Commit Graph

4603 Commits

Author SHA1 Message Date
Dirk Wetter f71619326d
Merge pull request #2362 from drwetter/fix_2361_dnsminimal
Fix misleading output
2023-05-16 10:44:56 +02:00
Dirk Wetter 9b8dc3a07e Fix misleading output
... when instructed to do no DNS queries at all
2023-05-16 09:05:04 +02:00
Dirk Wetter be987d17a0
Merge pull request #2360 from mum-viadee/run_renego_sni_patch
Secure renegotiations tests need servername for servers that use SNI
2023-05-15 15:26:37 +02:00
mum-viadee 22a4f52774 Clarify comment, redone 2023-05-15 15:20:54 +02:00
mum-viadee 6216bcd635 Revert "Update testssl.sh"
This reverts commit e33e0bc204.
2023-05-15 15:16:16 +02:00
Dirk Wetter e33e0bc204
Update testssl.sh
clarify comment
2023-05-15 15:04:59 +02:00
mum-viadee 93466806f5 Added SNI to openssl call for testing secure client-initiated renegotiation 2023-05-15 08:13:21 +02:00
mum-viadee f0f6b1a4fb Typo in comment corrected 2023-05-12 14:26:27 +02:00
mum-viadee 04f7b34028 Added SNI to openssl call for testing secure renegotiation 2023-05-12 13:53:54 +02:00
Dirk Wetter aa5235e658
Merge pull request #2346 from Odinmylord/3.1dev
Add information to RSA-PSS report
2023-04-01 09:51:27 +02:00
Dirk Wetter a04291fdb1
Merge pull request #2352 from dcooper16/pss_cert_tls13
Find RSASSA-PSS certificates with TLS 1.3
2023-03-31 16:38:14 +02:00
Dirk Wetter 13b42069d5
Merge pull request #2353 from dcooper16/brainpooltls13
Add support for brainpool curves with TLS 1.3
2023-03-31 16:36:33 +02:00
David Cooper dc996ba2b9 Find RSASSA-PSS certificates with TLS 1.3
This commit fixes get_server_certificate() so that it can obtain certificates with RSASSA-PSS subject public keys over TLS 1.3.
2023-03-28 14:31:28 -07:00
David Cooper 5002dd23b1 Add support for brainpool curves with TLS 1.3
This commit adds support for the curves brainpoolP256r1tls13, brainpoolP384r1tls13, and brainpoolP512r1tls13.
2023-03-28 08:53:20 -07:00
Dirk Wetter 82fbd8076e
Merge pull request #2347 from drwetter/suse_docker
Switching from Alpine Image to multistaged opensuse/leap
2023-03-24 09:23:26 +01:00
Dirk 91f3d9716b amending previous commit 2023-03-23 15:05:15 +01:00
Dirk 90aa86ce6b add another contributor and change
(not related to this PR but it'll be forgotten otherwise)
2023-03-23 14:45:51 +01:00
Dirk Wetter f95d0dd09a
Merge pull request #2328 from drwetter/w4ntun-merge
fixed DNS via Proxy
2023-03-23 14:31:17 +01:00
Dirk bad5dedf42 correcting Brennan's name 2023-03-23 14:22:05 +01:00
Dirk 48a597e19d don't forget the kudos ;-) 2023-03-23 09:11:14 +01:00
Odinmylord 035996cc44 updated default_testssl.csvfile with new RSA-PSS 2023-03-23 00:14:15 +01:00
Odinmylord cf0c1c1f5f Added more details to the SignatureAlgorithms 2023-03-22 23:14:56 +01:00
Dirk Wetter 37c17a5e09
Merge pull request #2344 from polarathene/refactor/dockerfile-to-opensuse
refactor(dockerfile): Change base Alpine (3.17) => openSUSE Leap (15.4)
2023-03-22 11:10:21 +01:00
Brennan Kinney 6af0a801ec chore: Bring back `ZYPPER_OPTIONS` 2023-03-22 22:56:59 +13:00
Brennan Kinney 1212ad8e59 refactor: Support syntax without BuildKit features
These have been available via opt-in prior to v23 of Docker Engine with `DOCKER_BUILDKIT=1` ENV as a prefix to running `docker build`, however it's been requested to avoid the syntax.

No HereDoc (multi-line RUN with EOF marker) or `RUN --mount` available. This makes the `busybox` approach a hassle, so I've brought back the explicit creation of user and home dir.

Without the cache mounts, bring back `zypper clean`. It's not doing much as the `--cache-dir` is still set, but should reduce disk space for the `builder` layer. Local builds will be slower as a result when this layer is invalidated.

AFAIK, this also makes it tricky to use the `ZYPPER_OPTIONS`? So no longer DRY.
2023-03-22 22:16:28 +13:00
Brennan Kinney 718eb3461c chore: Revise `Dockerfile`
- Removing bulk of the noise from inline documentation.
- Packages bundled into single line like previous the Alpine version had.
- `CACHE_ZYPPER` is only used as an `ARG` in the `builder` stage.
- `zypper clean` wasn't able to clear anything from the install root, other than the `CACHE_ZYPPER` mount.
2023-03-22 21:31:34 +13:00
Brennan Kinney 0b86094ab9 fix: `WORKDIR` before `adduser` avoids surprises
The additions from `adduser` reading `/etc` does not appear to apply if the directory already exists, and permissions (including SGID) are adjusted properly for the home dir.

This mean the excess backup copies in `/etc` are introduced again however.
2023-03-22 21:19:05 +13:00
Brennan Kinney 48c180d0d8 fix: Manually create `testssl` user and home
BusyBox `adduser` was reading config from `/etc` that unnecessarily populates the home folder with various dot files.

Alternative approach is to create the user and home folder manually. This avoids some extra files like the `-` suffixed backup copies from `adduser`.
2023-03-22 21:19:05 +13:00
Brennan Kinney 1392987f01 refactor: Change base image from `alpine:3.17` to `opensuse/leap:15.4` 2023-03-22 21:19:05 +13:00
Dirk d001bba86b Finalize DNS via Proxy
See #2328, original PR #2295 from @w4ntun .

Formally testssl.sh returned an error when it wasn't not possible to determine IP
addresses through DNS resolution, even if --proxy and --ip=proxy flags are set.
The main function always tried to determine IP addresses via DNS and exits with
a fatal error if it cannot do it. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.

This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.

ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.

In addition:
* help() was amended to add --ip=proxy (was only in the ~i/doc dir before)
* amending ~/doc dir to document it's better to add --nodns=min when there's
  no local resolver
2023-03-21 19:40:40 +01:00
Dirk Wetter cb451777d2
Merge pull request #2338 from drwetter/CAstores_update
CA astores update
2023-03-18 20:19:03 +01:00
Dirk Wetter aac696b0a0 Updated root CA stores 2023-03-17 18:06:57 +01:00
Dirk Wetter 6106887fdd Update DST CA 2023-03-17 18:06:03 +01:00
Dirk Wetter 419aae3c98 updates docu to reflekt actual status 2023-03-17 18:05:24 +01:00
Dirk Wetter 2659a13086
Merge pull request #2336 from drwetter/drwetter-patch-4
Update codespell.yml
2023-03-12 18:12:29 +01:00
Dirk Wetter 6cea273a68
Update codespell.yml
add exception for aNULL which should work now
2023-03-12 17:55:10 +01:00
Dirk Wetter b84e182ca2
Merge pull request #2332 from drwetter/sanitize_fileout
Make sure control chars from HTTP header don't end up in html,csv,json
2023-03-12 16:18:20 +01:00
Dirk Wetter 83f67b4fb7
Merge pull request #2333 from drwetter/drwetter-patch-4
Update .gitignore
2023-03-12 16:00:11 +01:00
Dirk Wetter 8643ed4c72
Update .gitignore 2023-03-12 15:57:01 +01:00
Dirk Wetter cacd8c57b1 Add variable htmlfile + filter GOST message
... which is needed for newer LibreSSL/OpenSSL versions
2023-03-12 15:09:24 +01:00
Dirk Wetter 2e33c483dd remove comma in tr as it was interpreted as such 2023-03-12 14:52:11 +01:00
Dirk Wetter fab67d0cca Remove CR in server banner
... which caused a problem in t/32_isHTML_valid.t.

Also the test for an empty server banner was simplified
2023-03-12 14:00:55 +01:00
Dirk Wetter d298b41d2c add aNULL exception to codespell 2023-03-11 14:06:47 +01:00
Dirk Wetter 06506b371e Make sure control chars from HTTP header don't end up in html,csv,json
This addresses the bug #2330 by implementing a function which removes
control characters from the file output format html,csv,json at the
output.

In every instance called there's a check before whether the string
contains control chars, hoping it'll save a few milli seconds.

A tr function is used, omitting LF.

It doesn't filter the terminal output and the log file output.
2023-03-11 13:38:28 +01:00
Dirk 9afa277c02 another indent correction 2023-03-03 12:50:02 +01:00
Dirk 2b6bd2f1dd fix indentation 2023-03-03 12:47:12 +01:00
Dirk 581788ff39 Merge branch '3.1dev' of https://github.com/w4ntun/testssl.sh into w4ntun-3.1dev 2023-03-03 12:31:26 +01:00
Dirk Wetter 88763f47a8
Merge pull request #2326 from drwetter/fix_mime-type
Fix Accept Header
2023-02-20 20:29:14 +01:00
Dirk a14fc5bdcf Fix Accept header
see #2325.

"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
2023-02-20 15:01:40 +01:00
Dirk Wetter e57527f3ec
Merge pull request #2321 from drwetter/align_json+terminal@run_cipherlists
Rename 3 jsonIDs in run_cipherlists(): breaking change
2023-02-08 17:07:42 +01:00