Commit Graph

4790 Commits

Author SHA1 Message Date
830af44953 Merge pull request #2690 from dcooper16/mlkem
Support draft-connolly-tls-mlkem-key-agreement
2025-03-11 15:33:22 +01:00
70e1c4d693 Merge pull request #2689 from dcooper16/sort_tls_extns
Sort TLS extensions
2025-03-11 15:20:36 +01:00
6ed6db500b Merge pull request #2688 from dcooper16/ossl4_compat
OpenSSL 4 compatibility
2025-03-11 15:16:45 +01:00
ac83b79680 Merge pull request #2687 from dcooper16/ossl35_compat
OpenSSL 3.5 compatibility
2025-03-11 15:13:44 +01:00
410b3acf5c OpenSSL 4 compatibility
According to https://openssl-library.org/roadmap/index.html, OpenSSL 4 is scheduled to be released in April 2026. This commit modifies code that checks $OPENSSL version numbers so that versions 4 and above will be recognized.
2025-03-10 15:58:40 -07:00
75b78bc21a Sort TLS extensions
This commit modifies testssl.sh so that run_server_defaults() prints the server's supported TLS extensions sorted by extension number rather than listing them in the order in which they were found.

In order to simplify the sorting of the extensions, this commit changes $TLS_EXTENSIONS from a string to an array. In February 2017 comments were added (925e1061b2) saying that it would be $TLS_EXTENSIONS were an array. So, this commit addresses those comments. However, it is possible that the reason for those comments no longer apply.
2025-03-10 15:38:24 -07:00
683f028164 Support draft-connolly-tls-mlkem-key-agreement
This commit adds support for the three code points in draft-connolly-tls-mlkem-key-agreement.
2025-03-06 11:42:00 -08:00
6a333d17b7 OpenSSL 3.5 compatibility
With the current master branch of OpenSSL (3.5.0-dev), the output that is provided by s_client has changed in the case of a cipher suite that uses an ephemeral key. Rather than preceding the ephemeral key information with "Server Temp Key: ", it is now preceded by either "Peer Temp Key:" or "Negotiated TLS1.3 group:". This commit modifies the lines that extract ephemeral key information from OpenSSL responses to accept any of these strings.
2025-03-06 10:33:04 -08:00
f34b81ed8f Merge pull request #2683 from testssl/drwetter-patch-1
Update pull_request_template.md
2025-03-06 11:16:01 +01:00
b25038e248 Update pull_request_template.md 2025-03-06 11:14:54 +01:00
08d8039813 Merge pull request #2681 from testssl/date_not_available
Fix regex for openssl banner
2025-03-05 22:20:42 +01:00
7bb04e020e Fix regex for openssl banner
,,, and also update the warning when runing in SSL native mode to check the ciphers
before and include OpenSSL also
2025-03-05 17:52:34 +01:00
9807bc327a Merge pull request #2679 from testssl/banner_change
Banner change
2025-03-05 16:28:29 +01:00
e6cfe8c3b0 Resolve merge conflict by incorporating both suggestions 2025-03-05 15:35:18 +01:00
e2ee8b24b4 fix typo in comment 2025-03-05 15:06:41 +01:00
5ffcd086eb Add missing local vars 2025-03-05 15:02:15 +01:00
3152cdf864 Banner change + minor fix for curve detection
In order to tell openssl binaries better apart the short banner below the
hash tag signs contain now also the date. That is the short version of the
build date unless it is not supplied which is the case of opensuse. Then
the name contains the date and it's taken from there.

The start and end banner lines have the same length now.

"sieve" was added in a comment and the sequence where sieve appears in
a pattern was trying to match other occurences (i.e. after nntp)

While testing the banners it appeared under Linux that a) the vendor
supplied openssl sometimes hangs during startup when determining the
supported curves using -connect b) a pattern was missing to detect
whether the curve was not supported which falsely labeled all supplied curves
as supported when using /usr/bin/openssl . The pattern for the latter
was added (b). For a) there needs to be a follow up PR to avoid the
long delays.
2025-03-05 14:41:12 +01:00
f555fb050e Merge pull request #2678 from dcooper16/fix_typo
Fix typo
2025-03-05 09:13:12 +01:00
bbdf19df85 Fix typo
This commit fixes a typo that was introduced by #2656.
2025-03-04 14:01:50 -08:00
3ae276497d Merge pull request #2677 from testssl/dependabot/github_actions/docker/setup-qemu-action-3.6.0
Bump docker/setup-qemu-action from 3.5.0 to 3.6.0
2025-03-03 09:49:25 +01:00
4d43d97622 Bump docker/setup-qemu-action from 3.5.0 to 3.6.0
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3.5.0...v3.6.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-03 00:22:11 +00:00
4fde2e7e49 Merge pull request #2674 from testssl/dependabot/github_actions/docker/build-push-action-6.15.0
Bump docker/build-push-action from 6.14.0 to 6.15.0
2025-02-27 10:32:27 +01:00
105c19e4ef Merge pull request #2675 from testssl/dependabot/github_actions/docker/setup-qemu-action-3.5.0
Bump docker/setup-qemu-action from 3.4.0 to 3.5.0
2025-02-27 10:32:03 +01:00
c9d1ba4fcc Merge pull request #2673 from dcooper16/avoid_subshell
Avoid subshell overhead
2025-02-27 10:31:04 +01:00
c37e171424 Bump docker/setup-qemu-action from 3.4.0 to 3.5.0
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3.4.0...v3.5.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-27 00:03:48 +00:00
5bfe6d63bd Bump docker/build-push-action from 6.14.0 to 6.15.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.14.0 to 6.15.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.14.0...v6.15.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-27 00:03:46 +00:00
78dd0a13c9 Merge pull request #2671 from javabrett/javabrett/improve-ev-detection
Improved (experimental) Extended Validation (EV) certificate identification
2025-02-26 22:56:21 +01:00
c38f46880f Avoid subshell overhead
This commit removes the use of parenthesis in two expressions in run_fs() in order to avoid subshell overhead.
2025-02-26 13:25:49 -08:00
102e4fb9b7 Merge pull request #2620 from Odinmylord/fix_curves
fix curves findings in TLS1.2 and prior versions
2025-02-26 13:15:34 -08:00
04e5bc4be9 Merge pull request #2672 from javabrett/patch-1
Update CONTRIBUTING.md
2025-02-26 10:23:26 +01:00
5f548b4214 Update CONTRIBUTING.md
Fixed typo complains -> complaints.
2025-02-26 13:02:16 +11:00
352ed61a2e Improved (experimental) Extended Validation (EV) certificate identification.
Three changes:

- added grep for "EV TLS" in addition to "EV SSL", as some issuers are
  using this.  This grep link actually picks-up most EV policies.
- Added policy detection for 2.23.140.1.1.  This is from CA Browser
  Forum https://cabforum.org/resources/object-registry/ extended-validation(1).
- Added policy detection for 1.3.6.1.4.1.38064.1.3.1.4 , which is SSL.com's EV policy.
2025-02-26 10:10:21 +11:00
ff41cbbb89 Merge pull request #2669 from magnuslarsen/3.1dev
fix(rating): explicit enable rating if required vuln-checks are enabled
2025-02-23 14:29:18 +01:00
9429afade1 fix(rating): explicit enable rating if required tests are ran 2025-02-23 11:48:41 +01:00
69e2067b99 Merge pull request #2666 from krufab/fix/fix-typo-in-help-message
Corrected typo in the help message
2025-02-22 16:00:31 +01:00
1539148f0b Corrected typo in the help message
Signed-off-by: Fabio Kruger <10956489+krufab@users.noreply.github.com>
2025-02-22 00:55:08 +01:00
b3609603f9 remove unnecessary "if" statements and remove break from "if" statements 2025-02-20 15:45:05 +01:00
ffa3e19764 Merge pull request #2662 from dcooper16/fix_ossl_supported_curve_check
Fix check for OpenSSL supported curves
2025-02-20 11:30:10 +01:00
94ff89671f Merge pull request #2664 from testssl/dependabot/github_actions/docker/build-push-action-6.14.0
Bump docker/build-push-action from 6.13.0 to 6.14.0
2025-02-20 11:29:28 +01:00
ec220e7c27 Bump docker/build-push-action from 6.13.0 to 6.14.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.14.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.13.0...v6.14.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-20 00:56:34 +00:00
5c7e7bcbc7 Fix check for OpenSSL supported curves
OpenSSL 3.X outputs a different error message than previous versions when $OPENSSL s_client -curves X ... is called with an unsupported curve. This was resulting in the check within find_openssl_binary() adding every curve to $OPENSSL_SUPPORTED_CURVES, even ones that were not supported. This commit changes to check in order to detect the new error message.
2025-02-19 12:47:35 -08:00
74209e05de Merge pull request #2660 from testssl/rm_comment
Remove obsolete comment that SNI is not needed for ticketbleed
2025-02-17 15:39:26 +01:00
2baaf61cc5 Merge pull request #2657 from dcooper16/fix_pattern_match
Fix pattern matches
2025-02-15 14:14:38 +01:00
f085fd1880 Merge pull request #2659 from dcooper16/npn_sockets
Enable run_npn() to use tls_sockets()
2025-02-15 13:47:13 +01:00
e79dc8161e Remove obsolete comment that SNI is not needed for ticketbleed
See also aa5d4917cf (r1954824502)
2025-02-15 13:33:52 +01:00
4b57f4c9f9 Merge pull request #2656 from dcooper16/ticketbleed
Enhance ticketbleed testing
2025-02-15 13:31:15 +01:00
96bd3072de Enable run_npn() to use tls_sockets()
LibreSSL does not support the -nextprotoneg option. This commit enhances run_npn() to use tls_sockets() when $HAS_NPN is false, rather than reporting that the check can not be performed.
2025-02-14 12:25:39 -08:00
acf48977c2 Fix pattern matches
This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets.

(The bugs were introduced in b8e9b09ca7 and 8149c2d5cf)
2025-02-13 14:21:26 -08:00
aa5d4917cf Enhance ticketbleed testing
Some versions of OpenSSL/LibreSSL do not support TLS 1.1 and earlier, either because they do not support the protocol (e.g, `$OEPNSSL s_client -tls1` results in a "unknown option" error) or because the cryptography needed to support these protocol versions (e.g., MD5/SHA1) is not available.

Given the limitations of some versions of $OPENSSL, this commit enhances ticketbleed testing in two ways. First, it performs the testing using the newest (non-TLS 1.3) version supported by the server, so that TLS 1 and TLS 1.1 aren't used unless TLS 1.2 is not supported. Second, it adds tests for whether the protocol version to be used is supported by $OPENSSL and for whether connection attempts were successful, rather than assuming connection attempts succeed.
2025-02-13 07:59:36 -08:00
4b4260831e Merge pull request #2653 from testssl/address_addCA_issue
Address CA file parsing problem (3.2)
2025-02-07 14:18:51 +01:00