Commit Graph

2989 Commits

Author SHA1 Message Date
Dirk Wetter eef63b1726
Merge pull request #1289 from drwetter/tput_sgr_fix
Fix terminal codes / tput
2019-07-03 11:54:56 +02:00
Dirk Wetter af6f232790 Fix terminal codes / tput
As noted in #1288 with some terminal settings under Linux there
appeared some ~garbage on the screen.

This fixes that by partly reverting 695d02157a .
At least now and under an older OpenBSD like 6.2 this doesn't seem
to be necessary.
2019-07-03 11:47:54 +02:00
Dirk Wetter 3d5982e60b
Merge pull request #1285 from dcooper16/fix_color_comparison_typo
Fix typo in check of $COLOR
2019-06-25 09:08:28 +02:00
David Cooper 2a141ab0f4
Fix typo in check of $COLOR
In emphasize_stuff_in_headers() there is a check of the $COLOR value, which checks whether $COLOR is 2. It should check whether $COLOR is 2 or higher.
2019-06-24 14:49:20 -04:00
Dirk Wetter a4d34b0cff
Merge pull request #1283 from drwetter/etls_comment
"eTLS" ~> ETS
2019-06-17 10:26:36 +02:00
Dirk f1eb2b89b9 "eTLS" -> ETS
Decription was added with the (future) ETSI name ETS [1]. Also
added as a comment MITRE's CVE data using ETS, amended with NIST's
entry in NVD

[1] EFF's interpretation: extra terrible security
   https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it
2019-06-17 10:01:05 +02:00
Dirk Wetter 6e4abbf33a
Merge pull request #1282 from drwetter/1279_related
Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
2019-06-12 21:16:22 +02:00
Dirk 7a1fb0b3b9 Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
CERT_COMPRESSION was declared always with fast in ... so that the variable
was always false. This PR fixes that. In addition a informational line
that the new TLS extension has been added (if $DEBUG >3).

Also determine_optimal_proto() is not being run if devel mode
($do_tls_sockets) is enabled.

Furthermore as David added HAS_ZLIB as a global run_crime() now makes
use of it too.
2019-06-12 21:05:43 +02:00
Dirk Wetter 53ecacfcbb
Merge pull request #1281 from drwetter/SNI_STARTTLS_polish_pwnedkeys
* SNI STARTTLS
* minor polish for pwned keys and devel option certificate compression
2019-06-12 15:59:06 +02:00
Dirk Wetter b2bf5b72bd Add SNI/STARTTLS, pwnedkeys 2019-06-12 15:41:07 +02:00
Dirk Wetter 912cd906d2 SNI STARTTLS, minor polish
This PR addresses #316 and #1280: it implements server name indication
also for STARTTLS which has been supported by a number of server
implemantations, in the meantime.

Also it does a final polish to David's pwnedkeys PR #1274 a while back:
UI improvement and detection of network problems.

In addition to PR #1279 it introduces a env variable to devel
mode so that "CERT_COMPRESSION=true ./testssl.sh --devel <params> <target>"
can be used to explore certificate compression on a host.
2019-06-12 14:36:46 +02:00
Dirk Wetter 11add0d4ae
Merge pull request #1279 from dcooper16/compressed_certs
Initial support for certificate compression
2019-06-07 21:33:36 +02:00
David Cooper e2042e99d6 Initial support for certificate compression
draft-ietf-tls-certificate-compression specifies a new TLS extension that allows a client to indicate support for receiving the server's certificates in compressed form. This PR adds initial support for that extension to testssl.sh. It was developed based on an announcement that facebook.com has implemented support for the extension.

This PR does not add a test for a server's support for the new extension, it just adds code to parse_tls_serverhello() that will parse a compressed certificate message if one is present in the server's response. So, in practice, the code in this PR will not actually be used until additional code has been added that sends a ClientHello with the compress_certificate extension.

The code in this PR can be tested by using the --devel option and by changing line 19347 from

     tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"

to

     tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"

testssl.sh can then be called using

     testssl.sh --debug 3 --devel 04 "13,01" facebook.com

Note that this PR adds a test for zlib support to find_openssl_binary(). The test uses $OPENSSL zlib in the same way it is used in parse_tls_serverhello(). The test asks $OPENSSL zlib to uncompress the compressed version of the string "zlib" and the checks to see whether the decompression was performed correctly. There is already a test for zlib support in run_crime(), but I did not check to see whether the check in run_crime() could be replaced with a check of the new $HAS_ZLIB variable.
2019-06-06 12:17:32 -04:00
Dirk Wetter 91e98f1fc3
Merge pull request #1274 from dcooper16/pwnedkeys
Check pwnedkeys.com database
2019-05-23 10:45:57 +02:00
David Cooper 0d2b955e21
Check pwnedkeys.com database
This PR adds a check of whether the server's public key appears in the https://pwnedkeys.com database.
2019-05-22 10:11:34 -04:00
Dirk Wetter d6fb232152
Merge pull request #1271 from drwetter/depr_clients
Depreciation of more clients
2019-05-08 23:18:03 +02:00
Dirk d5f90218d1 Deprecation of more clients
* Tor 17
* Android 4.2.2
* IE 7 Vista
2019-05-08 23:12:45 +02:00
Dirk Wetter 0c750c212c
Merge pull request #1270 from drwetter/ubuntu2openjdk
Change the platform for Java from Ubuntu to OpenJDK
2019-05-07 19:43:58 +02:00
Dirk Wetter 7238a0167a Change the platform for Java from Ubuntu to OpenJDK 2019-05-07 19:39:20 +02:00
Dirk Wetter 174f4ee527
Merge pull request #1268 from csett86/safari-macos
Add Safari 12.1 on macOS 10.13.6
2019-05-07 19:35:09 +02:00
Dirk Wetter 9273661779
Merge pull request #1269 from csett86/deprecate-java9
Deprecate Java 9, its EOL since March 2018
2019-05-07 08:02:44 +02:00
Christoph Settgast c41b1f0055 Revert diff noise at end of file 2019-05-06 21:35:58 +02:00
Christoph Settgast fa77a9c80e Deprecate Java 9, its EOL since March 2018
No current distro (Ubuntu, Debian, Fedora) is still shipping it,
Oracle has EOLed it in March 2018 according to

https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
2019-05-06 21:26:30 +02:00
Christoph Settgast a17f45b563 Add Safari 12.1 on macOS 10.13.6
manually wiresharked
2019-05-06 21:19:46 +02:00
Dirk Wetter 1ccc8bdcb8
Merge pull request #1263 from csett86/java
Add Java 11 and 12 client simulations
2019-05-06 19:40:33 +02:00
Dirk Wetter 4cae781d98
Merge pull request #1267 from drwetter/hexstream2cipher_fix
Don't include SSLv2 ciphers in hexstream2cipher.sh
2019-05-06 19:37:44 +02:00
Dirk 13d3b7329b Don't include SSLv2 ciphers in hexstream2cipher.sh 2019-05-06 19:35:12 +02:00
Christoph Settgast 8c8a626b49 Remove erroneous DES-CBC-MD5 from Java 11 and 12
DES-CBC-MD5 was included by utils/hexstream2cipher.sh,
heres the relevant snippet, line 160:

148: c025 --> 0xc0,0x25 --> ECDH-ECDSA-AES128-SHA256
152: c029 --> 0xc0,0x29 --> ECDH-RSA-AES128-SHA256
156: 0067 --> 0x00,0x67 --> DHE-RSA-AES128-SHA256
160: 0040 --> 0x00,0x40 --> DHE-DSS-AES128-SHA256 DES-CBC-MD5
164: c009 --> 0xc0,0x09 --> ECDHE-ECDSA-AES128-SHA
168: c013 --> 0xc0,0x13 --> ECDHE-RSA-AES128-SHA
172: 002f --> 0x00,0x2f --> AES128-SHA
176: c004 --> 0xc0,0x04 --> ECDH-ECDSA-AES128-SHA

Unfortunately I don't know how to fix utils/hexstream2cipher.sh,
but I have manually removed the erroneous cipher and space from
the client-sim.
2019-05-06 18:07:43 +02:00
Dirk Wetter 29a74713ee
Merge pull request #1266 from drwetter/more_unittests1
t/25_baseline_starttls in line with the new scheme now
2019-05-06 14:08:54 +02:00
Dirk Wetter 33ece6858d In line with the new scheme now 2019-05-06 14:07:08 +02:00
Dirk Wetter c5d76fec27
Merge pull request #1265 from drwetter/more_unittests1
Another (minor) step forwad for unit tests
2019-05-06 11:22:42 +02:00
Dirk Wetter 51e8373efb Update to newest template
* die statement if testssl.sh cannot be found from the current path
* comment everything out for JSON
* don't repeat the pattern, use a variable
* use "speaking" variable names
2019-05-06 11:20:28 +02:00
Dirk Wetter 802d0defe7 Better phrased and provide examples 2019-05-06 11:13:37 +02:00
Dirk Wetter cf7c1ba4ae
Merge pull request #1262 from drwetter/more_unittests1
More unit / integration tests + Fix client simulation with OpenSSL, LDAP
2019-05-05 18:43:13 +02:00
Dirk Wetter 710017ba57 Merge branch 'more_unittests1' of github.com:drwetter/testssl.sh into more_unittests1 2019-05-05 15:08:18 +02:00
Dirk Wetter 15df3316c1 Formatting fixed 2019-05-05 15:07:55 +02:00
Dirk Wetter 62bd23a632
add headline+note 2019-05-05 13:54:56 +02:00
Dirk Wetter 3785e9d622
Proper formatting 2019-05-05 13:45:23 +02:00
Dirk Wetter c3ff9e85f9 Rename file according to new scheme
... Readme.md
2019-05-05 13:44:02 +02:00
Dirk Wetter 666e897623 renamed 2019-05-05 13:42:48 +02:00
Dirk Wetter b63c389b54 Renamed 2019-05-05 12:58:49 +02:00
Dirk Wetter b9aee02978 Split IPv6 + IPv4
... and disable IPv6 test as it is NOT supported by Travis CI,
see https://docs.travis-ci.com/user/reference/overview/#virtualisation-environment-vs-operating-system

The *.disabled file should provide a start if it'll be available
at some time or one can manage this in travis with a docker container,
see https://github.com/travis-ci/travis-ci/issues/8891
2019-05-05 12:53:07 +02:00
Dirk Wetter 50a83235fe Renamed + testssl.net (IPv6) 2019-05-05 12:08:13 +02:00
Christoph Settgast 11416790cd Add Java 12 from Ubuntu 19.04
manually wiresharked, detailed version info:

$ java -version
openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12-Ubuntu-1)
OpenJDK 64-Bit Server VM (build 12.0.1+12-Ubuntu-1, mixed mode, sharing)
2019-05-04 22:30:46 +02:00
Christoph Settgast c4b5f33532 Add Java 11 from Ubuntu 18.04
manually wiresharked, detailed version info:

$ java -version
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment (build 11.0.2+9-Ubuntu-3ubuntu118.04.3)
OpenJDK 64-Bit Server VM (build 11.0.2+9-Ubuntu-3ubuntu118.04.3, mixed mode)
2019-05-04 22:20:53 +02:00
Dirk Wetter df88577ec4 Add basline test for IPv4 and IPv6
... client simulations come later. One pattern for
failed output added
2019-05-04 13:51:20 +02:00
Dirk Wetter 19e9137f79 Add --vulnerabilities and LDAP constraints to documentation 2019-05-04 11:57:03 +02:00
Dirk Wetter 9c0a1459c0
Merge pull request #1261 from drwetter/safari-fix
Fix error + round brackets
2019-05-04 11:09:10 +02:00
Dirk Wetter bfd6caa624 Fix error + round brackets
PR #1260 missed a 'current' line which caused an output problem.

I'd like to add round brackets to the displayed name so that we remember
what comes from wireshark and waht from SSLlabs
2019-05-04 11:05:57 +02:00
Dirk Wetter d15fbedaa1
Merge pull request #1260 from csett86/safari121-ios122
Add Safari 12.1 from iOS 12.2
2019-05-04 10:53:48 +02:00