Commit Graph

1018 Commits

Author SHA1 Message Date
Dirk Wetter 830bc0fb4f Update Readme.md 2016-07-26 20:23:31 +02:00
Dirk Wetter c7afd8e366 Update Readme.md 2016-07-26 20:22:51 +02:00
Dirk 5114a118f2 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:18:37 +02:00
Dirk 69e8be6be8 - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 20:16:35 +02:00
Dirk Wetter 48f2dc20a6 Merge pull request #428 from dcooper16/determine_optimal_proto_ssl2_fix
SSLv2 fixes for determine_optimal_proto()
2016-07-26 18:29:49 +02:00
Dirk Wetter 3f550d14cf Merge pull request #429 from dcooper16/old_openssl_warning
Don't ignore response to old OpenSSL warning
2016-07-26 18:27:33 +02:00
Dirk Wetter 8d3e157e35 Merge pull request #430 from dcooper16/minor_typos
Fix two minor typos
2016-07-26 18:25:39 +02:00
David Cooper 746eab7f6b Fix two minor typos
Fixes for two minor typos that were previously included in PR #345.
2016-07-26 12:07:08 -04:00
David Cooper 4ed1f2fc11 Don't ignore response to old OpenSSL warning
In the check for old versions of OpenSSL, the results of the call to `ignore_no_or_lame()` are ignored, and so the program continues even if the user enters `no`.
2016-07-26 11:29:25 -04:00
David Cooper bc6367d3ad Update testssl.sh 2016-07-26 11:21:23 -04:00
David Cooper b43562aabf Update testssl.sh 2016-07-26 11:13:45 -04:00
David Cooper 23d311b1fc SSLv2 fixes for determine_optimal_proto()
This PR makes three changes to `determine_optimal_proto()`:
* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
2016-07-26 11:10:20 -04:00
Dirk Wetter 5a763ff8e1 Merge pull request #424 from dcooper16/run_rc4_ssl2_ciphers
SSLv2 fixes for run_rc4()
2016-07-26 12:08:17 +02:00
Dirk Wetter a8048ccfa0 Merge pull request #425 from dcooper16/test_just_one_ssl2_ciphers
SSLv2 fixes for test_just_one()
2016-07-26 07:54:29 +02:00
David Cooper add75caf82 SSLv2 fixes for test_just_one()
This PR changes test_just_one() to correctly handle SSLv2 ciphers.

As with PR #424, this PR addresses the problem in which servers that do not implement SSLv2, but that implement RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, or NULL-MD5 are shown as implementing both the SSLv2 and SSLv3 versions of the ciphers, and that any SSLv2 ciphers that a server does implement are not shown as being implemented.
2016-07-25 17:00:49 -04:00
David Cooper 43d5ad5071 SSLv2 fixes for run_rc4()
This PR changes run_rc4() to correctly handle SSLv2 ciphers.

It addresses the problem in which servers that do not implement SSLv2, but that implement SSLv3 ciphers that share an OpenSSL name with an SSLv2 cipher (RC4-MD5 and EXP-RC4-MD5), are not incorrectly shown as having implemented the SSLv2 cipher.

It also addresses the problem that if a server does implement SSLv2 with an RC4 SSLv2-cipher suite, then that cipher suite it not shown as being implemented.
2016-07-25 16:42:04 -04:00
Dirk Wetter 9b3cfab5b8 Merge pull request #341 from dcooper16/run_allciphers(),run_cipher_per_proto(),-and-SSLv2
run_allciphers(),run_cipher_per_proto(), and SSLv2
2016-07-25 20:04:14 +02:00
David Cooper bb29e3c917 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-25 09:39:28 -04:00
Dirk 541690b46e - enabled+renamed tolerance test per default
- quoted some bool vars for faster execution
2016-07-23 15:12:13 +02:00
Dirk Wetter 38b61ed36f Merge pull request #346 from dcooper16/version_negotiation
Additional checks in run_protocols()
2016-07-23 14:54:50 +02:00
Dirk 3d588ddb20 change sequence of out output (trust checks together 2016-07-23 14:52:26 +02:00
Dirk Wetter 0c2acdd8fe Merge pull request #420 from dcooper16/signed-signed-check
Fix check for self-signed certificate
2016-07-23 14:47:14 +02:00
Dirk 1a099d35b7 - minor polishing #419 2016-07-23 11:17:49 +02:00
Dirk Wetter 9ef0cef8ef Merge pull request #419 from dcooper16/CN-hostname-match
CN <--> hostname match
2016-07-23 11:13:29 +02:00
David Cooper ae38670067 Fix check for self-signed certificate
The check for whether a certificate is self-signed was using the undefined variable $CN rather than $cn.
2016-07-22 12:06:52 -04:00
David Cooper 59002c1088 Update JSON id for chain-of-trust 2016-07-22 11:57:16 -04:00
David Cooper df64e47fb9 CN <--> hostname match
PR to address issue #94 (CN <--> hostname match)
2016-07-22 11:31:52 -04:00
Dirk Wetter ddead05825 Merge pull request #418 from dcooper16/issuer2
CA names with domain component attributes
2016-07-21 12:16:24 +02:00
David Cooper 603ed33f57 Merge branch 'master' into version_negotiation 2016-07-20 13:39:11 -04:00
David Cooper 6730ed8340 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-20 13:37:54 -04:00
David Cooper bdea1a0971 Merge branch 'master' into issuer2
Conflicts:
	testssl.sh
2016-07-20 11:45:08 -04:00
Dirk Wetter d98e49f5ba Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-20 17:39:52 +02:00
Dirk Wetter 6e5c2a824e merged #416 2016-07-20 17:38:55 +02:00
David Cooper 346c52dc7c CA names with domain component attributes
`certificate_info()` does not correctly display the Issuer name for CAs that use domain component attributes.

There is a server on the NIST intra-net that I test against that has a certificate issued by a NIST CA, and the issuer name in the certificate is of the form: `/DC=net/DC=example/DC=internal/CN=CAname`

Since there is no organizational name, testssl.sh displays the name as:
```
 Issuer                       "CAname" ("")
```
In this PR, if the Issuer name has 'DC=' attributes, but does not have an 'O=' attribute, the "DC=" attributes are combined into a DNS name that is used as if it were the organizational name:
```
 Issuer                       "CAname" ("internal.example.net")
```
I should note, however, that I have not been able to find any other examples of TLS server certificates that have been issued by CAs that have domain components ("DC=") in their names. So, it may not be worthwhile to change the code to try to accommodate such CAs.
2016-07-20 11:37:51 -04:00
Dirk Wetter b0d394e93c merged #417 2016-07-20 17:28:09 +02:00
Dirk Wetter b342db6b38 Merge pull request #417 from dcooper16/issuer
Fix JSON output of Issuer name
2016-07-20 17:06:09 +02:00
David Cooper d9f8024d9a Fix JSON output of Issuer name
`certificate_info()` currently outputs `$issuer` to the JSON file, where is should be outputting `$issuer_CN` in order for the information in the JSON file to match the information that is displayed.

This PR also fixes the problem that if an Issuer name contains a domain component attribute (DC=) then it will be mistakenly treated as a country attribute (C=).
2016-07-20 10:50:38 -04:00
Dirk 829231c381 Merge branch 'dcooper16-run_pfs_curves' 2016-07-16 21:21:53 +02:00
Dirk 5de3ef3e22 Merge branch 'run_pfs_curves' of https://github.com/dcooper16/testssl.sh into dcooper16-run_pfs_curves
Conflicts:
	testssl.sh
2016-07-16 21:21:18 +02:00
Dirk 0c22ea9a0e - output polising in curves
- fix for jail #258
2016-07-16 20:48:56 +02:00
David Cooper a06ac81df3 Speed up finding supported curves
Rather than try each curve one at a time, follow model in `cipher_pref_check()`.  First include all curves in ClientHello, then successively remove from the ClientHello those curves that have been offered by the server until the connection fails. This makes the number of calls to `$OPENSSL s_client` one more than the number of supported curves rather than the number of curves in NamedCurve supported by $OPENSSL.

Note, however, that OpenSSL defines MAX_CURVELIST as 28 and fails if the `-curves` option includes more than 28 curves. Since OpenSSL 1.1.0 offers 29 curves from NamedCurve, this PR breaks the list of supported curves in 2. At the cost of one additional calls to `$OPENSSL s_client` it ensures that the number of curves provides to the `-curves` option is below the limit.
2016-07-14 13:23:50 -04:00
Dirk bda62ec715 no glasses needed, just need to look at the right spot ;- 2016-07-11 19:41:32 +02:00
Dirk 5f47359291 polishing output for #413 2016-07-11 18:44:28 +02:00
Dirk Wetter 400e969585 Merge pull request #413 from dcooper16/test_curves
Determine support elliptic curves for ECDHE- ciphers
2016-07-11 18:11:09 +02:00
Dirk Wetter 9f47ccece2 Merge pull request #412 from dcooper16/supported_elliptic_cur
Reorder supported curves
2016-07-11 17:08:39 +02:00
David Cooper 891c56f8bf Determine support elliptic curves for ECDHE- ciphers
This PR extends run_pfs() to display the set of elliptic curves supported by the server, if the server supports any ECDHE- ciphers.
2016-07-11 11:00:56 -04:00
David Cooper fb94221ce0 Reorder supported curves
Reorder the supported curves sent by socksend_tls_clienthello() from strongest to weakest.
2016-07-11 10:52:48 -04:00
David Cooper f968bd8346 Merge branch 'master' into version_negotiation 2016-07-11 10:45:59 -04:00
David Cooper 197bee8658 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-11 10:44:37 -04:00
Dirk Wetter 16087f8252 Merge pull request #411 from welwood08/patch-2
Server cipher order NPN tests should use SNI
2016-07-11 16:24:45 +02:00