Commit Graph

4390 Commits

Author SHA1 Message Date
David Cooper dc996ba2b9 Find RSASSA-PSS certificates with TLS 1.3
This commit fixes get_server_certificate() so that it can obtain certificates with RSASSA-PSS subject public keys over TLS 1.3.
2023-03-28 14:31:28 -07:00
David Cooper 5002dd23b1 Add support for brainpool curves with TLS 1.3
This commit adds support for the curves brainpoolP256r1tls13, brainpoolP384r1tls13, and brainpoolP512r1tls13.
2023-03-28 08:53:20 -07:00
Dirk Wetter 82fbd8076e
Merge pull request #2347 from drwetter/suse_docker
Switching from Alpine Image to multistaged opensuse/leap
2023-03-24 09:23:26 +01:00
Dirk 91f3d9716b amending previous commit 2023-03-23 15:05:15 +01:00
Dirk 90aa86ce6b add another contributor and change
(not related to this PR but it'll be forgotten otherwise)
2023-03-23 14:45:51 +01:00
Dirk Wetter f95d0dd09a
Merge pull request #2328 from drwetter/w4ntun-merge
fixed DNS via Proxy
2023-03-23 14:31:17 +01:00
Dirk bad5dedf42 correcting Brennan's name 2023-03-23 14:22:05 +01:00
Dirk 48a597e19d don't forget the kudos ;-) 2023-03-23 09:11:14 +01:00
Odinmylord 035996cc44 updated default_testssl.csv file with new RSA-PSS 2023-03-23 00:14:15 +01:00
Odinmylord cf0c1c1f5f Added more details to the SignatureAlgorithms 2023-03-22 23:14:56 +01:00
Dirk Wetter 37c17a5e09
Merge pull request #2344 from polarathene/refactor/dockerfile-to-opensuse
refactor(dockerfile): Change base Alpine (3.17) => openSUSE Leap (15.4)
2023-03-22 11:10:21 +01:00
Brennan Kinney 6af0a801ec chore: Bring back `ZYPPER_OPTIONS` 2023-03-22 22:56:59 +13:00
Brennan Kinney 1212ad8e59 refactor: Support syntax without BuildKit features
These have been available via opt-in prior to v23 of Docker Engine with `DOCKER_BUILDKIT=1` ENV as a prefix to running `docker build`, however it's been requested to avoid the syntax.

No HereDoc (multi-line RUN with EOF marker) or `RUN --mount` available. This makes the `busybox` approach a hassle, so I've brought back the explicit creation of user and home dir.

Without the cache mounts, bring back `zypper clean`. It's not doing much as the `--cache-dir` is still set, but should reduce disk space for the `builder` layer. Local builds will be slower as a result when this layer is invalidated.

AFAIK, this also makes it tricky to use the `ZYPPER_OPTIONS`? So no longer DRY.
2023-03-22 22:16:28 +13:00
Brennan Kinney 718eb3461c chore: Revise `Dockerfile`
- Removing bulk of the noise from inline documentation.
- Packages bundled into single line like the previous Alpine version had.
- `CACHE_ZYPPER` is only used as an `ARG` in the `builder` stage.
- `zypper clean` wasn't able to clear anything from the install root, other than the `CACHE_ZYPPER` mount.
2023-03-22 21:31:34 +13:00
Brennan Kinney 0b86094ab9 fix: `WORKDIR` before `adduser` avoids surprises
The additions from `adduser` reading `/etc` do not appear to apply if the directory already exists, and permissions (including SGID) are adjusted properly for the home dir.

This means the excess backup copies in `/etc` are introduced again however.
2023-03-22 21:19:05 +13:00
Brennan Kinney 48c180d0d8 fix: Manually create `testssl` user and home
BusyBox `adduser` was reading config from `/etc` that unnecessarily populates the home folder with various dot files.

Alternative approach is to create the user and home folder manually. This avoids some extra files like the `-` suffixed backup copies from `adduser`.
2023-03-22 21:19:05 +13:00
Brennan Kinney 1392987f01 refactor: Change base image from `alpine:3.17` to `opensuse/leap:15.4` 2023-03-22 21:19:05 +13:00
Dirk d001bba86b Finalize DNS via Proxy
See #2328, original PR #2295 from @w4ntun .

Formerly testssl.sh returned an error when it wasn't possible to determine IP
addresses through DNS resolution, even if --proxy and --ip=proxy flags were set.
The main function always tried to determine IP addresses via DNS and exited with
a fatal error if it could not do it. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.

This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.

ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.

In addition:
* help() was amended to add --ip=proxy (was only in the ~/doc dir before)
* amending ~/doc dir to document it's better to add --nodns=min when there's
  no local resolver
2023-03-21 19:40:40 +01:00
Dirk Wetter cb451777d2
Merge pull request #2338 from drwetter/CAstores_update
CA stores update
2023-03-18 20:19:03 +01:00
Dirk Wetter aac696b0a0 Updated root CA stores 2023-03-17 18:06:57 +01:00
Dirk Wetter 6106887fdd Update DST CA 2023-03-17 18:06:03 +01:00
Dirk Wetter 419aae3c98 updates docu to reflect actual status 2023-03-17 18:05:24 +01:00
Dirk Wetter 2659a13086
Merge pull request #2336 from drwetter/drwetter-patch-4
Update codespell.yml
2023-03-12 18:12:29 +01:00
Dirk Wetter 6cea273a68
Update codespell.yml
add exception for aNULL which should work now
2023-03-12 17:55:10 +01:00
Dirk Wetter b84e182ca2
Merge pull request #2332 from drwetter/sanitize_fileout
Make sure control chars from HTTP header don't end up in html,csv,json
2023-03-12 16:18:20 +01:00
Dirk Wetter 83f67b4fb7
Merge pull request #2333 from drwetter/drwetter-patch-4
Update .gitignore
2023-03-12 16:00:11 +01:00
Dirk Wetter 8643ed4c72
Update .gitignore 2023-03-12 15:57:01 +01:00
Dirk Wetter cacd8c57b1 Add variable htmlfile + filter GOST message
... which is needed for newer LibreSSL/OpenSSL versions
2023-03-12 15:09:24 +01:00
Dirk Wetter 2e33c483dd remove comma in tr as it was interpreted as such 2023-03-12 14:52:11 +01:00
Dirk Wetter fab67d0cca Remove CR in server banner
... which caused a problem in t/32_isHTML_valid.t.

Also the test for an empty server banner was simplified
2023-03-12 14:00:55 +01:00
Dirk Wetter d298b41d2c add aNULL exception to codespell 2023-03-11 14:06:47 +01:00
Dirk Wetter 06506b371e Make sure control chars from HTTP header don't end up in html,csv,json
This addresses the bug #2330 by implementing a function which removes
control characters from the file output format html,csv,json at the
output.

In every instance called there's a check before whether the string
contains control chars, hoping it'll save a few milliseconds.

A tr function is used, omitting LF.

It doesn't filter the terminal output and the log file output.
2023-03-11 13:38:28 +01:00
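The sanitization this commit describes, as an added example that is not testssl.sh's own code: a POSIX sh function pair that first checks whether a string contains any control character other than LF and only then strips them with tr. The function names and the sample header value are my own and are constructed for the example.

```shell
#!/bin/sh
# Added example, not testssl.sh code: keep control characters out of file
# output (HTML, CSV, JSON) the way the commit describes, with a cheap check
# first and tr doing the work only when needed.

# Delete every C0 control character except LF (octal 012), plus DEL (177).
# NUL cannot occur in a shell variable, so the range starts at 001.
strip_ctrl_chars() {
    printf '%s' "$1" | tr -d '\001-\011\013-\037\177'
}

# Succeeds when the string holds at least one character tr would delete.
# A sentinel is appended so that a trailing LF, which $(...) strips, does
# not show up as a bogus difference.
has_ctrl_chars() {
    [ "$(strip_ctrl_chars "${1}x")" != "${1}x" ]
}

# Only run tr when the check says it is necessary.
sanitize_for_fileout() {
    if has_ctrl_chars "$1"; then
        strip_ctrl_chars "$1"
    else
        printf '%s' "$1"
    fi
}

# Constructed sample: a Server header carrying a CR and an ANSI colour
# escape, the kind of thing a hostile server can send back.
banner="$(printf 'Server: nginx/1.2\033[31m3\r\nX-Foo: bar')"
sanitize_for_fileout "$banner"
printf '\n'
```

Two caveats a practitioner should keep in mind: tr removes only the control bytes themselves, so the printable tail of an escape sequence (`[31m` above) survives as ordinary text, which is harmless but visible; and stripping control characters is not a substitute for the format-specific escaping (HTML entities, CSV quoting, JSON string escapes) that each output writer still has to apply.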
Dirk 9afa277c02 another indent correction 2023-03-03 12:50:02 +01:00
Dirk 2b6bd2f1dd fix indentation 2023-03-03 12:47:12 +01:00
Dirk 581788ff39 Merge branch '3.1dev' of https://github.com/w4ntun/testssl.sh into w4ntun-3.1dev 2023-03-03 12:31:26 +01:00
Dirk Wetter 88763f47a8
Merge pull request #2326 from drwetter/fix_mime-type
Fix Accept Header
2023-02-20 20:29:14 +01:00
Dirk a14fc5bdcf Fix Accept header
see #2325.

"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
2023-02-20 15:01:40 +01:00
Dirk Wetter e57527f3ec
Merge pull request #2321 from drwetter/align_json+terminal@run_cipherlists
Rename 3 jsonIDs in run_cipherlists(): breaking change
2023-02-08 17:07:42 +01:00
Dirk Wetter 8260ca16e2
Merge pull request #2309 from polarathene/chore/dockerfile-improved-copy
chore: Use a single `COPY` by better leveraging `.dockerignore` patterns
2023-02-07 12:23:04 +01:00
Dirk Wetter 363c0d0a69
Merge pull request #2323 from drwetter/drwetter-patch-4
Remove mkdir in Dockerfile
2023-02-07 10:29:08 +01:00
Dirk Wetter f914423978
Remove mkdir in Dockerfile
see https://github.com/drwetter/testssl.sh/pull/2312#pullrequestreview-1286620850
2023-02-07 10:28:26 +01:00
Brennan Kinney 81634ce13d
chore: Bring back group value for `COPY --chown` 2023-02-07 21:36:47 +13:00
Dirk Wetter 1ee21b7f22
Merge pull request #2312 from polarathene/chore/dockerfile-simplify-user
chore(Dockerfile): Simplify `testssl` user creation
2023-02-07 09:03:23 +01:00
Dirk Wetter 64ae161218
Merge branch '3.1dev' into chore/dockerfile-simplify-user 2023-02-07 09:03:15 +01:00
Dirk Wetter 66ebfb2f58 Add changes to CSV baseline 2023-02-06 21:56:54 +01:00
Dirk Wetter 6f881dc70b Rename 3 jsonIDs in run_cipherlists(): breaking change
see #2316 / #2320

AVERAGE --> OBSOLETED
GOOD    --> STRONG_NOFS
STRONG  --> STRONG_FS
2023-02-05 19:32:08 +01:00
Dirk Wetter e87b745c93
Merge pull request #2316 from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
Dirk Wetter 05b4cdcc0d
Merge pull request #2317 from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
David Cooper 3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
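The Bash 5.2 behaviour this commit works around, as an added example that is not the project's own fix: Bash 5.2 turned on the `patsub_replacement` shell option by default, so an unquoted `&` in the string part of `${var//pattern/string}` now expands to the text that matched the pattern. The function below switches that option off where it exists and then escapes HTML metacharacters; the function name and sample input are mine, and the particular encoding testssl.sh settled on is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh code: HTML-escape a string with bash pattern
# substitution in a way that gives the same result before and after Bash 5.2.
#
# With patsub_replacement enabled (the 5.2 default), an unquoted '&' in the
# replacement of ${var//pattern/string} stands for the matched text, so
# "${s//</&lt;}" yields "<lt;" instead of "&lt;".

html_escape() {
    local s="$1"
    # On Bash >= 5.2 this restores the literal meaning of '&'; on older
    # versions the option does not exist, shopt fails and nothing changes.
    shopt -u patsub_replacement 2>/dev/null || true
    s="${s//&/&amp;}"        # '&' first, or the entities below get re-escaped
    s="${s//</&lt;}"
    s="${s//>/&gt;}"
    s="${s//\"/&quot;}"
    printf '%s' "$s"
}

# Constructed sample: a value containing every HTML metacharacter.
html_escape '<a href="x?a=1&b=2">'
printf '\n'
```

The Bash 5.2 manual also documents `\&` and quoting the replacement string as ways to keep a literal `&`; the shopt route is used here because it does not depend on how older releases perform quote removal inside the replacement, which is exactly the portability problem the commit message describes.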
David Cooper b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherlists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00