Commit Graph

42 Commits

Author SHA1 Message Date
Dirk
ab7ca281c0 Minor polishing 2018-12-07 14:35:49 +01:00
Dirk
6fe5adbbc3 Improved connection failure conditions
As a kind of a pre-warning this commit allows the n-1 connection problem to
give feedback on the screen (that wasn't working before).

Also the message on the screen is now more clear and the manpage
gives better advice.

Related to #1172
2018-12-05 16:09:36 +01:00
Dirk
f591126a1b Minor updates
added: client simulation, requirements.

Updated number of ciphers.
2018-11-12 21:36:43 +01:00
Dirk
da233c939e RFC --> IANA
The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
2018-11-08 20:26:52 +01:00
Dirk
44570541c0 Tell which OpenSSL versions support IPv6 out of the box 2018-09-10 09:52:59 +02:00
Dirk
8d7dd663f9 Finalizing proxy support for OCSP checks
As mentioned in #1106 proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
2018-08-24 15:43:25 +02:00
Dirk
3fdcd034f3 Fine tuning of --outprefix
The standard separator after $FNAME_PREFIX is now '-'.
You can as well supply a different <fname_prefix> ending in '.',  '_' or ',' , then
no no additional '-' will be appended.

Also a small bash function get_last_char() has been introduced which returns
the last char from a supplied string.
2018-08-23 11:40:50 +02:00
Dirk
5837e82c85 Supplying of both -6 and --ip=one results in picking an IPv6 address
... previously it depended on the order of DNS replies otherwise. This was
one outcome of discussion in #1026 where it seemed more logical
to pick an IPv6 address as opposed to an abitrary (v4/v6) address.
2018-08-16 12:03:56 +02:00
Dirk
33cf1d524c Fine tuning if Jac2NL's commit of IDS evasion
Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This maybe
subject to reconsider at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
2018-06-26 13:04:30 +02:00
Dirk
87f0cda234 Fix #1071 : typos and link in docu 2018-06-25 18:31:55 +02:00
Dirk
aa0f33e984 Update RFC section in ~/doc with soon to be TLS 1.3 RFC
See PR #1072, title taken from
https://github.com/ietf/draft-ietf-tls-tls13/blob/master/rfc8446.xml
(maybe subject to change).

Todo: Handle the obsolted ones, maybe by adding "obsolete"
2018-06-20 09:41:51 +02:00
Dirk
c3927d00c8 Document --phone-out 2018-04-27 21:37:44 +02:00
Dirk
ddf5ff6bc9 Minor additions wrt --color=3 and fname prefix 2018-04-26 09:39:30 +02:00
Dirk
e7619fa8d9 Documenting exit error codes improvements
See prevoius commit b2be380b54 and
issue #985 / #752.
2018-04-12 18:14:14 +02:00
Dirk
36247fecf2 fix no-DNS related error in documentation 2018-04-12 01:19:02 +02:00
Dirk
2a4de68c59 Merge branch 'nodns-935' into 2.9dev 2018-04-12 01:06:33 +02:00
Dirk
557942cb0a Change logic and add conservative value for -n/--nodns (#935)
This PR changes the logic the no-DNS switch works. The switch
now expects a value. "min" does minimum lookups, "none" does
no lookups at all (details see testssl.sh(1) ). "none" is
equivalent to the paranoid (boolean) value "true" before.
2018-04-12 00:19:52 +02:00
Karsten Weiss
eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk
eb3b3a1988 be more verbose what --warnings=batch means (see #1027) 2018-04-05 22:02:35 +02:00
Dirk
1924c9a0a6 Connectivity problems, man page update
See previous commit

This commit finally fixes #1005 so that either a --ssl-native scan
terminates on the next (defined) occasion if there are network connectivity
problems. It introduces another set of variables (MAX_OSSL_FAIL vs. NR_OSSL_FAIL).
As "openssl s_client connect" is sometimes still being used without --ssl-native
it also shortens the wait for regular scans if an outage is encountered.
To make things easier bot sets (incl. *_SOCKET_FAIL) of variables are independent.

For the seldom case that somebody uses --ssl-native with client checks an exception
had to be made as otherwise only MAX_OSSL_FAIL client check would be performed.
This hasn't been understood yet...

As sometimes HTTP header requests (over OpenSSL) fail repeatedly in a way that an empty
reply is returned, the same strategy of detecting problems is applied here,
using MAX_HEADER_FAIL and NR_HEADER_FAIL.

All three detection mechanisims share a new function connectivity_problem().
2018-03-28 17:48:04 +02:00
Dirk
2e5dd0439a document variable for previous commit 080840f 2018-03-02 20:57:06 +01:00
Dirk
b5fcc00031 reflect previous commit of changed treatment of --severity
... and some minor polishing
2018-03-01 15:13:55 +01:00
Dirk
ba8d613aa5 Add documentation about the current and corrected exit codes 2018-02-14 23:40:08 +01:00
Dirk
01f7612bd0 add keys to server defaults, cert start/end time in GMT 2018-01-29 23:43:25 +01:00
Dirk
659a6176b6 Add TLS 1.3, better explanation for -6 2018-01-28 12:47:05 +01:00
Dirk
0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
Dirk
1488baeac5 Documentation of CA_BUNDLES_PATH
See also #941
2017-12-20 09:00:00 +01:00
Dirk
c23f47858d Overwrite as a default empty files
This commit tries to address #934. Empty files can now
be overwritten without exiting with an error.
2017-12-14 10:06:19 +01:00
David Cooper
5de873f8bc Test for vulnerability to Bleichenbacher attack
This PR adds a test to check whether a server that supports ciphers suites that use RSA key transport (TLS_RSA) are vulnerable to Bleichenbacher attacks (see http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).
2017-12-12 09:51:48 -05:00
Dirk
47409a32d6 delayed commit for file prefix
Also added David
2017-11-24 23:13:38 +01:00
Dirk
e450eb34e4 FIX #846 -- add output filename prefix
This commit adds the possibility to supply a output
file name prefix via --outprefix or FNAME_PREFIX
2017-11-14 19:41:25 +01:00
Dirk
9daec2a515 Add "auto" keyword to -oA/-oa (FIX #887)
File names are now auto-generated by using "-oA auto" / -oa "auto"
--similar to --csv and friends.

Also the formerly hidden switches --outFile and --outfile were added in the
help and in the manual.
2017-11-01 09:58:52 +01:00
Dirk
2aeabd19b2 Better clarification on bit size and encryption strength
Fix #770
2017-10-31 12:00:09 +01:00
Dirk
a85ca3c250 FIX #765
Inconsistency in using optional and mandatory parameters in help and man page
2017-10-26 11:46:14 +02:00
Dirk
d3795f1254 Add output options similar to nmap (FIX #861) 2017-10-20 16:32:57 +02:00
Dirk
e32479818d mentioning BiGIP cookies and MongoDB 2017-09-27 09:25:22 +02:00
Dirk
f6cf96d916 polish help for -g option 2017-09-23 12:54:44 +02:00
Dirk
68509694d4 NO_ENGINE (#834) and GREASE (#814) 2017-09-23 11:55:09 +02:00
David Cooper
a6f7121d25 Correct typos 2017-09-20 12:10:29 -04:00
Dirk
9345b55865 added ALL_CLIENTS for client siumulation 2017-08-30 23:40:47 +02:00
Dirk
8b2dfb81c5 reflect 37c8ee8c4e: debug level 2 is showing only minimal information like rough status and errors 2017-07-26 23:13:57 +02:00
Dirk
28fe4c48de manpage not for editing
Generated via ``ronn -r testssl.1.md`` from the md source. Can be viewed
e.g. by ``nroff -man testssl.1 [| less]``
2017-07-13 12:35:13 +02:00