Commit Graph

2972 Commits

Author SHA1 Message Date
David Cooper 42687658ea
Fix typos
The primary purpose of this PR is to fix the typo on line 14157, but it also corrects a number of typos that appear in comments.
2018-11-30 10:54:30 -05:00
Dirk 22a11b1e75 Bump version # 2018-11-30 10:02:39 +01:00
Dirk 7d40041652 Re-add RFC 7919 primes into run_logjam()
.. after some discussion. As TLS 1.3 is not tested here
any RFC 7919 primes using this protocol will not show
up (they in in run_pfs() though). To avoid misunderstandings
" DH key detected with <= TLS 1.2" is now being printed.
2018-11-30 08:59:55 +01:00
Dirk Wetter 4e2bd0ef2f
Merge pull request #1166 from dcooper16/dont_test_unsupported_tls11
Don't run TLSv1.1 tests if server doesn't support TLSv1.1
2018-11-29 10:12:08 +01:00
Dirk Wetter 7a6ec6b8a2
Merge pull request #1164 from dcooper16/fix1159
Fix #1159
2018-11-29 10:02:26 +01:00
Dirk Wetter 51df09bbcf
Merge pull request #1167 from dcooper16/fix1159_part2
Fix #1159 part 2
2018-11-29 10:01:47 +01:00
David Cooper f723ec97a7
Fix #1159 part 2
This PR provides an additional fix for the issue raised by #1159. It defines a third option for the degree of processing that should be performed by tls_sockets(): "all+". When "all+" is provided, the processing is exactly the same as for "all" with the exception of the creation of the supported_groups extension. For a TLSv1.3 ClientHello, curves that are not supported by $OPENSSL are omitted from the supported_groups extension rather than offering these curves as the least preferred option.

The "all+" option is used in run_server_defaults() where, unlike with almost every other call to tls_sockets(), a successful connection is of no use unless the response can be decrypted. This is also the case for run_alpn(), and so the call to tls_sockets() was also changed to "all+" there. But, the change has no effect at the moment, since run_alpn() sends a TLSv1.2 ClientHello.
2018-11-28 14:58:17 -05:00
David Cooper 9a47b379d6
Don't run TLSv1.1 tests if server doesn't support TLSv1.1
As a result of #276, `run_server_defaults()` makes several attempts to find certificates that a server offers if the ClientHello is for TLSv1.2 and no SNI is offered. However, these tests are unnecessary if it is already known that the server does not support TLSv1.1.

This PR modifies `run_server_defaults()` so that the the TLSv1.1-only tests are skipped if the server is known to not support TLSv1.1.
2018-11-28 12:52:15 -05:00
David Cooper a3f5dac46c
Fix #1159
This PR fixes #1159. If tls_sockets() connects to a server using TLSv1.3, it cannot be assumed that the server's certificate is available, as testssl.sh may not have been able to decrypt the server's response. This can happen, for example, if X25519 was used for the key exchange and `$OPENSSL` does not support X25519.

If the connection was successful, but the certificate could not be obtained, then this PR tries again using `$OPENSSL`. However, since `$OPENSSL` does not support TLSv1.3, this will only work if the server supports TLSv1.2 or earlier.
2018-11-28 12:10:30 -05:00
Dirk d2fe7567d3 Make STARTTLS NNTP work
This commit addresses #179 and implements NNTP via STARTTLS. I did
a few tests and it did work so far.

However the binary support needs to be done. I backported in my
fork of @PeterMosmans tree the section from OpenSSL 1.1.1 -- but
it didn't work, see https://github.com/openssl/openssl/issues/7722.

I just tried to patch it as I suggested and it worked then. My
patch is pushed soon after to https://github.com/drwetter/openssl-1.0.2.bad,
however I'll better wait for the official OPenSSL 1.1.1 patch.
2018-11-28 16:54:09 +01:00
Dirk e23afb900b Catch better a user cmdline problem
.. when specifying --ip=one AND and an URI
2018-11-28 12:24:45 +01:00
Dirk 696c4d0b93 Improved debug code for cipher order 2018-11-28 10:39:14 +01:00
Dirk b425767427 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-11-27 20:10:23 +01:00
Dirk 8383a7372d Merge branch 'dh_param' into 2.9dev 2018-11-27 20:09:51 +01:00
Dirk 688d049167 Last polishing to include DH groups in logjam and pfs
This commit finalizes #1139. It displays the DH groups
in both run_logjam() and run_pfs() in a simlilar manner
(except the FFDHE groups).

A common small function pr_dh() was introduced which prints
out the dh group and in round brackets colored DH bits.
2018-11-27 20:03:25 +01:00
Dirk 6ce0ad80e6 fit HTML man page to page width 2018-11-23 23:47:21 +01:00
Dirk Wetter 5b3e610e53
Merge pull request #1153 from bitsofinfo/2.9dev
new links to external/related projects
2018-11-19 10:57:29 +01:00
bitsofinfo 13cd12f57b external projects, testssl.sh-processor and testssl.sh-alerts 2018-11-13 14:41:05 -07:00
bitsofinfo 789b405f83 external projects, testssl.sh-processor and testssl.sh-alerts 2018-11-13 14:40:32 -07:00
bitsofinfo 87e52daf95 external projects, testssl.sh-processor and testssl.sh-alerts 2018-11-13 14:39:55 -07:00
Dirk 981432c19a Finalize redoing XMPP handshake
This commit finally fixes #547 and makes XMPP handshakes at least
as fast as the other STARTTLS handshakes.

It utilizes dd to read from the file descriptor. In all tests
I ran so far it didn't cause any problems. There's a potential
problem though that dd might block.
2018-11-13 21:10:41 +01:00
Dirk f591126a1b Minor updates
added: client simulation, requirements.

Updated number of ciphers.
2018-11-12 21:36:43 +01:00
Dirk eb8ba74460 Redid + bugfix for STARTTLS XMPP
This PR fixes #924 and does some foundation for #547. It's a
somewhat preliminary push of code and further work for #547 is required.

XMPP is now similar programmed as other STARTTLS handshakes with the exception
that it is not line based but stream based.  That is still the catch here and
needs to be addressed: STARTTLS protocols like IMAP + SMTP use
starttls_full_read() which reads lines until the line is completely received or
the timeout was encountered.

The new function ``starttls_io()`` however does a wait (fixed value: 1 second)
as there's no lf or terminator.

The XMPP STARTTLS handshakes are now the same as in OpenSSL.

There are redundant functions in this code which will be removed later.

Also at some places a hint for lmtp was missing which was added.
2018-11-12 21:27:30 +01:00
Dirk 0431b7166a Check for OpenSSL + use unames 2018-11-12 20:52:36 +01:00
Dirk de7f7b6cab Check for OpenSSL + use unames 2018-11-12 20:46:35 +01:00
Dirk f4ab795221 Add "No FS" in non-wide mode in client simulation
... and redo there for the output of curves / no FS

fix #98
2018-11-10 00:04:51 +01:00
Dirk a792a25f4d Attention: Replacing JSON ID "target host" by "targetHost"
see #1150.
2018-11-08 22:09:53 +01:00
Dirk 42c47d4f58 RFC --> IANA 2018-11-08 20:38:28 +01:00
Dirk da233c939e RFC --> IANA
The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
2018-11-08 20:26:52 +01:00
Dirk 32923bbdb1 TLS 1.3 ciphers forgotten :-(, added 2018-11-08 13:10:56 +01:00
Dirk ca34e3fc12 Updated client simulation
SSLabs API only added one newer version of Chrome (70) and one newer version
of Firefox (62).

Thus the wishlist gets longer (c15e0425dc).
Missing is Android 8 and 9, OpenSSL 1.1.1, Safari on OSX 11 and 12. Java 10
and 11.

Fix #1104
2018-11-05 22:47:28 +01:00
Dirk bf78a62b2e Add SSLv2 ciphers in handshakes, housekeeping
In addition to 7d36ba9a2e which
added new SSLv2 ciphers to the ciphers file this commit adds those
ciphers also to those functions where needed.

Also it does some housekeeping. [[ doesn't require strings on
the right hand side to be quoted, see bash hackers wiki.
2018-11-05 22:02:02 +01:00
Dirk 34ec2b83c3 remove EXPERIMENTAL check in run_pfs() 2018-11-05 18:54:52 +01:00
Dirk 474c28e42b Improving DH params check
PR #1114 brought #1139 a good step forward. This commit adds
a few tweaks to it:

* the groups in run_pfs() are now also italic, except FFDHE groups
* renaming FF groups to DH groups to provide consistency with the
  remainder of testssl.sh
* JSON identifier was renamed from DHE_groups to DH_GROUPS

Open points:

* in run_logjam() there's no warning at all regarding e.g. dh512.badssl.com.
  Reading the Logjam paper in section 3.5., first couple of paragraphs we
  should warn at least against 512 bits here too.

* how do we treat/label 768 bit and 1024 bit in run_logjam() which comes from
  unknown groups? Looks like the paper only was concerned about precompuation.

* In run_logjam() is the bit length not colored but in run_pfs() it is.

* Notation: when do we label FF groups / DH parameter ephemeral?

* Code in run_pfs() and run_logjam() can be merged more.
2018-11-05 18:41:51 +01:00
Dirk Wetter de684885fe
Merge pull request #1114 from dcooper16/run_pfs_dh_groups
Checking for DH groups in run_pfs()
2018-11-03 14:01:15 +01:00
David Cooper e0021c0416 Only update DH_GROUP_OFFERED for non-TLSv1.3 ciphers
run_logjam() is only related to TLSv1.2 and earlier ciphers. So, run_pfs() should only update $DH_GROUP_OFFERED if a DH group was found using a non-TLSv1.3 cipher.

On the other side, if run_logjam() happened to have been run first, and it found an ffdhe cipher, then there is no need for run_pfs() to test for it.
2018-11-02 13:45:43 -04:00
David Cooper df6870a92b Use results from run_pfs() in run_logjam()
If run_pfs() has already determined the DH group(s) offered by the server, then use this in run_logjam() rather than querying the server again.
2018-11-02 13:45:43 -04:00
David Cooper 1fddbc3b44 Use get_common_prime()
This commit changes the code in run_pfs() to use the get_common_prime() helper function.
2018-11-02 13:45:43 -04:00
David Cooper 93116f38e7 Send DHE quality to fileout()
In run_pfs(), when information about the finite field groups offered is printed, the color used is based on the length of the key. This information should also be conveyed to fileout() in the severity parameter.
2018-11-02 13:45:43 -04:00
David Cooper f3cfb53546 Checking for DH groups in run_pfs()
For cipher suites that use ephemeral DH groups, run_pfs() currently only displays information about the group(s) used if the server complies with RFC 7919. In the case of TLSv1.3 this is appropriate, since server can only use the values from this RFC and only if they are offered by the client in the supported_groups extension.

For TLSv1.2 and earlier, however, servers are free to use whatever DH group they want, but run_pfs() only provides information about the group the server uses if the server complies with RFC 7919. (The information is, however, provided by run_logjam()). However, so far no servers comply with RFC 7919's requirement to refuse to negotiate a TLS_DHE cipher if the supported groups extension is present, included DH groups, but none that are supported by the server. There is also reason to believe that this will not change: https://www.ietf.org/mail-archive/web/tls/current/msg26378.html.

So, this PR proposes to change the way that run_pfs() searches for DH groups for TLSv1.2 and earlier. (Note that run_pfs() only checks for TLSv1.2 or earlier if the $EXPERIMENTAL flag is set to true.) First, it removes the test to see if the server will reject a ClientHello that only specifies TLS_DHE cipher suites if it includes a supported_groups extension that only specifies an unrecognized DH group. Instead, if the server supports TLS_DHE cipher suites (at TLSv1.2 or earlier) and the $EXPERIMENTAL flag is true, it will try to find out what group(s) the server uses. Second, it will report the group(s) found even if the server uses a group that does not come from RFC 7919.

The result is that if the server supports selecting groups from the supported_groups extension, it will print all of the groups that the server supports. If the server ignores the supported_groups extension and always uses the same group, it will print essentially the same information as is already printed by run_logjam().

One discrepancy, however, is that this code use pr_dh_quality() to determine how good a DH group is, based on the length of the prime, and pr_dh_quality() has differs from run_logjam() in terms of how it rates groups based on the lengths of their primes.
2018-11-02 13:45:43 -04:00
Dirk c0b43b3fd8 Correct new openssl cipher name
... from 7d36ba9a2e
2018-11-02 14:04:12 +01:00
Dirk 7d36ba9a2e Add more ciphers
There are a couple of old SSLv2 ciphers which haben't been included in
etc/cipher-mapping.txt . This PR updates the file. Names were derived
from the (old) OpenSSL / SSLeay source code.

In addition TLS_NULL_WITH_NULL_NULL (>=SSLv3 cipher) was added.

ToDo: Review functions to be updated to use those ciphers.
2018-11-02 10:35:38 +01:00
Dirk 8fd5ac1e96 Add scrollable heading to table (z-index) 2018-11-01 16:31:57 +01:00
Dirk 5d1cfcad08 Renamed (typo) openssl-rfc.mappping.html and added entries
Some SSLv2 ciphers were missing (see openssl/ssl/ssl2.h and
SSLeay (ssl.h + ssl_lib.c).

Also in this list security bit strength None were renamed to '0',
encryption None to Null.
2018-11-01 14:08:15 +01:00
Dirk 2a65bb8c9a Add +2 to MAX_OSSL_FAIL if running with --openssl-native AND an --openssl-timeout
.. otherwise we'll hit too soon the threshold: Logic: by specifying
a timeout a user indicates that there might be a problem.

Also fatal() now supports a hint which is printed in normal
text (to stderr)
2018-10-30 00:06:59 +01:00
Dirk 987fbeda37 Detect downgrade to plaintext for STARTTLS, IMAP
Some Cyrus IMAD if configured with SSL_CTX_set_cipher_list(context, "!TLSv1")
and similar respond with a plaintext 'a002 NO Starttls negotiation failed"
when a not-supported protocol is detected, see #1082.

This PR fixes this by detecting (also) this downgrade. As a precaution
It still issues a warning as this is seems a special configuration.
2018-10-29 23:19:47 +01:00
Dirk Wetter 43ee837ec2
Merge pull request #1147 from C0FFEEC0FFEE/dev-fixcsv
Dev fixcsv
2018-10-24 09:10:14 +02:00
Michael Koch e184f94b8a Revert "Remove trailing spaces"
This reverts commit 7881dc386c.
2018-10-24 08:27:19 +02:00
Michael Koch 040e4d3050 Remove duplicate commas in CSV output 2018-10-23 14:25:36 +02:00
Michael Koch 7881dc386c Remove trailing spaces 2018-10-23 14:23:38 +02:00