Commit Graph

4127 Commits

Author SHA1 Message Date
David Cooper
3cd8e810ac Add DH groups to supported_groups
There is at least one server that will not negotiate TLS_DHE_* cipher suites with TLS 1.2 and below if the supported_groups extension is present but does not include any DH groups. This commit adds the DH groups that are currently in the TLS 1.3 ClientHello to the TLS 1.2 and earlier ClientHello.
2022-03-09 10:33:51 -05:00
Dirk Wetter
b3e4ac8934
Merge pull request #2117 from dcooper16/fix_sclient_auth
Fix sclient_auth
2022-03-09 11:17:45 +01:00
David Cooper
909513773d Fix sclient_auth
If $connect_success is false, then sclient_auth() does not "return" any value, and the calling function treats this as if sclient_auth() had returned 0.

This commit fixes sclient_auth() so that 1 is returned if $client_success is false.
2022-03-08 14:57:47 -05:00
Dirk Wetter
55b654cbee
Merge pull request #2118 from dcooper16/rsapss
Include RSA-PSS in ClientHello
2022-03-08 20:07:29 +01:00
David Cooper
c713866bc1 Include RSA-PSS in ClientHello
This commit changes prepare_tls_clienthello() so that the RSA-PSS algorithms are offered in the signature algorithms extension of TLS 1.2 and below ClientHello messages.
2022-03-08 11:45:55 -05:00
Dirk Wetter
f73bc446ba
Merge pull request #2115 from enxio/3.1dev
Update docs for #2114
2022-03-02 17:13:41 +01:00
enxio
cdf97f556a Changes reflecting PR #2214. 2022-03-02 15:48:08 +01:00
enxio
50f5bc7e90 Merge branch '3.1dev' of https://github.com/enxio/testssl.sh into 3.1dev 2022-03-02 14:45:54 +01:00
enxio
58ce18bf32 Update documentation related to PR #2114 2022-03-02 14:43:33 +01:00
Dirk Wetter
dc0a4c87bf
Merge pull request #2114 from enxio/3.1dev
Add support for TN3270/telnet STARTTLS.
2022-03-02 14:07:02 +01:00
enxio
8715a1a216 Conform to style. Add some more info on the TN3270 STARTTLS negotiation. 2022-03-02 14:02:14 +01:00
enxio
82367ab96e Add support for TN3270/telnet STARTTLS (similar to OpenSSL's approach). 2022-03-02 10:04:57 +01:00
Dirk Wetter
22ec6de58c
Merge pull request #2112 from drwetter/dependabot/github_actions/actions/checkout-3
Bump actions/checkout from 2 to 3
2022-03-02 08:25:12 +01:00
Dirk Wetter
560424de36
Merge pull request #2113 from drwetter/dependabot/github_actions/docker/login-action-1.14.1
Bump docker/login-action from 1.13.0 to 1.14.1
2022-03-02 08:24:25 +01:00
dependabot[bot]
c75e789229
Bump docker/login-action from 1.13.0 to 1.14.1
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.1.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.13.0...v1.14.1)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 00:34:27 +00:00
dependabot[bot]
85f67f93e9
Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 00:34:23 +00:00
Dirk Wetter
740756b55f
Merge pull request #2108 from drwetter/dependabot/github_actions/docker/login-action-1.13.0
Bump docker/login-action from 1.12.0 to 1.13.0
2022-02-26 14:18:56 +01:00
dependabot[bot]
edc279f017
Bump docker/login-action from 1.12.0 to 1.13.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-18 00:50:50 +00:00
Dirk Wetter
7b38198ced
Merge pull request #2106 from drwetter/fix_2096
Fix "ID resumption test failed" under Darwin
2022-02-17 09:04:23 +01:00
Dirk Wetter
e1711a7ccb Fix "ID resumption test failed" under Darwin
Under Darwin using LibreSSL it was not possible to test for session
resumption by session ID.

This fixes #2096 by checking not only the return value of the s_client
hello but also whether a probable certificate is being returned.
2022-02-16 23:09:11 +01:00
Dirk Wetter
ccef30ae8b
Merge pull request #2105 from drwetter/fix_2103_3.1dev
Fix JSON output bc of missing locale in alpine (3.1dev)
2022-02-16 13:30:58 +01:00
Dirk Wetter
27dc0589ae Fix JSON output bc of missing locale in alpine (3.1dev)
It is now being tested whether the binary locale exists and
there's a global introduced for that.

Also there's no fileout warning at this early stage anymore
as it leads to non-valid JSON.

This fixes #2103 in 3.1dev.
2022-02-16 12:16:11 +01:00
Dirk Wetter
dd247faf25
Merge pull request #2101 from drwetter/fix_2100
Fix locale error message when en_US.UTF-8 isn't available
2022-02-14 19:49:24 +01:00
Dirk Wetter
bfb78628da Fix locale error message when en_US.UTF-8 isn't available
Therefore a new global function was declared checking whether any of
the known locales work on the client without seeting them.
C / POSIX should work as well for LC_COLLATE.

This fixes #2100 for 3.1dev.
2022-02-14 18:07:57 +01:00
Dirk Wetter
13f0388539
Merge pull request #2094 from drwetter/fix_2052.Darwin
Fix Darwin / LibreSSL startup problem
2022-02-02 13:34:23 +01:00
Dirk Wetter
9b98c9e73e correct English in comment 2022-02-02 12:28:09 +01:00
Dirk Wetter
8cc3130e0d Fix Darwin / LibreSSL startup problem
This PR addresses a bug where a user encountered the question "The results
might look ok but they could be nonsense. Really proceed".

That happened under Darwin and probably some LibreSSL versions when
checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS
handshake could be established.

This PR modifies sclient_auth() so that in those cases 0 is returned by
skipping the check for the session ID. As NO_SSL_SESSIONID needs to
be set when there's no session ID, this is done separately.
2022-02-02 11:38:33 +01:00
Dirk Wetter
02ec0607a8
Merge pull request #2093 from drwetter/dependabot/github_actions/docker/build-push-action-2.9.0
Bump docker/build-push-action from 2.8.0 to 2.9.0
2022-02-02 11:32:41 +01:00
dependabot[bot]
df5dae79d4
Bump docker/build-push-action from 2.8.0 to 2.9.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.8.0 to 2.9.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.8.0...v2.9.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-02 00:30:46 +00:00
Dirk Wetter
0d97b93131
Merge pull request #2088 from drwetter/starttls_ldap
Add prototype for STARTTLS+ LDAP via sockets
2022-02-01 11:28:17 +01:00
Dirk Wetter
ce746cd8b7 Add CI check
* for STARTTLS + LDAP
* for STARTTLS + POP3 reenable check with openssl as GH has not the time limits which Travis had
2022-02-01 10:02:35 +01:00
Dirk Wetter
da3520f8b2 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-01-31 11:05:52 +01:00
Dirk Wetter
4639e996db Remove ldap protocol early returns
Partly revert bb5450e3f5
2022-01-31 10:36:51 +01:00
Dirk Wetter
9447c8c866 Amends LDAP + STARTTLS / rename sockread_serverhello()
This commit adds parsing the success value of the STARTTLS upgrade
in LDAP. Only possible values whould be 0 or one according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
2022-01-27 18:35:40 +01:00
Dirk Wetter
93e3b49619
Merge pull request #2086 from drwetter/dependabot/github_actions/docker/build-push-action-2.8.0
Bump docker/build-push-action from 2.7.0 to 2.8.0
2022-01-24 18:05:12 +01:00
Dirk Wetter
601ff16a0a Add prototype for STARTTLS+ LDAP via sockets
See #1258

To do:
* more robustness. At least the success value from the response need to be retrieved and checked via starttls_io().
* double check the pre-handshake before the OID whether it's correct for every case
* documentation
* inline help

It seems to work though against db.debian.org
2022-01-24 16:49:03 +01:00
dependabot[bot]
48c9c2f480
Bump docker/build-push-action from 2.7.0 to 2.8.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.7.0...v2.8.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-19 00:34:18 +00:00
Dirk Wetter
06890d4506
Merge pull request #1990 from dcooper16/improve_client_auth
Improve check for client authentication
2022-01-10 11:19:10 +01:00
Emmanuel Bouthenot
bb48778fb3 Remove unused $PANDOCFLAGS in doc Makefile 2022-01-07 22:23:21 +01:00
Emmanuel Bouthenot
dc8f7d9b9e Switch doc build process to pandoc using a Makefile 2022-01-06 23:21:43 +01:00
David Cooper
680dc9ee01 Fix potential stallling in HTTP query
In run_http_header() the GET command is first sent over TLS using a background process, and then if that does not hang, it is sent again in the foreground. Similarly, service_detection() runs the command in the background.

This commit changes determine_optimal_proto() to follow the example of run_http_header() as protection against the possibility of the HTTP query stalling.
2022-01-06 15:33:37 -05:00
David Cooper
50fe6ca96b Report if couldn't test for client authentication
This commit fixes determine_optimal_proto() and run_server_defaults() so that a "Local problem" is reported if a $URL_PATH is specified, the server is TLS 1.3-only, and $OPENSSL does not support -enable_pha (and the server does not offer client authentication as part of the initial TLS handshake).
2022-01-06 15:33:36 -05:00
David Cooper
48819c56e9 Improve check for client authentication with LibreSSL
Checking for client authentication with TLS 1.3 requires post-handshake authentication, which does not appear to be supported by LibreSSL. This commit improves the check for client authentication when testing a TLS 1.3 server using LibreSSL by having determine_optimal_proto() first test for connectivity with TLS 1.3 without checking for client authentication and then performing a separate check for client authentication using a non-TLS 1.3 protocol.

This commit only affects the flow of the program if a $URL_PATH is specified, the server supports TLS 1.3, and $OPENSSL supports TLS 1.3 but not -enable_pha.

testss.sh may still provide incorrect information about client authentication if a $URL_PATH is provided, the server is TLS 1.3-only, and LibreSSL is used.
2022-01-06 15:33:36 -05:00
David Cooper
7fb688a9d6 Improve check for client authentication
Based on initial testing, this commit improves the check for client authentication in the case that the server only requests client authentication for specific URLs. However, it does not work correctly if the server supports TLS 1.3 and $OPENSSL is a version of LibreSSL that supports TLS 1.3 in s_client. The problem is that LibreSSL does not support post-handshake authentication with TLS 1.3
2022-01-06 15:33:36 -05:00
David Cooper
e41a4c361a WIP: Improve check for client authentication
As noted in #1709, some servers will only request client authentication if a specific URL is requested. This commit modifies the check for client authentication, in the case that a $URL_PATH is provided, by having testssl.sh perform a GET request on the URL provided on the command line.
2022-01-06 15:33:36 -05:00
Dirk Wetter
4a358e0489
Merge pull request #2081 from dcooper16/sclient_dev_null
Send /dev/null to s_client
2022-01-06 21:17:40 +01:00
David Cooper
9dac4592b7 Send /dev/null to s_client
As discussed in #2079, this commit adds "</dev/null" to calls "$OPENSSL s_client" that are intended to test whether a certain option is supported. This is done to prevent hanging in the case that the option is supported, a TLS server happens to be listening on the port to which s_client tries to connect, and the connection is successful.

This PR also adds a new helper function, sclient_supported(), which is called from locally_supported() and run_prototest_openssl(). The helper function makes use of the already defined variables $HAS_SSL2, $HAS_SSL3, and $HAS_TLS13 in order to avoid calling "$OPENSSL s_client" when it has already been determined whether $OPENSSL supports the specified protocol.
2022-01-05 16:26:22 -05:00
Dirk Wetter
e35f0e8ed7
Merge pull request #2078 from drwetter/feature_dig_2077
Add +search to dig
2022-01-03 17:50:21 +01:00
Dirk Wetter
c573984340 Add +search to dig
... for all forward + non-mdns lookups.

This might help to avoid supplying domain names to local hosts (they would need
to have a valid certificate for the short DNS name then).

Fixes #2077
2022-01-03 16:44:09 +01:00
Dirk Wetter
3827521698
Merge pull request #2075 from drwetter/drwetter-patch-1
again wide screen mode for HTML
2021-12-27 17:11:36 +01:00