Commit Graph

4551 Commits

Author SHA1 Message Date
Dirk Wetter f914423978
Remove mkdir in Dockerfile
see https://github.com/drwetter/testssl.sh/pull/2312#pullrequestreview-1286620850
2023-02-07 10:28:26 +01:00
Brennan Kinney 81634ce13d
chore: Bring back group value for `COPY --chown` 2023-02-07 21:36:47 +13:00
Dirk Wetter 1ee21b7f22
Merge pull request #2312 from polarathene/chore/dockerfile-simplify-user
chore(Dockerfile): Simplify `testssl` user creation
2023-02-07 09:03:23 +01:00
Dirk Wetter 64ae161218
Merge branch '3.1dev' into chore/dockerfile-simplify-user 2023-02-07 09:03:15 +01:00
Dirk Wetter 66ebfb2f58 Add changes to CSV baseline 2023-02-06 21:56:54 +01:00
Dirk Wetter 6f881dc70b Rename 3 jsonIDs in run_cipherlists(): breaking change
see #2316 / #2320

AVERAGE --> OBSOLETED
GOOD    --> STRONG_NOFS
STRONG  --> STRONG_FS
2023-02-05 19:32:08 +01:00
Dirk Wetter e87b745c93
Merge pull request #2316 from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
Dirk Wetter 05b4cdcc0d
Merge pull request #2317 from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
David Cooper 3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
David Cooper b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk Wetter 70237b2328
Merge pull request #2313 from polarathene/chore/dockerfile-remove-mkdir
chore: Remove redundant `mkdir`
2023-02-03 19:54:51 +01:00
Dirk Wetter 6c2663aeb6
Merge pull request #2311 from SSLbrain/3.1dev
Feature Trustcor certificates being removed/disabled from root stores #2293
2023-02-02 13:55:07 +01:00
Brennan Kinney 76b8f0c981 chore: Remove redundant `mkdir`
- If local folder ownership is for example `644` it will fail to handle the `COPY` regardless (while `744` would work).
- Creating the directory with higher permissions in the container does not appear to help.
2023-02-02 14:26:16 +13:00
Sole 3670c1e4ad Removed non-relevant CA's that no longer have active certificates. 2023-02-02 01:13:00 +00:00
Brennan Kinney dc7d13b853 chore(Dockerfile): Simplify `testssl` user creation
Create `testssl` user (_and group_) with no password (`-D`) and default their shell to bash (`-s`):
- A group will implicitly be created with the same value as the user. `addgroup testssl` and `-G testssl` are not needed.
- Gecos data (`-g "testssl user"`) doesn't appear relevant to the project to be required? The default gecos value (`Linux User,,,`) should be fine.
2023-02-02 14:07:51 +13:00
Sole 9fc8c33704 Change exception for removed root certificates into easy edit multi-value regular expression for Organization name and making it clear that CA's are actively removed from 1+ root stores. 2023-02-02 00:42:15 +00:00
Brennan Kinney 74892e45c5 chore: Use a single `COPY` by better leveraging `.dockerignore` patterns 2023-02-02 12:49:30 +13:00
Dirk Wetter e02e8be19f
Merge pull request #2306 from drwetter/upgrade_alpine_perf-fix
Upgrade Alpine version for both Dockerfiles
2023-02-01 19:45:57 +01:00
Dirk Wetter beb94d9efc Upgrade Alpine version for both Dockerfiles
... to improve/mitigate performance problems, see #2299.
(musl libc vs. glibc)
2023-02-01 19:40:40 +01:00
Dirk Wetter 5a1a114adc
Merge pull request #2300 from drwetter/dependabot/github_actions/docker/build-push-action-4.0.0
Bump docker/build-push-action from 3.3.0 to 4.0.0
2023-01-31 09:37:28 +01:00
Dirk Wetter 0b5c414970
Merge pull request #2303 from drwetter/nntp_ci_remove
Remove NNTP from CI tests
2023-01-31 09:37:06 +01:00
Dirk Wetter 2e0898c9ef Remove NNTP from CI tests
Maybe for the future we should check whether host is available and
if so then run the test
2023-01-31 09:34:18 +01:00
dependabot[bot] 8ae8a6fc44
Bump docker/build-push-action from 3.3.0 to 4.0.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-31 00:03:02 +00:00
Dirk Wetter e9db257474 Start listing changes and contributions
... a few items by David and myself.

It's a WIP and there are missing points. Feel free to amend the
CHANGELOG.md and CREDITS.md.
2023-01-17 15:19:34 +01:00
Dirk Wetter 8099dc0106
Merge pull request #2297 from drwetter/ldap_starttls_improvements
Add logic for STARTTLS enabled AD servers
2023-01-17 14:27:01 +01:00
Dirk Wetter fdd72d2785 Cleanup code, clarfy comments for AD/LDAP + STARTTLS 2023-01-17 14:23:53 +01:00
Dirk Wetter fc2a020294 Add logic for STARTTLS enabled AD servers
There are two different scenarios. x0C is the buffsize reply from openldap-like servers
whereas AD servers probably have x84 and return also the OID. The following is kind of
hackish as ldap_ExtendedResponse_parse() in apps/s_client.c of openssl is kind of hard
to understand. It was deducted from a number of hosts.
Bottom line: We'll look at the 9th byte or at the 17th when retrieving the result code

AD:
30 84 00 00 00 7d 02 01 01 78 84 00 00 00 74 0a 01 34 04 00 04 55 30 30 30 30 30 30 30 30 3a 20 [ failed AD .. LdapErr + OID..]
30 84 00 00 00 28 02 01 01 78 84 00 00 00 1F 0A 01 00 04 00 04 00 8A 16 [.. OID ..]
   ^^ bufflen                                      ^^ resultcode

30 0C 02 01 01 78 07 0A 01 00 04 00 04 00
   ^^ bufflen              ^^ result code
2023-01-17 11:16:05 +01:00
Dirk Wetter ce3bd4764f
Merge pull request #2296 from drwetter/dependabot/github_actions/docker/build-push-action-3.3.0
Bump docker/build-push-action from 3.2.0 to 3.3.0
2023-01-16 10:20:13 +01:00
dependabot[bot] 1b2f58d739
Bump docker/build-push-action from 3.2.0 to 3.3.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.2.0...v3.3.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 01:05:58 +00:00
Kali 0af73c2d19 fixed DNS via Proxy 2023-01-05 14:11:44 +01:00
Dirk Wetter 7670275e59
Merge pull request #2292 from drwetter/ldap_starttls_improvements
make starttls_ldap_dialog() more readable...
2022-12-27 22:06:12 +01:00
Dirk Wetter c67cefaf8e add info about error handling 2022-12-26 19:15:49 +01:00
Dirk Wetter 336d3c947a better use safe_echo() 2022-12-26 16:14:26 +01:00
Dirk Wetter b633efae69 make starttls_ldap_dialog() more readable...
... add references + better debugging output
2022-12-26 16:10:31 +01:00
Dirk Wetter 198bb09d51
Merge pull request #2282 from drwetter/drwetter-patch-2
Reflect past update for docker hub's Dockerfile
2022-11-28 17:09:04 +01:00
Dirk Wetter 0c807bea5b
Reflect past update for docker hub's Dockerfile
... using alpine 3.16
2022-11-28 14:10:13 +01:00
Dirk Wetter 9304bb80b8
Merge pull request #2281 from dcooper16/fix_whitespace
Fix whitespace issues
2022-11-25 18:23:58 +01:00
David Cooper e2942966d2 Fix whitespace issues
This commit fixes incorrect indentations introduced in #2276 and #2278, and also removes the extra whitespace that would have been removed by #2279.
2022-11-25 07:44:48 -08:00
Dirk Wetter 6ba21a937a
Merge pull request #2278 from dcooper16/fix_extract_calist
Fix extract_calist()
2022-11-24 11:15:10 +01:00
David Cooper 907126a285 Fix extract_calist()
When a server supports client authentication, extract_calist() extracts the list of supported certification authorities sent by the server. extract_calist() uses different code to extract the list from a TLS 1.3 response than from a TLS 1.2 or earlier response, since the CertificateRequest message was changed for TLS 1.3.

For TLS 1.2 and earlier, extract_calist() assumes that the CertificateRequest message is a sequence of certificate types, signature algorithms, and certification authorities. However, the signature algorithms field was added in TLS 1.2 and does not appear in TLS 1.1 and earlier. So, the current code does not work unless the server supports TLS 1.2 or TLS 1.3.

This commit fixes the problem by checking whether the response is a TLS 1.2 response, and skipping over the extraction of the signature algorithms field if the response is neither TLS 1.2 nor TLS 1.3.
2022-11-23 08:35:45 -08:00
Dirk Wetter a4666087e8
Merge pull request #2265 from dcooper16/server_sig_algs
Show server supported signature algorithms
2022-11-23 11:11:02 +01:00
David Cooper c7644ad58e Limit size of signature_algorithms extension
Some servers get confused if the signature_algorithms extension is too large. This commit addresses the problem by:

* For TLS 1.2, generally limiting the signature algoritms to those consistent with the key type being tested.

* For TLS 1.3, breaking the list of signature schemes in two, and testing each half of the list separately.
2022-11-18 06:23:24 -08:00
David Cooper 6088eddab6 Show server supported signature algorithms
This commit modifies run_fs() to show the signature algorithms the server supports in the ServerKeyExchange message for TLS 1.2 and in the CertificateVerify message for TLS 1.3.

Signature algorithms are not shown for TLS 1.1 and earlier, since for those protocol versions the signature algorithm to use is specified by the protocol. While the signature algorithm used in TLS 1.1 and earlier is weak, testssl.sh already warns if these protocol versions are supported.
2022-11-18 06:23:24 -08:00
Dirk Wetter 462a602625
Merge pull request #2276 from dcooper16/pem_fileout
Fix #1747
2022-11-18 11:06:26 +01:00
David Cooper 3eb8cf6754 Fix #1747
This commit fixes #1747 by converting PEM encoded certificates that are sent to fileout() to a single line. As suggested in #1747, '\n' is added after the '----- BEGIN ... -----' line and before the '------ END ... ------' line.

In order to ensure that '\n' appears in the string in the JSON and CSV files, '\\n' is sent to fileout() so that 'printf -- "%b"' converts '\\n' to '\n' rather than converting '\n' to a newline character.

In order to prevent fileout() from converting '\\n' to '\ ', this commit move the fix for #2049 (see PR #2050) from fileout() to fatal().
2022-11-17 06:31:52 -08:00
Dirk Wetter 827782cd58
Merge pull request #2275 from drwetter/remove_negotiated
Remove Negotiated cipher / protocol in server preferences
2022-11-15 09:28:38 +01:00
Dirk Wetter e918a2c31f remove negotiated cipher / protocol also in baseline file 2022-11-14 20:25:56 +01:00
Dirk Wetter 1842b9eefb Remove Negotiated cipher / protocol in server preferences
As a first cleanup action I removed in run_server_preference()
the line with Negotiated Protocol and Negotiated Cipher as
the don't have any real information, see #2235 , comment below:
https://github.com/drwetter/testssl.sh/pull/2235
2022-11-14 17:23:13 +01:00
Dirk Wetter 0dac50c830
Merge pull request #2272 from dcooper16/fix2271
Fix #2271
2022-11-11 16:27:18 +01:00
David Cooper 43fade414c Fix #2271
This commit fixes #2271 by adding the `-no_ssl2` option to the call to get_host_cert() in run_drown(). There is at least one server that causes OpenSSL to hang if this call to get_host_cert() results in an SSLv2 ClientHello being sent. Since this call to get_host_cert() only needs to find the server's certificate in cases in which the server does not support SSLv2, there is no need to send an SSLv2 ClientHello.
2022-11-10 11:24:56 -08:00