This commit fixes a check where the Boolean variables $HAS_UDS and $HAS_UDS2 are checked for whether they are empty rather than for whether they are true.
Decryption is TLS 1.3 handshakes is very slow if the response is encrypted using ChaCha20 and the $OPENSSL enc command does not support ChaCha20. This commit mitigates that problem by using $OPENSSL2 for ChaCha20 decryption if such decryption is needed and $OPENSSL does not support it.
This commit also changes testssl.sh to make use of $OPENSSL2 for AES-GCM decryption, when $OPENSSL2 supports it, but $OPENSSL does not. However, this change is not as important. Implementing AES-GCM in Bash using $OPENSSL for AES ECB operations isn't nearly as slow as fully implementing ChaCha20 in Bash.
On MacOS `run_http_header()` hiccuped when in any place of the web site unprintable chars were returned, see https://github.com/testssl/testssl.sh/issues/2708#issuecomment-2738347784 .
This PR fixes that by moving the sanitization to a separate function and run it earlier before any processing of the returned content (header plus body) takes place.
Output was:
```
'HTTP Status Code awk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
'wk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
200 OK
```
When parsing the intermediate cerificates there was a parser problem when using
LibreSSL and not OpenSSL.
This PR fixes the issue #2705 and addresses the problem by using the -nameopt multiline command
of LibreSSL/OpenSSL .
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.* or for upcoming versions of OpenSSL (version 4 or greater). The check will also not work correctly if $OPENSSL2 is used and $OPENSSL2 is not /usr/bin/openssl. This commit fixes these issues.
Previously in 4f1a91f92e there was a
double header sent to the server to check whether the certificate
was revoked.
This PR addresses that and fixes#2667 .
Before version 3.0.0, OpenSSL versions includes letters (e.g., 1.1.1w). Such version numbers confuse [[ ${OSSL_VER//./} -ge 210 ]]. Since this check is only needed for LibreSSL, this commit adds a conditional so that the check is only performed for LibreSSL.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available.
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
