1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-18 03:31:58 +02:00
Commit Graph

3167 Commits

Author SHA1 Message Date
9c84129ff4 Better usability for TLS 1.3-only servers
In cases where TLS 1.3 is the only protocol supported by the server (as e.g.
in ), testssl.sh has some limits with the supplied binary.

For now (3.0) there's no perfect technical solution. This PR however improves
the verbosity what's going on and recommends to use an openssl binary
supporting TLS 1.3. And if the "secret" variable OSSL_SHORTCUT is set to true,
it automatically chooses that if available (it's a hack to do so and not
recommended. I just did it as a PoC).

In the next development we should consider probing this upfront!

Furthermore this PR removes some unnecessary quotes in double square brackets.
2019-09-12 10:55:32 +02:00
860671ba76 Style change when referencing current directory. 2019-08-29 09:55:31 +01:00
7b4eff3e58 Merge pull request from drwetter/unittest_json
remove -p from json unit test
2019-08-19 20:52:31 +02:00
71e561ceba Merge pull request from drwetter/binchar_fix
Binary string washer (0x00 bytes) (probably) after completed ClientHello
2019-08-19 20:51:21 +02:00
5874a722d8 Binary string washer (0x00 bytes) (probably) after completed ClientHello
This commit proactively tries to address cases where the server side
    adds Null Bytes after or during ClientHello in cases where it should be text only.

    Now VAR2=$(< $VAR1) is being replaced by VAR2=$(cat -v $VAR1) which is normally
    not best practice and also considered a useless use of "cat", see
    https://web.archive.org/web/20160711205930/http://porkmail.org/era/unix/award.html#uucaletter.

    Especially with bash 3.2 (Mac OS X) AND when on the server side binary chars it
    was reported to not work ok, see .

    Performance measurements showed no to barely measureable penalty (at max 1s displayed difference
    in 9 tries).
2019-08-19 20:51:45 +02:00
d471d7fdf3 Output files to host when using Docker
Provides an example of how to create output files in the host filesystem when using Docker.
2019-08-14 16:50:29 +01:00
520fda64f0 remove -p from json unit test 2019-08-12 12:38:47 +02:00
92654b2899 Merge pull request from drwetter/unittest_json
Fixes for travis
2019-08-12 12:31:46 +02:00
874932774e Fixes for travis
Travis updated the container images so that the perl
reference to 5.18 was outdated. We use now 5.26 which
works, however we should consider to be more flexible.

JSON::Validator didn't compile in the container. Thus
we switched to just use 'JSON'. That also supports JSON
pretty. For the future we should just test for valid JSON
in all unit test files as it is more effective.
2019-08-12 12:25:54 +02:00
ddd9d76d3b try to fix travis 2019-08-09 21:08:48 +02:00
251071081e Merge pull request from drwetter/renego_fixes
Add CVE for Secure Client-Initiated Renegotiation vulnerability
2019-08-09 19:46:51 +02:00
fc1206cfea Add CVE for Secure Client-Initiated Renegotiation vulnerability 2019-08-09 19:44:03 +02:00
5fed82f4c2 Merge pull request from drwetter/renego_fixes
Fix misleading CVE in Secure Renegotiation
2019-08-09 19:38:56 +02:00
95a7b70765 Fix misleading CVE in Secure Renegotiation
For some reason CVE-2009-3555 ended up in Secure Renegotiation,
whereas CVE-2009-3555 is in fact the Insecure Client-Side Renegotiation
vulnerability with the MiTM problem <= OpenSSl 0.9.8k.

This fixes that (see also  and , ) by removing the CVE #
from the output. Also tyhe output was changed for Secure Renegotiation
into supported/not vulnerable vs. Not supported / VULNERABLE

Some comments were added.
2019-08-09 19:35:11 +02:00
e25a80263f ignore perl version for travis 2019-08-08 21:19:43 +02:00
f3230a870c Merge pull request from drwetter/contributing
Fix stale links
2019-08-08 21:11:28 +02:00
3a1025f886 Fix stale links 2019-08-08 21:10:07 +02:00
65e5d58793 Fix travis 2019-08-08 20:59:13 +02:00
49fc218424 Merge pull request from drwetter/contributing
Add CONTRIBUTING.md, docker changes in Readme.md
2019-08-08 18:36:11 +02:00
642cfe46dd Add CONTRIBUTING.md, docker changes in Readme.md
.. also reviewed https://github.com/drwetter/testssl.sh/wiki/Coding-Style
2019-08-08 18:34:14 +02:00
7468776656 Merge pull request from drwetter/psql_mysql_fix 2019-08-06 20:13:15 +02:00
42f2b83a92 Improvements for MySQL via STARTTLS
* labeling is just "experimental"
* use similar functions as in psql
* faster
2019-08-06 20:04:19 +02:00
75a0f14bff Fix message 'tr : command not found' when debugging in determine_sizelimitbug() 2019-08-06 19:06:23 +02:00
206c80aed5 Fix for STARTTLS+socket of postgresql
As noted in  STARTTLS with sockets doesn't
work.

This commit fixes that by correcting the STARTTLS
handshake for postgresql. It has to be send via
sockets instead of echo. The server side then will
respond with "S" when STARTTLS is supported. For this
starttls_io() was slightly modified so that also
an input (from the server perspective) is not necessary.

It's fast too
2019-08-06 18:49:31 +02:00
00d39693f3 Merge pull request from pihug12/3.0
Fix "make-openssl111.sh"
2019-07-10 10:15:44 +02:00
dbacbe7912 Fix "make-openssl111.sh" 2019-07-10 08:54:55 +02:00
f405991b8c Merge pull request from drwetter/alpha_unittest_self
Enable more tests, change to newer JSON scheme
2019-07-09 22:51:51 +02:00
c335ded6d3 Enable more tests, change to newer JSON scheme 2019-07-09 22:49:12 +02:00
eef63b1726 Merge pull request from drwetter/tput_sgr_fix
Fix terminal codes / tput
2019-07-03 11:54:56 +02:00
af6f232790 Fix terminal codes / tput
As noted in  with some terminal settings under Linux there
appeared some ~garbage on the screen.

This fixes that by partly reverting 695d02157a .
At least now and under an older OpenBSD like 6.2 this doesn't seem
to be necessary.
2019-07-03 11:47:54 +02:00
3d5982e60b Merge pull request from dcooper16/fix_color_comparison_typo
Fix typo in check of $COLOR
2019-06-25 09:08:28 +02:00
2a141ab0f4 Fix typo in check of $COLOR
In emphasize_stuff_in_headers() there is a check of the $COLOR value, which checks whether $COLOR is 2. It should check whether $COLOR is 2 or higher.
2019-06-24 14:49:20 -04:00
a4d34b0cff Merge pull request from drwetter/etls_comment
"eTLS" ~> ETS
2019-06-17 10:26:36 +02:00
f1eb2b89b9 "eTLS" -> ETS
Decription was added with the (future) ETSI name ETS [1]. Also
added as a comment MITRE's CVE data using ETS, amended with NIST's
entry in NVD

[1] EFF's interpretation: extra terrible security
   https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it
2019-06-17 10:01:05 +02:00
6e4abbf33a Merge pull request from drwetter/1279_related
Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
2019-06-12 21:16:22 +02:00
7a1fb0b3b9 Added HAS_ZLIB in run_crime(), declaration of CERT_COMPRESSION fixed
CERT_COMPRESSION was declared always with fast in ... so that the variable
was always false. This PR fixes that. In addition a informational line
that the new TLS extension has been added (if $DEBUG >3).

Also determine_optimal_proto() is not being run if devel mode
($do_tls_sockets) is enabled.

Furthermore as David added HAS_ZLIB as a global run_crime() now makes
use of it too.
2019-06-12 21:05:43 +02:00
53ecacfcbb Merge pull request from drwetter/SNI_STARTTLS_polish_pwnedkeys
* SNI STARTTLS
* minor polish for pwned keys and devel option certificate compression
2019-06-12 15:59:06 +02:00
b2bf5b72bd Add SNI/STARTTLS, pwnedkeys 2019-06-12 15:41:07 +02:00
912cd906d2 SNI STARTTLS, minor polish
This PR addresses  and : it implements server name indication
also for STARTTLS which has been supported by a number of server
implemantations, in the meantime.

Also it does a final polish to David's pwnedkeys PR  a while back:
UI improvement and detection of network problems.

In addition to PR  it introduces a env variable to devel
mode so that "CERT_COMPRESSION=true ./testssl.sh --devel <params> <target>"
can be used to explore certificate compression on a host.
2019-06-12 14:36:46 +02:00
11add0d4ae Merge pull request from dcooper16/compressed_certs
Initial support for certificate compression
2019-06-07 21:33:36 +02:00
e2042e99d6 Initial support for certificate compression
draft-ietf-tls-certificate-compression specifies a new TLS extension that allows a client to indicate support for receiving the server's certificates in compressed form. This PR adds initial support for that extension to testssl.sh. It was developed based on an announcement that facebook.com has implemented support for the extension.

This PR does not add a test for a server's support for the new extension, it just adds code to parse_tls_serverhello() that will parse a compressed certificate message if one is present in the server's response. So, in practice, the code in this PR will not actually be used until additional code has been added that sends a ClientHello with the compress_certificate extension.

The code in this PR can be tested by using the --devel option and by changing line 19347 from

     tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"

to

     tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"

testssl.sh can then be called using

     testssl.sh --debug 3 --devel 04 "13,01" facebook.com

Note that this PR adds a test for zlib support to find_openssl_binary(). The test uses $OPENSSL zlib in the same way it is used in parse_tls_serverhello(). The test asks $OPENSSL zlib to uncompress the compressed version of the string "zlib" and the checks to see whether the decompression was performed correctly. There is already a test for zlib support in run_crime(), but I did not check to see whether the check in run_crime() could be replaced with a check of the new $HAS_ZLIB variable.
2019-06-06 12:17:32 -04:00
91e98f1fc3 Merge pull request from dcooper16/pwnedkeys
Check pwnedkeys.com database
2019-05-23 10:45:57 +02:00
0d2b955e21 Check pwnedkeys.com database
This PR adds a check of whether the server's public key appears in the https://pwnedkeys.com database.
2019-05-22 10:11:34 -04:00
d6fb232152 Merge pull request from drwetter/depr_clients
Depreciation of more clients
2019-05-08 23:18:03 +02:00
d5f90218d1 Deprecation of more clients
* Tor 17
* Android 4.2.2
* IE 7 Vista
2019-05-08 23:12:45 +02:00
0c750c212c Merge pull request from drwetter/ubuntu2openjdk
Change the platform for Java from Ubuntu to OpenJDK
2019-05-07 19:43:58 +02:00
7238a0167a Change the platform for Java from Ubuntu to OpenJDK 2019-05-07 19:39:20 +02:00
174f4ee527 Merge pull request from csett86/safari-macos
Add Safari 12.1 on macOS 10.13.6
2019-05-07 19:35:09 +02:00
9273661779 Merge pull request from csett86/deprecate-java9
Deprecate Java 9, its EOL since March 2018
2019-05-07 08:02:44 +02:00
c41b1f0055 Revert diff noise at end of file 2019-05-06 21:35:58 +02:00