Commit Graph

996 Commits

Author SHA1 Message Date
Frank Breedijk
5d7367a68d Shell script to generate ca_hashes.txt (OSX only) 2016-07-25 09:47:24 +02:00
Frank Breedijk
fccc5fe4fb Merge branch 'CA_pinning' of https://github.com/drwetter/testssl.sh into CA_pinning 2016-07-25 09:38:30 +02:00
Dirk
541690b46e - enabled+renamed tolerance test per default
- quoted some bool vars for faster execution
2016-07-23 15:12:13 +02:00
Dirk Wetter
38b61ed36f Merge pull request #346 from dcooper16/version_negotiation
Additional checks in run_protocols()
2016-07-23 14:54:50 +02:00
Dirk
3d588ddb20 change sequence of out output (trust checks together 2016-07-23 14:52:26 +02:00
Dirk Wetter
0c2acdd8fe Merge pull request #420 from dcooper16/signed-signed-check
Fix check for self-signed certificate
2016-07-23 14:47:14 +02:00
Dirk
1a099d35b7 - minor polishing #419 2016-07-23 11:17:49 +02:00
Dirk Wetter
9ef0cef8ef Merge pull request #419 from dcooper16/CN-hostname-match
CN <--> hostname match
2016-07-23 11:13:29 +02:00
David Cooper
ae38670067 Fix check for self-signed certificate
The check for whether a certificate is self-signed was using the undefined variable $CN rather than $cn.
2016-07-22 12:06:52 -04:00
David Cooper
59002c1088 Update JSON id for chain-of-trust 2016-07-22 11:57:16 -04:00
David Cooper
df64e47fb9 CN <--> hostname match
PR to address issue #94 (CN <--> hostname match)
2016-07-22 11:31:52 -04:00
Dirk Wetter
ddead05825 Merge pull request #418 from dcooper16/issuer2
CA names with domain component attributes
2016-07-21 12:16:24 +02:00
David Cooper
603ed33f57 Merge branch 'master' into version_negotiation 2016-07-20 13:39:11 -04:00
Dirk Wetter
82c8663b4f speed improvement due to using a precomputed hash table for known CAs 2016-07-20 19:12:02 +02:00
Dirk Wetter
12c7af11c6 fixed hashes 2016-07-20 19:11:38 +02:00
Dirk Wetter
fad41b059f - first set of patches 2016-07-20 19:01:02 +02:00
Dirk Wetter
fddc533fc4 Merge branch 'seccubus-feature/ca-pinning' into CA_pinning 2016-07-20 18:48:09 +02:00
Dirk Wetter
535c37fbb3 Merge branch 'feature/ca-pinning' of https://github.com/seccubus/testssl.sh into seccubus-feature/ca-pinning 2016-07-20 18:47:05 +02:00
David Cooper
bdea1a0971 Merge branch 'master' into issuer2
Conflicts:
	testssl.sh
2016-07-20 11:45:08 -04:00
Dirk Wetter
d98e49f5ba Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-20 17:39:52 +02:00
Dirk Wetter
6e5c2a824e merged #416 2016-07-20 17:38:55 +02:00
David Cooper
346c52dc7c CA names with domain component attributes
`certificate_info()` does not correctly display the Issuer name for CAs that use domain component attributes.

There is a server on the NIST intra-net that I test against that has a certificate issued by a NIST CA, and the issuer name in the certificate is of the form: `/DC=net/DC=example/DC=internal/CN=CAname`

Since there is no organizational name, testssl.sh displays the name as:
```
 Issuer                       "CAname" ("")
```
In this PR, if the Issuer name has 'DC=' attributes, but does not have an 'O=' attribute, the "DC=" attributes are combined into a DNS name that is used as if it were the organizational name:
```
 Issuer                       "CAname" ("internal.example.net")
```
I should note, however, that I have not been able to find any other examples of TLS server certificates that have been issued by CAs that have domain components ("DC=") in their names. So, it may not be worthwhile to change the code to try to accommodate such CAs.
2016-07-20 11:37:51 -04:00
Dirk Wetter
b0d394e93c merged #417 2016-07-20 17:28:09 +02:00
Dirk Wetter
b342db6b38 Merge pull request #417 from dcooper16/issuer
Fix JSON output of Issuer name
2016-07-20 17:06:09 +02:00
David Cooper
d9f8024d9a Fix JSON output of Issuer name
`certificate_info()` currently outputs `$issuer` to the JSON file, where is should be outputting `$issuer_CN` in order for the information in the JSON file to match the information that is displayed.

This PR also fixes the problem that if an Issuer name contains a domain component attribute (DC=) then it will be mistakenly treated as a country attribute (C=).
2016-07-20 10:50:38 -04:00
Dirk
829231c381 Merge branch 'dcooper16-run_pfs_curves' 2016-07-16 21:21:53 +02:00
Dirk
5de3ef3e22 Merge branch 'run_pfs_curves' of https://github.com/dcooper16/testssl.sh into dcooper16-run_pfs_curves
Conflicts:
	testssl.sh
2016-07-16 21:21:18 +02:00
Dirk
0c22ea9a0e - output polising in curves
- fix for jail #258
2016-07-16 20:48:56 +02:00
David Cooper
a06ac81df3 Speed up finding supported curves
Rather than try each curve one at a time, follow model in `cipher_pref_check()`.  First include all curves in ClientHello, then successively remove from the ClientHello those curves that have been offered by the server until the connection fails. This makes the number of calls to `$OPENSSL s_client` one more than the number of supported curves rather than the number of curves in NamedCurve supported by $OPENSSL.

Note, however, that OpenSSL defines MAX_CURVELIST as 28 and fails if the `-curves` option includes more than 28 curves. Since OpenSSL 1.1.0 offers 29 curves from NamedCurve, this PR breaks the list of supported curves in 2. At the cost of one additional calls to `$OPENSSL s_client` it ensures that the number of curves provides to the `-curves` option is below the limit.
2016-07-14 13:23:50 -04:00
Dirk
bda62ec715 no glasses needed, just need to look at the right spot ;- 2016-07-11 19:41:32 +02:00
Dirk
5f47359291 polishing output for #413 2016-07-11 18:44:28 +02:00
Dirk Wetter
400e969585 Merge pull request #413 from dcooper16/test_curves
Determine support elliptic curves for ECDHE- ciphers
2016-07-11 18:11:09 +02:00
Dirk Wetter
9f47ccece2 Merge pull request #412 from dcooper16/supported_elliptic_cur
Reorder supported curves
2016-07-11 17:08:39 +02:00
David Cooper
891c56f8bf Determine support elliptic curves for ECDHE- ciphers
This PR extends run_pfs() to display the set of elliptic curves supported by the server, if the server supports any ECDHE- ciphers.
2016-07-11 11:00:56 -04:00
David Cooper
fb94221ce0 Reorder supported curves
Reorder the supported curves sent by socksend_tls_clienthello() from strongest to weakest.
2016-07-11 10:52:48 -04:00
David Cooper
f968bd8346 Merge branch 'master' into version_negotiation 2016-07-11 10:45:59 -04:00
Dirk Wetter
16087f8252 Merge pull request #411 from welwood08/patch-2
Server cipher order NPN tests should use SNI
2016-07-11 16:24:45 +02:00
Dirk
3e8d5208dc further fix, see #410 2016-07-11 16:20:36 +02:00
Dirk Wetter
c32706c039 Merge pull request #410 from welwood08/patch-1
Unreadable SAN list on FreeBSD
2016-07-11 16:01:35 +02:00
Will Elwood
2573a9b8b8 More SNI for NPN tests
Found another NPN test (for the case where server doesn't specify cipher order?) that wasn't using SNI.
Also found a comment saying proxies don't support NPN => removed `$PROXY` from all modified lines.
2016-07-11 14:37:20 +01:00
Will Elwood
382d22648a Server cipher order NPN tests should use SNI
I noticed the NPN parts of this test were not returning any ECDSA ciphers where I expected them to match the results of the immediately preceding TLS 1.2 test. Found it wasn't using SNI so my test server was using the default domain (snakeoil RSA certificate) instead of the tested domain (dual ECDSA/RSA certificates).
2016-07-11 14:15:50 +01:00
Will Elwood
3c39396391 Unreadable SAN list on FreeBSD
On FreeBSD, sed does not support "\n" in the replacement string of a substitution. The SANs are currently output all together inside a single pair of quotes and each separated with an "n" character, needless to say this is very difficult to read.

After a little digging, it seems this is a somewhat recent regression of the fix in #173. I believe `tr` would be a more cross-platform way to do this, and several sources (including the author of that PR) would seem to agree - assuming the newline is now necessary.

It doesn't appear to matter what order the newline replacement happens amongst all the other replacements, so I have placed it first simply to avoid extending any already-long lines. Please correct me if this deduction is false.
2016-07-11 13:35:55 +01:00
Dirk Wetter
018468a670 more user friendly... 2016-07-09 14:24:38 +02:00
David Cooper
f216cbe61f Merge branch 'master' into version_negotiation 2016-07-08 09:39:12 -04:00
Dirk
eb58598ca5 make it public, see #122 2016-07-08 11:40:17 +02:00
Dirk
af4117aa7a FIX #404 2016-07-08 11:25:41 +02:00
Dirk
8c11334030 FIX #405 2016-07-08 11:15:41 +02:00
Dirk Wetter
57bf01a360 Merge pull request #402 from dcooper16/poodle
Check for all CBC ciphers in Poodle test
2016-07-08 10:04:49 +02:00
Dirk Wetter
9c92a866e0 Update Readme.md 2016-07-08 08:04:58 +02:00
Dirk Wetter
345087c3a4 Merge pull request #403 from teward/patch-1
Missing closing parenteses in help output for --openssl
2016-07-06 20:45:45 +02:00