Revives and rebases #1809 by @tosticated (Jim Blankendaal) onto 3.3dev. When --phone-out is set, run_hsts now queries https://hstspreload.org/api/v2/status and reports whether the domain is on the browser HSTS preload list (preloaded/pending/rejected/unknown), cross-referenced with the served header, the same-domain check and the bulk flag.
Addresses the review comments on #1809: the API-response matching uses native bash string matching instead of forking grep, the JSON quoting is handled inside check_hsts_preloadlist_match() so callers pass plain values, and the value arrays use 'local -a'. The output decision table is kept as-is (per maintainer feedback). Adds t/53_hsts_preload.t. Original design and decision table by @tosticated.
This is just to assist debugging of the runners, so that
we can grab in a case needed the screen and stderr .
* there's a script t/03_debug.t.DISABLED which needs to be renamed then
* it utilises IPC::Run3
- also showing the PATH is added for both runners
- Readme amended accordingly
- URI is now example.com bc Akamai doesn't block too many checks
(MacOS runner was delayed and often hiccuped here)
- failed to flush message --prevention
- term pattern seems better than the "colorized list"
... for t/32_isHTML_valid.t .
Github.com seems to be most reliable from the ones tested so far.
bahn.de has one IP to the outside however Session resumption seems
to come from different hosts behind that IP. Bad choice for this
test.
Fixes#2833
This does a check for the opossum vulnerability, see https://opossum-attack.com/ .
It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.
`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.
Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help
Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS.
Also change the displayed text.
See #2832 (which was for 3.2)
This fixes a problem which was introduced @ 8d8f83ace5.
It caused for some hosts not to parse / display the issuer CN correctly.
Also it adds some code in testssl.sh and in a unit test to detect
this earlier. In general an output string FIXME will now cause a
unit test to fail. This can + should be used at other places too!
Fixes#2789
As suggested in #2780 this PR redirects all stderr on a perl level
to stdout so that we should see all errors which we miss because
we can't redirect (>/dev/null in check) or we haven't redirected yet.
Also old checks are imporved, so that $prg is used as in newer
checks.
potato-20