Commit Graph

70 Commits

Author SHA1 Message Date
Dirk ce0be5fefc Handle problem when pulling fails
... when e.g. sitting in a German train with bad internet connection
2019-12-09 10:26:39 +01:00
Dirk Wetter 326558dec1
Remove c&p relict 2019-10-28 18:36:39 +01:00
Dirk Wetter bcc1298eb3
0-RTT dockerfile script for nginx 2019-10-02 17:52:34 +02:00
Dirk Wetter fe43d9dd0c
Docker files for testing
docker-debian10.tls13only.start.sh can be linked to e.g. docker-debian10.tls13.start.sh, then also TLS 1.2 is added.
2019-10-02 17:50:11 +02:00
pihug12 dbacbe7912 Fix "make-openssl111.sh" 2019-07-10 08:54:55 +02:00
Dirk c335ded6d3 Enable more tests, change to newer JSON scheme 2019-07-09 22:49:12 +02:00
Dirk 13d3b7329b Don't include SSLv2 ciphers in hexstream2cipher.sh 2019-05-06 19:35:12 +02:00
Dirk 5f047db92f Add client simlation data and provide howto
While we are thankful that Ivan Ristic permitted to use the client
data from SSLlabs, it became of bit outdated now (see #1158). Also
as sslhaf [1] was used, the data comes from HTTP traffic only.

This is a start to address it. It provides data from Android 9
(connecting to the play store, so that it is sure we don't capture
a ClientHello from an application having an own TLS stack.

Also it provides documentation how to grab data yourself, and
provide it back to testssl.sh.

Aim is at least for testssl.sh 3.0 to add Android 8 and OpenSSL 1.1.1 (@drwetter).

My hope others can assist with  Safari on OSX 11 and 12. Java 10 and 11,
and a recent Opera and Edge version. (Firefox and Chrome are out of
date too)

Mail clients to follow later.

[1] https://github.com/ssllabs/sslhaf
2019-04-18 10:06:01 +02:00
Dirk e768ab3f7b Remove file as Not needed 2019-04-18 10:04:08 +02:00
Dirk 44881d5eba Revert change for MacOSX as hinted 2019-03-19 10:00:13 +01:00
Dirk 57054bc149 minor code improvements 2019-02-22 15:09:05 +01:00
Dominik Herrmann 9d26b86030
Update make-openssl.sh: Darwin compatibility
- Darwin doesn't build with -static (removed; file name suffix changed to "dynamic" in this case)
- Darwin has a different openssldir (/private/etc/ssl)
- script doesn't fail any more at make clean step in case there is no Makefile yet
- Darwin 64 bit compilation needs ./Configure instead of ./config and an explicit reference to darwin64-x86_64-cc
2019-02-22 11:17:57 +01:00
Dirk ed7e7d8d50 Add line for Darwin
not sure whether -static just works. TBD
2019-02-22 10:07:46 +01:00
Dirk 0431b7166a Check for OpenSSL + use unames 2018-11-12 20:52:36 +01:00
Dirk de7f7b6cab Check for OpenSSL + use unames 2018-11-12 20:46:35 +01:00
Dirk ee8c70bce3 Minor polish
Typos, cleanup ec_nistp_64_gcc_128 (for 64 bit at least), add -DOPENSSL_TLS_SECURITY_LEVEL=0
2018-07-18 00:57:32 +02:00
Dirk 5d5d21af04 Make script for OpenSSL 1.1.1 tree 2018-07-17 00:41:21 +02:00
Dirk Wetter 55adbf905f
Merge pull request #1033 from dcooper16/client_sim_data_tls13
TLS 1.3 clients in update_client_sim_data.pl
2018-04-16 09:07:35 +02:00
David Cooper f0ebf0339b
update_client_sim_data.pl and GREASE ciphers
Two GREASE ciphers currently appear in https://api.dev.ssllabs.com/api/v3/getClients: 0x3A3A for Chrome 57 and 0xAAAA for Chrome 65.

update_client_sim_data.pl currently only recognizes 0x3A3A as a GREASE cipher and so prints a "FIXME" for 0xAAAA. This PR fixes the problem by adding all 16 ciphers from https://tools.ietf.org/html/draft-ietf-tls-grease-00 to update_client_sim_data.pl.
2018-04-13 17:19:27 -04:00
David Cooper 639b1af916 TLS 1.3 clients in update_client_sim_data.pl
https://api.dev.ssllabs.com/api/v3/getClients incorrectly indicates a highestProtocol of 771 (TLS 1.2) for clients that support TLS 1.3, which leads run_client_simulation() to incorrectly report "no connection" if the client would have actually connected using TLS 1.3.

This has been addressed by manually editing etc/client-simulation.txt to set the highest_protocol to 0x0304 for the clients that support TLS 1.3.

This PR modifies update_client_sim_data.pl to automatically apply the fix for clients that support TLS 1.3 in order to avoid a possible regression when etc/client-simulation.txt is updated.
2018-04-13 16:51:06 -04:00
David Cooper cd8ceae80e Add curve information to SSL native client simulations
When performing client simulations in "--ssl-native" mode, provide the client's list of supported curves to "$OPENSSL s_client" in order to make the results even more accurate.
2018-04-11 13:48:40 -04:00
David Cooper 39db50eea2 Improve SSL native client simulation
This PR improves client simulation in "--ssl-native" mode:

* It changes ${protos[i]} to list the protocols that should be disabled rather than those that should be enabled, except in the case that the client only supports one protocol.

* It sets the values for ${tlsvers[i]}, which is used in run_client_simulation(), but was not defined.

* It adds a new variable, ${ciphersuites[i]}, that lists the TLSv1.3 cipher suites supported by a client.

Client simulation still produces false results in "--ssl-native" mode, but the results are better than before.
2018-04-10 16:57:24 -04:00
Karsten Weiss eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk 407358623e Fix, header restore, TLS13 ciphers
This fixes a bug which prevented the script from running properly. Also
the commit restores writing a correct comment header. In addition it
adds TLS 1.3 ciphers.
2018-01-03 21:41:09 +01:00
Dirk 26c77cc3c2 any openssl will do 2017-09-18 14:02:12 +02:00
Dirk Wetter 4379174970 rename generated file, comment it better + take care of one GREASE cipher 2017-08-30 23:02:21 +02:00
Dirk 69fa8ca378 several improvements
timeout: the TLS ticket check has a timeout, so that early on non-reachable hosts
are determined. If it is running into the timeout, it quits early. The
timeout is configurable via environment e.g. TIMEOUT=16 ./ticketbleed.bash <host>

Also other ports are allowed albeit it probably it is of limited use

Supplying no arg is now more user-friendly
2017-06-09 12:45:22 +02:00
Dirk 15219475e9 strip supplied port automatically 2017-06-09 11:27:59 +02:00
Dirk b69505223a added "gmap2testssl.sh": utility which converts grepable nmap output to testssl's file input 2017-06-09 11:22:11 +02:00
Dirk 53b6e2cfe8 changed PoC to a 3 rounder test (like testssl.sh) to increase reliability.
If different memory is returned each try it is for sure vulnerable. This
helps getting weird servers properly tested and weeds out false positives.
2017-06-07 18:16:18 +02:00
Dirk 91b9236055 PoC for unit test in bash 2017-05-31 10:30:02 +02:00
Dirk 59a175cba3 changed to Linux 2017-05-15 20:53:09 +02:00
Dirk 2aa68827b9 don't do double work, reordering stuff 2017-05-12 17:58:20 +02:00
Dirk f70bc4e08f better platform support, revert to pure /bin/sh, better verbosity... 2017-05-12 17:21:45 +02:00
Dirk ebd9e6ae65 manually merged #728 (see #423), credits also to @seccubus. Unfortunately the unit tests don't make so much sense atm 2017-05-08 23:51:37 +02:00
Dirk f8e1ad0b7f add missing # 2017-04-22 15:19:39 +02:00
Dirk 7de5e0113b check in 2017-04-21 11:29:20 +02:00
Dirk ac5b9a8a78 minor polishing, correct handshake length 2017-04-18 23:06:12 +02:00
Dirk dd9b3919fc PoC uploaded 2017-04-16 20:38:47 +02:00
David Cooper e18f5821d2 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-03 13:42:04 -05:00
Dirk cb1d133528 preparing for lucky13 2017-02-03 17:40:35 +01:00
David Cooper c09a77006e Rename cipher lists for run_logjam()
This PR renames the cipher lists for `run_logjam()` in generate_static_cipher_lists.sh to align with their names in testssl.sh, as requested in #590.

I think these names are still open for misinterpretation, however, since its not clear whether "dh_cipher" refers to ciphers that use static DH keys, ephemeral DH keys, or both.
2017-01-24 10:49:59 -05:00
David Cooper dcd37729f4 Generate list of all DHE ciphers
This PR adds a function that generates a list of all DHE ciphers for `run_logjam()`.
2017-01-18 15:16:13 -05:00
David Cooper 0bc2b1c4bb Create static cipher lists for testssl.sh
This PR adds a new utility that generates the various static cipher lists that appear in testssl.sh.

This utility serves two purposes:
* It can be run whenever new ciphers are added to cipher-mapping.txt to see if any of the lists in testssl.sh need to be updated. (This includes if cipher-mapping.txt is modified to add OpenSSL-style names for ciphers that are currently listed, but that have not yet been assigned such names.)
* It can be used as a reference in order to understand how each of the lists is defined.
2017-01-12 13:17:04 -05:00
Dirk 1613bb214e Merge branch 'master' into CA_pinning
Conflicts:
	testssl.sh
2016-10-27 21:59:10 +02:00
Frank Breedijk 5d7367a68d Shell script to generate ca_hashes.txt (OSX only) 2016-07-25 09:47:24 +02:00
Dirk Wetter 018468a670 more user friendly... 2016-07-09 14:24:38 +02:00
Dirk eb58598ca5 make it public, see #122 2016-07-08 11:40:17 +02:00
Dirk 6eedd5747f wrong language fix ;-) 2016-06-23 11:13:11 +02:00
Dirk 6efc3e90f5 includes IPv6 check and is ready for other uname's 2016-06-23 11:04:58 +02:00