This commit fixes two issues with the headers in the structured JSON output. First, if run_cipher_match() is performed the header this is used is "pretest" rather than "singleCipher". Second, the headers for "serverPreferences" and "fs" are swapped.
Shellcheck complains on line 2234 that keyopts is referenced but not assigned and there is no explanation in the code (or in the documentation) why "$keyopts" is there. This commit adds a comment so that "$keyopts" isn't deleted as part of a code cleanup.
This commit adds several variables to reset_hostdepended_vars() that are not currently being reset for each host being tested, but that should be reset.
testssl.sh currently calls "git log --format='%h %ci' -1 2>/dev/null" three times. This commits changes testssl.sh to make this call just once and then use Bash string manipulation to extract the necessary information from the result.
Sending the entire log to /dev/null is a rather expensive way of checking whether
we are inside a git working tree. Use `git rev-parse --is-inside-work-tree` instead.
This commit fixes#2049 by converting newline characters to spaces in JSON and CSV findings.
fileout() calls newline_to_spaces() on the $findings that are to be written to JSON and CSV files. However, this only affects actual newline characters in the string, not escaped newline characters (i.e., "\n"). Escaped newline characters pass through this function unchanged, but then get converted to newline characters when they are written to the JSON and/or CSV files. This commit fixes the problem by also converting escaped newline characters ("\n") to spaces.
This fixes#1834 and #1435.
The --connect-timeout option had the problem that under certain circumstances
like parallel mass scanning it didn't work. The culprit was that a subshell command
was used to connect to the target but the file descriptor wasn't exported.
The commit changes tha logic so that this connect is still done in a subshell
as a pre-check if it's possible to connect. If this fails it proceeds with
error handling if NR_SOCKET_FAIL is above threshold. Otherwsie it just connects
again.
When testing of the alexa 500 it worked for me(tm). It would be great if others
can give it a try.
This commit fixes a bug in sub_cipherlists() when using sockets to test whether a server supports a set of ciphers with SSLv2. Code that is supposed to extract the list of SSLv2 ciphers to test for is incorrectly reading from the list of non-SSLv2 ciphers.
This commit adds a check that ./testssl.sh has both read and execute permission. If ./testssl.sh is lacking execute permission, it will pass the tests in 00_testssl_help.t and 01_testssl_banner.t that run the program as `bash ./testssl.sh`, but will fail the subsequent tests that run the program as `./testssl.sh`, but the reason for the failure will not be clear.
As noted in https://github.com/drwetter/testssl.sh/pull/1963#issuecomment-954935175, there are two places in which debugme1() is called in which the command to be run prints something to stdout, which is then redirected to a file. Now that debugme1() includes a redirect from stdout to stderr, these two lines do not work as expected. The output appears in the terminal and an empty file is created.
This commit fixes the issue by not using the debugme1() function in these two places.
This commit changes a few lines of code that checks OpenSSL version numbers to recognize 3.0.1 and 3.1.0 in addtion to 3.0.0.
According to https://www.openssl.org/blog/blog/2018/11/28/version, API/ABI compatibility is guaranteed for the same MAJOR version number (starting with version 3), so it should be sufficient to just check that $OSSL_VER_MAJOR is 3.
This commit adds PrioritzeChaCha detection, as requested in #1733. If the server (1) enforces a cipher order for a given protocol, (2) supports at least one non-ChaCha cipher for that protocol, and (3) supports at least one ChaCha cipher that would normally be less preferred than the ChaCha cipher, then a test is performed to see if the server selects the ChaCha cipher if it is listed first in the ClientHello.
While OpenSSL 1.0.2-chacha supports more than 128 cipher suites, other versions of OpenSSL tend to support far fewer than that.
Calling check_tls12_pref() adds to the run time of cipher_pref_check(), but is only needed if OpenSSL would otherwise send a ClientHello with more than 128 cipher suites. So, this commit adds another check and only calls check_tls12_pref() if the server has the size limit bug and OpenSSL supports more than 127 ciphers.
The code added by #2024 creates a cipher list with two consecutive colons. While this doesn't seem to be a problem, the commit removes the extra colon.
Some servers are configured to prioritize ChaCha ciphers if those ciphers are preferred by the client, even if the server is generally configured to use the server's cipher preferences rather than the client's. As a result of this, if a ChaCha cipher appears in the ClientHello before a non-ChaCha cipher, the server may select the ChaCha cipher even if the server is configured to prefer the non-ChaCha cipher.
In a few cases, e.g., cloudflare.com for TLS 1.2, this affects the ordering of the ciphers presented by cipher_pref_check(). This commit fixes the problem by having cipher_pref_check() (and check_tls12_pref()) always place any ChaCha ciphers at the end of the cipher list in the ClientHello. This ensures that cipher_pref_check() presents the ciphers in the server's preference order.
This commit fixes an error in s_client_options() when the function is called with an empty "-cipher" list and $OPENSSL supports "@SECLEVEL". This happens, for example, when ciphers_by_strength() is called for TLS 1.3.
The call to `openssl s_client` will fail is the cipher option is provided with an empty list or a list that just contains "@SECLEVEL=0". So, "@SECLEVEL=0" should only be added if the "$ciphers" list is non-empty. If "$ciphers" remains empty, then the "-cipher" option will not be added to the command line.
As noted in #2016 the detection of curves in find_openssl_binary()
copuld be improved.
This commit removes another connect call. Also it corrects the port statement
for LibreSSL-like pre-checks as port 0 generally seems to me better suited.
Inline documentation was added.
It worked so far with openssl 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4.
This needs to be backported to 3.0.
Dirk Wetter
David Cooper
Dr. Matthias St. Pierre
Magnus Larsen
Jens Wahnes