mirror of https://github.com/drwetter/testssl.sh.git synced 2025-02-23 16:11:15 +01:00
Commit Graph

4524 Commits

Author SHA1 Message Date
Dirk
d001bba86b Finalize DNS via Proxy
See , original PR from @w4ntun.

Formerly testssl.sh returned an error when it wasn't possible to determine IP
addresses through DNS resolution, even if the --proxy and --ip=proxy flags were set.
The main function always tried to determine IP addresses via DNS and exited with
a fatal error if it could not do so. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.

This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.

ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.

In addition:
* help() was amended to add --ip=proxy (was only in the ~/doc dir before)
* amending ~/doc dir to document that it's better to add --nodns=min when there's
  no local resolver
2023-03-21 19:40:40 +01:00
Dirk Wetter
cb451777d2
Merge pull request from drwetter/CAstores_update
CA stores update
2023-03-18 20:19:03 +01:00
Dirk Wetter
aac696b0a0 Updated root CA stores 2023-03-17 18:06:57 +01:00
Dirk Wetter
6106887fdd Update DST CA 2023-03-17 18:06:03 +01:00
Dirk Wetter
419aae3c98 updates docu to reflect actual status 2023-03-17 18:05:24 +01:00
Dirk Wetter
2659a13086
Merge pull request from drwetter/drwetter-patch-4
Update codespell.yml
2023-03-12 18:12:29 +01:00
Dirk Wetter
6cea273a68
Update codespell.yml
add exception for aNULL which should work now
2023-03-12 17:55:10 +01:00
Dirk Wetter
b84e182ca2
Merge pull request from drwetter/sanitize_fileout
Make sure control chars from HTTP header don't end up in html,csv,json
2023-03-12 16:18:20 +01:00
Dirk Wetter
83f67b4fb7
Merge pull request from drwetter/drwetter-patch-4
Update .gitignore
2023-03-12 16:00:11 +01:00
Dirk Wetter
8643ed4c72
Update .gitignore 2023-03-12 15:57:01 +01:00
Dirk Wetter
cacd8c57b1 Add variable htmlfile + filter GOST message
... which is needed for newer LibreSSL/OpenSSL versions
2023-03-12 15:09:24 +01:00
Dirk Wetter
2e33c483dd remove comma in tr as it was interpreted as such 2023-03-12 14:52:11 +01:00
Dirk Wetter
fab67d0cca Remove CR in server banner
... which caused a problem in t/32_isHTML_valid.t.

Also the test for an empty server banner was simplified
2023-03-12 14:00:55 +01:00
Dirk Wetter
d298b41d2c add aNULL exception to codespell 2023-03-11 14:06:47 +01:00
Dirk Wetter
06506b371e Make sure control chars from HTTP header don't end up in html,csv,json
This addresses the bug by implementing a function which removes
control characters from the file output formats html,csv,json at the
output.

In every instance called there's a check before whether the string
contains control chars, hoping it'll save a few milliseconds.

A tr function is used, omitting LF.

It doesn't filter the terminal output and the log file output.
2023-03-11 13:38:28 +01:00
Dirk
9afa277c02 another indent correction 2023-03-03 12:50:02 +01:00
Dirk
2b6bd2f1dd fix indentation 2023-03-03 12:47:12 +01:00
Dirk
581788ff39 Merge branch '3.1dev' of https://github.com/w4ntun/testssl.sh into w4ntun-3.1dev 2023-03-03 12:31:26 +01:00
Dirk Wetter
88763f47a8
Merge pull request from drwetter/fix_mime-type
Fix Accept Header
2023-02-20 20:29:14 +01:00
Dirk
a14fc5bdcf Fix Accept header
see .

"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
2023-02-20 15:01:40 +01:00
Dirk Wetter
e57527f3ec
Merge pull request from drwetter/align_json+terminal@run_cipherlists
Rename 3 jsonIDs in run_cipherlists(): breaking change
2023-02-08 17:07:42 +01:00
Dirk Wetter
8260ca16e2
Merge pull request from polarathene/chore/dockerfile-improved-copy
chore: Use a single `COPY` by better leveraging `.dockerignore` patterns
2023-02-07 12:23:04 +01:00
Dirk Wetter
363c0d0a69
Merge pull request from drwetter/drwetter-patch-4
Remove mkdir in Dockerfile
2023-02-07 10:29:08 +01:00
Dirk Wetter
f914423978
Remove mkdir in Dockerfile
see https://github.com/drwetter/testssl.sh/pull/2312#pullrequestreview-1286620850
2023-02-07 10:28:26 +01:00
Brennan Kinney
81634ce13d
chore: Bring back group value for COPY --chown 2023-02-07 21:36:47 +13:00
Dirk Wetter
1ee21b7f22
Merge pull request from polarathene/chore/dockerfile-simplify-user
chore(Dockerfile): Simplify `testssl` user creation
2023-02-07 09:03:23 +01:00
Dirk Wetter
64ae161218
Merge branch '3.1dev' into chore/dockerfile-simplify-user 2023-02-07 09:03:15 +01:00
Dirk Wetter
66ebfb2f58 Add changes to CSV baseline 2023-02-06 21:56:54 +01:00
Dirk Wetter
6f881dc70b Rename 3 jsonIDs in run_cipherlists(): breaking change
see  / 

AVERAGE --> OBSOLETED
GOOD    --> STRONG_NOFS
STRONG  --> STRONG_FS
2023-02-05 19:32:08 +01:00
Dirk Wetter
e87b745c93
Merge pull request from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
Dirk Wetter
05b4cdcc0d
Merge pull request from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
David Cooper
3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in , the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in  to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
David Cooper
b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk Wetter
70237b2328
Merge pull request from polarathene/chore/dockerfile-remove-mkdir
chore: Remove redundant `mkdir`
2023-02-03 19:54:51 +01:00
Dirk Wetter
6c2663aeb6
Merge pull request from SSLbrain/3.1dev
Feature Trustcor certificates being removed/disabled from root stores 
2023-02-02 13:55:07 +01:00
Brennan Kinney
76b8f0c981 chore: Remove redundant mkdir
- If local folder ownership is for example `644` it will fail to handle the `COPY` regardless (while `744` would work).
- Creating the directory with higher permissions in the container does not appear to help.
2023-02-02 14:26:16 +13:00
Sole
3670c1e4ad Removed non-relevant CA's that no longer have active certificates. 2023-02-02 01:13:00 +00:00
Brennan Kinney
dc7d13b853 chore(Dockerfile): Simplify testssl user creation
Create `testssl` user (_and group_) with no password (`-D`) and default their shell to bash (`-s`):
- A group will implicitly be created with the same value as the user. `addgroup testssl` and `-G testssl` are not needed.
- Gecos data (`-g "testssl user"`) doesn't appear relevant to the project to be required? The default gecos value (`Linux User,,,`) should be fine.
2023-02-02 14:07:51 +13:00
Sole
9fc8c33704 Change exception for removed root certificates into an easy-to-edit multi-value regular expression for Organization name and make it clear that CA's are actively removed from 1+ root stores. 2023-02-02 00:42:15 +00:00
Brennan Kinney
74892e45c5 chore: Use a single COPY by better leveraging .dockerignore patterns 2023-02-02 12:49:30 +13:00
Dirk Wetter
e02e8be19f
Merge pull request from drwetter/upgrade_alpine_perf-fix
Upgrade Alpine version for both Dockerfiles
2023-02-01 19:45:57 +01:00
Dirk Wetter
beb94d9efc Upgrade Alpine version for both Dockerfiles
... to improve/mitigate performance problems, see .
(musl libc vs. glibc)
2023-02-01 19:40:40 +01:00
Dirk Wetter
5a1a114adc
Merge pull request from drwetter/dependabot/github_actions/docker/build-push-action-4.0.0
Bump docker/build-push-action from 3.3.0 to 4.0.0
2023-01-31 09:37:28 +01:00
Dirk Wetter
0b5c414970
Merge pull request from drwetter/nntp_ci_remove
Remove NNTP from CI tests
2023-01-31 09:37:06 +01:00
Dirk Wetter
2e0898c9ef Remove NNTP from CI tests
Maybe for the future we should check whether host is available and
if so then run the test
2023-01-31 09:34:18 +01:00
dependabot[bot]
8ae8a6fc44
Bump docker/build-push-action from 3.3.0 to 4.0.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-31 00:03:02 +00:00
Dirk Wetter
e9db257474 Start listing changes and contributions
... a few items by David and myself.

It's a WIP and there are missing points. Feel free to amend the
CHANGELOG.md and CREDITS.md.
2023-01-17 15:19:34 +01:00
Dirk Wetter
8099dc0106
Merge pull request from drwetter/ldap_starttls_improvements
Add logic for STARTTLS enabled AD servers
2023-01-17 14:27:01 +01:00
Dirk Wetter
fdd72d2785 Cleanup code, clarify comments for AD/LDAP + STARTTLS 2023-01-17 14:23:53 +01:00
Dirk Wetter
fc2a020294 Add logic for STARTTLS enabled AD servers
There are two different scenarios. x0C is the buffsize reply from openldap-like servers
whereas AD servers probably have x84 and also return the OID. The following is kind of
hackish as ldap_ExtendedResponse_parse() in apps/s_client.c of openssl is kind of hard
to understand. It was deduced from a number of hosts.
Bottom line: We'll look at the 9th byte or at the 17th when retrieving the result code

AD:
30 84 00 00 00 7d 02 01 01 78 84 00 00 00 74 0a 01 34 04 00 04 55 30 30 30 30 30 30 30 30 3a 20 [ failed AD .. LdapErr + OID..]
30 84 00 00 00 28 02 01 01 78 84 00 00 00 1F 0A 01 00 04 00 04 00 8A 16 [.. OID ..]
   ^^ bufflen                                      ^^ resultcode

30 0C 02 01 01 78 07 0A 01 00 04 00 04 00
   ^^ bufflen              ^^ result code
2023-01-17 11:16:05 +01:00