This PR is similar to #2905 for 3.3dev. However, for the stable branch it's
important to note that this is a breaking change as it modifies the output.
That happens only though when `ciphers_by_strength()` is being used -- equivalent
to the command line `./testssl.sh -E` = `./testssl.sh --cipher-per-proto`. As
this is seldom used and was basically succeeded by `-P, --server-preference`,
this looks acceptable as it provides consistency which was overdue.
Details:
* keys now always with `v`, like `supportedciphers_TLSv1_2` and also ciphers
(e.g. `TLSv1.2 x35 AES256-SHA`)
* add word "server" to file output so that it reads "NOT a server cipher order configured"
Fixes #2884 for 3.2.
This commit fixes #2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
... to avoid repeated failures because of heise.de. Looks like there are
server-side measures which made some tests fail. Often the MacOS CI runner
is slower and seems to run into that.
See also 56c1e585
As suggested in #2885, parsing of the server-determined HTTP Age var wasn't strict enough; this is a backport for 3.2.
https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the variable to be a non-negative integer. testssl.sh assumed it was like that but didn't check whether that really was the case. This was labeled as a (potential) security problem. Potential as it didn't look exploitable after review -- the header as a whole was already sanitized.
This PR fixes the type confusion and the garbled screen by checking the variable early in run_http_header() and resetting it to NaN. That will be used later in run_http_date() to raise a low severity finding. Kudos to @Tristanhx for catching this and for the suggested PR.
Also, only when running in debug mode, this PR fixes that during service_detection() parts of the not-yet-sanitized header ended up on the screen. The fix just calls sanitze_http_header() for the temporary variable $TMPFILE.
For 3.2 sanitze_http_header() had to be modified to accept an argument and the callers needed to be changed.
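The Age check described in this commit, written out as an added example (not testssl.sh's own code): the header text and the Age values are constructed for the demo, and `check_age` stands in for the early check in run_http_header() and the later finding in run_http_date().

```shell
#!/bin/sh
# Added example, not testssl.sh code: apply the Age-header check the commit
# describes. RFC 7234 section 1.2.1 defines Age as delta-seconds, a
# non-negative integer, so anything else is reset to the sentinel "NaN"
# before the value can reach arithmetic or the terminal.

# Constructed sample responses (values made up for the demo). HDR_BAD carries
# an escape sequence to show the "garbled screen" a raw echo would produce.
HDR_OK=$(printf 'HTTP/1.1 200 OK\r\nCache-Control: max-age=3600\r\nAge: 42\r\nContent-Type: text/html\r\n')
HDR_BAD=$(printf 'HTTP/1.1 200 OK\r\nAge: 12abc\033[31m\r\nContent-Type: text/html\r\n')
HDR_NEG=$(printf 'HTTP/1.1 200 OK\r\nAge: -7\r\n')
HDR_NONE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

# has_age HEADERS: true if an Age header line is present (case-insensitive)
has_age() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qi '^Age:'
}

# extract_age HEADERS: prints the raw value of the first Age line
extract_age() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Aa][Gg][Ee]:[[:space:]]*//p' | sed -n '1p'
}

# validate_age RAW: prints the integer and returns 0 if RAW is a
# non-negative integer, otherwise prints "NaN" and returns 1
validate_age() {
    v=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $v in
        ''|*[!0-9]*) printf 'NaN'; return 1 ;;
        *)           printf '%s' "$v"; return 0 ;;
    esac
}

# check_age HEADERS: "absent", "ok:<seconds>", or "finding:NaN" (the
# low-severity finding the commit raises later in the date check)
check_age() {
    has_age "$1" || { printf 'absent'; return 0; }
    raw=$(extract_age "$1")
    if age=$(validate_age "$raw"); then
        printf 'ok:%s' "$age"
    else
        printf 'finding:%s' "$age"
    fi
}

# Stand-alone demo over the four constructed responses
for h in "$HDR_OK" "$HDR_BAD" "$HDR_NEG" "$HDR_NONE"; do
    check_age "$h"; printf '\n'
done
```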
The opossum patch improved http_get(), http_get_header()/http_head()
in terms of readability. This was backported to improve maintainability.
Also, in the pwned keys check, keys that are not pwned now appear in green/OK and not just
at info level.
HAS_UDS2 was renamed to HAS2_UDS.
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS.
Also change the displayed text.
The logic was wrong when calling set_rating_state() in parse_cmd_line(),
as do_rating had been set to true before through set_scanning_defaults().
This PR fixes that by querying ${SKIP_TESTS[@]} instead and then calling
set_rating_state() when no --disable-rating was supplied.