1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-03-16 06:35:24 +01:00

1622 Commits

Author SHA1 Message Date
AlGreed
694e4c7b6e pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00
David Cooper
95f583322a Merge branch 'master' into no_version_tolerance_test 2016-10-27 16:51:50 -04:00
Dirk
99300a0059 bump version 2016-10-27 22:02:35 +02:00
Dirk
1613bb214e Merge branch 'master' into CA_pinning
Conflicts:
	testssl.sh
2016-10-27 21:59:10 +02:00
David Cooper
4614e56022 Fix for when no mapping file is present
Now that the mapping file is no longer used, `$ADD_RFC_STR` should not be unset just because the mapping file cannot be found.

In addition, since `show_rfc_style()` is now used in `parse_tls_serverhello()`, it cannot return an empty string just because the user set "--mapping no-rfc" on the command line. Instead, `neat_list()` should check the value of `$ADD_RFC_STR` and not call `show_rfc_style()` if it has been unset.

Finally, since `show_rfc_style()` no longer returns strings with extra spaces, there is no need to call `strip_spaces()`
2016-10-27 14:28:16 -04:00
David Cooper
c8ff119316 Add option to retrieve entire server response
In some cases the server's response to a ClientHello spans more than one packet. If the goal is just to determine whether the connection was successful and to extract a few pieces of information from the ServerHello message, then this is unlikely to be a problem. However, if there is a desire to extract the server's certificate chain (Certificate message) or to determine the type and size of the server's ephemeral public key (ServerKeyExchange message), then the entire response needs to be obtained, even if it spans multiple packets.

This PR adds a new function, `check_tls_serverhellodone()`, that checks whether the entire response has been received (e.g., whether the ServerHelloDone message has been received). If the response indicates that the response is incomplete, then `tls_sockets()` requests more data from the server until the response is complete or until the server doesn't provide any more data in response.

The PR only changes the behavior of `tls_sockets()` if the caller indicates that it wants to extract the ephemeral key or that it wants the entire response to be parsed. Otherwise, only the first packet returned by the server is sent to `parse_tls_serverhello()`. [The value of `$process_full` is not used at the moment, but will be in a subsequent PR that modifies `parse_tls_serverhello()`.]

This PR also changes `tls_sockets()` to send a close_notify to the server if the connection was successfully established.
2016-10-25 11:04:23 -04:00
Thomas Alexander Frederiksen
217f2fb91a Apple ATS9 client test 2016-10-19 10:54:37 +02:00
Dirk
ef78aec50b FIX 2016-10-15 22:56:53 +02:00
Dirk
5e5edd5c89 FIX 2016-10-15 22:55:24 +02:00
mailsvb
4ce4d922ac remove additional pr_off at the end of sslv2 check 2016-10-12 22:32:35 +02:00
Dirk
6723622024 - do not do HTTP2+SPDY checks if non-STARTTLS but also non-HTTP
- ASSUMING_HTTP --> ASSUME_HTTP
- minor cleanups
2016-10-11 22:30:30 +02:00
David Cooper
3c55eec654 Remove test of version tolerance
PR  added a test for version tolerance to `run_protocols()`, but I think it may now be more appropriate to remove that test. Draft -16 of TLS 1.3, which was posted on September 22, changed the way that version negotiation is handled for TLS 1.3 and above. The current version tolerance test sends a ClientHello with the version field set to "03, 05", to represent a TLS 1.4 ClientHello. While this was consistent with RFC 5246 and with drafts of TLS 1.3 up to -15, draft -16 changed the version field to `legacy_version` and declared that its value should be "03, 03" for TLS 1.2 and above. (For TLS 1.3 and above a Supported Versions extension is included to inform the server which versions of TLS the client supports.) The change in draft -16 was made as a result of the problems with servers not handling version negotiation correctly.

Since the current draft suggests that a server should never be presented with a ClientHello with a version higher than "03, 03" (even for clients that support TLS versions higher than 1.2), it seems there is no reason to include the version tolerance test anymore.

For servers that do not support TLS 1.2, the additional checks that were added by PR  will already detect if the server cannot perform version negotiation correctly.
2016-10-11 11:01:04 -04:00
David Cooper
140ff91c60 Use printf in asciihex_to_binary_file
Use `printf` in `asciihex_to_binary_file()` rather than `echo -e -n`
2016-10-11 10:08:59 -04:00
Dirk
77f98e73e2 medium only for "Secure Client-Initiated Renegotiation" != HTTP 2016-10-10 23:27:34 +02:00
mailsvb
5a967302dc fix usage of CA_BUNDLES_PATH env for local ca_bundles 2016-10-08 22:50:44 +02:00
Dirk
1c5eb17729 (saving work): major cleanups for output readability and code 2016-10-06 18:53:25 +02:00
Dirk
bd64fb4214 minor putput cleanup for headers 2016-10-03 21:17:29 +02:00
Dirk Wetter
19b63aa8a9 duplicate headers fixed, #FIX 488, outstanding: proper treatment of simulatenous Public-Key-Pins|Public-Key-Pins-Report-Only 2016-10-03 18:52:48 +02:00
Dirk
e2023f51ac evaluate env TESTSSL_INSTALL_DIR and CA_BUNDLES_PATH for CA bundles and/or RFC/IANA mapping, FIX , 2016-10-02 18:15:13 +02:00
Dirk
fd6e2c0682 cleanup of 2016-10-01 22:25:14 +02:00
Dirk
09c19b4654 FIX , clear warning if >=1 HSTS headers are present 2016-10-01 10:04:33 +02:00
David Cooper
76a79a1f42 Merge branch '2.9dev' into full_parse_sslv2 2016-09-30 11:30:14 -04:00
Dirk
a5adb2f3ec fixing last T CI run 2016-09-29 21:20:13 +02:00
Dirk
c785087d15 - save 1x sed in count_lines/words 2016-09-29 21:03:48 +02:00
Dirk
05a0e555a7 - save 1x sed in count_lines/words 2016-09-29 20:59:13 +02:00
David Cooper
0676866e91 Add option for extract data from SSLv2 ServerHello
This PR adds the option for `parse_sslv2_serverhello()` to extract information from the ServerHello (server key size and cipher suites supported) and write the information to `$TMPFILE` as well as to write the server's certificate to `$HOSTCERT`.
2016-09-28 17:15:37 -04:00
David Cooper
1dddad20c9 Don't use mapping-rfc.txt
The mapping file is now only used in `show_rfc_style()`. This PR changes `show_rfc_style()` to use the `$TLS_CIPHER_HEXCODE` and `$TLS_CIPHER_RFC_NAME` arrays.

Note that `get_install_dir()` still searches for the mapping-rfc.txt in order to determine `$INSTALL_DIR`. `$INSTALL_DIR` is only used to determine the location of the CA bundles in `determine_trust()`:
```
     local ca_bundles="$INSTALL_DIR/etc/*.pem"
```
2016-09-28 15:36:49 -04:00
Dirk
d786a94a8c output + code polishing, phrasing. lf still has space for improvements 2016-09-28 20:32:01 +02:00
David Cooper
4751a58d56 Allow cipher list to be passed to sslv2_sockets()
This PR changes `sslv2_sockets()` so that a list of ciphers may optionally be passed as an argument. This will support the use of `sslv2_sockets()` in some places where `$OPENSSL s_client` is currently used.
2016-09-28 13:46:43 -04:00
Dirk
a54df8a55b fix if statement 2016-09-28 08:00:56 +02:00
Dirk
9f313f15ea added --openssl-timeout in help 2016-09-27 23:38:47 +02:00
Dirk
4d1303f5b9 TLS 1.2 sockets not anymore experimental 2016-09-27 23:33:38 +02:00
Dirk
e1f9209c23 corrected version 2016-09-27 23:32:24 +02:00
Dirk
aab0487a96 Merge branch 'dcooper16-openss2rfc_rfc2openssl' into 2.9dev 2016-09-27 22:55:54 +02:00
Dirk
c028ec4ed6 Merge branch 'dcooper16-remove_sockread' into 2.9dev 2016-09-27 22:33:53 +02:00
Dirk
2036e1e9e0 polish: filename fix for windows, handling of existence and type of timeout 2016-09-27 22:15:57 +02:00
Dirk
bf4dd76995 Merge branch 'master' of https://github.com/TKCERT/testssl.sh into TKCERT-master 2016-09-27 21:48:43 +02:00
David Cooper
6ded937b14 Merge branch 'master' into remove_sockread 2016-09-26 17:02:53 -04:00
David Cooper
ee0279edd7 Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-26 17:01:46 -04:00
Dirk Wetter
2201c59ba3 FIX : check also for ALPN as TLS extension 2016-09-26 21:47:57 +02:00
David Cooper
98663b4c72 Merge branch 'master' into remove_sockread 2016-09-26 09:46:27 -04:00
David Cooper
1c3bf3e592 Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-26 09:45:28 -04:00
Dirk Wetter
fcdc15b24b no STARTTLS for NPN, preparing 2016-09-24 16:59:28 +02:00
Dirk Wetter
0cadeefb05 cleanup 2016-09-24 16:07:23 +02:00
Dirk Wetter
679d1b9c1f Merge pull request from nachtgeist/issue-467
Fix handling of empty argument to "-nextprotoneg" parameter
2016-09-24 16:01:47 +02:00
Weida Hong
566623c4a9 Remove duplicated do_rc4 in debug_globals() 2016-09-24 15:10:10 +08:00
Daniel Reichelt
4f04820c76 Fix handling of empty argument to "-nextprotoneg" parameter
s_client's manpage states for -nextprotoneg:

"Empty list of protocols is treated specially and will cause the client
to advertise support for the TLS extension but disconnect just after
reciving ServerHello with a list of server supported protocols."

Consequently, the previous workaround of just quoting an empty variable
is insufficient and the "-nextprotoneg" parameter has to be removed
entirely from the command-line in case of an empty argument.

In other locations where "-nextprotoneg" is used
- its argument cannot be empty ($NPN_PROTOs is initialized to a non-
  empty value and set read-only) or
- its argument is intended to be empty (line 3724) or
- the command will not be invoked at all (for-loop parameter, line 3725)

This fixes  - again.

Additionally this patch prefers usage of -alpn over -nextprotoneg if the
openssl binary used supports it.
2016-09-22 16:53:54 +02:00
David Cooper
b01f9c8132 Merge branch 'master' into remove_sockread 2016-09-21 16:12:39 -04:00
David Cooper
73d535ebb4 Merge branch 'master' into openss2rfc_rfc2openssl
Conflicts:
	testssl.sh
2016-09-21 16:11:55 -04:00
Dirk Wetter
ddbf4caa46 FIX 2016-09-21 21:59:50 +02:00