1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-17 19:21:57 +02:00
Commit Graph

1035 Commits

Author SHA1 Message Date
8da00a8025 Merge pull request from dcooper16/devel_option
Fix "--devel" with SSLv2
2016-08-28 18:03:17 +02:00
dfa0cfd0b4 Merge pull request from dcooper16/no_ssl2
OpenSSL 1.1.0 doesn't have "-no_ssl2" option
2016-08-28 17:58:56 +02:00
b9c0ac9ee3 Merge pull request from dcooper16/beast_no_ssl3
Warning on BEAST when no local SSLv3 support
2016-08-28 17:57:39 +02:00
12e3a3314a OpenSSL 1.1.0 doesn't have "-no_ssl2" option
With OpenSSL 1.1.0, `s_client -no_ssl2` fails with an "unknown option" error. At the moment the `-no_ssl2` option is only used in two functions, `run_client_simulation()` and `run_crime()`. In `run_crime()`, the `-no_ssl2` option is only included if the OpenSSL version is 0.9.8.

This PR checks whether the OpenSSL version in use supports the `-no_ssl2` option, and if it doesn't, it removes it from the calls to `s_client` in `run_client_simulation()`.
2016-08-24 10:14:12 -04:00
7cfe97f23a Warning on BEAST when no local SSLv3 support
If the version of OpenSSL being used doesn't support `s_client -ssl3` (e.g., OpenSSL 1.1.0), `run_beast()` doesn't display a warning that testing for CBC in SSLv3 isn't locally supported.

This PR adds a "Local problem" warning if the OpenSSL being used doesn't support `s_client -ssl3`.
2016-08-23 12:37:22 -04:00
2b7a77979c Fix "--devel" with SSLv2
If testssl.sh is called with `--devel 22` and the response from `sslv2_sockets()` is not 0, then `tls_sockets()` will be called, and the result of the `tls_sockets()` command will be output rather than the result of the `sslv2_sockets()` command.
2016-08-11 14:40:20 -04:00
424cf233d1 FIX 2016-08-09 10:35:58 +02:00
b0923a1833 - workaround for failed CI test 2016-07-26 22:00:53 +02:00
b1595c124b - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 21:03:09 +02:00
c8490c0dea Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:51:56 +02:00
7fb89f8071 - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 20:51:21 +02:00
1d516a2d4d Delete openssl.Linux.i686-krb5 2016-07-26 20:43:02 +02:00
19f2182af1 Delete openssl.Linux.x86_64-krb5 2016-07-26 20:42:48 +02:00
a0582d70e1 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:41:26 +02:00
d5bda3272f - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers frpom PM 2016-07-26 20:40:27 +02:00
1c4790b184 Update Readme.md 2016-07-26 20:32:05 +02:00
2e1e45fca0 Update Readme.md 2016-07-26 20:31:20 +02:00
830bc0fb4f Update Readme.md 2016-07-26 20:23:31 +02:00
c7afd8e366 Update Readme.md 2016-07-26 20:22:51 +02:00
5114a118f2 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-26 20:18:37 +02:00
69e8be6be8 - new 1.0.2i binaries with IPv6 and renamed old chacha/poly-ciphers from PM 2016-07-26 20:16:35 +02:00
48f2dc20a6 Merge pull request from dcooper16/determine_optimal_proto_ssl2_fix
SSLv2 fixes for determine_optimal_proto()
2016-07-26 18:29:49 +02:00
3f550d14cf Merge pull request from dcooper16/old_openssl_warning
Don't ignore response to old OpenSSL warning
2016-07-26 18:27:33 +02:00
8d3e157e35 Merge pull request from dcooper16/minor_typos
Fix two minor typos
2016-07-26 18:25:39 +02:00
746eab7f6b Fix two minor typos
Fixes for two minor typos that were previously included in PR .
2016-07-26 12:07:08 -04:00
4ed1f2fc11 Don't ignore response to old OpenSSL warning
In the check for old versions of OpenSSL, the results of the call to `ignore_no_or_lame()` are ignored, and so the program continues even if the user enters `no`.
2016-07-26 11:29:25 -04:00
bc6367d3ad Update testssl.sh 2016-07-26 11:21:23 -04:00
b43562aabf Update testssl.sh 2016-07-26 11:13:45 -04:00
23d311b1fc SSLv2 fixes for determine_optimal_proto()
This PR makes three changes to `determine_optimal_proto()`:
* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
2016-07-26 11:10:20 -04:00
5a763ff8e1 Merge pull request from dcooper16/run_rc4_ssl2_ciphers
SSLv2 fixes for run_rc4()
2016-07-26 12:08:17 +02:00
a8048ccfa0 Merge pull request from dcooper16/test_just_one_ssl2_ciphers
SSLv2 fixes for test_just_one()
2016-07-26 07:54:29 +02:00
add75caf82 SSLv2 fixes for test_just_one()
This PR changes test_just_one() to correctly handle SSLv2 ciphers.

As with PR , this PR addresses the problem in which servers that do not implement SSLv2, but that implement RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, or NULL-MD5 are shown as implementing both the SSLv2 and SSLv3 versions of the ciphers, and that any SSLv2 ciphers that a server does implement are not shown as being implemented.
2016-07-25 17:00:49 -04:00
43d5ad5071 SSLv2 fixes for run_rc4()
This PR changes run_rc4() to correctly handle SSLv2 ciphers.

It addresses the problem in which servers that do not implement SSLv2, but that implement SSLv3 ciphers that share an OpenSSL name with an SSLv2 cipher (RC4-MD5 and EXP-RC4-MD5), are not incorrectly shown as having implemented the SSLv2 cipher.

It also addresses the problem that if a server does implement SSLv2 with an RC4 SSLv2-cipher suite, then that cipher suite it not shown as being implemented.
2016-07-25 16:42:04 -04:00
9b3cfab5b8 Merge pull request from dcooper16/run_allciphers(),run_cipher_per_proto(),-and-SSLv2
run_allciphers(),run_cipher_per_proto(), and SSLv2
2016-07-25 20:04:14 +02:00
bb29e3c917 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-25 09:39:28 -04:00
541690b46e - enabled+renamed tolerance test per default
- quoted some bool vars for faster execution
2016-07-23 15:12:13 +02:00
38b61ed36f Merge pull request from dcooper16/version_negotiation
Additional checks in run_protocols()
2016-07-23 14:54:50 +02:00
3d588ddb20 change sequence of out output (trust checks together 2016-07-23 14:52:26 +02:00
0c2acdd8fe Merge pull request from dcooper16/signed-signed-check
Fix check for self-signed certificate
2016-07-23 14:47:14 +02:00
1a099d35b7 - minor polishing 2016-07-23 11:17:49 +02:00
9ef0cef8ef Merge pull request from dcooper16/CN-hostname-match
CN <--> hostname match
2016-07-23 11:13:29 +02:00
ae38670067 Fix check for self-signed certificate
The check for whether a certificate is self-signed was using the undefined variable $CN rather than $cn.
2016-07-22 12:06:52 -04:00
59002c1088 Update JSON id for chain-of-trust 2016-07-22 11:57:16 -04:00
df64e47fb9 CN <--> hostname match
PR to address issue  (CN <--> hostname match)
2016-07-22 11:31:52 -04:00
ddead05825 Merge pull request from dcooper16/issuer2
CA names with domain component attributes
2016-07-21 12:16:24 +02:00
603ed33f57 Merge branch 'master' into version_negotiation 2016-07-20 13:39:11 -04:00
6730ed8340 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-20 13:37:54 -04:00
bdea1a0971 Merge branch 'master' into issuer2
Conflicts:
	testssl.sh
2016-07-20 11:45:08 -04:00
d98e49f5ba Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-20 17:39:52 +02:00
6e5c2a824e merged 2016-07-20 17:38:55 +02:00