Commit Graph

4009 Commits

Author SHA1 Message Date
David Cooper fd5928af47 Use fewer external function calls
This commit modifies a few functions to use fewer external function calls. In most cases this involves replacing external function calls with Bash internal functions, but in one case it involves replacing multiple external function calls with one call to awk.

This commit makes a few changes to the way that some functions work.

is_ipv4addr() and is_ipv6addr() will now strictly only accept a string that is an IPv4 (or IPv6) address and nothing else.

A couple of changes were also made to match_ipv4_httpheader(). First, lines that match $excluded_header (formerly $whitelisted_header) are not processed in the while loop. This prevents the excluded header from being output in the case that $HEADERFILE includes a non-excluded header with an IPv4 address and an excluded header with a string that looks like an IPv4 address.

The list of excluded headers was also modified to exclude any line that begins "Server: " rather than just lines that begin "Server: PRTG". According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server, the "Server" header describes the software used by the server, so it seems reasonable to expect that this header line will never contain an IPv4 address. Also, looking at some old test results I found cases in which Oracle software version numbers in the Server header were mistakenly matched as IPv4 addresses.
2020-08-06 07:50:01 -04:00
Dirk Wetter d2a44122f2
Merge pull request #1693 from drwetter/more_verbose_starttls
Better debugging of STARTTLS commands
2020-08-04 22:12:36 +02:00
Dirk Wetter 2e6f912cef
Merge pull request #1694 from dcooper16/alpn_grease
Align ALPN GREASE test with RFC 8701
2020-08-04 22:11:12 +02:00
Dirk Wetter 4da37d9ece
Merge pull request #1695 from dcooper16/etls_ossl30
Update ETSI ETS test
2020-08-04 22:06:23 +02:00
David Cooper 7f99ffa55d Update ETSI ETS test
The commit updates the test for the "Visibility Information" certificate extension used in the ETSI Enterprise Transport Security protocol.

The main change is to support OpenSSL 3.0.0, which prints more information about subject alternative names that are encoded as otherName. For otherName types for the OpenSSL has no information, it prints "otherName: <OID>::<unsupported>" rather than just "otherName: <unsupported>". So, testssl.sh needs to account for the possibility that the OID for the visibility information certificate extension will be printed.

This commit also updates the reference for this extension and changes the name of the function from etsi_etls_visibility_info() to etls_ets_visibility_info() since the name of the protocol was changed from Enterprise TLS (eTLS) to Enterprise Transport Security (ETS).

This commit does not change the output to the terminal or to JSON/CSV, even though those outputs use the previous name of eTLS rather than ETS.
2020-08-04 08:29:22 -04:00
David Cooper 9d62647226 Align ALPN GREASE test with RFC 8701
The ALPN GREASE test was written based on draft-ietf-tls-grease-01, which reserved all ALPN identifiers beginning with the prefix "ignore/". This commit changes the test to align with RFC 8701, which instead reserves {0x0A,0x0A}, {0x1A,0x1A}, ..., {0xFA,0xFA}.
2020-08-04 07:35:05 -04:00
Dirk e8a930088c Better debugging of STARTTLS commands
Improved:

* readability of my old code
* readability of debugging statements
* honor $SNEAKY for SMTP greeting
* hook (arg2 to starttls_smtp_dialog() ), if we plan to add / replace SMTP greeting at some point
2020-08-03 23:11:00 +02:00
Dirk Wetter c3fbc52c07
Merge pull request #1692 from dcooper16/grease_update
Update GREASE reference
2020-08-03 17:17:58 +02:00
David Cooper 5b17bbcf87 Add RFC 8701 to list of RFCs
This commit adds RFC 8701 to the list of RFCs in the documentation.
2020-08-03 11:14:10 -04:00
David Cooper 57c4913260 Update GREASE reference
The GEASE Internet Draft is now RFC 8701. This commit updates the references.
2020-08-03 10:43:15 -04:00
Dirk Wetter 57c2ab1ba1
Merge pull request #1690 from a1346054/3.1dev
Fix minor spelling issue
2020-08-03 08:29:45 +02:00
a1346054 e6c5507b20
Fix grammar 2020-08-02 21:54:27 +00:00
a1346054 e8d2992add
Fix grammar 2020-08-02 21:48:15 +00:00
a1346054 5b44e43ec4
Fix grammar 2020-08-02 21:47:40 +00:00
Dirk Wetter 7f071ddbb9
Merge pull request #1688 from drwetter/squash_GOST_msg
Squash "No engine or GOST support via engine..."
2020-07-20 20:14:37 +02:00
Dirk 161567f9d2 add quotes 2020-07-20 20:13:41 +02:00
Dirk Wetter 43c62b13d9
Merge pull request #1687 from drwetter/polish_1686
Polish completion of json/csv output
2020-07-20 15:54:56 +02:00
Dirk a51a0a73a7 Squash "No engine or GOST support via engine..."
This is a legacy warning and seems only needed in a very few cases
whereas in other few cases we don't issue such warnings. So to be
consistent it's right to remove this message as it confuses users
unnecessarily,

It'll appear in debug mode though.

See https://github.com/drwetter/testssl.sh/issues/1119#issuecomment-656271849
2020-07-20 11:43:52 +02:00
Dirk 86c730b74e Polish completion of json/csv output
To be more consistent with the screen output:

* grade --> overall grade
* add rating doc url
2020-07-20 11:34:44 +02:00
Dirk Wetter 1f388d8b94
Merge pull request #1686 from magnuslarsen/3.1dev
[Rating] Added complete json/csv output
2020-07-20 11:28:35 +02:00
Magnus Larsen 0d9ca76f37 Added complete json/csv output for rating 2020-07-18 21:14:38 +02:00
Dirk Wetter 00779eb639
Merge pull request #1685 from dcooper16/bad_ocsp
Check for bad OCSP intermediate certificates
2020-07-16 19:50:48 +02:00
David Cooper bd856e2ada Save intermediate certificates for more use
As there as suggestions to check intermediate certificates for things such as expiration date, this commit saves the text versions of each of the intermediate certificates so that they are available to extract additional information.
2020-07-16 07:57:27 -04:00
David Cooper 17ee0245b5 Speed up intermediate certificate extraction
This commit speeds up extraction of intermediate certificates by using Bash commands rather than awk.
2020-07-15 11:56:31 -04:00
David Cooper 851cd564e6 Check for bad OCSP intermediate certificates
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.

This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
2020-07-15 11:56:20 -04:00
Dirk Wetter 19f2c2872a
Merge pull request #1680 from drwetter/badocspcert
Implementation of hanno's bad OCSP intermediate CA detector
2020-07-15 11:51:34 +02:00
Dirk d07d1f102e Works now
* open: generation of intermediate certificate files. We do that
  at several places. But for some reasons I do not understand currently
  we remove those files.
* we don't name the offending certificate
2020-07-14 23:42:06 +02:00
Dirk eb7b0c9644 add hash file 2020-07-14 22:26:23 +02:00
Dirk 903eeec97b Start of implementing of hanno's bad OCSP intermediate CA detector
see https://github.com/hannob/badocspcert
2020-07-14 22:23:11 +02:00
Dirk Wetter 41ac04ef27
Merge pull request #1677 from drwetter/breach2medium
Revised risk for BREACH --> medium
2020-07-10 19:56:53 +02:00
Dirk cec5726f30 Revised risk for BREACH --> medium 2020-07-10 19:52:47 +02:00
Dirk Wetter b941d7db4a
Merge pull request #1674 from dcooper16/rate_ciphers_in_json
Include cipher quality in JSON and CSV
2020-07-10 12:34:06 +02:00
David Cooper 6c8df4529c Include cipher quality in JSON and CSV
run_cipherlists() checks for support for different groups of ciphers, but does not indicate which ciphers in each group are supported. So, for example, if the JSON file indicates that there is a problem with severity level "HIGH" because the "LOW" ciphers are available, there is no clear indication of which of these ciphers are supported by the server.

If run_server_preference() is run with "--color 3", then there will be a visual indication (via color) of the ciphers the server supports that are considered bad, but this information does not appear in the JSON (or CSV) output. The JSON (or CSV) output will include information about every cipher that is supported, but the severity level is always "INFO".

This commit addresses this problem by changing the fileout() calls in ciphers_by_strength() and cipher_pref_check() that output each supported cipher individually so that the "severity" argument is an indication of the quality of the cipher. With this, information about which bad ciphers are supported can easily be found in the JSON/CSV output.
2020-07-07 12:35:35 -04:00
Dirk Wetter 6071ae9883
Merge pull request #1672 from dcooper16/fix_unrecognized_option
Fix printing of unrecognized option
2020-07-07 15:53:49 +02:00
David Cooper 45eafd239f Fix printing of unrecognized option
When testssl.sh is called with an unknown option it prints something like:

     0: unrecognized option "--option"

It should be printing the name of the program rather than "0". This commit fixes that.
2020-07-07 07:30:48 -04:00
Dirk Wetter d881140cac
Merge pull request #1669 from dcooper16/separate_pr_cipher_quality
Separate pr_cipher_quality() into two functions
2020-07-07 08:36:31 +02:00
David Cooper 919064095f Separate pr_cipher_quality() into two functions
This commit separates pr_cipher_quality() into two functions, one that returns the quality of a cipher as a numeric rating (get_cipher_quality()) and one that prints a cipher based on its quality (pr_cipher_quality()). This separation allows get_cipher_quality() to be used to determine how good a cipher is without having to print anything. Having this ability would be helpful in implementing the changes suggested in #1311.
2020-07-06 15:45:36 -04:00
Dirk Wetter 9122ffec1d
Merge pull request #1668 from drwetter/1657_polish
Polish STARTTLS rating output
2020-06-26 10:02:23 +02:00
Dirk Wetter 7c75993746 remove unused spaces var 2020-06-25 20:54:43 +02:00
Dirk Wetter 288223c707 Polish STARTTLS rating output
Moved the sentence ~i "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.

See also #1657
2020-06-25 20:47:51 +02:00
Dirk Wetter ae72592959
Merge pull request #1666 from dcooper16/fix1665
Fix #1665
2020-06-25 20:45:19 +02:00
David Cooper 1f2b4a3f40 Fix #1665
This commit fixes #1665 by adding the certificate number to the JSON identifier for cert_eTLS.
2020-06-25 13:18:28 -04:00
Dirk Wetter b1f64a50df
Merge pull request #1663 from dcooper16/fix1662
Fix #1662
2020-06-25 13:39:58 +02:00
David Cooper 91ceaca1e9 Fix #1662
This commit fixes #1662 by changing the fileout to use the value of $cert_ext_keyusage rather than the string "cert_ext_keyusage".
2020-06-25 07:31:50 -04:00
Dirk Wetter b2d41330e0 port typo fixes to html and roff doc 2020-06-25 13:05:47 +02:00
Dirk Wetter 55f7f7d69a
Merge pull request #1657 from magnuslarsen/3.1dev
[Rating] STARTTLS output styling
2020-06-24 09:51:21 +02:00
Dirk Wetter 3c30887f39
Merge pull request #1659 from csett86/wireshark-android-7-0
Add wiresharked Android 7.0 (native)
2020-06-24 09:49:24 +02:00
Magnus Larsen f647ae8264 Change to grade cap 2020-06-23 19:24:24 +02:00
Christoph Settgast 82e939f2bd Add wiresharked Android 7.0 (native)
After being bitten by https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
I add a wiresharked Android 7.0 to reflect that bug in Android 7.0.
2020-06-23 15:26:31 +02:00
Magnus Larsen 069c5ae917 Spelling 2020-06-22 19:16:20 +02:00