Commit Graph

4171 Commits

Author SHA1 Message Date
David Cooper ad6cde996a
Add check for the Expect-CT header
This commit adds a check for the Expect-CT header to run_more_flags().
2017-10-30 11:48:48 -04:00
Dirk Wetter b9723424e7
Merge pull request #882 from dcooper16/suppress_config_file_warn
Suppress more config file warnings
2017-10-30 08:41:55 +01:00
Dirk Wetter fd9ee18ab5
Merge pull request #883 from dcooper16/run_cipher_match_tls13
Add TLSv1.3 support for run_cipher_match()
2017-10-27 23:58:28 +02:00
David Cooper 24c342b34b
Add TLSv1.3 support for run_cipher_match()
This PR adds TLSv1.3 support for run_cipher_match(). It also addresses issue #660 for run_cipher_match().
2017-10-27 13:52:09 -04:00
David Cooper 1addd74178
Suppress more config file warnings
This PR is a continuation of #833.

With additional testing with different options I encountered more places where $OPENSSL was printing "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" where testssl.sh was not suppressing the error message.

This PR redirects stderr to /dev/null or to $ERRFILE for several more calls to $OPENSSL in order to suppress these warning messages.
2017-10-27 13:07:04 -04:00
Dirk Wetter a0fc34763f
Merge pull request #881 from dcooper16/libressl_enc_names
Fix problem with LibreSSL encryption names
2017-10-27 17:55:15 +02:00
David Cooper a25cbf5078
Fix problem with LibreSSL encryption names
For ciphers that use the ChaCha20-Poly1305 cipher, LibreSSL shows "Enc=ChaCha20-Poly1305" in the "openssl ciphers -V" command rather than "Enc=ChaCha20(256)" and for some GOST ciphers it shows "Enc=GOST-28178-89-CNT" rather than "Enc=GOST(256)". This causes a problem for neat_list() if information is being obtained from "$OPENSSL ciphers -V" rather than from the cipher-mapping.txt file.
2017-10-27 11:49:11 -04:00
Dirk Wetter 884fa3ffed Merge pull request #879 from dcooper16/use_helper_function
Use read_sigalg_from_file() helper function
2017-10-27 17:13:26 +02:00
David Cooper 06f842ae69 Use read_sigalg_from_file() helper function
This PR fixes several places where the read_sigalg_from_file() helper function isn't being used.
2017-10-27 10:34:04 -04:00
Dirk a85ca3c250 FIX #765
Inconsistency in using optional and mandatory parameters in help and man page
2017-10-26 11:46:14 +02:00
Dirk 4e70ac6ad5 FIX #870 = testssl.sh -v/-b picks up wrong openssl binary 2017-10-22 23:41:17 +02:00
Dirk Wetter f88e3d89f1 Merge pull request #826 from dcooper16/fix772
Complete fix of #772
2017-10-22 23:28:16 +02:00
Dirk Wetter b16a86cf46 Merge pull request #827 from dcooper16/OpenSSL_111_fix
Another fix for OpenSSL 1.1.1
2017-10-22 23:27:50 +02:00
Dirk Wetter 90eb1f128c Merge pull request #873 from tomwassenberg/comment-fix
Correct small inconsistency in code comment
2017-10-21 11:49:08 +02:00
Tom Wassenberg 39bc207d0e
Correct small inconsistency in comment
The main parameter is referred to as "<URI>" everywhere, except for in one
comment, where it was "<host>". Made this consistent with other uses.
2017-10-20 21:36:41 +02:00
Dirk e3b254d0a1 FIX #869 2017-10-20 19:58:20 +02:00
David Cooper 63fe5fa170 Complete fix of #772
PR #777 introduced a proposed solution to #772. This PR applies the proposed solution wherever it was not applied in #777.
2017-10-20 13:54:18 -04:00
David Cooper 0efaf9114f Another fix for OpenSSL 1.1.1
If testssl.sh is used with OpenSSL 1.1.1 and TLSv1.3 support is enabled, then the check for whether the server has a cipher order will always fail. The problem is that since the call to s_client doesn't specify a protocol a TLSv1.3 ClientHello will be sent. However, the call specifies a list of ciphers that doesn't include any TLSv1.3 ciphers. So, OpenSSL will fail with the error: "No ciphers enabled for max supported SSL/TLS version." The solution is to add the "-no_tls1_3" option.

This PR fixes the problem by taking advantage of the recently-added s_client_options() function. It adds a "-no_tls1_3" option whenever:
* $OPENSSL supports TLSv1.3
* The command line doesn't specify any protocol: -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3.
* The command line includes the -cipher option
* The list of ciphers that will be sent doesn't include any TLSv1.3 ciphers.

Add TLSv1.3 support to run_cipher_per_proto()

Fix branch
2017-10-20 13:51:29 -04:00
Dirk Wetter f212b609ab Merge pull request #867 from dcooper16/tls13_for_run_allciphers
Add TLSv1.3 support for run_allciphers()
2017-10-20 18:12:02 +02:00
Dirk Wetter d65566921f Merge pull request #868 from dcooper16/tls13_for_run_server_preference
Add TLSv1.3 support for run_server_preference()
2017-10-20 18:09:17 +02:00
David Cooper ca7c8200eb Add TLSv1.3 support for run_server_preference()
This PR adds support for TLSv1.3 to run_server_preference(). It only provides partial support, as it only works if the support supports and earlier TLS protocol (in order to determine whether the server has a cipher order). It also will only show TLSv1.3 as the "Negotiated protocol" if $OPENSSL supports TLSv1.3.

This PR also fixes a bug in which the variable "proto" was defined as used as both a regular variable and as an array.
2017-10-20 11:40:19 -04:00
David Cooper fb5c049fd7 Add TLSv1.3 support for run_allciphers()
This PR adds TLSv1.3 support for run_allciphers(). It also addresses issue #660 for run_allciphers().
2017-10-20 11:39:30 -04:00
Dirk 50fa1e74bd Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-10-20 16:45:59 +02:00
Dirk d3795f1254 Add output options similar to nmap (FIX #861) 2017-10-20 16:32:57 +02:00
Dirk Wetter d83f310baf Merge pull request #872 from dcooper16/fix_871
Fix #871
2017-10-20 15:42:16 +02:00
David Cooper ebb99a53d2 Fix #871
This PR fixes the bug identified in issue #871.
2017-10-20 09:09:52 -04:00
Dirk 52e02d9d43 CAA work
This fixes #865 and improves #588. All CAA records are now shown,
also with old DNS binaries.
2017-10-18 18:43:54 +02:00
Dirk 4b187d6253 fix travis error in 8ceb1b5 2017-10-18 17:13:05 +02:00
Dirk 8ceb1b5ad8 use bash internal functions for #864 2017-10-18 15:25:43 +02:00
Dirk Wetter 76248493a0 Merge pull request #863 from dcooper16/run_server_preference_ssl3_bugfix
run_server_preference() bug fix
2017-10-18 13:42:54 +02:00
Dirk Wetter 5b6344f6fb Merge pull request #864 from seccubus/recursive_caa
Make CAA record lookups resolve the entire DNS tree (Fixes #862)
2017-10-18 13:42:02 +02:00
Frank Breedijk 0bb1767cc4 This should return it to normal 2017-10-18 08:22:51 +02:00
Frank Breedijk 4544f0f300 Make CAA record lookups resolve the entire DNS tree (Fixes #862) 2017-10-18 08:05:02 +02:00
David Cooper ab9c70119f run_server_preference() bug fix
If run_server_preference() is performed
* against a server that supports SSLv3 and that does not have a cipher order; and
* using a version of OpenSSL that does not support SSLv3; and
* with the --mapping option set to "rfc" or "no-openssl"
then the "Negotiated cipher per proto" will not show the SSLv3 cipher since cipher[i] will be empty.
2017-10-17 13:28:15 -04:00
Dirk Wetter 4adc96b2f7 Merge pull request #856 from dcooper16/run_cipher_per_proto_tls13
Add TLSv1.3 support to run_cipher_per_proto()
2017-10-14 09:21:09 +02:00
Dirk Wetter ac3ff349c9 Merge pull request #859 from dcooper16/rc4
run_rc4() and #660
2017-10-14 09:17:19 +02:00
Dirk Wetter cd4009fed9 Merge pull request #854 from dcooper16/tls13_run_std_cipherlists
Add TLSv1.3 support for run_std_cipherlists()
2017-10-14 09:15:16 +02:00
David Cooper 605d0178ec run_rc4() and #660
This PR addresses issue #660 for run_rc4(), ensuring that support for RC4 ciphers is detected even if no RC4 ciphers are supported with the highest protocol that the server supports.
2017-10-13 16:50:36 -04:00
David Cooper cbd50043ef Add TLSv1.3 support to run_cipher_per_proto() 2017-10-12 10:37:31 -04:00
David Cooper 7019f8b306 Add TLSv1.3 support for run_std_cipherlists()
This PR adds support for TLSv1.3 to run_std_cipherlists().

This PR also provides a partial fix for #660 - addressing the issue only for run_std_cipherlists(). Rather than testing the server once for each cipher list, it tries the server once for each protocol supported by the server. This makes the testing more robust, but adds significantly to the time it takes to perform the tests.
2017-10-12 10:36:39 -04:00
Dirk Wetter 22fd594334 Merge pull request #857 from dcooper16/use_bash_internal
Use bash internal functions
2017-10-12 11:34:20 +02:00
Dirk Wetter 2129af0537 Merge pull request #858 from dcooper16/sweet32
Fix #660 for run_sweet32()
2017-10-12 10:24:34 +02:00
David Cooper 58d67b52a1 Fix #660 for run_sweet32()
This PR addresses issue #660 for run_sweet32(), detecting if 3DES is used, even if it isn't used with the highest protocol version supported by the server. As with PR #854, this increased robustness comes at the expense of taking addition time to run the test.
2017-10-11 15:41:05 -04:00
David Cooper dab7c1bfc0 Use bash internal functions
This PR replaces more uses of awk with bash internal functions.
2017-10-11 15:20:49 -04:00
Dirk Wetter 430917d59f Merge pull request #855 from dcooper16/use_bash_string_manipulation
Use bash internal functions
2017-10-11 17:28:17 +02:00
David Cooper ea4e68c2ce Use bash internal functions
This PR replaces the use of sed or awk in a few places with bash internal functions.
2017-10-11 10:59:13 -04:00
Dirk Wetter 38b2089c49 Merge pull request #853 from dcooper16/no_sock_reply_file
Don't maintain SOCK_REPLY_FILE in non-debug mode
2017-10-11 14:49:10 +02:00
David Cooper a8ef95c2cc Don't maintain SOCK_REPLY_FILE in non-debug mode
In client_simulation_sockets() and tls_sockets(), don't work to create a SOCK_REPLY_FILE that contains the entire server's response (in cases where the response was spread across multiple packets) unless $DEBUG is at least 1.
2017-10-10 14:48:36 -04:00
Dirk 6bd1c26a14 FIX #851 2017-10-10 19:54:36 +02:00
Dirk Wetter 49fcb0d724 Merge pull request #850 from dcooper16/fix_typo
Fix typo
2017-10-10 17:28:25 +02:00