Dirk Wetter 
							
						 
					 
					
						
						
							
						
						93c1180f9d 
					 
					
						
						
							
							Update feature_request.md  
						
						
						
						
					 
					
						2021-10-21 10:56:27 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						ff919df2e0 
					 
					
						
						
							
							Update bug_report.md  
						
						
						
						
					 
					
						2021-10-21 10:52:34 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						489b63e9dd 
					 
					
						
						
							
							Merge pull request #2017 from drwetter/cab_is4browsers

						Add browser requirement for the entropy of cert serial
						
						
					 
					
						2021-10-21 09:51:00 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						110d1aa73c 
					 
					
						
						
							
							Add browser requirement for the entropy of cert serial  
						
						
						
						
					 
					
						2021-10-20 19:26:23 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						79df758023 
					 
					
						
						
							
							Merge pull request #2014 from drwetter/fix_len_certserialnum

						Check cert serial len + fix output when too big
						
						
					 
					
						2021-10-20 08:58:46 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						2edfa57eaa 
					 
					
						
						
							
							Check cert serial len + fix output when too big

						OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh
just output that which makes JSON invalid and displays the LF in the terminal
too.
This commit fixes that (#2010) by adding filters so that the
serial number is not a multiline string.
Also this commit introduces a new function: a size check of the cert serial.
Below 8 bytes the CAB Forum's lower limit is hit which says the *entropy*
from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes
length this requirement isn't possible to meet (needs to be clarified with
Shannon, 8 bytes seems too low to me).
The high threshold is according to RFC 5280, Section-4.1.2.2.
See also #2013.
The output has changed, so that on the terminal the serial has one line,
SHA1 and SHA256 each one line. The new json key is "cert_serialNumberLen".
						
						
					 
					
						2021-10-19 19:42:12 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						9683af44a2 
					 
					
						
						
							
							Merge pull request #1988 from drwetter/windows_dns_fix

						Addressing lame DNS responses on WSL
						
						
					 
					
						2021-10-18 16:52:35 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						d496c0d44b 
					 
					
						
						
							
							Merge pull request #2002 from smokris/1995-trusted-first

						In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate
						
						
					 
					
						2021-10-07 18:03:20 +02:00 
						 
				 
			
				
					
						
							
							
								Steve Mokris 
							
						 
					 
					
						
						
							
						
						5c4500ea4f 
					 
					
						
						
							
							Initialize/reset the TRUSTED1ST variable, in case determine_optimal_proto() changes the active openssl binary partway through execution  
						
						
						
						
					 
					
						2021-10-06 16:01:13 -04:00 
						 
				 
			
				
					
						
							
							
								Steve Mokris 
							
						 
					 
					
						
						
							
						
						0012adf47e 
					 
					
						
						
							
							Add a test to verify that expired.badssl.com's chain of trust is expired.  
						
						
						
						
					 
					
						2021-10-05 13:53:58 -04:00 
						 
				 
			
				
					
						
							
							
								Steve Mokris 
							
						 
					 
					
						
						
							
						
						c98bbdc36d 
					 
					
						
						
							
							In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate. Fixes #1995.
						
						
						
						
					 
					
						2021-10-05 13:45:26 -04:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						d720720150 
					 
					
						
						
							
							Merge pull request #2005 from drwetter/fix_1992_certificateIssuerName

						Fix invalid JSON when certificate issuer contains non-ASCII chars
						
						
					 
					
						2021-10-03 19:52:35 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						a5aa3a4bbf 
					 
					
						
						
							
							Fix invalid JSON when certificate issuer contains non-ASCII chars

						Changed printf %s to printf %b, which now causes UTF-8 to be output
correctly.
See #1992
						
						
					 
					
						2021-10-03 18:19:24 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						b6b5a67b92 
					 
					
						
						
							
							Save # of connects / WSL uses 127.0.0.1:0 by default

						In order to save time and to spare WSL users lame DNS lookups
I removed a couple of connect calls from 14 to 4:
$OPENSSL s_client -ssl2 -connect invalid.
-->
OPENSSL s_client -ssl2
NXCONNECT to localhost IP and port 0 is now the default when WSL
is detected. Not sure whether this is working under all circumstances,
so this needs some testing.
						
						
					 
					
						2021-10-02 15:25:42 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						068e07c52c 
					 
					
						
						
							
							Merge pull request #1997 from mig5/fix-letsencrypt-remove-dst-root-x3-ca-cert

						Remove the expired DST Root CA X3 cert from all trust stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)
						
						
					 
					
						2021-10-02 08:38:34 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						bab14124c1 
					 
					
						
						
							
							Merge pull request #2001 from drwetter/revert-1998-1995-trusted-first

						Revert "In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate"
						
						
					 
					
						2021-10-02 08:34:07 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						e874c1013b 
					 
					
						
						
							
							Revert "In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate"  
						
						
						
						
					 
					
						2021-10-02 08:33:39 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						624e934f77 
					 
					
						
						
							
							Merge pull request #1998 from smokris/1995-trusted-first

						In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate
						
						
					 
					
						2021-10-02 08:33:03 +02:00 
						 
				 
			
				
					
						
							
							
								Miguel Jacq 
							
						 
					 
					
						
						
							
						
						905f801309 
					 
					
						
						
							
							Remove the expired DST Root CA X3 cert from all trust stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)

						Remove changes to Dockerfiles
Update hashes for CA trust stores
						
						
					 
					
						2021-10-02 08:05:56 +10:00 
						 
				 
			
				
					
						
							
							
								Steve Mokris 
							
						 
					 
					
						
						
							
						
						b0754ce0f1 
					 
					
						
						
							
							In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate. Fixes #1995.
						
						
						
						
					 
					
						2021-10-01 16:24:04 -04:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						667c6e698c 
					 
					
						
						
							
							Merge pull request #1996 from dcooper16/fix_md_formatting

						Update testssl.1.md
						
						
					 
					
						2021-10-01 18:02:03 +02:00 
						 
				 
			
				
					
						
							
							
								David Cooper 
							
						 
					 
					
						
						
							
						
						8b129577a7 
					 
					
						
						
							
							Update testssl.1.md

						testssl.1.md included '.SS "SINGLE CHECK OPTIONS"', which belongs in testssl.1, but not in testssl.1.md. This commit removes this extra line.
						
						
					 
					
						2021-09-30 14:09:17 -04:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						b8bff805f7 
					 
					
						
						
							
							Merge pull request #1991 from klaernie/contenttype

						fix html output content type header
						
						
					 
					
						2021-09-24 14:21:04 +02:00 
						 
				 
			
				
					
						
							
							
								Andre Klaerner 
							
						 
					 
					
						
						
							
						
						4f72f2fa8e 
					 
					
						
						
							
							fix html output content type header  
						
						
						
						
					 
					
						2021-09-24 11:36:29 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						ae21ef7eab 
					 
					
						
						
							
							Merge pull request #1987 from drwetter/fix_1982_kali.cnf

						Fix #1982: Newer openssl.cnf break openssl detection
					
						2021-09-15 11:19:05 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						fe6c22f7fd 
					 
					
						
						
							
							Addressing lame DNS responses on WSL (WIP)

						This commit provides a global variable to the RFC 6761 use of "invalid."
which WSL clients don't seem to handle very well, see #1738, #1812.
With this commit it e.g. is possible to use
     NXCONNECT=localhost:0 ./testssl.sh <TARGET>
to save some time.
This commit will be amended later.
						
						
					 
					
						2021-09-15 09:53:20 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						2405176a26 
					 
					
						
						
							
							Fix #1982: Newer openssl.cnf break openssl detection

						Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses an
openssl.cnf provided by this project then.
						
						
					 
					
						2021-09-15 09:31:03 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						3207357e8c 
					 
					
						
						
							
							Merge pull request #1985 from DimitriPapadopoulos/codespell

						Typos found by codespell
						
						
					 
					
						2021-09-14 13:37:59 +02:00 
						 
				 
			
				
					
						
							
							
								Dimitri Papadopoulos 
							
						 
					 
					
						
						
							
						
						fcb282e3c3 
					 
					
						
						
							
							Typos found by codespell

						Run codespell in CI
						
						
					 
					
						2021-09-14 13:33:39 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						3dddcbf445 
					 
					
						
						
							
							Merge pull request #1983 from drwetter/drwetter-patch-1

						Update bug_report.md
						
						
					 
					
						2021-09-10 18:37:43 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						611754165f 
					 
					
						
						
							
							Merge pull request #1984 from drwetter/drwetter-patch-2

						Update feature_request.md
						
						
					 
					
						2021-09-10 18:37:17 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						5fc23932ac 
					 
					
						
						
							
							Update feature_request.md  
						
						
						
						
					 
					
						2021-09-10 18:37:02 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						2f173de7e0 
					 
					
						
						
							
							Update bug_report.md  
						
						
						
						
					 
					
						2021-09-10 18:33:39 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						1d4acd9027 
					 
					
						
						
							
							Merge pull request #1981 from drwetter/fix_1978

						Fix minor inconsistency in description of cipher categories
						
						
					 
					
						2021-09-10 08:09:21 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						529e9da823 
					 
					
						
						
							
							Fix GHA (starttls nntp)

						using another IP
						
						
					 
					
						2021-09-09 23:17:09 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						15cfd849fe 
					 
					
						
						
							
							Replace --standard by --categories  
						
						
						
						
					 
					
						2021-09-09 22:07:44 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						739f45015f 
					 
					
						
						
							
							Fix minor inconsistency in description of cipher categories

						A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.
This fixes that, including an addition to the documentation.
Note: the help still lists "-s --std, --standard" as a cmd line
switch.
						
						
					 
					
						2021-09-08 08:46:47 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						8f20d11830 
					 
					
						
						
							
							Merge pull request #1976 from ap-wtioit/3.1dev-fix_dig_r_check

						Fix dig -r check to only run if dig is available
						
						
					 
					
						2021-09-06 10:19:41 +02:00 
						 
				 
			
				
					
						
							
							
								Andreas Perhab 
							
						 
					 
					
						
						
							
						
						5ec1f83434 
					 
					
						
						
							
							Fix dig -r check to only run if dig is available  
						
						
						
						
					 
					
						2021-09-06 08:35:00 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						15e6fb4c9c 
					 
					
						
						
							
							Merge pull request #1975 from a1346054/fixes

						WIP: Minor cleanup
						
						
					 
					
						2021-09-05 15:50:11 +02:00 
						 
				 
			
				
					
						
							
							
								a1346054 
							
						 
					 
					
						
						
							
						
						b1f5c6c9af 
					 
					
						
						
							
							Trim excess whitespace  
						
						
						
						
					 
					
						2021-09-04 13:28:30 +00:00 
						 
				 
			
				
					
						
							
							
								a1346054 
							
						 
					 
					
						
						
							
						
						6782e2a3b9 
					 
					
						
						
							
							Fix spelling  
						
						
						
						
					 
					
						2021-09-04 12:39:03 +00:00 
						 
				 
			
				
					
						
							
							
								a1346054 
							
						 
					 
					
						
						
							
						
						1b17a2c67d 
					 
					
						
						
							
							Fix shellcheck warnings  
						
						
						
						
					 
					
						2021-09-03 22:19:39 +00:00 
						 
				 
			
				
					
						
							
							
								a1346054 
							
						 
					 
					
						
						
							
						
						54dcecd184 
					 
					
						
						
							
							Make text file not executable  
						
						
						
						
					 
					
						2021-09-03 22:19:39 +00:00 
						 
				 
			
				
					
						
							
							
								a1346054 
							
						 
					 
					
						
						
							
						
						945747c210 
					 
					
						
						
							
							Use license file from gnu.org

						Downloaded from:
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
						
						
					 
					
						2021-09-03 22:19:39 +00:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						05ef9f91b6 
					 
					
						
						
							
							Merge pull request #1972 from drwetter/fix_dig-r

						Fix cases where dig -r wasn't working
						
						
					 
					
						2021-09-01 19:50:15 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						bc742e0ea4 
					 
					
						
						
							
							Amend previous commit

						* add -q in grep statement to make sure the console stays clean
* redo check for noidnout by also using the help function of dig
						
						
					 
					
						2021-09-01 18:44:28 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk 
							
						 
					 
					
						
						
							
						
						f8a87315cf 
					 
					
						
						
							
							Fix cases where dig -r wasn't working

						* the ignore ~/.digrc option from dig is now parsed from the builtin help
* there was a potential DNS call which is now avoided
* for +noidnout check however there's a call to invalid. added
* the OPENSSL_CONF="" in check_resolver_bins() was moved a few lines
  higher to avoid other errors in the terminal
Tested on (EOL) Ubuntu 14.04 which only has dig in an older version
See also #1950
						
						
					 
					
						2021-09-01 18:28:12 +02:00 
						 
				 
			
				
					
						
							
							
								Dirk Wetter 
							
						 
					 
					
						
						
							
						
						ad3f7c3438 
					 
					
						
						
							
							Merge pull request #1970 from drwetter/dependabot/github_actions/docker/build-push-action-2.7.0

						Bump docker/build-push-action from 2.6.1 to 2.7.0
						
						
					 
					
						2021-08-30 10:19:39 +02:00 
						 
				 
			
				
					
						
							
							
								dependabot[bot] 
							
						 
					 
					
						
						
							
						
						c39edaaa1d 
					 
					
						
						
							
							Bump docker/build-push-action from 2.6.1 to 2.7.0

						Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.6.1...v2.7.0)
---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
						
						
					 
					
						2021-08-30 01:03:28 +00:00