This is an implementation for QUIC (RFC 9000, RFC 9114). It's purely
OpenSSL based for now. As some distros support newer (>= 3.2) versions
this works on some distros now and will work on more as time goes by.
It has been tested with MacOS and Linux. If there's an OpenSSL version
in /usr/bin/ it will automagically use that version.
A new short sub function named sub_quic() was introduced for handling this as
run_protocols() is already "full".
It appears below TLS 1.3. A check against HTTPS RR #2484 is planned but
not implemented yet. PR #2484 has to be worked on and merged before.
New variables were introduces (HAS_QUIC/ +HAS2_QUIC). Also there's
QUIC_WAIT as we run the connect in the background and we need a wait time.
HAS_UDS2 was renamed to HAS2_UDS as HAS2 should signal this is for OPENSSL2
and UDS2 doesn't make sense.
To clarify:
- check for a proxy and then don't do the check?
- short unit test (t/31_isJSON_valid.t cjecks cloudflare but ...)
... which was done in #2772 . This is done for testing as building the container doesn't
work anymore, see #2810 .
Action logs say it was build but it's unclear why it is still based on 3.2rc4 .
Hence this test.
The schedule was commented out as it would not apply either here as 3.3dev is
now the default version.
In #2727 there were workarounds introduced which sped up processing decryption of
ChaCha20 and and AES-GCM by using OPENSSL2 when it is supporting such functions.
However when OPENSSL2 is called and OPENSSL_CONF still points to the autogenerated
file which works for `~/bin/openssl.$(uname -s).$(uname -m)` the decryption `$plaintext`
will be empty which later on caused a negative value, see #2780 .
This fixes#2780 by prepending `OPENSSL_CONF=''` to each OPENSSL2 instance. Also it
makes `chacha20()` and `gcm-decrypt()` more robust. It is now more readable now.
At other places $OPENSSL2 were prepended by `OPENSSL_CONF=''` also if there weren't
any obvious errors noticed.
Also now all OPENSSL2 vars will appear in /tmp/testssl.XXXXXX/environment.txt when
debugging.
It was also noticed that the `find_socat()` function had room for improvements, it was
not set in any case when `socat was in $PATH or supplied via env SOCAT.
This fixes a problem which was introduced @ 8d8f83ace5.
It caused for some hosts not to parse / display the issuer CN correctly.
Also it adds some code in testssl.sh and in a unit test to detect
this earlier. In general an output string FIXME will now cause a
unit test to fail. This can + should be used at other places too!
Fixes#2789
As suggested in #2780 this PR redirects all stderr on a perl level
to stdout so that we should see all errors which we miss because
we can't redirect (>/dev/null in check) or we haven't redirected yet.
Also old checks are imporved, so that $prg is used as in newer
checks.
