The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.*. In addition, the code uses $OPENSSL2, which is not defined. This commit fixes these issues.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available. This is the PR for 3.0, for 3.2 see #2695 .
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
OpenSSL 3.X outputs a different error message than previous versions when $OPENSSL s_client -curves X ... is called with an unsupported curve. This was resulting in the check within find_openssl_binary() adding every curve to $OPENSSL_SUPPORTED_CURVES, even ones that were not supported. This commit changes to check in order to detect the new error message.
This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets.
(The bugs were introduced in b8e9b09ca7 and 8149c2d5cf)
.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better `using safe_echo()`
See also #2647 .
When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test for NPN. As that is not implemented we nee dto make sure any other version is used.
This PR ensures that --after testing whether it's a TLS 1.3-only host where this test doesn't make any sense in the first place.
Fix for #2633
In some cases OpenSSL returns an "unsupported" message rather than a "not found" message if X25519 and X448 are not supported. This commit changes the check for whether X5519 and X448 are supported for checking for either response.
This commit fixes#2599 by not wrapping fileout() messages in a "clientProblem" wrapper if TLS13_ONLY is set. The TLS13_ONLY flag being set is an indicator that fileout_banner() has already been called.
In rare cases testssl.sh writes to the terminal output "likely not offered" but misses the "likely" in the json/csv output.
This fixes#2575 for the 3.0 branch by adding that word and amending the return value 4 with a comment.
* Upgrade both GHCR and Docker hub foile to alpine 3.2
* uses openssl version 3.3 as a alternative to option (default is still "ours"
* docker 3.0 yml hast now ubuntu-22.04 (not EOL) + "latest" omitted
... for readablity and bugs to be filed (see #2506)
This PR defines a short string for the OpenSSL banner as some suppliers have
makde them (unnecessarily) long so that it won't fit in the banner.
The banner also now omits the built line nad bash version when scanning
as for the user it is normally not important.
Same as #2528, only for the 3.0 branch.
- Mozilla: 2024-7-02
- Debian 12, ca-certificates from 20230311
- JDK 21.04
- Apple via https://github.com/apple-oss-distributions/security_certificates (according to git log latest change Fri Dec 15 00:44:35 2023)
- Microsoft via CertUtil (date of this PR)
Modified Readme to reflect that the Apple CA certificates are better to retrieve from GH and clarified minor things.
This also fixes#2525 (for 3.0), where >=2 certificates were missing.
