mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-20 04:31:45 +02:00
Commit Graph

3475 Commits

Author SHA1 Message Date
bbd46b4e03 Merge pull request from dcooper16/has_sigalgs
Implement $HAS_SIGALGS
2020-05-09 10:38:03 +02:00
cc8a83ccc0 Merge pull request from dcooper16/cipher_pre_check_local_problem
Fix "local problem" output in cipher_pref_check()
2020-05-09 10:36:17 +02:00
6897b4abeb Merge pull request from unit193/3.1dev
Fix a couple typos in the documentation.
2020-05-09 10:34:44 +02:00
871db32fb5 Fix a couple typos.
enviroment → environment
ususally → usually
2020-05-08 22:48:20 -04:00
4f802502a0 Implement $HAS_SIGALGS
The "-sigalgs" option is used in get_server_certificate() to obtain certificates the server uses with TLS 1.3. get_server_certificate() is currently designed to use $OPENSSL, if $OPENSSL supports TLS 1.3.

LibreSSL 3.1.{0,1} has added client support for TLS 1.3, but does not support the "-sigalgs" option. So, this commit determines whether the "-sigalgs" option is supported, and if it isn't, then uses tls_sockets().
2020-05-08 16:15:32 -04:00
ec4feb52e7 Fix "local problem" output in cipher_pref_check()
When cipher_pref_check() is called in "--ssl-native" mode and the specified protocol is not supported, the message indicating a "local problem" is not properly formatted.
2020-05-08 16:13:30 -04:00
4f868a76a7 Merge pull request from dcooper16/bad_exponent_rating
Rate RSA e=1 as CRITICAL
2020-05-08 17:13:09 +02:00
cde2ecdc5d Rate RSA e=1 as CRITICAL
PR  set the grade cap to 'F' if the server has a certificate with an RSA key with e=1, however, it did not change the rating in the JSON/CSV output. This commit changes the cert_keySize rating to CRITICAL for an RSA key with e=1, regardless of the size of the modulus. It also uses pr_svrty_critical() to print the exponent in this case.
2020-05-08 08:23:14 -04:00
d16f8a20c5 Merge pull request from drwetter/drwetter-patch-1
Labelling, look @ 3.0.2
2020-05-07 19:57:49 +02:00
e53ea4a115 Merge pull request from dcooper16/fix_cp_error
Fix copy and paste error
2020-05-07 19:38:28 +02:00
a137f73926 Merge pull request from dcooper16/improve_key_exchange_grading
Improve key exchange grading
2020-05-07 19:37:36 +02:00
e243b3d77a Merge pull request from dcooper16/fix_1576
Fix 
2020-05-07 19:35:42 +02:00
8697e3417a Fix copy and paste error
This commit fixes a bug that was introduced by an accidental copy and paste.
2020-05-07 12:33:23 -04:00
6fa82ea2f7 Fix typos 2020-05-07 17:15:11 +02:00
7b3adf8195 Labelling, look @ 3.0.2
* label 3.1dev as a ~rolling release
* outlook to 3.0.2 (~tomorrow)
2020-05-07 10:50:41 +02:00
46bf8c90ac Improve key exchange grading
This commit makes a couple of improvements to set_key_str_score().

First, it rates (finite-field) DH keys the same as RSA and DSA keys.

Second, in the case of a server that has more than one certificate, the current code sets $KEY_EXCH_SCORE based on the length of the public key in the last certificate that is parsed. This commit changes set_key_str_score() so that $KEY_EXCH_SCORE is set based on the weakest public key.

Note that there is still the issue that the key exchange score does not take into account any ephemeral keys used. However, that needs to be addressed by calling set_key_str_score() from run_fs() and run_logjam(), as certificate_info() cannot provide information about ephemeral keys.
2020-05-06 14:30:44 -04:00
a8c9133fc6 Check for RSA exponent of 1
As suggested in , set the grade cap to F if the RSA key has an exponent of 1.
2020-05-06 14:25:59 -04:00
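The two commits above (weakest-key scoring in set_key_str_score(), and the RSA e=1 grade cap and CRITICAL rating) describe a rating rule without showing it. The following is an added example, not testssl.sh code and not from any commit on this page: it scores every certificate key a server presents, keeps the weakest as the key exchange score, and treats an RSA public exponent of 1 as CRITICAL whatever the modulus size. The input format, the function names, the EC bucket mapping and the severity thresholds are this example's own assumptions; the RSA/DSA/DH bit-length buckets follow the SSL Labs server rating guide, which is also an assumption about what testssl.sh uses.

```shell
#!/bin/sh
# Added example, not testssl.sh code.
# Input is constructed for this example, one key per line: "<TYPE> <BITS> [EXP]"
#   RSA 2048 65537 | DSA 1024 | DH 2048 | EC 256

# score_key TYPE BITS [EXP] -> 0..100 (assumed buckets, see lead-in)
score_key() {
    case "$1" in
        RSA|DSA|DH)
            # RSA with e=1: c = m^1 mod n = m, so "encryption" hands back the
            # plaintext and d = e^-1 mod phi(n) = 1 makes a "signature" just the
            # padded hash anyone can produce. No modulus size rescues that.
            if [ "$1" = RSA ] && [ "${3:-}" = 1 ]; then echo 0; return; fi
            if   [ "$2" -lt 512 ];  then echo 20
            elif [ "$2" -lt 1024 ]; then echo 40
            elif [ "$2" -lt 2048 ]; then echo 80
            elif [ "$2" -lt 4096 ]; then echo 90
            else                         echo 100
            fi ;;
        EC)
            # rough RSA-equivalence buckets for named curves (assumption)
            if   [ "$2" -lt 160 ]; then echo 20
            elif [ "$2" -lt 224 ]; then echo 80
            elif [ "$2" -lt 256 ]; then echo 90
            else                        echo 100
            fi ;;
        *)  echo 0 ;;   # unknown key type: assume the worst
    esac
}

# score_to_rating SCORE -> severity label (thresholds are this example's)
score_to_rating() {
    if   [ "$1" -le 0 ];   then echo CRITICAL
    elif [ "$1" -lt 80 ];  then echo HIGH
    elif [ "$1" -lt 90 ];  then echo MEDIUM
    elif [ "$1" -lt 100 ]; then echo LOW
    else                        echo OK
    fi
}

# key_exch_score "KEYLIST" -> minimum score over all keys (the weakest link),
# not the score of whichever certificate happened to be parsed last.
key_exch_score() {
    min=100
    while read -r type bits exp; do
        [ -n "$type" ] || continue
        s=$(score_key "$type" "$bits" "$exp")
        [ "$s" -lt "$min" ] && min=$s
    done <<EOF
$1
EOF
    echo "$min"
}

# grade_cap "KEYLIST" -> "F" if any certificate carries an RSA key with e=1,
# empty string (no cap) otherwise.
grade_cap() {
    while read -r type bits exp; do
        if [ "$type" = RSA ] && [ "${exp:-}" = 1 ]; then echo F; return; fi
    done <<EOF
$1
EOF
    echo ""
}

# Stand-alone run on a constructed two-certificate server.
keys='RSA 2048 65537
EC 256
RSA 1024 65537'
printf 'key exchange score: %s (%s), grade cap: "%s"\n' \
    "$(key_exch_score "$keys")" \
    "$(score_to_rating "$(key_exch_score "$keys")")" \
    "$(grade_cap "$keys")"
```

The point of keeping the minimum rather than the last value is that certificate order on the wire is arbitrary: a server that serves a 4096-bit RSA certificate after a 1024-bit one would otherwise look fine.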
9dba2a8c9c Fix
This commit adds additional information to the "Server key size" line for a certificate if the subject public key is RSA, ECDSA, or DH.

For RSA it shows the public exponent. For ECDSA, it shows the curve. For DH, it shows the group used, if it is a common prime.
2020-05-06 12:16:15 -04:00
f492cf0336 Merge pull request from dcooper16/tls_sockets_return_value
tls_sockets() return value
2020-05-06 16:34:40 +02:00
7c5fc48d25 Merge pull request from dcooper16/fix_1433
Fix 
2020-05-06 15:42:05 +02:00
329ba95d5b Fix
This commit fixes  by adding "@SECLEVEL=0" to the "$OPENSSL s_client" and "$OPENSSL ciphers" command lines if that option is supported. Adding this option configures OpenSSL to support some weak ciphers that it would not use in the default configuration.
2020-05-06 08:43:13 -04:00
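Both the $HAS_SIGALGS commit further up (LibreSSL 3.1.x speaks TLS 1.3 but lacks "-sigalgs") and the "@SECLEVEL=0" commit above follow the same pattern: probe what the local $OPENSSL binary actually accepts, then pick a code path. The following is an added example, not testssl.sh code and not from any commit on this page; the function names are this example's own and OPENSSL defaults to whatever "openssl" is on the PATH.

```shell
#!/bin/sh
# Added example, not testssl.sh code: feature-probe "$OPENSSL" instead of
# assuming a vendor or version.

OPENSSL=${OPENSSL:-openssl}

# Does "s_client" accept -sigalgs?  Both OpenSSL and LibreSSL print their option
# list for -help (LibreSSL treats it as an unknown option), to stdout or stderr
# depending on the build, hence 2>&1.  "Supports TLS 1.3" alone is not a safe
# test for this, as LibreSSL 3.1.0/3.1.1 show.
has_sigalgs() {
    "$OPENSSL" s_client -help 2>&1 | grep -q -- '-sigalgs'
}

# Does the cipher-string parser understand @SECLEVEL=0?  If not, "ciphers"
# rejects the whole string and exits non-zero.
has_seclevel() {
    "$OPENSSL" ciphers 'ALL:@SECLEVEL=0' >/dev/null 2>&1
}

# cipher_string LIST -> LIST with ":@SECLEVEL=0" appended only when supported.
# Appending it blindly would make every s_client/ciphers call fail on builds
# whose parser does not know the keyword.
cipher_string() {
    if has_seclevel; then
        printf '%s:@SECLEVEL=0\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# cert_fetch_method -> "openssl" when TLS 1.3 certificates can be pulled with
# "$OPENSSL s_client -sigalgs ...", "sockets" when a raw-socket handshake
# (tls_sockets() in testssl.sh) has to do the job instead.
cert_fetch_method() {
    if has_sigalgs; then echo openssl; else echo sockets; fi
}

# Stand-alone run: report what the local binary offers (skipped if none found).
if command -v "$OPENSSL" >/dev/null 2>&1; then
    printf 'cipher string: %s\nTLS 1.3 cert fetch: %s\n' \
        "$(cipher_string ALL:COMPLEMENTOFALL)" "$(cert_fetch_method)"
fi
```

Because the probes go through the OPENSSL variable, the same functions can be pointed at a LibreSSL build, an old 1.0.2, or a shell function that fakes either one, which is how the behaviour can be checked without having every build installed.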
84a82dbddc tls_sockets() return value
There is one place in parse_tls_serverhello() that returns 8 if the server's response is not well-formed TLS. However, there is no code in testssl.sh that is prepared to handle this return value. Every function except run_protocols() only distinguishes between 0, 2, and everything else. run_protocols(), however, gets confused if tls_sockets() returns a value that it is not expecting. So, this commit changes parse_tls_serverhello() to return 1 whenever the server's response cannot be parsed.
2020-05-06 08:31:09 -04:00
693cb216f7 Merge pull request from drwetter/license_patch3.1dev
Amendment to "Relax the possible GPL license contradiction"
2020-05-06 09:18:51 +02:00
908975380d Amendment to "Relax the possible GPL license contradiction"
fix it also in the man pages. See  / 
2020-05-06 09:17:42 +02:00
41259d2f1b Merge pull request from drwetter/TYPO3-Parsetime
Add X-TYPO3-Parsetime
2020-05-05 19:53:15 +02:00
918d358e95 Add X-TYPO3-Parsetime 2020-05-05 13:37:58 +02:00
ec37a6e1bd Merge pull request from drwetter/xmpp_improvements
Fix STARTTLS pretests, improve XMPP handshakes
2020-05-05 08:47:34 +02:00
d949b305c0 Fix STARTTLS pretests, improve XMPP handshakes
There was an empty variable in determine_optimal_proto() which prevented saving
STARTTLS_OPTIMAL_PROTO. This is fixed.

The buffers and return codes for XMPP in starttls_io() were not correct under every
circumstance. This fixes those cases and makes that in general more
robust (hopefully).  (There's still code commented out which I'll leave for
now.)

When openssl did not support -starttls xmpp-server there was a copy
and paste error saying that -xmpphost option was not supported.
2020-05-04 22:38:02 +02:00
1a0ade585e Merge pull request from dcooper16/check_server_response
Check server's response
2020-05-04 21:35:50 +02:00
308582bd0e Merge pull request from drwetter/1590_2_3.1dev
Address further potential license restriction
2020-05-04 20:35:37 +02:00
cdc1a08819 Address further potential license restriction
.. see https://github.com/drwetter/testssl.sh/issues/1590#issuecomment-623526604

Added some formatting and verbal improvements in the introductory comment section.
2020-05-04 20:34:32 +02:00
ae8a056afe Check server's response
There is code at the beginning of parse_tls_serverhello() that checks whether the server's response appears to consist of a sequence of messages of the form <protocol><content type><content>. However, at the moment the check is only performed if "$do_starttls" is false. This commit changes parse_tls_serverhello() so that the check is always performed.
2020-05-04 14:29:13 -04:00
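The commit above describes a structural check on the server's response that is now applied in every mode, STARTTLS included. The following is an added example, not testssl.sh code and not taken from parse_tls_serverhello(): it walks a hex string of the kind testssl.sh collects from a socket and accepts it only if it is a sequence of TLS records <content type (1 byte)><version (2)><length (2)><content> that tile the buffer exactly. The sample responses are constructed for this example; the function names are its own.

```shell
#!/bin/sh
# Added example, not testssl.sh code: is this hex dump a sequence of TLS records?

# substr HEX START LEN  (0-based offsets counted in hex characters)
substr() { printf '%s' "$1" | cut -c"$(( $2 + 1 ))-$(( $2 + $3 ))"; }

# tls_records_wellformed HEX -> 0 and one "type:length" line per record if the
# whole buffer is exactly covered by records whose content type is one of
# 14 (ChangeCipherSpec) 15 (Alert) 16 (Handshake) 17 (ApplicationData) and
# whose version field starts with 0x03; 1 otherwise.  SSLv2 framing (0x80..)
# is deliberately not accepted here.
tls_records_wellformed() {
    hex=$1
    # anything that is not hex would break the arithmetic below, so refuse it
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    total=${#hex}
    [ "$total" -gt 0 ] || return 1
    [ $(( total % 2 )) -eq 0 ] || return 1
    pos=0
    while [ "$pos" -lt "$total" ]; do
        # a record header is 5 bytes = 10 hex characters
        [ $(( total - pos )) -ge 10 ] || return 1
        ctype=$(substr "$hex" "$pos" 2)
        vmaj=$(substr "$hex" $(( pos + 2 )) 2)
        len=$(( 0x$(substr "$hex" $(( pos + 6 )) 4) ))
        case "$ctype" in 14|15|16|17) ;; *) return 1 ;; esac
        [ "$vmaj" = "03" ] || return 1
        # the declared length must be backed by bytes in the buffer (truncated
        # reads and bogus lengths both fail here)
        [ $(( total - pos - 10 )) -ge $(( len * 2 )) ] || return 1
        printf '%s:%d\n' "$ctype" "$len"
        pos=$(( pos + 10 + len * 2 ))
    done
    return 0
}

# Stand-alone run on constructed inputs: a ServerHelloDone handshake record
# followed by a warning alert, then a truncated record, then an HTTP banner.
good='16030300040e00000015030300020100'
printf 'good:   '; tls_records_wellformed "$good" | tr '\n' ' '; echo
printf 'short:  '; tls_records_wellformed '16030300040e00' || echo 'rejected'
printf 'http:   '; tls_records_wellformed '485454502f312e31' || echo 'rejected'
```

The "tile the buffer exactly" condition is what distinguishes a TLS response from a plaintext banner or a half-read socket: an HTTP reply fails on the content type byte, and a record cut off mid-way fails on the length check rather than producing a parse that wanders into garbage.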
934c5fc60c Merge pull request from drwetter/aes_cgm_doc
Fix typo in docs: Strong grade Ciphers / AEAD
2020-05-02 19:54:54 +02:00
381fdfa985 Fix typo in docs: Strong grade Ciphers / AEAD 2020-05-02 19:49:01 +02:00
8e6c80ffba Merge pull request from drwetter/xmpp_server_polish
STARTTLS xmpp-server polish
2020-05-02 19:41:24 +02:00
7981a238a5 Comment out S2S XMPP server test for now 2020-05-02 19:40:45 +02:00
05c90d4c3a remove add_tls_offered 2020-05-02 18:37:02 +02:00
485bcc1888 Change Travis/CI environment to bionic
... as it comes with openssl 1.1.1 and we can also check the XMPP S2S
protocol
2020-05-02 18:34:10 +02:00
5da54b9ce8 fix var declaration 2020-05-01 21:42:41 +02:00
9e61d6605e Perl needs a semicolon ;-/ 2020-05-01 19:17:58 +02:00
191c69fbdd Minor probe for STARTTLS xmpp-server
... don't know whether this gets through -- depends on the
openssl version used (1.0.2 doesn't have that)
2020-05-01 18:39:36 +02:00
1d7adebb4e Add HAS_XMPP_SERVER
... see also 
2020-05-01 18:32:22 +02:00
0e6fb44bd3 add xmpp-server 2020-05-01 18:31:35 +02:00
53ee37b046 XMPP server 2020-05-01 18:03:19 +02:00
2b174821e4 Merge pull request from horazont/feature/xmpp-server
STARTTLS: add support for xmpp-server
2020-05-01 17:53:34 +02:00
4daf20585d STARTTLS: add support for xmpp-server
XMPP client-to-server and server-to-server links historically use
different XML namespaces. Some server implementations are strict
about this and will not proceed with the connection attempt when
the client namespace (`jabber:client`) is used on a
server-to-server link.

openssl s_client also supports `xmpp-server`.
2020-05-01 17:44:30 +02:00
f5a1884439 Merge branch 'magnuslarsen-grading_dev' into 3.1dev 2020-05-01 17:37:13 +02:00
ebe75252fa Merge branch '3.1dev' into magnuslarsen-grading_dev 2020-05-01 17:36:29 +02:00
aa702369c1 Merge pull request from dcooper16/use_has_x25519
Use $HAS_X25519 and $HAS_X448
2020-05-01 16:21:47 +02:00
ece209886c Merge pull request from dcooper16/improve_libressl_302_compat
Improve compatibility with LibreSSL 3.0.2 and earlier
2020-05-01 16:16:28 +02:00