Commit Graph

4303 Commits

Author SHA1 Message Date
Dirk Wetter
0dac50c830
Merge pull request #2272 from dcooper16/fix2271
Fix #2271
2022-11-11 16:27:18 +01:00
David Cooper
43fade414c Fix #2271
This commit fixes #2271 by adding the `-no_ssl2` option to the call to get_host_cert() in run_drown(). There is at least one server that causes OpenSSL to hang if this call to get_host_cert() results in an SSLv2 ClientHello being sent. Since this call to get_host_cert() only needs to find the server's certificate in cases in which the server does not support SSLv2, there is no need to send an SSLv2 ClientHello.
2022-11-10 11:24:56 -08:00
Dirk Wetter
92a80f7f86
Merge pull request #2268 from drwetter/mastodon
Hint for mastodon
2022-11-10 15:11:41 +01:00
Dirk Wetter
c403249678
Hint for mastodon
... and to a separate account
2022-11-10 15:09:03 +01:00
Dirk Wetter
6716dc7465
Merge pull request #2261 from osown/3.1dev
if PROXY variable is set there is no need to do a direct connection attempt
2022-11-10 10:52:14 +01:00
Dirk Wetter
2b0fdfdf64
Merge pull request #2262 from dcooper16/run_fs_infnite_loop
Fix infinite loop in run_fs()
2022-11-10 09:43:29 +01:00
Dirk Wetter
a4419fa9c9
Merge pull request #2264 from dcooper16/padding
Clean up adding padding
2022-11-10 09:37:42 +01:00
Dirk Wetter
dda579cdf2
Merge pull request #2266 from dcooper16/fix2249
Fix #2249
2022-11-10 09:22:35 +01:00
David Cooper
f5162c9897 Fix #2249
This commit fixes #2249 by recognizing "sha1WithRSA" synonym for "sha1WithRSAEncryption."

OpenSSL uses "sha1WithRSAEncryption" to represent 1.2.840.113549.1.1.5 and "sha1WithRSA" to represent 1.3.14.3.2.29. While 1.2.840.113549.1.1.5 is generally recognized as the "standard" OID for RSA with SHA-1 (see, for example, RFC 3279), 1.3.14.3.2.29 has been used in some places as well (https://codereview.chromium.org/1223763002, https://bugzilla.mozilla.org/show_bug.cgi?id=1042479, https://github.com/pyca/cryptography/issues/3160).
2022-11-09 10:26:38 -08:00
David Cooper
e59d6ab9f6 Clean up adding padding
This commit simplifies the adding of padding data in a few places. Rather than adding one or two bytes at a time in a "for" loop, all of the padding is added in one step by extracting it from a long padding string. (The one exception is in run_robot(), where a "for" loop is used to add additional padding in case in which the RSA modulus is longer than the pre-defined padding string.)

Extracting the padding from a long string is faster than using a "for" loop and it makes the debugging file a little cleaner.

The idea is the same as PR #1940.
2022-11-07 14:13:45 -08:00
Tobias Pawelke
305855eef7 if PROXY variable is set there is no need to do a direct connection attempt 2022-11-02 13:19:28 +01:00
David Cooper
a4c24d58f4 Fix infinite loop in run_fs()
This commit fixes an infinite loop in run_fs() that occurs in cases in which $OPENSSL supports TLS 1.3 and the server supports all of the non-TLS 1.3 FS ciphers that $OPENSSL supports but not all of the TLS 1.3 ciphers that $OPENSSL supports.

The problem is that testing for supported ciphers using $OPENSSL, testing should stop if there are no more ciphers to test (because all of the ciphers supported by $OPENSSL have been determined to be supported by the server). However, currently testing only stops if both the list of TLS 1.3 ciphers and non-TLS 1.3 ciphers is empty. In the problematic case, only the list of non-TLS 1.3 ciphers is empty. Instead of stopping, s_client_options() is called with a -cipher option with an empty list, and s_client_options() simply removes the -cipher option from the command, resulting in a call to $OPENSSL s_client with a full list of non-TLS 1.3 ciphers. Since this call succeeds, the loop continues.

This commit fixes the problem by stopping TLS 1.3 ClientHello testing when the list of TLS 1.3 ciphers is empty and stopping non-TLS 1.3 ClientHello testing when the list of non-TLS 1.3 ciphers is empty.
2022-11-01 14:03:27 -07:00
Dirk Wetter
f5d41ff26f
Merge pull request #2258 from drwetter/minor
Fix indentation + clarify openssl warning
2022-10-21 15:44:55 +02:00
Dirk Wetter
7c38cc7290
Merge pull request #2235 from dcooper16/fix1311
Fix #1311
2022-10-21 15:41:24 +02:00
David Cooper
5c889bde0f Include cipher order information in file output on a per protocol basis
This commit fileout() calls to ciphers_by_strength() and cipher_pref_check() to indicate whether or not the server enforces a cipher order for a protocol version.
2022-10-20 12:49:22 -07:00
Dirk
55558b86d8 Fix indentation + clarify openssl warning 2022-10-20 14:55:22 +02:00
David Cooper
045778b2d8 Fix #1311
This commit fixes #1311 by only rating the lack of a server-enforced ciper order negatively if there is a difference in the quality rating of the ciphers offered for a particular protocol.
2022-10-19 10:03:53 -07:00
Dirk Wetter
8d9b11be40
Merge pull request #2257 from drwetter/drwetter-patch-1
Fix typo
2022-10-19 14:09:48 +02:00
Dirk Wetter
ea67c4f4a8
Fix typo
See #2256
2022-10-19 14:06:26 +02:00
Dirk Wetter
73fa3e5aef
Merge pull request #2251 from drwetter/dependabot/github_actions/docker/setup-qemu-action-2.1.0
Bump docker/setup-qemu-action from 2.0.0 to 2.1.0
2022-10-13 09:37:40 +02:00
Dirk Wetter
f823c0528e
Merge pull request #2252 from drwetter/dependabot/github_actions/docker/build-push-action-3.2.0
Bump docker/build-push-action from 3.1.1 to 3.2.0
2022-10-13 09:37:23 +02:00
Dirk Wetter
fa412b1a33
Merge pull request #2250 from drwetter/dependabot/github_actions/docker/login-action-2.1.0
Bump docker/login-action from 2.0.0 to 2.1.0
2022-10-13 09:37:06 +02:00
dependabot[bot]
681fd6e8d7
Bump docker/build-push-action from 3.1.1 to 3.2.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.1.1 to 3.2.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.1.1...v3.2.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 00:12:49 +00:00
dependabot[bot]
e735c022b0
Bump docker/setup-qemu-action from 2.0.0 to 2.1.0
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 00:12:46 +00:00
dependabot[bot]
35a6fe94bf
Bump docker/login-action from 2.0.0 to 2.1.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 00:12:43 +00:00
Dirk Wetter
0ed2bf0ada
Merge pull request #2234 from cancom/fix/grade-cap-sorting
Fix grade cap reasons not showing weak public keys
2022-10-07 16:48:06 +02:00
Dirk Wetter
09a479cb7a
Merge pull request #2238 from dcooper16/SC2235
Fix Shellcheck SC2235
2022-10-07 16:24:04 +02:00
David Cooper
bbe8987053 Fix Shellcheck SC2235
SC2235 is "Use { ..; } instead of (..) to avoid subshell overhead."

In a large number of places testssl.sh uses paraenthesis in complex boolean expressions in order to specify an evaluation order. The paranthesis results in the expression being evaluated in a subshell, which makes evaluation very expensive. This commit addresses the problem by rewriting any expressions that unnecessarily create subshells.
2022-09-29 15:37:51 -07:00
Dirk Wetter
b03d8ca1e3
Merge pull request #2248 from war59312/patch-1
Readme.md - Small Fixes To Docs Section
2022-09-29 19:16:25 +02:00
Will
7fee2381dc
Update Readme.md 2022-09-29 13:00:13 -04:00
Will
2e04127f06
Readme.md - Small Fixes To Docs Section
Small fix for Documentation section
2022-09-28 15:36:05 -04:00
Dirk Wetter
c487f911aa
Merge pull request #2247 from drwetter/bump_version_rc
Bump rc version
2022-09-28 17:17:52 +02:00
Dirk Wetter
77a2d891cf Bump rc version
... so that distributors feel more encouraged to switch to this version
and drop 3.0.x
2022-09-28 09:21:25 +02:00
Dirk Wetter
33376cca8c
Merge pull request #2244 from drwetter/grep_quotes
Squashed some double quotes for grep expressions
2022-09-18 21:50:30 +02:00
Dirk Wetter
8c14a42180 Squashed some double quotes for grep expressions
... in favor of single quotes
2022-09-18 19:27:36 +02:00
Dirk Wetter
0e61b72197
Merge pull request #2242 from ghen2/grep-3.8
Fix grep 3.8 warnings on unneeded escapes of hyphen, slash, space.
2022-09-18 17:38:11 +02:00
Geert Hendrickx
e36325f8cd
Fix grep 3.8 warnings on unneeded escapes of hyphen, slash, space.
Use -e where needed to avoid confusion of expression as arguments.
2022-09-17 21:04:14 +02:00
Dirk Wetter
03b3ba8078
Merge pull request #2239 from dcooper16/neat_list_alignment
Fix alignment in neat_list()
2022-09-16 09:14:51 +02:00
David Cooper
93ece13747 Fix alignment in neat_list()
When neat_list() is printing information about a cipher suite that uses (EC)DH key exchange that was obtained using an old version of OpenSSL the rows are not properly aligned, since the key exchange input includes an unexpected trailing space. This commit fixes the problem by removing any trailing spaces from $kx.
2022-09-15 13:51:04 -07:00
Dirk Wetter
de48956639
Merge pull request #2237 from a1346054/which
Use bash-builtin `command -v` instead of external `which`
2022-09-14 21:25:14 +02:00
Dirk Wetter
1193d89344
Merge pull request #2236 from a1346054/fixes
Use `grep -E` instead of `egrep`
2022-09-14 21:19:47 +02:00
a1346054
902bdf3d92
Use bash-builtin command -v instead of external which
`command -v` is a bash builtin and is a standardized version of `which`
2022-09-12 23:24:26 +00:00
a1346054
4712c48597
Use grep -E instead of egrep 2022-09-12 20:12:28 +00:00
Benedict Becker
0572609793
Fix grade cap reasons not showing weak public keys 2022-09-07 16:18:19 +02:00
Dirk Wetter
b3c49b584d
Merge pull request #2227 from dcooper16/fix_data_after_finished
Fix decrypting TLS 1.3 server response
2022-09-07 10:11:39 +02:00
Dirk Wetter
34f7b4d8a3
Merge pull request #2229 from cancom/feat/overall_grade
Consistent overall_grade output
2022-09-07 10:10:12 +02:00
Dirk Wetter
7e885b4b95
Merge pull request #2225 from dcooper16/fix_determine_cert_compression
Fix determine_cert_compression() and certificate_transparency()
2022-09-07 10:08:25 +02:00
Benedict Becker
075bdc5fbf
Consistent overall_grade output 2022-09-07 09:38:59 +02:00
David Cooper
0403149b61 Fix determine_cert_compression() and certificate_transparency()
determine_cert_compression() and certificate_transparency() do not work in debug mode, since tls_sockets() writes debugging messages to stdout. This commit fixes the problem by having determine_cert_compression() and certificate_transparency() return their results using a global variable rather than writing the results to stdout and having having run_server_defaults() catch the output.
2022-09-06 11:09:18 -07:00
David Cooper
963b606168 Fix decrypting TLS 1.3 server response
There is at least one server that includes a new session ticket in the same packet as the Finished message. This confuses check_tls_serverhellodone() since the new session ticket is encrypted under the application traffic keys rather than the handshake keys. check_tls_serverhellodone(), being unable to decrypt the new session ticket reports a failure and does not return any of the decrypted data.

This commit fixes the problem by having check_tls_serverhellodone() simply return (or ignore) any data that appears after the Finished message. If such data is returned, then tls_sockets() derives the application traffic keys and decrypts it so that it can be parsed by parse_tls_serverhello().
2022-09-06 09:58:45 -07:00