to the TLS 1.2 and earlier ClientHello.
2022-04-01 12:50:12 +02:00
David Cooper
7a3ce9c677 Fix sclient_auth
If $connect_success is false, then sclient_auth() does not "return" any value, and the calling function treats this as if sclient_auth() had returned 0.

This commit fixes sclient_auth() so that 1 is returned if $client_success is false.
2022-04-01 12:50:12 +02:00
David Cooper
bddf9c967f Include RSA-PSS in ClientHello
This commit changes prepare_tls_clienthello() so that the RSA-PSS algorithms are offered in the signature algorithms extension of TLS 1.2 and below ClientHello messages.
2022-04-01 12:50:12 +02:00
enxio
1c2e340506 Conform to style. Add some more info on the TN3270 STARTTLS negotiation. 2022-04-01 12:50:12 +02:00
enxio
1eb5b2949e Add support for TN3270/telnet STARTTLS (similar to OpenSSL's approach). 2022-04-01 12:50:12 +02:00
dependabot[bot]
60885e0c15 Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
dependabot[bot]
7a3b1f018f Bump docker/login-action from 1.13.0 to 1.14.1
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.1.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.13.0...v1.14.1)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
dependabot[bot]
00e7977a2c Bump docker/login-action from 1.12.0 to 1.13.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
Dirk Wetter
1059b07909 Fix "ID resumption test failed" under Darwin
Under Darwin using LibreSSL it was not possible to test for session
resumption by session ID.

This fixes #2096 by checking not only the return value of the s_client
hello but also whether a probable certificate is being returned.
2022-04-01 12:50:12 +02:00
Dirk Wetter
deef51305a Fix JSON output bc of missing locale in alpine (3.1dev)
It is now being tested whether the binary locale exists and
there's a global introduced for that.

Also there's no fileout warning at this early stage anymore
as it leads to non-valid JSON.

This fixes #2103 in 3.1dev.
2022-04-01 12:50:12 +02:00
Dirk Wetter
dd5d91f527 Fix locale error message when en_US.UTF-8 isn't available
Therefore a new global function was declared checking whether any of
the known locales work on the client without seeting them.
C / POSIX should work as well for LC_COLLATE.

This fixes #2100 for 3.1dev.
2022-04-01 12:50:12 +02:00
Dirk Wetter
86853c4a5c correct English in comment 2022-04-01 12:50:12 +02:00
Dirk Wetter
8b4ebc385a Fix Darwin / LibreSSL startup problem
This PR addresses a bug where a user encountered the question "The results
might look ok but they could be nonsense. Really proceed".

That happened under Darwin and probably some LibreSSL versions when
checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS
handshake could be established.

This PR modifies sclient_auth() so that in those cases 0 is returned by
skipping the check for the session ID. As NO_SSL_SESSIONID needs to
be set when there's no session ID, this is done separately.
2022-04-01 12:50:12 +02:00
dependabot[bot]
a64094a804 Bump docker/build-push-action from 2.8.0 to 2.9.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.8.0 to 2.9.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.8.0...v2.9.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
Dirk Wetter
c5ed4c9e5e Add CI check
* for STARTTLS + LDAP
* for STARTTLS + POP3 reenable check with openssl as GH has not the time limits which Travis had
2022-04-01 12:50:12 +02:00
Dirk Wetter
05d94fa019 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-04-01 12:49:53 +02:00
Dirk Wetter
a778356cc3 Remove ldap protocol early returns
Partly revert bb5450e3f5
2022-04-01 12:45:59 +02:00
Dirk Wetter
9ec1ca30ba Amends LDAP + STARTTLS / rename sockread_serverhello()
This commit adds parsing the success value of the STARTTLS upgrade
in LDAP. Only possible values whould be 0 or one according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
2022-04-01 12:45:59 +02:00
Dirk Wetter
6bd0d9eba0 Add prototype for STARTTLS+ LDAP via sockets
See #1258

To do:
* more robustness. At least the success value from the response need to be retrieved and checked via starttls_io().
* double check the pre-handshake before the OID whether it's correct for every case
* documentation
* inline help

It seems to work though against db.debian.org
2022-04-01 12:45:59 +02:00