Commit Graph

943 Commits

Author SHA1 Message Date
Dirk Wetter b342db6b38 Merge pull request #417 from dcooper16/issuer
Fix JSON output of Issuer name
2016-07-20 17:06:09 +02:00
David Cooper d9f8024d9a Fix JSON output of Issuer name
`certificate_info()` currently outputs `$issuer` to the JSON file, where is should be outputting `$issuer_CN` in order for the information in the JSON file to match the information that is displayed.

This PR also fixes the problem that if an Issuer name contains a domain component attribute (DC=) then it will be mistakenly treated as a country attribute (C=).
2016-07-20 10:50:38 -04:00
Dirk 829231c381 Merge branch 'dcooper16-run_pfs_curves' 2016-07-16 21:21:53 +02:00
Dirk 5de3ef3e22 Merge branch 'run_pfs_curves' of https://github.com/dcooper16/testssl.sh into dcooper16-run_pfs_curves
Conflicts:
	testssl.sh
2016-07-16 21:21:18 +02:00
Dirk 0c22ea9a0e - output polising in curves
- fix for jail #258
2016-07-16 20:48:56 +02:00
David Cooper a06ac81df3 Speed up finding supported curves
Rather than try each curve one at a time, follow model in `cipher_pref_check()`.  First include all curves in ClientHello, then successively remove from the ClientHello those curves that have been offered by the server until the connection fails. This makes the number of calls to `$OPENSSL s_client` one more than the number of supported curves rather than the number of curves in NamedCurve supported by $OPENSSL.

Note, however, that OpenSSL defines MAX_CURVELIST as 28 and fails if the `-curves` option includes more than 28 curves. Since OpenSSL 1.1.0 offers 29 curves from NamedCurve, this PR breaks the list of supported curves in 2. At the cost of one additional calls to `$OPENSSL s_client` it ensures that the number of curves provides to the `-curves` option is below the limit.
2016-07-14 13:23:50 -04:00
Dirk bda62ec715 no glasses needed, just need to look at the right spot ;- 2016-07-11 19:41:32 +02:00
Dirk 5f47359291 polishing output for #413 2016-07-11 18:44:28 +02:00
Dirk Wetter 400e969585 Merge pull request #413 from dcooper16/test_curves
Determine support elliptic curves for ECDHE- ciphers
2016-07-11 18:11:09 +02:00
Dirk Wetter 9f47ccece2 Merge pull request #412 from dcooper16/supported_elliptic_cur
Reorder supported curves
2016-07-11 17:08:39 +02:00
David Cooper 891c56f8bf Determine support elliptic curves for ECDHE- ciphers
This PR extends run_pfs() to display the set of elliptic curves supported by the server, if the server supports any ECDHE- ciphers.
2016-07-11 11:00:56 -04:00
David Cooper fb94221ce0 Reorder supported curves
Reorder the supported curves sent by socksend_tls_clienthello() from strongest to weakest.
2016-07-11 10:52:48 -04:00
Dirk Wetter 16087f8252 Merge pull request #411 from welwood08/patch-2
Server cipher order NPN tests should use SNI
2016-07-11 16:24:45 +02:00
Dirk 3e8d5208dc further fix, see #410 2016-07-11 16:20:36 +02:00
Dirk Wetter c32706c039 Merge pull request #410 from welwood08/patch-1
Unreadable SAN list on FreeBSD
2016-07-11 16:01:35 +02:00
Will Elwood 2573a9b8b8 More SNI for NPN tests
Found another NPN test (for the case where server doesn't specify cipher order?) that wasn't using SNI.
Also found a comment saying proxies don't support NPN => removed `$PROXY` from all modified lines.
2016-07-11 14:37:20 +01:00
Will Elwood 382d22648a Server cipher order NPN tests should use SNI
I noticed the NPN parts of this test were not returning any ECDSA ciphers where I expected them to match the results of the immediately preceding TLS 1.2 test. Found it wasn't using SNI so my test server was using the default domain (snakeoil RSA certificate) instead of the tested domain (dual ECDSA/RSA certificates).
2016-07-11 14:15:50 +01:00
Will Elwood 3c39396391 Unreadable SAN list on FreeBSD
On FreeBSD, sed does not support "\n" in the replacement string of a substitution. The SANs are currently output all together inside a single pair of quotes and each separated with an "n" character, needless to say this is very difficult to read.

After a little digging, it seems this is a somewhat recent regression of the fix in #173. I believe `tr` would be a more cross-platform way to do this, and several sources (including the author of that PR) would seem to agree - assuming the newline is now necessary.

It doesn't appear to matter what order the newline replacement happens amongst all the other replacements, so I have placed it first simply to avoid extending any already-long lines. Please correct me if this deduction is false.
2016-07-11 13:35:55 +01:00
Dirk Wetter 018468a670 more user friendly... 2016-07-09 14:24:38 +02:00
Dirk eb58598ca5 make it public, see #122 2016-07-08 11:40:17 +02:00
Dirk af4117aa7a FIX #404 2016-07-08 11:25:41 +02:00
Dirk 8c11334030 FIX #405 2016-07-08 11:15:41 +02:00
Dirk Wetter 57bf01a360 Merge pull request #402 from dcooper16/poodle
Check for all CBC ciphers in Poodle test
2016-07-08 10:04:49 +02:00
Dirk Wetter 9c92a866e0 Update Readme.md 2016-07-08 08:04:58 +02:00
Dirk Wetter 345087c3a4 Merge pull request #403 from teward/patch-1
Missing closing parenteses in help output for --openssl
2016-07-06 20:45:45 +02:00
Thomas Ward de05711e5a Fix grammar issue in help output for --openssl
Missing a closing parentheses `)`.
2016-07-06 14:23:32 -04:00
David Cooper ec6c0ce605 Check for all CBC ciphers in Poodle test
This PR should address issue #399.

I created the list of ciphers using the CIPHERS_BY_STRENGTH file from PR #373, making a list of all ciphers that had "CBC" in the RFC name and for which I had been able to find a corresponding OpenSSL name. Then, since that list contained more than 128 ciphers, I removed any ciphers from the list where the name ended in "-SHA256" or "-SHA384", as it is my understanding that those ciphers can only be used with TLS 1.2.
2016-07-06 10:52:54 -04:00
Dirk 0217992553 fixed error where an URI in X509v3 Issuer Alternative Name was displayed and an URI in SAN 2016-07-05 00:08:51 +02:00
Dirk d2f2dab7fb fix regression lf in CN 2016-07-05 00:02:34 +02:00
Dirk 2bba19360f see #401, part 2 2016-07-04 23:52:52 +02:00
Dirk Wetter 251e3f9a3b Merge pull request #371 from dcooper16/fix_issue_276
Fix issue #276
2016-07-04 23:25:13 +02:00
Dirk 0b5705fff4 FIX #258, FIX #398
partly addressed: #246
2016-07-04 23:05:12 +02:00
Dirk f01bff973a renamed function, better banner for logging 2016-07-04 13:59:39 +02:00
Dirk 491a03233b updating neat_list() to be faster and more compatible to openssl 1.1.0 with new chacha/poly ciphers 2016-07-03 22:35:21 +02:00
Dirk d5242c255e FIX #384 2016-07-03 21:45:49 +02:00
Dirk 37b33c9d79 Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-01 18:26:20 +02:00
Dirk 32f249b0c2 enabling sockets for client testing per default #375 2016-07-01 18:26:05 +02:00
Dirk Wetter 0d2797e5a0 travis ci icon 2016-07-01 14:58:54 +02:00
Dirk 1e9863823c Merge branch 'master' of github.com:drwetter/testssl.sh 2016-07-01 12:04:21 +02:00
Dirk 2362cd8745 wording for GOST sig algos and keys 2016-07-01 12:03:46 +02:00
David Cooper 53dec241f1 Merge branch 'master' into fix_issue_276 2016-06-29 09:56:08 -04:00
Dirk Wetter aed0a8475a Merge pull request #396 from seccubus/unit-tests
Pull request that helps to enable travis CI integrations
2016-06-29 09:53:51 +02:00
Frank Breedijk ec9276c17d Serach and replace failure, fixed now 2016-06-29 00:38:51 +02:00
Frank Breedijk 23ef87c134 Making tests work correctly 2016-06-29 00:35:52 +02:00
Frank Breedijk ac7dd4da79 CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00
Frank Breedijk 0e8f69e6ac Merge branch 'master' into unit-tests 2016-06-29 00:16:36 +02:00
Frank Breedijk fa19ac168f Be more verbose in your error testing 2016-06-29 00:15:32 +02:00
Frank Breedijk 353756ffd6 We need dnsutils as well 2016-06-29 00:12:46 +02:00
Frank Breedijk 2111008880 Install test dependancies 2016-06-29 00:09:12 +02:00
Frank Breedijk 0a86f07e61 Lets get unit testing 2016-06-29 00:02:53 +02:00