Commit Graph

4009 Commits

Author SHA1 Message Date
Dirk Wetter 680aff48e4 Update documentation related to extended run_server_preference() 2020-04-27 17:19:30 +02:00
Dirk Wetter 1e0ef23c81 Rename add_tls_offered --> add_proto_offered
... last but not least SSLv2 and SSLv3 are no TLS protocols
2020-04-27 17:12:25 +02:00
Dirk Wetter 8938c21703 Renaming proto variables in cipher_pref_check()
... to be consistent with ciphers_by_strength:

- proto --> proto_text
- proto_ossl --> proto
2020-04-27 17:08:43 +02:00
Dirk Wetter 3b92b0cf85 Remember better protocol settings in ciphers_by_strength() / cipher_pref_check()
... in cases where the protcol section has not been run before.

Also add " -\n" on the screen/html if protocol is not supported. Also for
SSLv2 which can be supported but at the same time not offer any ciphers
mention there will be an output on the screen.
2020-04-27 16:51:45 +02:00
Dirk Wetter 0a859d7b98 rename $p --> $proto_ossl in cipher_pref_check()
plus remove redundant quotes for that
2020-04-27 15:32:43 +02:00
Dirk Wetter 59b790ab3a
Merge pull request #1588 from drwetter/np_fix31
Negotiated protocol showed no warning for TLS 1.1/1.0
2020-04-25 11:13:43 +02:00
Dirk Wetter 4defa95d0b Negotiated protocol showed no warning for TLS 1.1/1.0
.. whereas the protocol section did that.

This fixes the inconsistency.
2020-04-25 11:12:36 +02:00
Dirk Wetter 3e54f4e4cd Further changes to run_server_preference()
In order not to provide redundant information run_allciphers() is
now not being run via default (1). Therefore run_server_preference()
runs always in wide mode.

In order to archieve that cipher_pref_check() was modified to
accept a fifth argument whether it'll run in wide mode. As
of now cipher_pref_check() is only called by run_server_preference(),
so the code referring to non-wide mode in cipher_pref_check() may also
be deleted in the future.

To provide a better view the run_fs() section is now being run after
run_server_preference().

(1) saves also 5-6 seconds
2020-04-24 13:32:26 +02:00
Dirk Wetter 1a6abb6ab8
Merge pull request #1584 from dcooper16/fix_logjam_ssl_native
Fix run_logjam() in --ssl-native mode
2020-04-24 09:41:59 +02:00
Dirk Wetter b5840153d3
Merge pull request #1586 from dcooper16/improve_ossl30_support
Improve compatibility with OpenSSL 3.0
2020-04-24 09:38:03 +02:00
David Cooper 7f0c2e9137 Improve compatibility with OpenSSL 3.0
This commit fixes a couple of issues related to the use of testssl.sh with OpenSSL 3.0.0-alpha1.

First, when the command line includes an unknown option (e.g., -ssl2), OpenSSL 3.0.0-alpha responds with "Unknown option: -ssl2" rather than "Option unknown option -ssl2". This commit addresses this by making the check for "unknown option" case insensitve.

Second, the printing a DH key, OpenSSL 3.0.0-alpha1 labels the prime and the generator using "prime P:" and "generator G:" rather than just "prime:" and "generator:". This commit by changing testssl.sh to match on either string.
2020-04-23 15:20:50 -04:00
David Cooper bb1c649513 Fix run_logjam() in --ssl-native mode
This commit fixes a problem with run_logjam() when run in --ssl-native mode. If $OPENSSL does not support any DH export ciphers, then no test for such cipher is performed. However, the results of "test" is still checked, leading to testssl.sh incorrectly reporting that the server supports DH EXPORT ciphers.
2020-04-23 14:52:14 -04:00
Dirk Wetter a86ccb6968 First round of polish of David's PR to extend run_server_preference()
See #1580.

This commit brings:

* If there's no cipher for a protocol it adds a "\n - \n" (also for run_cipher_per_proto() )
* further output improvements
* Cipher order --> Cipher listing per protocol
* make some conditional statement easier to read (at least for me)

New open points:
- cipher_pref_check() doesn't save to PROTOS_OFFERED (was there before)
  (just stumbled over this but how about we also use get_protocol() / parse_tls_serverhello()
- do we want run_allciphers() to be started by default?
- $WIDE per default for run_cipher_per_proto() ?
- probably better not to display text in round square brackets when there's no cipher:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2 (listed by strength)
SSLv3 (server order)
TLSv1 (server order)
TLSv1.1 (server order)
TLSv1.2 (server order)
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[..]

- when a server has no preference at all it shows in wide mode:

Has server cipher order?     no (NOT ok) -- only for TLS 1.3
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher listing per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1 (no server order, thus listed by strength)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[..]

e.g. dev.testssl.sh
2020-04-23 14:11:33 +02:00
Dirk Wetter c6dfe05874 Merge branch 'extend_run_server_preference' of git://github.com/dcooper16/testssl.sh into dcooper16-extend_run_server_preference 2020-04-23 12:01:03 +02:00
Dirk Wetter a45e9f52d5
Merge pull request #1582 from drwetter/fix_1581
Update documentation (ADDITIONAL_CA_FILES ->  ADDTL_CA_FILES)
2020-04-23 11:25:03 +02:00
Dirk Wetter a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
Dirk 8566ca80bc Enable rating again
was per default disabled by accident previously
2020-04-23 09:23:21 +02:00
David Cooper f5aa20ceb1 Extended run_server_preference()
This commit extends run_server_preference() to list every cipher supported by each protocol even in cases in which the server does not enforce a preference order.

For protocols where the server enforces a cipher order the list of supported ciphers is ordered by server preference (as now). For protocols where the server does not enforce a cipher order, the ciphers are listed by encryption strength (as run_cipher_per_proto() does).

In order to implement this, ciphers_by_strength() was extended to offer a non-wide mode.
2020-04-22 12:31:45 -04:00
Dirk Wetter 07c06e0f94 declare t variable in set_skip_tests() 2020-04-22 17:19:36 +02:00
Dirk Wetter 32eab3ead9 Fix problem with --disable-rating
by introducing framework for tests to be skipped, see also #1502.
As a first example for the development branch should serve
--disable-rating / --no-rating. The latter is for now undocumented.
Also the big case statement in parse_cmd_line()  may use a general
--disable-* or --no-* clause where all --disable-* / --no-* are
being parsed/

A new function set_skip_tests() is being introduced which
sets do_<variables> according to the new array SKIP_TESTS .
Any new test do be skipped needs to be added to that array.

The changes in the --devel part come from the tries to fix
the syntax highlight in vim -- which in the end difn't work
2020-04-22 17:14:05 +02:00
Dirk Wetter d6a9360f2c Fix known DH but not weak keys to be capped @ A not B 2020-04-22 14:08:58 +02:00
Dirk Wetter 591edb9300
Merge pull request #1579 from drwetter/1571_31dev
Fix misleading phrasing in run of standard ciphers
2020-04-21 20:30:31 +02:00
Dirk Wetter 8c7dcbbc3b Fix misleading phrasing in run of standard ciphers
see #1571. Bit size doesn't matter. It only matters to the
user which ciphers they are.

Additionally phrased the output better (FS + strong enc) and
do less indentation.

Renamed average_ciphers -> obsoleted_ciphers to refect what's
on the output.
2020-04-21 19:22:16 +02:00
Dirk Wetter 7da2e90083 Honor Magnus 2020-04-20 22:49:48 +02:00
Dirk Wetter 577370a272 Add rating 2020-04-20 22:49:31 +02:00
Dirk Wetter b1ef3a020f add single blank for pretty JSON 2020-04-20 22:48:31 +02:00
Dirk Wetter e9e11e213a * Grading --> Rating. But we still hand out grades 2020-04-20 22:45:58 +02:00
Dirk Wetter c3f09f56f7 Grading --> Rating
but we still hand out grades
2020-04-20 22:41:14 +02:00
Dirk Wetter 127cf95e22 Address rating for STARTTLS tests
STARTTLS tests should always give a bad rating because of the missing
trust 1) . That's why we don't provide more details as "T". Maybe we
decide later to provide an environment variable which still
shows this warning but divulges more details. TBC.

Documentation is missing for STARTTLS + grades.

1) There might be cases also for STARTTLS where encryption is enforced
   and e.g. the certificate fingerprint is validated. As this is highly
   protcol specific we won't test that.
2020-04-20 12:26:33 +02:00
Dirk Wetter fe5e10ff9d
Merge pull request #1574 from magnuslarsen/grading_dev
Less aggresive TLS_FALLBACK_SCVS checks
2020-04-20 11:45:56 +02:00
Dirk 4960829433 Fix JSON for grading / rating 2020-04-19 23:54:42 +02:00
Magnus Larsen b4ad0d2425 Less aggresive TLS_FALLBACK_SCVS checks 2020-04-17 15:31:29 +02:00
Dirk Wetter d9f2ca80d6 fix conditional statement (regression) 2020-04-17 14:54:11 +02:00
Dirk Wetter 2c10676e03 Output polish, minor code polish to grading
... and squash the TLS 1.2 grading cap for TLS 1.3 only server
2020-04-17 14:49:35 +02:00
Dirk Wetter 359965dc17 First round of polishing @magnuslarsen's contribution
* instead of DISABLE_GRADING we use do_grading as for run_* functions we currently don't
  support global variables
* Add AEAD cipher set_grade_cap (needs to be tested though)

* remove redundant quotes
* be to be safe add double quotes at other places
* Fix typos
* Polishing output

Tasks (not complete):

* Review whether it is rated as intended
* Do we want to mofify SSL Lab's rating? (SSLv3 e.g., T for SHA1 certificate?)
* Does JSON output work?
* TLS 1.3 only server are not rated properly --> wait for SSLlabs?
* SWEET32: rating refers to TLS 1.1 atm. SSLlabs docu doesn't give a hint
  (is their docu incomplete?)
* Rating for STARTTLS at all?
2020-04-17 13:24:32 +02:00
Dirk Wetter 64735d0241 Remove env variable DISABLE_GRADING
as for run_* functions we currntly don't have that.

Also AEAD as WIP we can remove that from the doc
2020-04-17 13:22:30 +02:00
Dirk Wetter 9de5421e5c Merge branch 'grading_dev' of git://github.com/magnuslarsen/testssl.sh into magnuslarsen-grading_dev 2020-04-17 10:52:44 +02:00
Dirk Wetter e0d7945c8a
Merge pull request #1570 from petecooper/3.1dev
README version bump for .zip download
2020-04-15 17:16:06 +02:00
Pete Cooper 0a1b632ddc
Update Readme.md
Bump version for zip download
2020-04-15 16:10:11 +01:00
Magnus Larsen e4cef5438d Added grading based on ssllabs 2020-04-15 15:06:08 +02:00
Dirk Wetter 8ce781c71d
Merge pull request #1567 from drwetter/renamed_to_fs
Rename PFS/perfect forward secrecy - ->  FS/forward secrecy
2020-04-14 20:21:52 +02:00
Dirk Wetter 150fd156bb
Merge pull request #1565 from drwetter/cvs_remove
Polishing
2020-04-14 16:41:50 +02:00
Dirk Wetter 8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk 67cfe013b1 Polishing
* remove CVS variables
* add 2x https links instead of http in code doc
2020-04-14 13:35:26 +02:00
Dirk Wetter 663d592466
Merge pull request #1526 from dcooper16/fix1514
Fix #1514
2020-04-14 12:52:38 +02:00
Dirk e345abb023 Merge branch 'multiflexi-3.1dev' into 3.1dev 2020-04-13 23:01:15 +02:00
Dirk ae7b74cf73 Tuning multiflexi's fixes 2020-04-13 22:59:13 +02:00
Dirk Wetter 9d2901edd0
Merge pull request #1471 from drwetter/docu_update
Documention update
2020-04-09 19:57:10 +02:00
Jaroslav Svoboda 7eba0fbb41 FIxed links
Links in comments with http:// changed to https://. Some non working links fixed.
2020-04-09 16:18:33 +02:00
David Cooper 04e51db402 Fix #1514
This commit is an attempt to fix #1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
2020-04-02 08:03:45 -04:00