Fixes#2833
This does a check for the opossum vulnerability, see https://opossum-attack.com/ .
It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.
`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.
Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help
Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS.
Also change the displayed text.
See #2832 (which was for 3.2)
This fixes a problem which was introduced @ 8d8f83ace5.
It caused for some hosts not to parse / display the issuer CN correctly.
Also it adds some code in testssl.sh and in a unit test to detect
this earlier. In general an output string FIXME will now cause a
unit test to fail. This can + should be used at other places too!
Fixes#2789
As suggested in #2780 this PR redirects all stderr on a perl level
to stdout so that we should see all errors which we miss because
we can't redirect (>/dev/null in check) or we haven't redirected yet.
Also old checks are imporved, so that $prg is used as in newer
checks.
Not sure why this has been triggered though.
# Failed test 'Check whether CSV output matches baseline file from testssl.sh'
# at t/61_diff_testsslsh.t line 57.
#
# %s
# @@ -1,5 +1,4 @@
# "id","fqdn/ip","port","severity","finding","cve","cwe"
# -"engine_problem","/","443","WARN","No engine or GOST support via engine with your ./bin/openssl.Linux.x86_64","",""
# "service","testssl.sh/81.169.166.184","443","INFO","HTTP","",""
# "pre_128cipher","testssl.sh/81.169.166.184","443","INFO","No 128 cipher limit bug","",""
# "SSLv2","testssl.sh/81.169.166.184","443","OK","not offered","",""
# Looks like you failed 1 test of 1.
t/61_diff_testsslsh.t ..............
* use system with @args so that we can query the return value
* code style improved for readability
* diff shows the filtered difference
* ok instead of cmp_ok to show not the whole content of vars
This adds a unit test to compare a run against google with the supplied openssl
version vs /usr/bin/openssl .
This would fix#2626.
It looks like there are still points to clarify
* NPN output is different (bug)
* Newer openssl version claims it's ECDH 253 instead of ECDH 256.
* Newer openssl version claims for 130x cipher it's ECDH 253, via sockets it´s ECDH/MLKEM. This seems a bug (@dcooper)
A todo is also restricing the unit test to the one where openssl is being used. E.g. the ROBOT check and more aren't done with openssl. So there's no value checking this here.
.. to scan.
It worked in a few examples locally. Other hosts I tried so far weren't
available anymore (like scanme.nmap.org). In order to reduce the burden
we scan now only during PRs.
