Commit Graph

92 Commits

Author SHA1 Message Date
David Cooper
5002dd23b1 Add support for brainpool curves with TLS 1.3
This commit adds support for the curves brainpoolP256r1tls13, brainpoolP384r1tls13, and brainpoolP512r1tls13.
2023-03-28 08:53:20 -07:00
Dirk Wetter
de48956639
Merge pull request #2237 from a1346054/which
Use bash-builtin `command -v` instead of external `which`
2022-09-14 21:25:14 +02:00
a1346054
902bdf3d92
Use bash-builtin command -v instead of external which
`command -v` is a bash builtin and is a standardized version of `which`
2022-09-12 23:24:26 +00:00
a1346054
4712c48597
Use grep -E instead of egrep 2022-09-12 20:12:28 +00:00
Dimitri Papadopoulos
fcb282e3c3
Typos found by codespell
Run codespell in CI
2021-09-14 13:33:39 +02:00
a1346054
1b17a2c67d Fix shellcheck warnings 2021-09-03 22:19:39 +00:00
Dirk
59c0b38140 see previous commit 2021-07-25 17:14:12 +02:00
Dirk
b1c1d250cf Redo utils/gmap2testssl.sh
.. mainly copied from testssl.sh. Also it adds a detection for the
strings ssl and https. If those run at non-stanadard ports but nmap
detected it, it'll show up in the output file.

That will be backported to the main program, see #1931 .
2021-07-25 16:28:50 +02:00
Dirk Wetter
2d3bd724fc
Merge pull request #1912 from PeterDaveHello/MakeShellScriptShebangConsistent
Make Shell Scripts' Shebang more consistent
2021-06-18 08:59:22 +02:00
Peter Dave Hello
ce634f7deb Correct exit using, the exit status should be 0~255
According to the POSIX Programmer's Manual, the exit status specified by
the unsigned decimal integer. If n is specified, but its value is not
between 0 and 255 inclusively, the exit status is undefined.

By cross reference the usage between different scripts in this project,
it looks like we could simply remove the `-` before the number.
2021-06-15 16:04:23 +08:00
Peter Dave Hello
4de952a4dd Make Shell Scripts' Shebang more consistent
Consider most of the scripts use bash in the project, should maybe just
use it, instead of /bin/sh in all the scripts.
2021-06-15 15:52:49 +08:00
Peter Dave Hello
cbae32e5a4 Add missing vim modeline config in sh & perl files, cc #1901 2021-06-01 14:40:24 +08:00
Peter Dave Hello
9e61b8ba13 Make vim modeline config consistent, cc #1901 2021-06-01 14:31:31 +08:00
Peter Dave Hello
50ee914ee4 Make Shell Scripts' Shebang more consistent and portable 2021-05-31 15:27:37 +08:00
Peter Dave Hello
8d42528ec6 Correct "GitHub" case as it should be 2021-05-30 01:19:58 +08:00
Alexander Troost
57ffe08dd4 Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
Dirk Wetter
75be8d9f38 remove jq and beautify last line 2020-02-15 12:09:33 +01:00
David Cooper
46c05c6732 Fix client simulation
replace ciphers with ch_ciphers and sni with ch_sni in client simulation data file.
2020-01-31 10:52:50 -05:00
Dirk Wetter
ca8054184b remove also leading colon in helper script bc of GREASE 2020-01-22 10:52:07 +01:00
Dirk Wetter
adfa411e24
add also here -z 2020-01-17 15:24:36 +01:00
Dirk Wetter
1fb2db02a7
Update docker-debian10.tls13only.start.sh 2020-01-17 11:57:13 +01:00
Dirk Wetter
331b5cb750 Output changes
* add TLS_EMPTY_RENEGOTIATION_INFO_SCSV in screen output
* remove trailing ":" to be sure no one copies it, see also #1440
2020-01-14 17:38:02 +01:00
Dirk
ce0be5fefc Handle problem when pulling fails
... when e.g. sitting in a German train with bad internet connection
2019-12-09 10:26:39 +01:00
Dirk Wetter
326558dec1
Remove c&p relict 2019-10-28 18:36:39 +01:00
Dirk Wetter
bcc1298eb3
0-RTT dockerfile script for nginx 2019-10-02 17:52:34 +02:00
Dirk Wetter
fe43d9dd0c
Docker files for testing
docker-debian10.tls13only.start.sh can be linked to e.g. docker-debian10.tls13.start.sh, then also TLS 1.2 is added.
2019-10-02 17:50:11 +02:00
pihug12
dbacbe7912 Fix "make-openssl111.sh" 2019-07-10 08:54:55 +02:00
Dirk
c335ded6d3 Enable more tests, change to newer JSON scheme 2019-07-09 22:49:12 +02:00
Dirk
13d3b7329b Don't include SSLv2 ciphers in hexstream2cipher.sh 2019-05-06 19:35:12 +02:00
Dirk
5f047db92f Add client simlation data and provide howto
While we are thankful that Ivan Ristic permitted to use the client
data from SSLlabs, it became of bit outdated now (see #1158). Also
as sslhaf [1] was used, the data comes from HTTP traffic only.

This is a start to address it. It provides data from Android 9
(connecting to the play store, so that it is sure we don't capture
a ClientHello from an application having an own TLS stack.

Also it provides documentation how to grab data yourself, and
provide it back to testssl.sh.

Aim is at least for testssl.sh 3.0 to add Android 8 and OpenSSL 1.1.1 (@drwetter).

My hope others can assist with  Safari on OSX 11 and 12. Java 10 and 11,
and a recent Opera and Edge version. (Firefox and Chrome are out of
date too)

Mail clients to follow later.

[1] https://github.com/ssllabs/sslhaf
2019-04-18 10:06:01 +02:00
Dirk
e768ab3f7b Remove file as Not needed 2019-04-18 10:04:08 +02:00
Dirk
44881d5eba Revert change for MacOSX as hinted 2019-03-19 10:00:13 +01:00
Dirk
57054bc149 minor code improvements 2019-02-22 15:09:05 +01:00
Dominik Herrmann
9d26b86030
Update make-openssl.sh: Darwin compatibility
- Darwin doesn't build with -static (removed; file name suffix changed to "dynamic" in this case)
- Darwin has a different openssldir (/private/etc/ssl)
- script doesn't fail any more at make clean step in case there is no Makefile yet
- Darwin 64 bit compilation needs ./Configure instead of ./config and an explicit reference to darwin64-x86_64-cc
2019-02-22 11:17:57 +01:00
Dirk
ed7e7d8d50 Add line for Darwin
not sure whether -static just works. TBD
2019-02-22 10:07:46 +01:00
Dirk
0431b7166a Check for OpenSSL + use unames 2018-11-12 20:52:36 +01:00
Dirk
de7f7b6cab Check for OpenSSL + use unames 2018-11-12 20:46:35 +01:00
Dirk
ee8c70bce3 Minor polish
Typos, cleanup ec_nistp_64_gcc_128 (for 64 bit at least), add -DOPENSSL_TLS_SECURITY_LEVEL=0
2018-07-18 00:57:32 +02:00
Dirk
5d5d21af04 Make script for OpenSSL 1.1.1 tree 2018-07-17 00:41:21 +02:00
Dirk Wetter
55adbf905f
Merge pull request #1033 from dcooper16/client_sim_data_tls13
TLS 1.3 clients in update_client_sim_data.pl
2018-04-16 09:07:35 +02:00
David Cooper
f0ebf0339b
update_client_sim_data.pl and GREASE ciphers
Two GREASE ciphers currently appear in https://api.dev.ssllabs.com/api/v3/getClients: 0x3A3A for Chrome 57 and 0xAAAA for Chrome 65.

update_client_sim_data.pl currently only recognizes 0x3A3A as a GREASE cipher and so prints a "FIXME" for 0xAAAA. This PR fixes the problem by adding all 16 ciphers from https://tools.ietf.org/html/draft-ietf-tls-grease-00 to update_client_sim_data.pl.
2018-04-13 17:19:27 -04:00
David Cooper
639b1af916 TLS 1.3 clients in update_client_sim_data.pl
https://api.dev.ssllabs.com/api/v3/getClients incorrectly indicates a highestProtocol of 771 (TLS 1.2) for clients that support TLS 1.3, which leads run_client_simulation() to incorrectly report "no connection" if the client would have actually connected using TLS 1.3.

This has been addressed by manually editing etc/client-simulation.txt to set the highest_protocol to 0x0304 for the clients that support TLS 1.3.

This PR modifies update_client_sim_data.pl to automatically apply the fix for clients that support TLS 1.3 in order to avoid a possible regression when etc/client-simulation.txt is updated.
2018-04-13 16:51:06 -04:00
David Cooper
cd8ceae80e Add curve information to SSL native client simulations
When performing client simulations in "--ssl-native" mode, provide the client's list of supported curves to "$OPENSSL s_client" in order to make the results even more accurate.
2018-04-11 13:48:40 -04:00
David Cooper
39db50eea2 Improve SSL native client simulation
This PR improves client simulation in "--ssl-native" mode:

* It changes ${protos[i]} to list the protocols that should be disabled rather than those that should be enabled, except in the case that the client only supports one protocol.

* It sets the values for ${tlsvers[i]}, which is used in run_client_simulation(), but was not defined.

* It adds a new variable, ${ciphersuites[i]}, that lists the TLSv1.3 cipher suites supported by a client.

Client simulation still produces false results in "--ssl-native" mode, but the results are better than before.
2018-04-10 16:57:24 -04:00
Karsten Weiss
eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk
407358623e Fix, header restore, TLS13 ciphers
This fixes a bug which prevented the script from running properly. Also
the commit restores writing a correct comment header. In addition it
adds TLS 1.3 ciphers.
2018-01-03 21:41:09 +01:00
Dirk
26c77cc3c2 any openssl will do 2017-09-18 14:02:12 +02:00
Dirk Wetter
4379174970 rename generated file, comment it better + take care of one GREASE cipher 2017-08-30 23:02:21 +02:00
Dirk
69fa8ca378 several improvements
timeout: the TLS ticket check has a timeout, so that early on non-reachable hosts
are determined. If it is running into the timeout, it quits early. The
timeout is configurable via environment e.g. TIMEOUT=16 ./ticketbleed.bash <host>

Also other ports are allowed albeit it probably it is of limited use

Supplying no arg is now more user-friendly
2017-06-09 12:45:22 +02:00
Dirk
15219475e9 strip supplied port automatically 2017-06-09 11:27:59 +02:00