Commit Graph

3810 Commits

Author SHA1 Message Date
Dirk 9c7d385098 - omit 1xblank in almost all colored output (and adjust the functions using it)
- little bit more robust for strange keysize and dh bits
- added ecdsa-with-SHA256 to Signature Algorithm
- FIX: no TLS1+SSL3 resulted in no output for BEAST
2015-05-25 21:14:59 +02:00
Dirk e58b53eeae - dh key length in negotiated cipher at first, see $85, #105, #106
- got rid of ok function calls in protocols
- detection of apache banner win32/win64
2015-05-25 15:10:09 +02:00
Dirk a7a19428d6 - FIX for #104: check for hpkp pin match failed if \" was present 2015-05-18 23:10:34 +02:00
Dirk 0c4a36121e - NEW / FIX #104: check for hpkp pin match 2015-05-18 21:51:45 +02:00
Dirk Wetter bf7b867d86 Update Readme.md 2015-05-17 22:56:38 +02:00
Dirk 7cc15e5d4d - 2.4 2015-05-17 22:43:53 +02:00
Dirk 43732ae53d Merge branch 'master' of github.com:drwetter/testssl.sh 2015-05-17 22:42:53 +02:00
Dirk 4e7bbb20a0 - 2.4 2015-05-17 22:41:58 +02:00
Dirk 1c509bf845 2015-05-17 22:34:50 +02:00
Dirk 2919a7c40e - 2.4!
- FIX #92
- FIX for TLS time (difftime was too small for local clock skew)
- warning for freebsd/macosx w/o ports need now a "yes"
- TLS 1.0 not offered is not bold anymore
- output weirdness fixed for cipher order in spdy
2015-05-17 22:30:49 +02:00
Dirk 6e74b3bd5c - FIX of output when there's no CBC cipher in BEAST
- FIX: 2 occurrences of OPENSSL calls had a hostname instead of an IP address
- FIX: starttls protocol correctly displayed
- NEW added duplicate detection for header flags
- NEW: added four GOST cipher to standard socket handshake
- recommends if openssl 1.0.2 is used and results were strange and IIS6 --> run with openssl 1.0.1
- declared some global vars as readonly
2015-05-15 21:32:11 +02:00
Dirk Wetter 7741d99cc8 Update Readme.md 2015-05-12 13:42:42 +02:00
Dirk 7614ac6f87 Merge branch 'master' of github.com:drwetter/testssl.sh 2015-05-12 13:38:20 +02:00
Dirk 16d2b33459 - Workarounds for IIS6 #99 : some places where openssl 1.0.2 cannot connect (as opposed
to =< 1.0.1) finding the right protocol before
- hints for IIS6+openssl 1.0.2 non-conformity #99
- version bumped up to 2.4rc2
- better formatting for BSD in cipher order
- FIX: 2x bug for cipher order + sslv2
- preamble revisited
2015-05-12 13:37:39 +02:00
Dirk Wetter a7d7158c4b Update Readme.md 2015-05-12 10:21:31 +02:00
Dirk 3a64bd1005 - WONTFIX remarks for #103 and #102
- better warning for openssl < 1.0
2015-05-11 16:58:57 +02:00
Dirk 35d8469f67 URL_PATH regression fixed 2015-05-11 10:47:26 +02:00
Dirk 08fe890d5f - two fixes from #40 reported by @salt-lick 2015-05-11 08:52:40 +02:00
Dirk 19fc021587 - FIX: 30x with BigIP doesn't have a date, handled properly now
- generic GET/HEAD is now always with URL_PATH
2015-05-10 23:38:06 +02:00
Dirk 0050df5529 - informative header extended 2015-05-10 20:54:43 +02:00
Dirk 2f79ba52fc - NUMEROUS FreeBSD9/Darwin FIXES #40
- http date
  - cipher list in preferences
- GET_REQ11 now closes the connection
- openssl_age comes after the banner so that help doesn't need to go thru this
- uname -s ==> SYSTEM
2015-05-10 19:20:55 +02:00
Dirk 0aa8ac7e76 - more robust wrt IIS6 (some stuff better with IIS7)
- X-Powered-By is easy to remove (PHP, ASP.NET), thus labelled as yellow
- same X-AspNet-Version (version # itself is brown)
- better addressed address resolution failures ;-)
- bumped up version to 2.4rc1
2015-05-06 18:48:51 +02:00
Dirk f3f3967bd1 - FIX $87 (2), finally
- feature: integrated TLS+HTTP time into server defaults
- NEW: option: -U/vulnerable
- moved explanation for BREACH into result
- FREAK and CCS are not labeled experimental anymore
- unifying of get request headers
- readability of help
2015-05-02 15:01:02 +02:00
Dirk Wetter 2aa82e5164 - partly FIX for #87 (removed SNI helps. Doesn't make sense anyway)
- changed order of Secure Renegotiation/Secure Client-Initiated Renegotiation
- readability improvements in renego
2015-05-01 12:18:43 +02:00
Dirk d766a0b459 - fix additional \n in RC4 if no RC4 ciphers were detected 2015-04-28 08:04:09 +02:00
Dirk Wetter ae1abda571 Update Readme.md 2015-04-24 16:52:08 +02:00
Dirk 150fb671bb - more thorough what has been done 2015-04-23 09:25:28 +02:00
Dirk Wetter b492031b95 Update Readme.md 2015-04-23 08:48:28 +02:00
Dirk 1ea7a0947f - RC4 has now 2 CVEs and cipher per default are displayed short
- introducing a variable name LONG which for certain funcs shows broad output with hexc, cipher, KX, etc.
- FIX: regression not showing security headers
- introducing VULN_THRESHLD
2015-04-22 18:24:39 +02:00
Dirk 3891f5b13b - FIX #83
- emphasize also OS names in HTTP headers
2015-04-22 15:22:53 +02:00
Dirk 06bd8b2517 - FIX for complete bailing out 2015-04-22 11:56:13 +02:00
Dirk bafce6edce - reordering code so that all attacks are together
- RC4 is now really omitted in PFS test
- cleanup of some comments
2015-04-22 10:33:44 +02:00
Dirk c751e9f459 typo 2015-04-21 08:14:36 +02:00
Dirk 5bec0a16c9 - better compatibility with windows 2003 server
- all long options are advertised now as with dashes and not underscore
- cosmetic stuff
2015-04-20 10:05:01 +02:00
Dirk 7b6dba6369 FIX for #82 2015-04-18 23:03:16 +02:00
Dirk Wetter 3f0f489f50 Indicated freeze 2015-04-16 21:05:23 +02:00
Dirk 5625ee536e - BUGFIX: IIS server led to false positive if SSLv3 was enabled
(timeout was faster than socket reply)
- FIX: CORS header not labeled as green
- NEW: Now also STARTTLS works with all cmd line options and is absolutely doing the same stuff!
  (integrated starttls() into parse_hn_port() )
- option --mx needed to be changed because of starttls
- regression fix: exec for socket doesn't play nice with stderr redirect
  (probably bash bug)
- added some env options to cmd line as long args (--assuming-http,--ssl_native,
  --color, debug, --sneaky, --warnings)
- threw away getent as it doesn't work under Linux && not network && localhost
  (replaced by grep)
- SSL-POODLE is not labeled anymore experimental
- HB+CCS are called while checking STARTTLS but given a hint that it's not yet supported
- added more env vars to debug output
- cleanups
2015-04-16 20:36:17 +02:00
Dirk f682c5ceea - FIX regression: more_flags execution was missing
- FIX regression: capitalized/all lowercase headers weren't detected
- if socksend is blocked (IDS) output looks better and is reported as test didn't succeed
- no secure cookie or Httponly will be marked as brown
- tput color yellow is now brown
2015-04-14 13:16:43 +02:00
Dirk 9d5168dbb5 - more robust grep >=2.20, e.g Debian 8.0 (thx @stevenb18)
- FIX: false positive for breach while testing google.com (referer header was hardcoded to google.com)
2015-04-14 10:15:07 +02:00
Dirk 683e9dccab - FIX (regression): -V
- logic of some ENV variables changed (attention!)
- included some ENV as long options (not in the help yet)
- decentralized http check for breach
- if openssl is not executable it bails out better now
- help function now exits
2015-04-13 22:55:40 +02:00
Dirk 1043c40a60 Merge branch 'master' of github.com:drwetter/testssl.sh 2015-04-10 15:16:20 +02:00
Dirk a12d39769f - underline CN, SAN and issuer deutschepost case (see sourceforge.net/p/ssllabs/mailman/message/33764851/) 2015-04-10 15:15:47 +02:00
Dirk Wetter bfcd684e19 Update Readme.md 2015-04-10 10:13:30 +02:00
Dirk Wetter 9ebf112858 Update Readme.md 2015-04-09 22:24:57 +02:00
Dirk 53e0955dfb FIX: missing server preferences, NEW: each cipher server preferences per protocol! 2015-04-09 22:08:48 +02:00
Dirk 7f984ea83f - 2015-04-09 21:45:22 +02:00
Dirk a98161acc9 - fixes to changes from Peter's better cmd line parsing
- cosmetic improvements (vulnerabilities)
2015-04-09 21:42:52 +02:00
Dirk Wetter eb73ffc053 Merge pull request #79 from PeterMosmans/refactoring
Refactored major parts of code
2015-04-09 21:38:29 +02:00
Peter Mosmans c8d169cc0f Removed GNU getopt
Minor fix to --poodle option
2015-04-07 18:05:52 +10:00
Peter Mosmans 9780e83895 Refactored major parts of code
Note that due to the refactoring of some status messages, the output will be slightly different (more verbose) than previous versions

Moved specific status messages to http_header()
Moved specific status messages to breach()
Moved specific status messages to ccs_injection()
Moved specific status messages to heartbleed()
Moved specific status messages to renego()
Moved specific status messages to crime()
Moved specific status messages to tls_poodle()
Moved specific status messages to freak()
Moved specific status messages to beast()

Added some more documentation for functions

Fixed typos in help

Created new function main:
This is the main function of testssl.sh
Refactored major part of the original main function

Created new function startup:
Parses the startup options

Created new function intialize_globals:
Initializes all used global variables

Created new function scanning_defaults:
Sets default scanning options when only one parameter (URI) is given

TODO: Refactor more/duplicate parts of functions

Note: For the new functions, fixed spaces (4) are used instead of tabs
2015-04-07 17:00:43 +10:00