Commit Graph

3306 Commits

Author SHA1 Message Date
David Cooper cce57c4613
Fix run_ssl_poodle()
PR #1463 changed run_ssl_poodle() to only run the test if it is known that the server supports SSLv3. However, support for SSLv3 may be unknown at the time run_ssl_poodle() is run (e.g., if the server supports TLS 1 and SSLv3, and run_ssl_poodle() is the first test performed). So, run_ssl_poodle() should perform testing unless it is known that SSLv3 is not supported.
2020-01-22 11:20:34 -05:00
David Cooper d49d96ae40
Undo copy and paste error
This PR removes what appears to be a copy and paste error introduced by #1463.
2020-01-22 11:14:55 -05:00
Dirk Wetter 2181061c6e
Merge pull request #1463 from drwetter/shortcurt_vulns
Shortcuts for vulnerability tests for TLS 1.3 only servers
2020-01-22 15:37:11 +01:00
Dirk Wetter eeb1acd749 Android 9 still has 2 signature hash algos: x0201 + x0203 2020-01-22 11:41:42 +01:00
Dirk d4d5a61a0b Hopefully make Travis shut up now
picked a TLS 1.2 host
2020-01-22 11:30:21 +01:00
Dirk cae052cfab Address some HTML check failures in travis
(shouldn't work too late)
2020-01-22 11:29:04 +01:00
Dirk Wetter 7c66ed47c0 All self retrieved Android handshakes modified to service ANY 2020-01-22 10:58:00 +01:00
Dirk Wetter a50a660d6c Add Android 10 client simulation 2020-01-22 10:54:50 +01:00
Dirk Wetter ca8054184b remove also leading colon in helper script bc of GREASE 2020-01-22 10:52:07 +01:00
Dirk 39abb27dd9 cloudflare seems not good for html travis checks 2020-01-22 00:28:59 +01:00
Dirk 80530aa34c remove fast as it makes problems especially with Travis+testssl.net 2020-01-21 23:53:52 +01:00
Dirk e0f8c8d43e Relax misunderstanding of DEBUG statemement
There's a check for >825 days certificate lifetime. That
check emits a debug statement when the lifetime is within
this limit. It does that also when the certificate expired.

This commit adds now the word "total"

DEBUG: all is fine with total certificate life time

to make sure the life time left not is what should be understood.
2020-01-21 22:47:53 +01:00
Dirk 26a8f23ec1 Shutup Travis
... by adding the formerly intruoced "DEBUG" statement as a filter.
Note: "DEBUG" can now / should now be taken preferably for extra
output on debug level 1.

Replacing badssl.com by testssl.net. The former needed almost 5 min
for a run, whereas one IP of testssl.net needs ~80 secs. With --fast
even less.
2020-01-21 22:41:50 +01:00
Dirk 952231dd94 Shortcuts for vulnerability tests
Several vulnerability checks add a time penalty when the server
side only support TLS 1.3 as The TLS 1.3 RFC 8446 and implementations
known so far don't support the flaws being checked for.

This PR adds "shortcut" checks for all TLS 1.3, assuming that the
TLS 1.3 implementation is correct which seems at this time a valid
assumpution. That either saves a TCP connect or at least some logic to
be executed.  Also in some cases a TLS 1.3 only server emitted unnecessary
warnings, see #1444.

If $DEBUG -eq 1 then it outputs information that a shortcut was
used. It doesn't do that in other cases because the screen output
seems too obtrusive.

It also adds a shortcut for beast when SSL 3 or TLS 1.0 is is known
not to be supported.

This commit radds 747fb039ed which
was accidenially reverted in 45f28d8166.
It fixes #1462.

See also #1459.
2020-01-20 21:37:02 +01:00
Dirk 431f4fbe5f last walk through the changelog 2020-01-20 12:50:31 +01:00
Dirk 3e8d1983b3 reorder / rephrase some points 2020-01-20 12:49:49 +01:00
Dirk Wetter c08250d1bb
Merge pull request #1461 from drwetter/ci_setx
add check for forgotten "set -x" + provide defined start conditions
2020-01-20 12:20:07 +01:00
Dirk 45f28d8166 Revert "Shortcuts for TLS13 only servers in renegotiation checks"
This reverts commit 747fb039ed.
2020-01-18 21:55:35 +01:00
Dirk 44d1139e99 Revert "Complete shortcut checks (Renegotiation and CRIME)"
This reverts commit 8c24d1a6f2.
2020-01-18 21:54:42 +01:00
Dirk f109d3bbd6 add unlink / start with a clean state
... good when running "prove -v" locally and previously
the run was interrrupted by e.g. ^C
2020-01-18 21:47:44 +01:00
Dirk cb6677e2d3 removed comment 2020-01-18 21:45:32 +01:00
Dirk bec9ebdda8 only one ip 2020-01-18 21:44:24 +01:00
Dirk 2563dfb5e5 add set -x 2020-01-18 21:36:19 +01:00
Dirk 8c24d1a6f2 Complete shortcut checks (Renegotiation and CRIME)
This also makes a short exit when the server side
supports TLS 1.3 only as this protocol doesn't support
TLS renegotiation or compression.

Also it fixes the logic flaw from the previous
commit that "-no_tls1_3" has to be supplied.

Furthermore, it unifies the output presented to the user.
2020-01-18 12:31:38 +01:00
Dirk Wetter 155824214b
Merge pull request #1460 from drwetter/drwetter-patch-1
add also here -z
2020-01-17 15:26:09 +01:00
Dirk Wetter adfa411e24
add also here -z 2020-01-17 15:24:36 +01:00
Dirk 747fb039ed Shortcuts for TLS13 only servers in renegotiation checks
As noted in #1444 a few vulnerability checks don't make sense
or aren't working.  This commit addresses the renegotiation checks.

Also a few redundant quotes in parse_tls_serverhello() and
run_crime() were removed.
2020-01-17 15:16:26 +01:00
Dirk Wetter 71b6305e00
Merge pull request #1458 from drwetter/drwetter-patch-2
fix language
2020-01-17 11:59:50 +01:00
Dirk Wetter ddc7a56ab0
fix language 2020-01-17 11:59:41 +01:00
Dirk Wetter a094ebc981
Merge pull request #1457 from drwetter/drwetter-patch-2
fix missing -z
2020-01-17 11:57:36 +01:00
Dirk Wetter 1fb2db02a7
Update docker-debian10.tls13only.start.sh 2020-01-17 11:57:13 +01:00
Dirk 2ea57f0701 Update attributions and Changes for release
If anything is missing or wrong please let us know or do a PR.

(This is until from earlier time to ~2018. >2019 need to follow)
2020-01-17 11:01:41 +01:00
Dirk Wetter 03fb04a9f9
Merge pull request #1455 from drwetter/drwetter-patch-1
Warning for handshake retrieved by Google apps
2020-01-16 22:48:07 +01:00
Dirk Wetter ac7a20f018
Update client-simulation.wiresharked.md 2020-01-16 22:46:43 +01:00
Dirk Wetter 86afeabf8f
Merge pull request #1438 from drwetter/update_clienthandshakes
Update clienthandshakes
2020-01-16 22:26:21 +01:00
Dirk Wetter c2060c08f3
Merge pull request #1454 from dcooper16/basic_auth_polishing
More polishing of http basic auth
2020-01-16 20:24:39 +01:00
David Cooper 4b6bdf8cdf
More polishing of http basic auth
* Replace "! -z" with "-n"
* Replace "openssl' with "$OPENSSL"
* Redirect stderr output of $OPENSSL to /dev/null to supress "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" message (see #833)
* Remove unnecessary spaces from $GET_REQ11 string.
2020-01-16 13:41:27 -05:00
Dirk Wetter 91e14a3840
Merge pull request #1452 from drwetter/add_1451
Last fine tuning for http basic auth
2020-01-16 16:34:09 +01:00
Dirk Wetter 0691dc1bf8
Merge pull request #1453 from mkauschi/add-cache-control-header-check
Check for the Cache-Control and Pragma header
2020-01-16 16:25:18 +01:00
manuel e498ffbdb2 add Pragma header to other_header_variable 2020-01-16 15:01:48 +01:00
manuel 5813e40e6b chore: add cache control header to other_header variable 2020-01-16 14:55:15 +01:00
Dirk Wetter 4603d924be Last fine tuning for http basic auth
* create roff file and HTML
* add hint to $ENV

Avoid 1x subshell

See #1451.
2020-01-16 14:29:53 +01:00
Dirk Wetter 700a727f3f
Merge pull request #1451 from mkauschi/http-basic-auth-support
Add support for HTTP Basic Auth
2020-01-16 14:13:59 +01:00
manuel ddd29dafdd instantiate BASICAUTH variable 2020-01-16 10:15:07 +01:00
manuel 51fb849954 change basicauth_header variable to a local variable 2020-01-16 10:13:16 +01:00
manuel 942cf3d374 add description for HTTP basic auth credentials switch in the docs 2020-01-16 10:11:22 +01:00
manuel 87b46a54fe add support for http basic auth 2020-01-15 16:46:03 +01:00
Dirk Wetter 787e575085
Merge pull request #1450 from drwetter/826days_towarn
Add one second for 825 day validity test
2020-01-15 15:38:26 +01:00
Dirk Wetter 38a00f7170 Add one second for 825 day validity test
The CA browser form agreed on a validity period of 825 days or less
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3-redlined.pdf,
p4).

PR #1427 addressed that. However when an issuer signed/issued a certificate
with exactly 825 days, the check reported incorrectly that the life time
is too long.

This commit addressed that by adding a second to the calulation. Also the
output takes into account that it must be over ('>') 825 days, not '>='.
2020-01-15 15:32:32 +01:00
Dirk Wetter 520a4fbf75
Merge pull request #1449 from drwetter/pr_1070
Reimplement mitigation check (renegotiation->node.js)
2020-01-15 13:09:39 +01:00