Commit Graph

3783 Commits

Author SHA1 Message Date
David Cooper
9dbb629154 Add printing of information about client authentication to run_server_defaults(). Minor cleanup of code to extract information about client authentication. 2021-02-05 13:11:38 -05:00
David Cooper
e8a3dce5ad sclient_auth() improvements
Modify sclient_auth() to use checks similar to sclient_connect_successful() to determine whether the connection attempt was successful. Replace uses of awk and grep with Bash internals string comparisons.
2021-02-05 13:11:38 -05:00
David Cooper
44787d6bcb Extract Client Auth CA list
This commit is a first step towards addressing #1709. It attempts to determine whether certificate-based client authentication is (1) not requested, (2) optional, or (3) required. If it is either optional or required, then it extracts the list of CA names (DNs) that the server sends in its CertificateRequest message.

The code for extracting the CA list from the CertificateRequest message seems to be working correctly. However, this commit is incomplete for a couple of reasons. First, it does not produce any new output, it just collects the information. Second, sclient_auth() needs some work.

The current sclient_auth() simply returns 0 if $OPENSSL returned 0. This may be okay if only trying to determine whether certificate-based client authentication is required. However, if it is optional, then the output will include "CertificateRequest", but $OPENSSL will return 0, since the connection was successful even though the client did not provide a certificate.

If $OPENSSL does not return 0, then sclient_auth() checks whether Master-Key is present. This works for TLS 1.2 and earlier, but not for TLS 1.3. So, sclient_auth() needs to be updated to work correctly with TLS 1.3.

The modified version of sclient_auth() will set CLIENT_AUTH and CLIENT_AUTH_CA_LIST for any version of TLS, but the remaining part of the code needs work. As I am not clear on the reason for this code, I need some help with it. Why does the code only look for "CertificateRequest" if "Master-Key" is present? Why is there a check for Session-ID in a function that is supposed to just be checking for client authentication? Why is CLIENT_AUTH set to false if SESSION-ID is absent (this is a no-op since CLIENT_AUTH would already have been false)?
2021-02-05 13:11:38 -05:00
Dirk Wetter
bf24c80174
Merge pull request #1837 from dcooper16/files_in_mass_testing_file
Mass testing with CSV, HTML, JSON, and/or LOG file names in mass test…
2021-02-04 21:00:12 +01:00
Dirk Wetter
53fc1c2a18
Merge pull request #1838 from fogs/3.1dev
Fixed typos
2021-01-30 10:46:17 +01:00
fogs
9c794ea4bd Fixed typos 2021-01-30 09:13:16 +01:00
David Cooper
1de8def49f Mass testing with CSV, HTML, JSON, and/or LOG file names in mass testing file
See #1148 and #1805.

As noted in #1148, testssl.sh is not currently designed to handle a mass testing file in which CSV, HTML, LOG, and/or JSON file names are provided in the mass testing file. If a child process receives a command line with one of the files, it assumes the same command-line option was provided to the parent so that the output of every test is being written to this one file. If this assumption is wrong, then either the file will not be created at all or it will be malformed since it will be missing header and/or footer information.

This PR partially addresses the problem by introducing new command-line arguments that are for internal use only. These command line arguments allow a child process to distinguish between a CSV, HTML, LOG, or JSON file that it is supposed to create itself versus one that is to be shared by all of the child processes.

There is one major limitation to this PR. The code for handling command-line arguments in the mass testing file is very simple and cannot handle whitespace characters, whether they are enclosed in quotes or are escaped. So, any file names included in the mass testing file cannot have whitespace characters.
2021-01-26 16:46:35 -05:00
Dirk Wetter
1beac9c293
Update feature_request.md 2021-01-25 11:33:03 +01:00
Dirk Wetter
4704a883fe
Update other-issues---question.md 2021-01-25 11:32:34 +01:00
Dirk Wetter
6ed29f628f
Update feature_request.md 2021-01-25 11:31:47 +01:00
Dirk Wetter
226871625e
Update feature_request.md 2021-01-25 11:31:31 +01:00
Dirk Wetter
124f6f54be
Update feature_request.md 2021-01-22 12:21:01 +01:00
Dirk Wetter
977f6966e1
Update bug_report.md 2021-01-22 12:20:05 +01:00
Dirk Wetter
eabc21b7c4
Merge pull request #1830 from drwetter/fix_heartbleed_json.1828
Fix file output formatting for heartbleed
2021-01-20 10:12:44 +01:00
Dirk
770e066548 Fix file output formatting for heartbleed
Quotes were wrong for different results, which led to some confusion
for finding, cve and cwe
2021-01-20 08:48:55 +01:00
Dirk Wetter
7bc16ff7e7
Merge pull request #1826 from drwetter/fix_travis
Travis CI didn't run. Trying to fix it (3.1dev)
2021-01-18 14:23:06 +01:00
Dirk
c66d58b135 Filter for changing certificates of testssl.sh's server 2021-01-18 09:30:31 +01:00
Dirk
9c9207ae89 Travis CI didn't run. Trying to fix it (3.1dev) 2021-01-13 23:15:42 +01:00
Dirk Wetter
477bd13899
Merge pull request #1817 from drwetter/le_issuer_fix1816
Fix issuer check for Let's Encrypt
2021-01-07 10:25:02 +01:00
Dirk
e65233877b Fix issuer check for Let's Encrypt which not halved the exp warn time
Addresses #1816. Also the name changed
2021-01-07 09:19:56 +01:00
Dirk Wetter
b8b23b94df
Merge pull request #1813 from drwetter/file_exec_fix
Fixes the search for a non-executable socat binary
2021-01-05 15:27:40 +01:00
Dirk Wetter
5439985dbe Fixes the search for a non-executable socat binary
... otherwise there would be an ugly screen output.
This commit squashes the error message on the screen.
2021-01-05 15:25:28 +01:00
Dirk Wetter
a9f4bb5fb5
Merge pull request #1810 from drwetter/starttls_injection
STARTTLS injection
2020-12-29 14:40:58 +01:00
Dirk Wetter
e1a43e6e16
Merge branch '3.1dev' into starttls_injection 2020-12-29 13:46:18 +01:00
Dirk Wetter
7c66535628 resolve merge conflict 2020-12-29 13:44:04 +01:00
Dirk Wetter
ffe223f6e6
Merge pull request #1807 from tosticated/custom_http_headers
Custom HTTP request headers support added. Addresses #1770
2020-12-26 12:13:59 +01:00
tosticated
351f36c943 Changed parameter to --reqheader for custom HTTP headers. 2020-12-25 20:10:02 +01:00
tosticated
1473cdf02d
Update CHANGELOG.md 2020-12-24 22:00:42 +01:00
tosticated
c1a565fad8 Custom HTTP request headers support added. Addresses #1770 2020-12-22 22:33:25 +01:00
Dirk Wetter
2682d032b8
Merge pull request #1801 from drwetter/tmpfix_order_idsfriendly+U
Fix order for -U and --ids-friendly
2020-12-12 12:03:22 +01:00
Dirk Wetter
39132fe3d0 Fix order for -U and --ids-friendly
Workaround for bug see #1717. In addition: Bring the test closer to a cleaner style,
as the others

Should --ids-friendly could be as well be removed when travis runs faster.
2020-12-11 20:49:15 +01:00
Dirk Wetter
4f375de26c
Merge pull request #1799 from PeterDaveHello/RefactorDockerfileApkUsage
Refactor `apk` usage in Dockerfile
2020-12-09 09:17:00 +01:00
Peter Dave Hello
abc5694408 Clean up apk cache in Dockerfile after packages installed
This will make the image smaller.
2020-12-09 15:52:04 +08:00
Peter Dave Hello
da84740000 Remove --no-cache for apk in Dockerfile
As there is `apk upgrade` and `apk update`, the apk index will already
exist. `--no-cache` is for `apk` when there is no `apk update`
behavior and it's expected to be no local cache left, not suitable for
the use case here, which wants to upgrade all the packages to the latest
when packaging the image.
2020-12-09 15:47:07 +08:00
Dirk Wetter
2cb96d4e9e
Merge pull request #1798 from drwetter/client_always_wide
Client simulation per default as wide
2020-12-08 23:23:55 +01:00
Dirk Wetter
d76829cd28 wide mode for client simulation 2020-12-08 19:52:42 +01:00
Dirk Wetter
e7fa4ff4ce Client simulation per default as wide
... in order to be consistent with run_server_preference().

The wide formatting of other tests needs some inspection and
off the top of my head are not as perfectly formatted so that
they should not run per default in wide mode.
2020-12-08 19:43:07 +01:00
Dirk Wetter
f6e2a5c381
Merge pull request #1797 from atroost/hex2curves
Hex2curves
2020-12-03 12:44:21 +01:00
Alexander Troost
7029ada0ba fixing typo in md file 2020-11-28 14:06:26 +01:00
Alexander Troost
57ffe08dd4 Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
Dirk Wetter
ea6d99fe93
Merge pull request #1795 from drwetter/no_code_update
Trying to save resources for poor Travis/CI ;-)
2020-11-28 10:08:53 +01:00
Dirk Wetter
a780ad6174
fix '|" 2020-11-27 20:24:46 +01:00
Dirk Wetter
1cd5510955 Trying to save resources for poor Travis/CI ;-)
See 3b38a5dea3
2020-11-27 18:10:43 +01:00
Dirk Wetter
19494a6d8b
Merge pull request #1794 from drwetter/drwetter-patch-1
Minor changes to Readme Dockerfile again
2020-11-27 17:05:22 +01:00
Dirk Wetter
c88d22a0f0
Update Dockerfile.md 2020-11-27 17:05:03 +01:00
Dirk Wetter
2655e91255
Update Readme.md 2020-11-27 17:00:34 +01:00
Dirk Wetter
20c57289d1
Merge pull request #1792 from drwetter/docker_docu_polish
Consolidate docker sections in Readme.md and Dockerfile.md
2020-11-27 16:35:03 +01:00
Dirk Wetter
1a7e4f1e92 consolidate docker sections in Readme.md and Dockerfile.md
see #1791
2020-11-27 16:33:23 +01:00
Dirk Wetter
849c031597
Merge pull request #1789 from drwetter/skip_sometunittests
Trying to reduce the runtime of travis
2020-11-27 15:24:06 +01:00
Dirk Wetter
96d4b4f08b Trying to reduce the runtime of travis
Often in the past travis was hitting a limit (50min?).

This is a try to make reasonable cuts to the unit tests:
- For STARTTLS some checks with OpenSSL are skipped
- For JSON and HTML outputs --ids-friendly was added assuming we
  don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more.
- There's also no point to run those checks against badssl
- for the diff check we switch to 'or diag' to display a difference
2020-11-27 13:19:52 +01:00