Commit Graph

2637 Commits

Author SHA1 Message Date
Dirk e8d7e16a9d handle better missing ca_hashes.txt 2016-11-04 08:35:27 +01:00
Dirk Wetter cc6da260f8 Merge pull request #508 from dcooper16/parse_tls_serverhello2
Extend TLS ServerHello parsing (part 2)
2016-11-04 07:25:38 +01:00
Dirk Wetter 1d461307be Merge pull request #503 from AlGreed/2.9dev
new pretty JSON format + severity level filter
2016-11-04 07:22:25 +01:00
AlGreed ebc1f691b9 Merge remote-tracking branch 'drwetter/2.9dev' into 2.9dev 2016-11-04 03:05:37 +01:00
AlGreed 175ead6d2a Merge remote-tracking branch 'drwetter/2.9dev' into 2.9dev 2016-11-04 02:54:56 +01:00
David Cooper a6addba038 Extend TLS ServerHello parsing (part 2)
This PR adds initial parsing of the ServerKeyExchange message to `parse_tls_serverhello()`. For ephemeral DH keys, it extracts the length of the key. For ephemeral ECDH keys that are encoded using the named_curve option, it extracts the length of the key and the name of the curve.
2016-11-03 16:14:14 -04:00
David Cooper 31eba73b36 Merge branch '2.9dev' into tls_sockets_extra_extensions 2016-11-03 14:20:20 -04:00
Dirk Wetter 04544e8423 Merge pull request #506 from dcooper16/parse_tls_serverhello1
Extend TLS ServerHello parsing (part 1)
2016-11-03 17:57:15 +01:00
Dirk Wetter 702a9d6c6b Merge pull request #505 from dcooper16/fix_499
Fix #499
2016-11-03 17:51:41 +01:00
David Cooper ed4d29e0c5 Allow caller to provide extra extensions to tls_sockets()
This PR allows the caller to provide additional extensions to `tls_sockets()` to be included in the ClientHello. If the caller provides an extension that would have already been included in the ClientHello, then the caller's value for the extension is used rather than the default value.
2016-11-03 10:49:27 -04:00
David Cooper 98aaab5e12 Extend TLS ServerHello parsing (part 1)
This PR extended `parse_tls_serverhello()` in a few ways:

* If the "full" response is to be parsed, then additional checks are performed to verify that `$tls_hello_ascii` contains the entire response

* The extensions field is parsed and the list of extensions found is placed in `$TLS_EXTENSIONS` (if the "full" response is being parsed).

* Initial support for TLS 1.3 is added:

  - Accounts for differences between TLS 1.2 ServerHello and TLS 1.3 ServerHello (as outlined in PR #499).

  - Recognizes new alerts and handshake message types.

  - Allows for server response to include message fragments of type "application data"
2016-11-03 10:18:27 -04:00
David Cooper 24cc3ae73f Fix #499
I forgot that `parse_tls_serverhello()` is also called by `client_simulation_sockets()`. Since PR #499 changed the input to `parse_tls_serverhello()`, the change needs to be made in `client_simulation_sockets()` as well.
2016-11-03 10:02:45 -04:00
Dirk Wetter a91e45035b Update Readme.md 2016-11-03 13:44:10 +01:00
Dirk Wetter 181c998c7b Update Readme.md 2016-11-03 13:42:18 +01:00
Dirk 096d723767 revert 432163cca5 2016-11-03 13:36:55 +01:00
Dirk Wetter 82dbb23cab Merge pull request #499 from dcooper16/get_full_server_response
Add option to retrieve entire server response
2016-11-03 13:12:16 +01:00
David Cooper 80d9f418d0 Merge branch '2.9dev' into get_full_server_response 2016-10-31 08:57:34 -04:00
Dirk f1d609e008 putput polish 2016-10-29 15:38:07 +02:00
Dirk Wetter 63ec369f34 output polish 2016-10-29 15:37:30 +02:00
David Cooper 3fa8449351 Merge branch '2.9dev' into get_full_server_response 2016-10-28 16:59:01 -04:00
Dirk 432163cca5 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev
Conflicts:
	Readme.md
2016-10-28 22:19:36 +02:00
Dirk fac1a21b3d Merge branch 'dcooper16-no_version_tolerance_test' into 2.9dev 2016-10-28 22:17:52 +02:00
Dirk cc474190af Merge branch 'no_version_tolerance_test' of https://github.com/dcooper16/testssl.sh into dcooper16-no_version_tolerance_test
Conflicts:
	testssl.sh
2016-10-28 22:17:34 +02:00
Dirk Wetter 4c8369eabb Update Readme.md 2016-10-28 22:07:53 +02:00
Dirk b540d362b9 add option for -n / --nodns which avoids DNS lookups. Usefuk where ne DNS is needed.available as is speeds up the start consinderably 2016-10-28 21:37:10 +02:00
Dirk Wetter df2704dc20 Merge pull request #498 from Sousaphone/master
Apple ATS9 client simulation
2016-10-28 21:31:39 +02:00
Dirk Wetter cd9f45ce25 Merge pull request #493 from dcooper16/asciihex_to_binary
Use printf in asciihex_to_binary_file
2016-10-28 21:31:01 +02:00
Dirk Wetter b735110097 Merge pull request #501 from dcooper16/no_mapping_file
Fix for when no mapping file is present
2016-10-28 21:29:18 +02:00
AlGreed 694e4c7b6e pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00
David Cooper 95f583322a Merge branch 'master' into no_version_tolerance_test 2016-10-27 16:51:50 -04:00
Dirk 99300a0059 bump version 2016-10-27 22:02:35 +02:00
Dirk 00a5d19276 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-10-27 22:00:19 +02:00
Dirk 337e66fc61 Merge branch 'CA_pinning' 2016-10-27 21:59:42 +02:00
Dirk 1613bb214e Merge branch 'master' into CA_pinning
Conflicts:
	testssl.sh
2016-10-27 21:59:10 +02:00
David Cooper 4614e56022 Fix for when no mapping file is present
Now that the mapping file is no longer used, `$ADD_RFC_STR` should not be unset just because the mapping file cannot be found.

In addition, since `show_rfc_style()` is now used in `parse_tls_serverhello()`, it cannot return an empty string just because the user set "--mapping no-rfc" on the command line. Instead, `neat_list()` should check the value of `$ADD_RFC_STR` and not call `show_rfc_style()` if it has been unset.

Finally, since `show_rfc_style()` no longer returns strings with extra spaces, there is no need to call `strip_spaces()`
2016-10-27 14:28:16 -04:00
David Cooper c8ff119316 Add option to retrieve entire server response
In some cases the server's response to a ClientHello spans more than one packet. If the goal is just to determine whether the connection was successful and to extract a few pieces of information from the ServerHello message, then this is unlikely to be a problem. However, if there is a desire to extract the server's certificate chain (Certificate message) or to determine the type and size of the server's ephemeral public key (ServerKeyExchange message), then the entire response needs to be obtained, even if it spans multiple packets.

This PR adds a new function, `check_tls_serverhellodone()`, that checks whether the entire response has been received (e.g., whether the ServerHelloDone message has been received). If the response indicates that the response is incomplete, then `tls_sockets()` requests more data from the server until the response is complete or until the server doesn't provide any more data in response.

The PR only changes the behavior of `tls_sockets()` if the caller indicates that it wants to extract the ephemeral key or that it wants the entire response to be parsed. Otherwise, only the first packet returned by the server is sent to `parse_tls_serverhello()`. [The value of `$process_full` is not used at the moment, but will be in a subsequent PR that modifies `parse_tls_serverhello()`.]

This PR also changes `tls_sockets()` to send a close_notify to the server if the connection was successfully established.
2016-10-25 11:04:23 -04:00
Dirk Wetter bfad620bf5 Update Readme.md 2016-10-21 22:16:19 +02:00
Thomas Alexander Frederiksen 217f2fb91a Apple ATS9 client test 2016-10-19 10:54:37 +02:00
Dirk ef78aec50b FIX #490 2016-10-15 22:56:53 +02:00
Dirk 5e5edd5c89 FIX #490 2016-10-15 22:55:24 +02:00
Dirk Wetter 6abca0c598 Merge pull request #495 from mailsvb/minor_display_fix_ssl3_offer
remove additional pr_off at the end of sslv2 check
2016-10-14 22:07:19 +02:00
mailsvb 4ce4d922ac remove additional pr_off at the end of sslv2 check 2016-10-12 22:32:35 +02:00
Dirk d32dbdaff3 Updating MS store, sill small, still not automated/cumbersome not sure if ok 2016-10-12 21:15:37 +02:00
Dirk 6723622024 - do not do HTTP2+SPDY checks if non-STARTTLS but also non-HTTP
- ASSUMING_HTTP --> ASSUME_HTTP
- minor cleanups
2016-10-11 22:30:30 +02:00
David Cooper 3c55eec654 Remove test of version tolerance
PR #346 added a test for version tolerance to `run_protocols()`, but I think it may now be more appropriate to remove that test. Draft -16 of TLS 1.3, which was posted on September 22, changed the way that version negotiation is handled for TLS 1.3 and above. The current version tolerance test sends a ClientHello with the version field set to "03, 05", to represent a TLS 1.4 ClientHello. While this was consistent with RFC 5246 and with drafts of TLS 1.3 up to -15, draft -16 changed the version field to `legacy_version` and declared that its value should be "03, 03" for TLS 1.2 and above. (For TLS 1.3 and above a Supported Versions extension is included to inform the server which versions of TLS the client supports.) The change in draft -16 was made as a result of the problems with servers not handling version negotiation correctly.

Since the current draft suggests that a server should never be presented with a ClientHello with a version higher than "03, 03" (even for clients that support TLS versions higher than 1.2), it seems there is no reason to include the version tolerance test anymore.

For servers that do not support TLS 1.2, the additional checks that were added by PR #346 will already detect if the server cannot perform version negotiation correctly.
2016-10-11 11:01:04 -04:00
David Cooper 140ff91c60 Use printf in asciihex_to_binary_file
Use `printf` in `asciihex_to_binary_file()` rather than `echo -e -n`
2016-10-11 10:08:59 -04:00
Dirk Wetter d59c581700 Update Readme.md 2016-10-11 12:17:33 +02:00
Dirk 77f98e73e2 medium only for "Secure Client-Initiated Renegotiation" != HTTP 2016-10-10 23:27:34 +02:00
Dirk Wetter 51912944ec Merge pull request #492 from mailsvb/CA_BUNDLES_PATH
fix usage of CA_BUNDLES_PATH env for local ca_bundles
2016-10-09 10:22:22 +02:00
mailsvb 5a967302dc fix usage of CA_BUNDLES_PATH env for local ca_bundles 2016-10-08 22:50:44 +02:00