Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-02-02 13:51:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
668 Commits 14 Branches 31 Tags 227 MiB
b97788ba73
Commit Graph

368 Commits

Author SHA1 Message Date
Laine Gholson
686dd511a6 Add support for .local domains with avahi 2015-10-31 20:01:52 -05:00
Martin Hoffmann
6a8d4870ab Missing space ;) 
Whoops... edited this from the github webpage..
 2015-10-30 09:56:48 +01:00
Martin Hoffmann
9bfeac19bc Fix: tput: No value for $TERM and no -T specified 
Avoid "tput: No value for $TERM and no -T specified" when running from CGI or similar by checking for interactive shell
 2015-10-30 09:46:35 +01:00
Peter Mosmans
62af7be5a1 Added check for availability oftput (Fixes #222) 
Slight change due to drwetter's comment
 2015-10-25 22:31:44 +10:00
William Lovins
4095dc53be Changed wording for easier readability. 2015-10-16 14:40:06 +01:00
Dirk
7bf1319c93 - FIX #218 for exim and friends 2015-10-15 15:14:37 +02:00
Dirk
eb49132682 - changed headline for each sub test from blue to underline+bold 
- save determine_service log
 2015-10-15 14:15:07 +02:00
Dirk
78fab8addb - FIX #213, wording 2015-10-13 22:25:01 +02:00
Dirk
d4dbf1138c - FIX #214 2015-10-13 08:31:54 +02:00
Dirk
1a1f007ef9 - banner f'up reversed 2015-10-11 23:34:53 +02:00
Dirk
8c0786d147 - switched on clientauth functionality (missed b4) 2015-10-11 23:23:35 +02:00
Dirk
b9bfd48871 - client based auth (see sclient_connect_successful() works now, see #206) 
- careful regression tests for this, point open: speed
- test for more TLS extensions
- heartbleed() does now before a check whether heartbeat is available to save time
- breach simplyfied (and doesn't have to be killed in seldom cases)
- tmpfiles are only being erased after exit not after each function
- user agent is testssl -- unless --sneaky is chosen
- global host vars are now being resetted to prevent side effects
- tls version in record layer is now always 1
- used ERRFILE wherever possible
- smaller code cleanups
 2015-10-11 23:07:16 +02:00
Dirk Wetter
0600e39b45 - fix screw up of rDNS display for those few folks having only IPv4 ;-) 2015-10-06 12:30:29 +02:00
Dirk
f8d6a2fb6d - IPv6 formatting fixed, see #11 (points 3,4,5) 
5 cannot be done automagically, see issue
 2015-10-05 09:56:21 +02:00
Dirk
a0d634f94a - ouput corrections for BEAST 2015-10-04 12:32:29 +02:00
Dirk
41bc2fb70c - regression wrt what_dh 2015-10-03 00:14:52 +02:00
Dirk Wetter
f3cef41053 - some speed improvements (sed, tr --> bash internal s'n'r) 
- revamped BEAST a bit: availablity of higher protocols lead now to yellow color, see #208
- Fixed error in BEAST (no higher protos led to no message)
- made BEAST it faster: one check for protocol ssl3+tls1 upfront, see #208
 2015-10-01 13:27:14 +02:00
typingArtist
2ca6c2b0dc improved variable naming, scope and worked around length limitation of cipher list, as suggested by @drwetter 2015-09-30 14:54:39 +02:00
typingArtist
449aada392 fix CBC cipher selection 
CBC cipher selection is not so easy using the openssl tool alone. Selecting the cipher based on the string CBC occuring in it would be right if it’s
about the RFC name of the cipher but not so with the openssl naming. Since CBC ciphers are not going to be continued anyway, I think it’s safe to take
a static list. However, it’s easy to extract it from the cipher list in openssl-rfc.mapping.html, but we certainly don’t want to require that file to
be shipped all the time.
 2015-09-30 12:44:27 +02:00
Dirk
1c1eaa53d8 - fix for renamed http_header function 2015-09-29 18:47:49 +02:00
Dirk
cac49cb1f1 - "--file" implicitly does "--warnings=batch" 
- "--file" works now fine with equal sign
- fixed load balancer issue where header request stalled and testssl.sh consequently too
- http_date needed to be changed too because of that
- needed to estimate then the http_date when request was killed (HAD_SLEPT)
  will Mr. Spock like this??
- fixed load balancer issue where header request for breach test stalled and thus an error was displayed
- code improvements
 2015-09-28 22:54:00 +02:00
Dirk
feaef680aa - IPv6 #11 is 80% working (whohoo!). Needed is an openssl capable IPv6 and HAS_IPv6=true in the environment 
- FIX #191
 2015-09-26 22:44:33 +02:00
Dirk Wetter
cc81642ee3 - #FIX 202 (EV detection from TERENA/Digicert) 2015-09-25 14:35:42 +02:00
Dirk
a2efc201b7 - added a failure condition for trust check 2015-09-24 09:10:43 +02:00
Dirk
06466cca92 - proxy in determine_trust was missing 2015-09-23 09:03:47 +02:00
Dirk
0b1e573fc9 - FIX #190: Server temp key backport for RH-ish systems works now automagically 
- just to be sure there's a cmd line flag --has-dhbit / env HAS_DH_BITS
- some reordering
 2015-09-22 20:09:26 +02:00
Dirk
4b57a22f6e - FIX #198 (date env problem under BSD and maybe others) 2015-09-22 17:14:36 +02:00
Dirk
1668daa04e - NEW: chain of trust -- for openssl 1.0.2 only 
- FIX #97
 2015-09-22 15:05:59 +02:00
Dirk
3eeb1f9d9d - check whether dig, host or nslookup is there. The error message is now describing the cause 2015-09-21 16:43:47 +02:00
Dirk
23802e219d - #FIX 197 
- renamed a variable
 2015-09-21 14:03:48 +02:00
Dirk
6406e1828d - minor polish of output 2015-09-19 15:03:40 +02:00
Dirk
413b64c44a - fixed proxy name resolution and make it more robust 
- additional line if a proxy is used above rDNS
 2015-09-18 15:12:01 +02:00
Dirk
945d26d222 - changed version number 
- retabed to five spaces
 2015-09-17 15:30:15 +02:00
Dirk
58096d6633 2.6 release 2015-09-15 08:49:00 +02:00
Dirk
467988fb0a - improved resilience in cipher order check 
- improved also there compatibility with intolerant IIS6 servers
 2015-09-14 12:54:54 +02:00
Dirk
a2ba43ec78 - litemagenta should be used for not fatal conditions / magenta for fatal conditions (prg terminates then) 2015-09-14 11:12:37 +02:00
Dirk
9b08cb7584 - FIX /workaround for #188 (https://github.com/drwetter/testssl.sh/issues/188) 
- bumped up version to rc4
 2015-09-14 11:03:10 +02:00
Dirk
a9f231b3ff - fix where an $PID"ERRFILE" was written 2015-09-09 16:41:32 +02:00
Dirk
d28317f2d0 - exit code always 0 unless an error occured 
- enable devel feaure of SSLv2 via socket
 2015-09-08 19:30:03 +02:00
Dirk
566a059250 - fix for issue when a non-HTTP service indicates a misleading non-match of certificate 
- wildcard check
 2015-09-06 18:21:08 +02:00
Dirk Wetter
b9bfa2355a fix for scott helme's multiple keys (https://scotthelme.co.uk/hpkp-toolset) 2015-09-04 14:19:06 +02:00
Dirk Wetter
422b4d511a minor cleanups for finding openssl binaries 2015-09-04 10:04:56 +02:00
Dirk Wetter
6a036cd7d4 removed hardcoded obsolete paths for binaries 2015-09-03 13:26:02 +02:00
Dirk
1c5870e3e3 typo, fix from Stefan Stidl (thx!) 2015-09-03 12:17:32 +02:00
Dirk
489baa1299 unitize programming styles: ${var} --> $var, double square brackets instead of single 2015-09-03 12:14:47 +02:00
anoma
6b22851104 Typo. Inconsistent CVE string format 
Trivial typo. All other CVE outputs are in the form CVE-XXXX-YYYY
 2015-09-03 09:10:06 +01:00
Dirk Wetter
90930a2f78 - changed return code if someone dares to use dash as it hiccups 
- catch users try to use sh instead of real bash (#184),  see http://www.gnu.org/software/bash/manual/bashref.html#Bash-POSIX-Mode)
 2015-09-02 12:56:03 +02:00
Dirk Wetter
45eb3ed662 better phrasing for LOGJAM, see #181 2015-08-28 17:43:38 +02:00
Dirk Wetter
90ead7a301 FIX #183 2015-08-28 17:06:07 +02:00
Dirk Wetter
412fb6fb05 FIX #182 2015-08-28 16:46:28 +02:00
Dirk Wetter
9b718d39d0 - removed VERBERR (is now DEBUG=2) 
- hex2dec uses now internal echo instead of printf (which has problems with some chars if unexpected content if not properly used)
 2015-08-28 14:59:04 +02:00
Dirk
b5818f6034 - FIX $177 
- some by-catches whle shellchecking
- minor cleanups
 2015-08-28 00:15:51 +02:00
Dirk
c102bb6712 micro fix for the ESC code orgination fron tput test 2015-08-27 20:39:20 +02:00
Dirk
0d9370237c - FIX #172 
- labeled TLS_FALLBACK_SCSV as experimental, to be improved in next release (remarks in code)
- removed experimental from FREAK check
- separated headerfile from errorfile, TLS handshake oids were sometimes misinterpreted as IPv4 addreses in header
- bumped up rc version
- linefeeds
 2015-08-27 11:25:12 +02:00
Dirk Wetter
c93dc01b41 better service detection, dedicated line for NNTP and certificate stuff redirected to ERRFILE 2015-08-26 20:06:53 +02:00
Dirk Wetter
838112e6d2 - LibreSSL compatibility: recent pull spits out an error if cnf file isn't found (oh well) ==> introduction of #ERRFILE, good idea anyway 
- commented what I wanted to achieve with the colors
- code cleanups
 2015-08-24 23:50:03 +02:00
Dirk
aa91990fb3 - fix bug where a host name like AAA.BBB.CCC.DDD.in-addr.arpa.DOMAIN.TLS was taken as an ipv4 address 
- freebsd 9 supports now also colors with setaf, Darwin?
- correct indentation of help
- improved parsing in command line so that where a distinct option is required it is also tested in the 1st place
- removed -q in help (deprecated as we might want to use it for other things in the future)
- fix: if $PWD/openssl was a dir it bailed out
- cleanup of fatal errors ==> provide ONE function
 2015-08-24 22:17:35 +02:00
Dirk
83bf9067aa FIX #167 (# of certificates provided) 2015-08-23 21:16:34 +02:00
Dirk Wetter
6baf5e377c - sanitize '%' in general output function, avoids hiccups in url encoded strings 
- FIX #178 (Security headers only key in green, not value)
- CSP rule for facebook hast 127.0.0.1 which is labeled as IP address
 2015-08-21 18:10:45 +02:00
Dirk Wetter
87cef93b6c - more solid parsing for HPKP header (FIX #163) 
- X-UA-Compatible is now an "other" flag and key won't be swallowed
 2015-08-21 12:43:10 +02:00
Dirk Wetter
394bde8ff5 output FIX for multiple CRLs (#165) 2015-08-21 10:47:29 +02:00
Peter Mosmans
cd4ba60f16 Fixes #174 
Thanks to Ligushka
 2015-08-18 16:07:24 +02:00
Jonathon Rossi
e8cbf1a699 Fix subject alternative name on darwin 2015-08-18 17:15:17 +10:00
Dirk
9afab04012 FIX #162 (leading space for rp banner and missing lf) 2015-08-17 20:13:52 +02:00
Dirk
405b0f10bf FIX #161 + small improvemnet on rengotiation 2015-08-15 21:33:17 +02:00
Dirk
e3fcd786f7 - FIX #160 -- removed code from #27 
- bumped up version to 2.6rc2
 2015-08-15 18:48:49 +02:00
Dirk Wetter
58a1c1c1da - expiration variables tunable via ENV 
- cleanups expire section
 2015-08-13 16:56:12 +02:00
Thomas Kähn
8963916b3b Fix certificate expiration check 2015-08-12 18:28:50 +02:00
Dirk Wetter
719536a44e FIX: Dilyans bug where a STARTTLS servive runs on a different port 2015-08-12 13:58:45 +02:00
Dirk
5bc6e5fda9 - if a record is local host it is shown now 
- also look in etc hosts for MSYS2
- cosmetic improvements
 2015-08-12 00:17:28 +02:00
Dirk Wetter
81b158431f NEW: showing # of detected pinned keys (HPKP) 2015-08-10 15:58:56 +02:00
Dirk Wetter
72aa8add5c FIX for missing CN (e.g. cloudflare) 2015-08-10 15:17:42 +02:00
Dirk Wetter
e6f0f79157 - FIX: rDNS ignores CNAME now 
- some code beautified
 2015-08-10 14:47:11 +02:00
Dirk
aa2b33fdb4 rp header fine tuning 2015-08-08 13:42:31 +02:00
Dirk
dc60d9360a reverse proxy banner alignment 2015-08-08 13:37:05 +02:00
Dirk
56e6f90308 FIX #158 (pagesspeed header was identified as IPv4 addr) 2015-08-08 10:20:13 +02:00
Dirk Wetter
70ff293fb7 - fix for #156 
- reverting #27. Catch is the functions are being initiated at a fixed time instead of while calling. This conflicts with the --color option which is done late. Other solution?
 2015-08-05 11:31:55 +02:00
Dirk
f1fe2c3286 just renaming as rc1 for 2.6 2015-08-02 01:25:39 +02:00
Dirk
fcb8c5d0bc - FIX for multiple ip addresses for one mx host (didn't expect a matroshka ;-)) 
- make dotted lines smaller
 2015-08-02 01:16:27 +02:00
Dirk
ea1ab3b911 help for mass testing option in #153 2015-08-02 00:26:34 +02:00
Dirk
325abcfc06 - first shot for szepeviktor's color function maker #27 2015-08-02 00:03:30 +02:00
Dirk
9006234c34 - NEW: mass testing via --file 
- FIX: ipv6 address in rDNS was ..umm err ....missing some chars
- rough ipv6 address detection (fixes single colon in "further ip addresses")
- FIX: facebook has EC certificate but signing algo is not EC
- FIX for wrong openssl location in banner
 2015-08-01 23:11:27 +02:00
Peter Mosmans
c04497f2f6 Another fix for #140 
Suppress awk warnings
Don't try to retrieve header information from openssl stderr output
 2015-07-27 12:16:03 +02:00
Dirk
f45f91a07e - quiet mode for mass testing (see #148) w/o banner 
- -q is now --devel
 2015-07-25 14:33:08 +02:00
Dirk
d4f7dd0f91 * squash dirname err msg on FreeBSD 
* numerous DNS related internal improvements
* FIX #137
* FIX #147
 2015-07-23 17:11:33 +02:00
Dirk
013a24caea * - improved DNS parser again, see #141 #140 
* at least exit with -250 or worse if a problem occurs (rest still undefined, needs to be fixed, see #145/#100)
* renamed all top level tests in "run_" for better code
 2015-07-22 13:11:20 +02:00
Dirk
c66a2c8f2e FIX #144: reverse screw up of hpkp function for BSD/Darwin 2015-07-21 20:35:49 +02:00
Dirk
784294b52d awk fixes for MSYS2 FIX #141, #FIX 140 2015-07-21 14:20:15 +02:00
Jonathon Rossi
298a91d743 Fix bash 3 support 
Mac OS X ships with bash 3, not 4. The case statement fallthrough and
continue operators were added in bash 4.
 2015-07-21 15:11:20 +10:00
Dirk Wetter
f81b3a5c25 * GOST ciphers sometimes missing during scan 
* help was not precise wrt some arg w no params
 2015-07-20 14:05:35 +02:00
Dirk Wetter
66f0b22adb word match for -V / -x now only for non-numbers: testssh.sh -x cc google.com tests for chaha ciphers 
(before only word matching was done e.g.: testssl.sh -x ECDH chase.com
 2015-07-17 15:58:07 +02:00
Dirk Wetter
d9b9d2c2fb * path display error in banner fixed 2015-07-17 14:58:12 +02:00
Dirk Wetter
cda5eff12e * STARTTLS_SLEEP 
* resolved misleading output STARTTLS + socket
* fixed poodle ciphers in code (but not used yet)
 2015-07-17 14:33:23 +02:00
Dirk Wetter
f04ee57e79 * display shortend path to $OPENSSL in banner 2015-07-17 13:25:39 +02:00
Harald Wagener
4df61eed14 Update testssl.sh 
Fix typo.
 2015-07-17 11:05:07 +02:00
Dirk Wetter
54290b220a - Provide Darwin binaries and paths thereto 
- provide also other static bins in $PWD/bin
 2015-07-16 23:01:10 +02:00
Dirk Wetter
b157a26632 * EV certificate detection 
* SSLv2 + STARTTLS protocol check always uses sockets now
* STARTTLS protocol now returns over sockets the TLS time (if available)
* few LibreSSL output oddities fixes
* output corrections for STARTTLS
* additional path for binaries (we change the path soon but leave both in the code for now)
 2015-07-16 17:58:03 +02:00
Dirk
4c033bc0cc * header flags added 2015-07-14 20:44:04 +02:00
Dirk
2e40c2bde6 * misleading warning for DH bits for Negotiated cipher omitted if no DH or EC and OPENSSL <= 1.0.1 2015-07-14 19:58:04 +02:00
Dirk
32325d0643 * fix for scanning an IP address only 
* server_preference: cipher adjusted
* some [[ and ]] in loops, hoping to speed up processing a bit
* cosmetic stuff
 2015-07-14 17:13:58 +02:00