This PR includes two tweaks:
* it helps avoiding the bug querying OCSP responder #2329 by adding
openssl. The openssl supplied has a mimor DNS lookup problem due
to glibc / musl libc compatibilty issues
* by adding openssl also it helps a bit for some performance problems
related to other projects, see #2314
Also the git binary is removed (#2315).
Thanks to @polarathene for the discussions
This is for 3.0. For 3.1dev, see #2332 .
This PR addresses the bug #2330 by implementing a function which removes control characters from the file output format html,csv,json in the output.
In every instance called there's a check before whether the string contains control chars, hoping it'll save a few milli seconds.
A tr function is used, omitting LF.
It doesn't filter the terminal output and the log file output, yet. It provides a function though which is not being called.
see #2325. This is for the 3.0 branch (for 3.1dev see #2326)
"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
Grading is a new feature in 3.1dev,, so set_grade_cap() is not defined in the 3.0 branch.
This commit removes the call to set_grade_cap() in certificate_info().
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.
This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
This commit fixes#2271 by adding the `-no_ssl2` option to the call to get_host_cert() in run_drown(). There is at least one server that causes OpenSSL to hang if this call to get_host_cert() results in an SSLv2 ClientHello being sent. Since this call to get_host_cert() only needs to find the server's certificate in cases in which the server does not support SSLv2, there is no need to send an SSLv2 ClientHello.
The actions release numbers were taken from the 3.1dev branch.
Note: there was one strange codespell error in PR #2263.
Maybe the updated action will avoid this in the future.
This commit fixes an infinite loop in run_pfs() that occurs in cases in which $OPENSSL supports TLS 1.3 and the server supports all of the non-TLS 1.3 FS ciphers that $OPENSSL supports but not all of the TLS 1.3 ciphers that $OPENSSL supports.
The problem is that testing for supported ciphers using $OPENSSL, testing should stop if there are no more ciphers to test (because all of the ciphers supported by $OPENSSL have been determined to be supported by the server). However, currently testing only stops if both the list of TLS 1.3 ciphers and non-TLS 1.3 ciphers is empty. In the problematic case, only the list of non-TLS 1.3 ciphers is empty. Instead of stopping, s_client_options() is called with a -cipher option with an empty list, and s_client_options() simply removes the -cipher option from the command, resulting in a call to $OPENSSL s_client with a full list of non-TLS 1.3 ciphers. Since this call succeeds, the loop continues.
This commit fixes the problem by stopping TLS 1.3 ClientHello testing when the list of TLS 1.3 ciphers is empty and stopping non-TLS 1.3 ClientHello testing when the list of non-TLS 1.3 ciphers is empty.
When neat_list() is printing information about a cipher suite that uses (EC)DH key exchange that was obtained using an old version of OpenSSL the rows are not properly aligned, since the key exchange input includes an unexpected trailing space. This commit fixes the problem by removing any trailing spaces from $kx.
certificate_transparency() does not work in debug mode, since tls_sockets() writes debugging messages to stdout. This commit fixes the problem by having certificate_transparency() return its results using a global variable rather than writing the results to stdout and having having run_server_defaults() catch the output.
There is at least one server that includes a new session ticket in the same packet as the Finished message. This confuses check_tls_serverhellodone() since the new session ticket is encrypted under the application traffic keys rather than the handshake keys. check_tls_serverhellodone(), being unable to decrypt the new session ticket, reports a failure and does not return any of the decrypted data.
This commit fixes the problem by having check_tls_serverhellodone() simply ignore any data that appears after the Finished message.
