Commit Graph

4305 Commits

Author SHA1 Message Date
8643ed4c72 Update .gitignore 2023-03-12 15:57:01 +01:00
88763f47a8 Merge pull request #2326 from drwetter/fix_mime-type
Fix Accept Header
2023-02-20 20:29:14 +01:00
a14fc5bdcf Fix Accept header
see #2325.

"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
2023-02-20 15:01:40 +01:00
e57527f3ec Merge pull request #2321 from drwetter/align_json+terminal@run_cipherlists
Rename 3 jsonIDs in run_cipherlists(): breaking change
2023-02-08 17:07:42 +01:00
8260ca16e2 Merge pull request #2309 from polarathene/chore/dockerfile-improved-copy
chore: Use a single `COPY` by better leveraging `.dockerignore` patterns
2023-02-07 12:23:04 +01:00
363c0d0a69 Merge pull request #2323 from drwetter/drwetter-patch-4
Remove mkdir in Dockerfile
2023-02-07 10:29:08 +01:00
f914423978 Remove mkdir in Dockerfile
see https://github.com/drwetter/testssl.sh/pull/2312#pullrequestreview-1286620850
2023-02-07 10:28:26 +01:00
81634ce13d chore: Bring back group value for COPY --chown 2023-02-07 21:36:47 +13:00
1ee21b7f22 Merge pull request #2312 from polarathene/chore/dockerfile-simplify-user
chore(Dockerfile): Simplify `testssl` user creation
2023-02-07 09:03:23 +01:00
64ae161218 Merge branch '3.1dev' into chore/dockerfile-simplify-user 2023-02-07 09:03:15 +01:00
66ebfb2f58 Add changes to CSV baseline 2023-02-06 21:56:54 +01:00
6f881dc70b Rename 3 jsonIDs in run_cipherlists(): breaking change
see #2316 / #2320

AVERAGE --> OBSOLETED
GOOD    --> STRONG_NOFS
STRONG  --> STRONG_FS
2023-02-05 19:32:08 +01:00
e87b745c93 Merge pull request #2316 from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
05b4cdcc0d Merge pull request #2317 from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
70237b2328 Merge pull request #2313 from polarathene/chore/dockerfile-remove-mkdir
chore: Remove redundant `mkdir`
2023-02-03 19:54:51 +01:00
6c2663aeb6 Merge pull request #2311 from SSLbrain/3.1dev
Feature Trustcor certificates being removed/disabled from root stores #2293
2023-02-02 13:55:07 +01:00
76b8f0c981 chore: Remove redundant mkdir
- If local folder ownership is for example `644` it will fail to handle the `COPY` regardless (while `744` would work).
- Creating the directory with higher permissions in the container does not appear to help.
2023-02-02 14:26:16 +13:00
3670c1e4ad Removed non-relevant CAs that no longer have active certificates. 2023-02-02 01:13:00 +00:00
dc7d13b853 chore(Dockerfile): Simplify testssl user creation
Create `testssl` user (_and group_) with no password (`-D`) and default their shell to bash (`-s`):
- A group will implicitly be created with the same value as the user. `addgroup testssl` and `-G testssl` are not needed.
- Gecos data (`-g "testssl user"`) doesn't appear relevant to the project to be required? The default gecos value (`Linux User,,,`) should be fine.
2023-02-02 14:07:51 +13:00
9fc8c33704 Change exception for removed root certificates into easy-to-edit multi-value regular expression for Organization name and make it clear that CAs are actively removed from 1+ root stores. 2023-02-02 00:42:15 +00:00
74892e45c5 chore: Use a single COPY by better leveraging .dockerignore patterns 2023-02-02 12:49:30 +13:00
e02e8be19f Merge pull request #2306 from drwetter/upgrade_alpine_perf-fix
Upgrade Alpine version for both Dockerfiles
2023-02-01 19:45:57 +01:00
beb94d9efc Upgrade Alpine version for both Dockerfiles
... to improve/mitigate performance problems, see #2299.
(musl libc vs. glibc)
2023-02-01 19:40:40 +01:00
5a1a114adc Merge pull request #2300 from drwetter/dependabot/github_actions/docker/build-push-action-4.0.0
Bump docker/build-push-action from 3.3.0 to 4.0.0
2023-01-31 09:37:28 +01:00
0b5c414970 Merge pull request #2303 from drwetter/nntp_ci_remove
Remove NNTP from CI tests
2023-01-31 09:37:06 +01:00
2e0898c9ef Remove NNTP from CI tests
Maybe for the future we should check whether the host is available and,
if so, then run the test
2023-01-31 09:34:18 +01:00
8ae8a6fc44 Bump docker/build-push-action from 3.3.0 to 4.0.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-31 00:03:02 +00:00
8099dc0106 Merge pull request #2297 from drwetter/ldap_starttls_improvements
Add logic for STARTTLS enabled AD servers
2023-01-17 14:27:01 +01:00
fdd72d2785 Cleanup code, clarify comments for AD/LDAP + STARTTLS 2023-01-17 14:23:53 +01:00
fc2a020294 Add logic for STARTTLS enabled AD servers
There are two different scenarios. x0C is the buffsize reply from openldap-like servers
whereas AD servers probably have x84 and return also the OID. The following is kind of
hackish as ldap_ExtendedResponse_parse() in apps/s_client.c of openssl is kind of hard
to understand. It was deducted from a number of hosts.
Bottom line: We'll look at the 9th byte or at the 17th when retrieving the result code

AD:
30 84 00 00 00 7d 02 01 01 78 84 00 00 00 74 0a 01 34 04 00 04 55 30 30 30 30 30 30 30 30 3a 20 [ failed AD .. LdapErr + OID..]
30 84 00 00 00 28 02 01 01 78 84 00 00 00 1F 0A 01 00 04 00 04 00 8A 16 [.. OID ..]
   ^^ bufflen                                      ^^ resultcode

30 0C 02 01 01 78 07 0A 01 00 04 00 04 00
   ^^ bufflen              ^^ result code
2023-01-17 11:16:05 +01:00
ce3bd4764f Merge pull request #2296 from drwetter/dependabot/github_actions/docker/build-push-action-3.3.0
Bump docker/build-push-action from 3.2.0 to 3.3.0
2023-01-16 10:20:13 +01:00
1b2f58d739 Bump docker/build-push-action from 3.2.0 to 3.3.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.2.0...v3.3.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 01:05:58 +00:00
7670275e59 Merge pull request #2292 from drwetter/ldap_starttls_improvements
make starttls_ldap_dialog() more readable...
2022-12-27 22:06:12 +01:00
c67cefaf8e add info about error handling 2022-12-26 19:15:49 +01:00
336d3c947a better use safe_echo() 2022-12-26 16:14:26 +01:00
b633efae69 make starttls_ldap_dialog() more readable...
... add references + better debugging output
2022-12-26 16:10:31 +01:00
198bb09d51 Merge pull request #2282 from drwetter/drwetter-patch-2
Reflect past update for docker hub's Dockerfile
2022-11-28 17:09:04 +01:00
0c807bea5b Reflect past update for docker hub's Dockerfile
... using alpine 3.16
2022-11-28 14:10:13 +01:00
9304bb80b8 Merge pull request #2281 from dcooper16/fix_whitespace
Fix whitespace issues
2022-11-25 18:23:58 +01:00
e2942966d2 Fix whitespace issues
This commit fixes incorrect indentations introduced in #2276 and #2278, and also removes the extra whitespace that would have been removed by #2279.
2022-11-25 07:44:48 -08:00
6ba21a937a Merge pull request #2278 from dcooper16/fix_extract_calist
Fix extract_calist()
2022-11-24 11:15:10 +01:00
907126a285 Fix extract_calist()
When a server supports client authentication, extract_calist() extracts the list of supported certification authorities sent by the server. extract_calist() uses different code to extract the list from a TLS 1.3 response than from a TLS 1.2 or earlier response, since the CertificateRequest message was changed for TLS 1.3.

For TLS 1.2 and earlier, extract_calist() assumes that the CertificateRequest message is a sequence of certificate types, signature algorithms, and certification authorities. However, the signature algorithms field was added in TLS 1.2 and does not appear in TLS 1.1 and earlier. So, the current code does not work unless the server supports TLS 1.2 or TLS 1.3.

This commit fixes the problem by checking whether the response is a TLS 1.2 response, and skipping over the extraction of the signature algorithms field if the response is neither TLS 1.2 nor TLS 1.3.
2022-11-23 08:35:45 -08:00
a4666087e8 Merge pull request #2265 from dcooper16/server_sig_algs
Show server supported signature algorithms
2022-11-23 11:11:02 +01:00
c7644ad58e Limit size of signature_algorithms extension
Some servers get confused if the signature_algorithms extension is too large. This commit addresses the problem by:

* For TLS 1.2, generally limiting the signature algorithms to those consistent with the key type being tested.

* For TLS 1.3, breaking the list of signature schemes in two, and testing each half of the list separately.
2022-11-18 06:23:24 -08:00
6088eddab6 Show server supported signature algorithms
This commit modifies run_fs() to show the signature algorithms the server supports in the ServerKeyExchange message for TLS 1.2 and in the CertificateVerify message for TLS 1.3.

Signature algorithms are not shown for TLS 1.1 and earlier, since for those protocol versions the signature algorithm to use is specified by the protocol. While the signature algorithm used in TLS 1.1 and earlier is weak, testssl.sh already warns if these protocol versions are supported.
2022-11-18 06:23:24 -08:00
462a602625 Merge pull request #2276 from dcooper16/pem_fileout
Fix #1747
2022-11-18 11:06:26 +01:00
3eb8cf6754 Fix #1747
This commit fixes #1747 by converting PEM encoded certificates that are sent to fileout() to a single line. As suggested in #1747, '\n' is added after the '----- BEGIN ... -----' line and before the '------ END ... ------' line.

In order to ensure that '\n' appears in the string in the JSON and CSV files, '\\n' is sent to fileout() so that 'printf -- "%b"' converts '\\n' to '\n' rather than converting '\n' to a newline character.

In order to prevent fileout() from converting '\\n' to '\ ', this commit moves the fix for #2049 (see PR #2050) from fileout() to fatal().
2022-11-17 06:31:52 -08:00
827782cd58 Merge pull request #2275 from drwetter/remove_negotiated
Remove Negotiated cipher / protocol in server preferences
2022-11-15 09:28:38 +01:00