Commit Graph

4666 Commits

Author SHA1 Message Date
ba58458909 Restrict tests to those which use openssl 2025-01-22 18:37:48 +01:00
37d987684e remove comment sign from testing 2025-01-22 18:25:54 +01:00
a499233df2 Add unittest for diffrent openssl versions
This adds a unit test to compare a run against google with the supplied openssl
version vs /usr/bin/openssl .

This would fix #2626.

It looks like there are still points to clarify
* NPN output is different (bug)
* Newer openssl version claims it's ECDH 253 instead of ECDH 256.
* Newer openssl version claims for 130x cipher it's ECDH 253, via sockets it´s ECDH/MLKEM. This seems a bug (@dcooper)

A todo is also restricing the unit test to the one where openssl is being used. E.g. the ROBOT check and more aren't done with openssl. So there's no value checking this here.
2025-01-22 18:12:53 +01:00
17f2a5d5b9 Merge pull request #2622 from dcooper16/draft-kwiatkowski-tls-ecdhe-mlkem
Support draft-kwiatkowski-tls-ecdhe-mlkem
2025-01-22 11:03:11 +01:00
023fd0278a Merge pull request #2625 from dcooper16/fix_x5519_and_x448_check
Fix checks for whether X25519 and X448 are supported
2025-01-22 11:01:25 +01:00
a85073bf0d Fix checks for whether X25519 and X448 are supported
In some cases OpenSSL returns an "unsupported" message rather than a "not found" message if X25519 and X448 are not supported. This commit changes the check for whether X5519 and X448 are supported for checking for either response.
2025-01-21 09:10:33 -08:00
11d7979f41 Support draft-kwiatkowski-tls-ecdhe-mlkem and draft-tls-westerbaan-xyber768d00
This commit adds support for the three code points in draft-kwiatkowski-tls-ecdhe-mlkem and the code point 0x6399 from draft-tls-westerbaan-xyber768d00. The group 0x6399 uses a pre-standard version of Kyber and is considered obsolete.
2025-01-21 09:00:21 -08:00
0c71658457 Merge pull request #2621 from dcooper16/fix2614
Fix #2614
2025-01-17 16:47:27 +01:00
95b6258f82 Fix #2614
Currently `compare_server_name_to_cert()` only indicates whether the server's host name matches a wildcard name in the certificate. So, it does not indicate if the certificate includes a wildcard name that does not match the server's host name. As a result, if a certificate includes the names "api.sub.example.tld" and "*.api.sub.example.tld," then a wildcard certificate warning will be issued for host names such as www.api.sub.example.tld, but not for api.sub.example.tld.

This commit changes `compare_server_name_to_cert()` to indicate whether the certificate is a wildcard certificate in addition to providing information about how the certificate matches the server's host name. Functions that use this function's response are then changed to extract the information they need (matching or wildcard) from the return value.
2025-01-17 05:43:39 -08:00
daf0671878 Merge pull request #2617 from dcooper16/fix2615
Fix #2615
2025-01-16 16:51:47 +01:00
8e184b886e Fix #2615
The server mentioned in #2615 has a bug, which results in it sending a handshake_failure alert rather than a successful connection if the signature_algorithms extension lists RSA+MD5 before one of the signature algorithms that it supports.

This commit works around this issue by reversing the order in which it lists the signature algorithms in the signature_algorithms extension, thus (generally) listing stronger options first.

This change should not affect the testing, except that it will result in the order of the supported signature algorithms being reversed in the output, if the server respects the client's preferences.
2025-01-16 06:55:54 -08:00
ef92cc70c9 Merge pull request #2616 from testssl/dependabot/github_actions/docker/build-push-action-6.12.0
Bump docker/build-push-action from 6.11.0 to 6.12.0
2025-01-16 12:20:07 +01:00
582d4658ae Bump docker/build-push-action from 6.11.0 to 6.12.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.11.0 to 6.12.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.11.0...v6.12.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-16 00:29:43 +00:00
90a51e7975 Merge pull request #2612 from testssl/dependabot/github_actions/docker/setup-qemu-action-3.3.0
Bump docker/setup-qemu-action from 3.2.0 to 3.3.0
2025-01-09 09:53:54 +01:00
723b1c17ee Merge pull request #2613 from testssl/dependabot/github_actions/docker/build-push-action-6.11.0
Bump docker/build-push-action from 6.10.0 to 6.11.0
2025-01-09 09:52:52 +01:00
9c74fe8f31 Bump docker/build-push-action from 6.10.0 to 6.11.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.10.0 to 6.11.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.10.0...v6.11.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-09 00:23:31 +00:00
b6aa4c3214 Bump docker/setup-qemu-action from 3.2.0 to 3.3.0
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3.2.0...v3.3.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-09 00:23:29 +00:00
6d77c93109 Merge pull request #2610 from testssl/links
Change orga from drwetter --> testssl
2025-01-06 16:20:53 +01:00
5f4ca15e57 Merge branch '3.2' into links 2025-01-06 15:41:16 +01:00
b708026151 Change orga from drwetter --> testssl
... to avoid redirects on the client side and to make repo migration better visible.

Also amend 'Status' and 'Contributing' in Readme.md. bluesky added, albeit mastodon
seems more interactive. Clarify twitter account is not in use anymore.
2025-01-06 15:34:45 +01:00
b5ad5bd859 Merge pull request #2604 from drwetter/dependabot/github_actions/docker/build-push-action-6.10.0
Bump docker/build-push-action from 6.9.0 to 6.10.0
2024-12-06 15:03:47 +01:00
3e7efb7dd6 Bump docker/build-push-action from 6.9.0 to 6.10.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.9.0 to 6.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.9.0...v6.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-28 00:10:10 +00:00
701c606eac Merge pull request #2597 from Tazmaniac/quick-fix-2590
Quick fix for #2590
2024-11-27 11:39:25 +01:00
662a99fdce Merge pull request #2602 from dcooper16/fix2599
Fix #2599
2024-11-27 11:35:41 +01:00
26a3a8fd51 Fix #2599
This commit fixes #2599 by not wrapping fileout() messages in a "clientProblem" wrapper if TLS13_ONLY is set. The TLS13_ONLY flag being set is an indicator that fileout_banner() has already been called.
2024-11-26 09:13:11 -08:00
65c463fcbf Merge pull request #2600 from janbrasna/fix/ci-badge
Fix CI badge
2024-11-19 20:49:27 +01:00
d4fa5df475 Fix CI badge 2024-11-19 20:42:08 +01:00
601dddd388 Quick fix for #2590
Proper fix need another refactoring/cleanup of the renego test.
2024-11-04 11:38:18 +01:00
245ad2ae4a Merge pull request #2592 from dcooper16/integrity_only_ciphersuites
Support RFC 9150 cipher suites
2024-10-29 00:35:34 +01:00
192505d700 Merge pull request #2591 from dcooper16/libressl4
Support LibreSSL 4.0.0
2024-10-29 00:30:38 +01:00
e17b1c17bb Support RFC 9150 cipher suites
This commit adds support for the two cipher suites in RFC 9150, TLS_SHA256_SHA256 and TLS_SHA384_SHA384. These are authentication and integrity-only cipher suites.
2024-10-28 15:07:22 -07:00
3c54474061 Support LibreSSL 4.0.0
LibreSSL 4.0.0 was recently released. This commit modified the version check in determine_trust() so that there isn't an incorrect warning suggesting that LibreSSL 4.0.0 "<= 1.0.2 might be too unreliable to determine trust."
2024-10-25 12:24:06 -07:00
6452ec997e Merge pull request #2589 from dcooper16/sha256_stapled_ocsp
Accept stapled OCSP responses that use SHA-256 in CertID
2024-10-17 09:46:10 +02:00
1f37a8406f Accept stapled OCSP responses that use SHA-256 in CertID
This commit modifies check_revocation_ocsp() to check the revocation status of a certificate in a stapled OCSP response whether the response uses SHA-1 or SHA-256 in CertID.
2024-10-16 10:49:40 -07:00
b2e6f990b9 Merge pull request #2588 from drwetter/fix_2582
Mute socat killing & improve STARTTLS grading explanation
2024-10-15 12:26:35 +02:00
0abca6f067 Mute socat killing & improve STARTTLS grading explanation
Fixes #2582 .
2024-10-15 10:56:29 +02:00
ba51ca7879 Merge pull request #2587 from drwetter/fix_hexdump_docker
Add link for hexdump correctly
2024-10-15 09:57:08 +02:00
fc309b7ee0 Add link for hexdump correctly
... in Dockerfile, see #2586
2024-10-15 09:54:35 +02:00
5064d3073c Merge pull request #2584 from drwetter/upgradeDockerfile_Lep15.6
Upgrade Dockerfile to leap 15.6
2024-10-14 18:13:35 +02:00
b7a4d5c692 Merge pull request #2583 from drwetter/minor_polish_unitTests
Minor polish unit tests
2024-10-14 18:08:35 +02:00
0f44d6777a Upgrade Dockerfile to leap 15.6
As EOL comes closer for openSUSE Leap 15.5 (https://en.opensuse.org/Lifetime)
an update is needed.

``busybox-util-linux`` and ``busybox-vi`` had to be removed as they don't exist
anymore. Busybox was added but hexdump was not provided by the vendor.
As busybox was compiled "properly" hexdump can be added by just linking to it.

This fixes #2563
2024-10-14 17:51:24 +02:00
656726eaab Merge pull request #2580 from drwetter/fix_2575
Fix json/csv output when STARTTLS problem is passed back
2024-10-14 17:16:09 +02:00
e0e742379c see previous commit 2024-10-14 17:15:43 +02:00
ae77349f3a see previous commit 2024-10-14 17:11:55 +02:00
9b48c1641b Minor polish unit tests
This PR (re-)names the unit test starter properly and improves for some unit tests the phrasing and formatting.
2024-10-14 17:08:12 +02:00
33fd749af8 Fix json/csv output when STARTTLS problem is passed back
In rare cases testssl.sh writes in the terminal output "likely not offered" but
misses the "likely" in the json/csv output.

This fixes #2575 by adding that word and amending the return value 4 with
a comment.
2024-10-14 16:15:18 +02:00
fee04f2db8 Merge pull request #2579 from drwetter/merge_2568
Merge 2568
2024-10-14 15:55:40 +02:00
fa5664f434 Polish comment + grade cap reason for STARTTLS 2024-10-14 14:17:02 +02:00
7c0ccb3da7 Fix HTML output in #2568 2024-10-14 13:08:45 +02:00
6c771f7902 Merge branch '3.1dev' of https://github.com/magnuslarsen/testssl.sh into magnuslarsen-3.1dev 2024-10-14 13:03:46 +02:00