There are now checks whether testssl.sh was started with --max and
whether we aim at a target which is an MX record. It has not been
thoroughly tested but works for a couple of scenarios. There were
cases identified where this fails, see comments in the code.
Also this commit addresses an error in the URL handling: for
DNS queries a trailing dot is fine in the variable $NODE. For
HTTP queries it is not.
This commit adds a first PoC implementation of MTA-STS (RFC 8461), see also
issue #1646.
What works:
- test a hostname which is equal to an MX record and a domain name and has
an MTA-STS setup (dev.testssl.sh)
- check _mta-sts TXT record + https://mta-sts.$NODE/.well-known/mta-sts.txt
- check also _smtp._tls TXT record
- screen output
What doesn't work:
- test a hostname which is not equal to the domain name
- test a hostname which has no MX record
- file output
- any parsing of TXT record + .well-known/mta-sts.txt
- when no TXT records or .well-known/mta-sts.txt are there
- file output
- colored screen output
There's a stub function for DANE.
There are also two stub functions splitting HTTP body from HTTP header
which I couldn't get to work and will be removed later.
Besides, to avoid confusion, all GET requests over HTTPS now use safe_echo
instead of tm_out. It's actually exactly the same, only the name is different.
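As an added example (not code from testssl.sh or from this commit), the bash snippet below parses what the MTA-STS check above fetches but does not yet parse: the _mta-sts and _smtp._tls TXT records and the .well-known/mta-sts.txt policy body, and it matches an MX hostname against the policy's mx lines (RFC 8461 section 3.2). It also strips the trailing dot from $NODE before using it as the HTTPS host, the URL-handling point raised in the first commit. The records, the policy body and the hostnames are constructed sample data, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not testssl.sh code: offline parsing of the MTA-STS artifacts
# (the _mta-sts / _smtp._tls TXT records and the policy file) plus the
# trailing-dot normalisation for the HTTPS host. All records below are
# constructed sample data, not real DNS answers or a real policy.

# $NODE may carry a trailing dot for DNS lookups; the HTTPS Host must not.
http_host() {
    printf '%s' "${1%.}"
}

# Constructed sample records, in the quoted form "dig +short TXT" prints
MTA_STS_TXT='"v=STSv1; id=20240101T000000"'
TLSRPT_TXT='"v=TLSRPTv1; rua=mailto:tlsrpt@example.com"'

# Pull one tag out of a "k=v; k=v" TXT record (_mta-sts and _smtp._tls share
# this format). Prints the value; returns 1 if the tag is absent.
txt_field() {
    local rec="$1" want="$2" kv
    rec="${rec#\"}"; rec="${rec%\"}"            # strip the quotes dig adds
    local IFS=';'
    set -f                                      # no globbing while splitting
    for kv in $rec; do
        kv="${kv#"${kv%%[![:space:]]*}"}"       # trim leading whitespace
        kv="${kv%"${kv##*[![:space:]]}"}"       # trim trailing whitespace
        if [ "${kv%%=*}" = "$want" ]; then
            set +f
            printf '%s' "${kv#*=}"
            return 0
        fi
    done
    set +f
    return 1
}

# Constructed sample body of https://mta-sts.example.com/.well-known/mta-sts.txt
MTA_STS_POLICY=$'version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmx: *.backup.example.com\r\nmax_age: 604800\r\n'

# Parse a policy body into POLICY_MODE, POLICY_MAX_AGE and POLICY_MX (space
# separated). Returns 1 on a malformed policy: wrong version, unknown mode,
# bad max_age, or no mx line while mode is not "none".
parse_mta_sts_policy() {
    local line key val version=""
    POLICY_MODE="" POLICY_MAX_AGE="" POLICY_MX=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%$'\r'}"                    # CRLF line endings are allowed
        [ -z "$line" ] && continue
        key="${line%%:*}"; val="${line#*:}"
        val="${val#"${val%%[![:space:]]*}"}"
        val="${val%"${val##*[![:space:]]}"}"
        case "$key" in
            version) version="$val" ;;
            mode)    POLICY_MODE="$val" ;;
            max_age) POLICY_MAX_AGE="$val" ;;
            mx)      POLICY_MX="${POLICY_MX:+$POLICY_MX }$val" ;;
        esac
    done <<< "$1"
    [ "$version" = "STSv1" ] || return 1
    case "$POLICY_MODE" in enforce|testing|none) ;; *) return 1 ;; esac
    case "$POLICY_MAX_AGE" in ''|*[!0-9]*) return 1 ;; esac
    [ "$POLICY_MAX_AGE" -le 31557600 ] || return 1   # RFC 8461 upper bound
    [ "$POLICY_MODE" = "none" ] || [ -n "$POLICY_MX" ] || return 1
}

# Does an MX hostname match one of the policy's mx lines? A leading "*."
# matches exactly one label; comparison is case-insensitive, trailing dot ignored.
mx_allowed() {
    local mx pat rc=1
    mx="$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')"
    set -f                                      # "*." lines must not glob
    for pat in $POLICY_MX; do
        pat="$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')"
        case "$pat" in
            \*.*) [ "${mx#*.}" = "${pat#\*.}" ] && [ "${mx%%.*}" != "$mx" ] && rc=0 ;;
            *)    [ "$mx" = "$pat" ] && rc=0 ;;
        esac
        [ "$rc" -eq 0 ] && break
    done
    set +f
    return "$rc"
}

# Stand-alone demo on the constructed data
if parse_mta_sts_policy "$MTA_STS_POLICY"; then
    echo "policy id $(txt_field "$MTA_STS_TXT" id): mode=$POLICY_MODE max_age=$POLICY_MAX_AGE mx=[$POLICY_MX]"
    echo "TLS-RPT reports go to $(txt_field "$TLSRPT_TXT" rua)"
    for host in mail.example.com. mx1.backup.example.com a.b.backup.example.com; do
        if mx_allowed "$host"; then echo "$host: allowed"; else echo "$host: NOT in policy"; fi
    done
fi
```

The wildcard rule is the one to get right in a scanner: `*.backup.example.com` covers `mx1.backup.example.com` but neither `backup.example.com` itself nor `a.b.backup.example.com`, so a naive suffix match would report an MX as covered when a receiving MTA in enforce mode would refuse it.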
Workaround for bug, see #1717. In addition: bring the test closer to a cleaner style,
like the others.
--ids-friendly could be removed as well when travis runs faster.
As there are `apk update` and `apk upgrade`, the apk index will already
exist. `--no-cache` is for `apk` when there is no `apk update`
step and no local cache is expected to be left; it is not suitable for
the use case here, which wants to upgrade all packages to the latest
when packaging the image.
... in order to be consistent with run_server_preference().
The wide formatting of other tests needs some inspection and,
off the top of my head, they are not as perfectly formatted, so
they should not run per default in wide mode.
Often in the past travis was hitting a limit (50min?).
This is an attempt to make reasonable cuts to the unit tests:
- For STARTTLS some checks with OpenSSL are skipped
- For JSON and HTML outputs --ids-friendly was added, assuming we
don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more.
- There's also no point in running those checks against badssl
- for the diff check we switch to 'or diag' to display a difference