Commit Graph

5158 Commits

Author SHA1 Message Date
Dirk Wetter
5b0b771c52 Define vars for early data
It seems needed to introduce two variables for upcoming early data tests,
see #1186. This is not needed for OpenSSL as it introduced that
together with TLS 1.3. For LibreSSL it is though.
2025-10-05 18:19:41 +02:00
Dirk Wetter
637ad03a36 Merge pull request #2904 from testssl/jdvorak001-fix_file_naming
Jdvorak001 fix file naming
2025-09-30 17:31:33 +02:00
Dirk Wetter
d6decc7f79 Merge pull request #2905 from testssl/fix_2884
Consistency for function ciphers_by_strength()
2025-09-30 15:53:34 +02:00
Dirk
78ecf53b67 Consistency for function ciphers_by_strength()
* keys now always with v, like supportedciphers_TLSv1_2 and also
  ciphers (e.g. TLSv1.2   x35     AES256-SHA)
* add word "server" to file output so that it reads "NOT a server cipher order configured"

Fixes #2884
2025-09-30 14:30:52 +02:00
Dirk
123684f554 make spellchecker and myself happy ;-) 2025-09-30 13:58:28 +02:00
Dirk
e8ab2c74e6 straighten global definitions in the very bottom 2025-09-30 13:56:25 +02:00
Dirk
1d6ddfb352 rename datetime_started
.. to fname_date as it's more consitent with fname_prefix
2025-09-30 13:35:08 +02:00
Jan Dvorak
e0009cf0cb Adapt variable naming (datetime_started now) 2025-09-26 12:18:44 +02:00
Jan Dvorak
67aba03a41 Use common datetime part when naming output files across all formats
- the datetime is fetched just once
- it is then passed to the functions that start the output files, always as arg1
2025-09-25 23:26:33 +02:00
Dirk Wetter
d66b67befe Merge pull request #2897 from dcooper16/fix2896
Fix #2896
2025-09-21 23:49:10 +02:00
David Cooper
41db430c46 Fix #2896
This commit fixes #2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
2025-09-21 13:23:55 -07:00
Dirk Wetter
97faadf425 Merge pull request #2894 from testssl/faq_update
Restructure, load balancer issue, STARTTLS SMTP better explained
2025-09-18 10:59:25 +02:00
Dirk Wetter
8dec13ba62 Update FAQ.md 2025-09-18 10:57:35 +02:00
Dirk Wetter
94f03a1f1f Merge pull request #2891 from testssl/fix_indentation_3.3dev
Fix indentation @ Intermediate cert validity
2025-09-16 19:52:42 +02:00
Dirk Wetter
75feb05a0c Fix indentation @ Intermediate cert validity
... when there were two server and >1 intermediate CA certificates.
2025-09-16 13:03:48 +02:00
Dirk Wetter
a90b2cfd4e Merge pull request #2886 from testssl/fix_http_age
Fix garbled screen when HTTP Age is not a non-negative int
2025-09-15 17:37:20 +02:00
Dirk Wetter
d08b54b5e1 Merge pull request #2882 from testssl/update_faq
Additions to FAQ
2025-09-15 17:37:07 +02:00
Dirk
52d24925e0 > was a problem
trying to get it right in GiHub MD and retext
2025-09-15 17:35:37 +02:00
Dirk
f36462b14a fix spell checking 2025-09-15 17:26:06 +02:00
Dirk
0b47f24bbd Add STARTTLS + rating amend paragraphs
... and try to avoid "crypto"
2025-09-15 17:20:54 +02:00
Dirk
ef82cd37be fix typo 2025-09-15 16:00:53 +02:00
Dirk
15ebceca84 Fix garbled screen when HTTP Age is not a non-negative int
As suggested in https://github.com/testssl/testssl.sh/pull/2885 parsing
of the server determined HTTP age var wasn't strict enough.

https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the
variable to be a non-negative integer but testssl.sh assumed it was
like that but did't check whether that really was the case. This was
labled as a (potential) security problem. Potential as it didn't
look exploitable after review -- the header as a whole was already
sanitized.

This PR fixes the typs confusion and the garbled screen by checking
the variable early in run_http_header() and reset it to NaN. That
will be used later in run_http_date() to raise a low severity finding.

Kudos to @Tristanhx for catching this and for the suggested PR.

Also, only when running in debug mode, this PR fixes that during
service_detection() parts of the not-yet-sanitized header ended
up on the screen. The fix just calls sanitze_http_header() for the
temporary variable $TMPFILE.
2025-09-15 15:41:43 +02:00
Dirk Wetter
89a0d8d2c4 Micro additions 2025-09-03 10:51:55 +02:00
Dirk Wetter
e75ef95547 Merge pull request #2879 from testssl/newfaq
Provide an FAQ
2025-09-02 15:46:11 +02:00
Dirk Wetter
0d8150e088 add faq to changes 2025-09-02 15:43:28 +02:00
Dirk Wetter
b1a7c287e8 Include the FAQ 2025-09-02 15:40:54 +02:00
Dirk Wetter
08e6e4f1b5 typo / omitting few words 2025-09-02 15:31:38 +02:00
Dirk Wetter
d367575511 Start over with FAQ
... see #2685
2025-09-02 15:29:06 +02:00
Dirk Wetter
5d959c1860 Merge pull request #2877 from testssl/drwetter-patch-1
Keep  feature_request.md up to date
2025-09-01 16:38:40 +02:00
Dirk Wetter
1fd86b1854 Update feature_request.md 2025-09-01 16:36:59 +02:00
Dirk Wetter
b366d30b9e Merge pull request #2872 from testssl/dependabot/github_actions/actions/checkout-5
Bump actions/checkout from 4 to 5
2025-08-18 17:10:55 +02:00
dependabot[bot]
cce6124a92 Bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-12 11:44:32 +00:00
Dirk Wetter
de222f1241 Merge pull request #2870 from testssl/fraction_sleep
wait_kill() is now 0.1 seconds
2025-07-30 22:29:04 +02:00
Dirk Wetter
881ce7723e wait_kill() is now 0.1 seconds
... which leads to a performance gain., most noteably on Macs.

All times when calling were re-adjusted.

Also:
* PROXY_WAIT was decrease to 10 seconds. 20 seemed just too much
* passed var to `starttls_just_read()` was simplyfied
2025-07-30 18:34:37 +02:00
Dirk Wetter
8f036729ba Merge pull request #2868 from testssl/fix_MAX_SOCKET_FAIL
Fix additional parameter in shouldwedo_ipv6()
2025-07-30 15:14:53 +02:00
Dirk Wetter
bd2312ec0d Merge pull request #2869 from testssl/drwetter-patch-1
Try badge for correct branch
2025-07-30 12:58:14 +02:00
Dirk Wetter
ca8fdcca0e Try badge for correct branch 2025-07-30 12:57:19 +02:00
Dirk
279bc4ad91 Fix additional parameter in shouldwedo_ipv6()
.... for connectivity_problem() which may block testssl.sh
2025-07-30 12:53:13 +02:00
Dirk Wetter
f14e24533b Merge pull request #2867 from testssl/check_ipv6_in_background
Exec IPv6 check in background
2025-07-29 22:54:01 +02:00
Dirk
2ce0110eee Exec IPv6 check in background
... as it can get stuck.

Also reduce MAX_WAITSOCK to 5 instead of 10.
2025-07-29 15:36:23 +02:00
Dirk Wetter
8c1ade5e38 Merge pull request #2865 from testssl/drwetter-patch-3
Modify OS bullet point + badge param
2025-07-29 12:43:25 +02:00
Dirk Wetter
f64cef8871 typo 2025-07-29 12:43:00 +02:00
Dirk Wetter
8ff61c4898 Modify OS bullet point + badge param 2025-07-29 12:40:29 +02:00
Dirk Wetter
9e09d2cd58 Merge pull request #2863 from testssl/reliability_quic
More reliability for QUIC test
2025-07-28 19:03:04 +02:00
Dirk Wetter
31804ac424 Merge pull request #2857 from testssl/reliable_ut_host
Pick another host for unit tests
2025-07-28 16:37:16 +02:00
Dirk
0225bc3604 typo fix 2025-07-28 15:44:58 +02:00
Dirk
9166fc7174 Fix typo in comment 2025-07-28 15:43:01 +02:00
Dirk
f8d3df7747 Make QUIC protocol detction more reliable
The site from that billioniare who made nazi gestures delivers a UDP
response without proper TLS handshake. This led to a false positive
as if the site supports QUIC via h3.

This PR makes the detection of QUIC more robust by adding a certificate check
and also take better the return values from `wait_kill()` into account.

It also introduces a function to remove any non printable chars (depending
on the LC_ALL var): `filter_printable()`

Also `sanitze_http_header()` doesn't operate anymore on a global variable
which is kind of not best practise as it is easily to avoid here.
2025-07-28 15:37:35 +02:00
Dirk Wetter
56c1e58567 Mask IP addresses, change host, compression
... for t/32_isHTML_valid.t .

Github.com seems to be most reliable from the ones tested so far.

bahn.de has one IP to the outside however Session resumption seems
to come from different hosts behind that IP. Bad choice for this
test.
2025-07-28 15:03:51 +02:00
Dirk Wetter
b375755161 Merge pull request #2862 from testssl/drwetter-patch-1
Test with badge referring to the correct branch
2025-07-25 10:21:35 +02:00