David Cooper
e2042e99d6
Initial support for certificate compression
...
draft-ietf-tls-certificate-compression specifies a new TLS extension that allows a client to indicate support for receiving the server's certificates in compressed form. This PR adds initial support for that extension to testssl.sh. It was developed based on an announcement that facebook.com has implemented support for the extension.
This PR does not add a test for a server's support for the new extension, it just adds code to parse_tls_serverhello() that will parse a compressed certificate message if one is present in the server's response. So, in practice, the code in this PR will not actually be used until additional code has been added that sends a ClientHello with the compress_certificate extension.
The code in this PR can be tested by using the --devel option and by changing line 19347 from
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
to
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
testssl.sh can then be called using
testssl.sh --debug 3 --devel 04 "13,01" facebook.com
Note that this PR adds a test for zlib support to find_openssl_binary(). The test uses $OPENSSL zlib in the same way it is used in parse_tls_serverhello(). The test asks $OPENSSL zlib to uncompress the compressed version of the string "zlib" and the checks to see whether the decompression was performed correctly. There is already a test for zlib support in run_crime(), but I did not check to see whether the check in run_crime() could be replaced with a check of the new $HAS_ZLIB variable.
2019-06-06 12:17:32 -04:00
Dirk Wetter
91e98f1fc3
Merge pull request #1274 from dcooper16/pwnedkeys
...
Check pwnedkeys.com database
2019-05-23 10:45:57 +02:00
David Cooper
0d2b955e21
Check pwnedkeys.com database
...
This PR adds a check of whether the server's public key appears in the https://pwnedkeys.com database.
2019-05-22 10:11:34 -04:00
Dirk Wetter
d6fb232152
Merge pull request #1271 from drwetter/depr_clients
...
Depreciation of more clients
2019-05-08 23:18:03 +02:00
Dirk
d5f90218d1
Deprecation of more clients
...
* Tor 17
* Android 4.2.2
* IE 7 Vista
2019-05-08 23:12:45 +02:00
Dirk Wetter
0c750c212c
Merge pull request #1270 from drwetter/ubuntu2openjdk
...
Change the platform for Java from Ubuntu to OpenJDK
2019-05-07 19:43:58 +02:00
Dirk Wetter
7238a0167a
Change the platform for Java from Ubuntu to OpenJDK
2019-05-07 19:39:20 +02:00
Dirk Wetter
174f4ee527
Merge pull request #1268 from csett86/safari-macos
...
Add Safari 12.1 on macOS 10.13.6
2019-05-07 19:35:09 +02:00
Dirk Wetter
9273661779
Merge pull request #1269 from csett86/deprecate-java9
...
Deprecate Java 9, its EOL since March 2018
2019-05-07 08:02:44 +02:00
Christoph Settgast
c41b1f0055
Revert diff noise at end of file
2019-05-06 21:35:58 +02:00
Christoph Settgast
fa77a9c80e
Deprecate Java 9, its EOL since March 2018
...
No current distro (Ubuntu, Debian, Fedora) is still shipping it,
Oracle has EOLed it in March 2018 according to
https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
2019-05-06 21:26:30 +02:00
Christoph Settgast
a17f45b563
Add Safari 12.1 on macOS 10.13.6
...
manually wiresharked
2019-05-06 21:19:46 +02:00
Dirk Wetter
1ccc8bdcb8
Merge pull request #1263 from csett86/java
...
Add Java 11 and 12 client simulations
2019-05-06 19:40:33 +02:00
Dirk Wetter
4cae781d98
Merge pull request #1267 from drwetter/hexstream2cipher_fix
...
Don't include SSLv2 ciphers in hexstream2cipher.sh
2019-05-06 19:37:44 +02:00
Dirk
13d3b7329b
Don't include SSLv2 ciphers in hexstream2cipher.sh
2019-05-06 19:35:12 +02:00
Christoph Settgast
8c8a626b49
Remove erroneous DES-CBC-MD5 from Java 11 and 12
...
DES-CBC-MD5 was included by utils/hexstream2cipher.sh,
heres the relevant snippet, line 160:
148: c025 --> 0xc0,0x25 --> ECDH-ECDSA-AES128-SHA256
152: c029 --> 0xc0,0x29 --> ECDH-RSA-AES128-SHA256
156: 0067 --> 0x00,0x67 --> DHE-RSA-AES128-SHA256
160: 0040 --> 0x00,0x40 --> DHE-DSS-AES128-SHA256 DES-CBC-MD5
164: c009 --> 0xc0,0x09 --> ECDHE-ECDSA-AES128-SHA
168: c013 --> 0xc0,0x13 --> ECDHE-RSA-AES128-SHA
172: 002f --> 0x00,0x2f --> AES128-SHA
176: c004 --> 0xc0,0x04 --> ECDH-ECDSA-AES128-SHA
Unfortunately I don't know how to fix utils/hexstream2cipher.sh,
but I have manually removed the erroneous cipher and space from
the client-sim.
2019-05-06 18:07:43 +02:00
Dirk Wetter
29a74713ee
Merge pull request #1266 from drwetter/more_unittests1
...
t/25_baseline_starttls in line with the new scheme now
2019-05-06 14:08:54 +02:00
Dirk Wetter
33ece6858d
In line with the new scheme now
2019-05-06 14:07:08 +02:00
Dirk Wetter
c5d76fec27
Merge pull request #1265 from drwetter/more_unittests1
...
Another (minor) step forwad for unit tests
2019-05-06 11:22:42 +02:00
Dirk Wetter
51e8373efb
Update to newest template
...
* die statement if testssl.sh cannot be found from the current path
* comment everything out for JSON
* don't repeat the pattern, use a variable
* use "speaking" variable names
2019-05-06 11:20:28 +02:00
Dirk Wetter
802d0defe7
Better phrased and provide examples
2019-05-06 11:13:37 +02:00
Dirk Wetter
cf7c1ba4ae
Merge pull request #1262 from drwetter/more_unittests1
...
More unit / integration tests + Fix client simulation with OpenSSL, LDAP
2019-05-05 18:43:13 +02:00
Dirk Wetter
710017ba57
Merge branch 'more_unittests1' of github.com:drwetter/testssl.sh into more_unittests1
2019-05-05 15:08:18 +02:00
Dirk Wetter
15df3316c1
Formatting fixed
2019-05-05 15:07:55 +02:00
Dirk Wetter
62bd23a632
add headline+note
2019-05-05 13:54:56 +02:00
Dirk Wetter
3785e9d622
Proper formatting
2019-05-05 13:45:23 +02:00
Dirk Wetter
c3ff9e85f9
Rename file according to new scheme
...
... Readme.md
2019-05-05 13:44:02 +02:00
Dirk Wetter
666e897623
renamed
2019-05-05 13:42:48 +02:00
Dirk Wetter
b63c389b54
Renamed
2019-05-05 12:58:49 +02:00
Dirk Wetter
b9aee02978
Split IPv6 + IPv4
...
... and disable IPv6 test as it is NOT supported by Travis CI,
see https://docs.travis-ci.com/user/reference/overview/#virtualisation-environment-vs-operating-system
The *.disabled file should provide a start if it'll be available
at some time or one can manage this in travis with a docker container,
see https://github.com/travis-ci/travis-ci/issues/8891
2019-05-05 12:53:07 +02:00
Dirk Wetter
50a83235fe
Renamed + testssl.net (IPv6)
2019-05-05 12:08:13 +02:00
Christoph Settgast
11416790cd
Add Java 12 from Ubuntu 19.04
...
manually wiresharked, detailed version info:
$ java -version
openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12-Ubuntu-1)
OpenJDK 64-Bit Server VM (build 12.0.1+12-Ubuntu-1, mixed mode, sharing)
2019-05-04 22:30:46 +02:00
Christoph Settgast
c4b5f33532
Add Java 11 from Ubuntu 18.04
...
manually wiresharked, detailed version info:
$ java -version
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment (build 11.0.2+9-Ubuntu-3ubuntu118.04.3)
OpenJDK 64-Bit Server VM (build 11.0.2+9-Ubuntu-3ubuntu118.04.3, mixed mode)
2019-05-04 22:20:53 +02:00
Dirk Wetter
df88577ec4
Add basline test for IPv4 and IPv6
...
... client simulations come later. One pattern for
failed output added
2019-05-04 13:51:20 +02:00
Dirk Wetter
19e9137f79
Add --vulnerabilities and LDAP constraints to documentation
2019-05-04 11:57:03 +02:00
Dirk Wetter
9c0a1459c0
Merge pull request #1261 from drwetter/safari-fix
...
Fix error + round brackets
2019-05-04 11:09:10 +02:00
Dirk Wetter
bfd6caa624
Fix error + round brackets
...
PR #1260 missed a 'current' line which caused an output problem.
I'd like to add round brackets to the displayed name so that we remember
what comes from wireshark and waht from SSLlabs
2019-05-04 11:05:57 +02:00
Dirk Wetter
d15fbedaa1
Merge pull request #1260 from csett86/safari121-ios122
...
Add Safari 12.1 from iOS 12.2
2019-05-04 10:53:48 +02:00
Christoph Settgast
67c0dd106e
Add Safari 12.1 from iOS 12.2
...
Manually Wiresharked
2019-05-04 00:58:31 +02:00
Dirk Wetter
dc64753085
Add error catcher also for --ssl-native + FTP
2019-05-03 20:46:06 +02:00
Dirk Wetter
de45440279
better use the right protocol when checking ldap
2019-05-03 20:26:59 +02:00
Dirk Wetter
9257654522
fix wrong variable
2019-05-03 20:11:42 +02:00
Dirk Wetter
b60dbc0fa6
Code + Fix
...
- Removed doubled declaration (my)
- hopefully fix error in FTPs (should maybe think about changing
the line in testssl.sh or filter here always)
2019-05-03 20:08:31 +02:00
Dirk Wetter
72136437bb
Proper file naming
2019-05-03 19:32:59 +02:00
Dirk Wetter
1825a8ca33
Fix output for POP (STARTTLS unit test)
2019-05-03 19:32:25 +02:00
Dirk Wetter
2996d24176
Add several unit tests for STARTTLS protocols
...
- SMTP via sockets+OpenSSL
- POP3 via sockets+OpenSSL
- IMAP via sockets+OpenSSL
- XMPP via sockets+OpenSSL
- FTP via sockets+OpenSSL
- LDAP via OpenSSL
- NNTPS via sockets+OpenSSL
Open: IRC, LTMP, mysql, postgres
This PR fixes #923 . Partly it addresses #1254
2019-05-03 19:27:31 +02:00
Dirk Wetter
2d719e5ebe
Add cmdlines
...
* t / --starttls irc/ircs (which will fail later for now)
* --vulnerabilities : not yet the moment for renaming
2019-05-03 19:25:37 +02:00
Dirk Wetter
bb5450e3f5
Make STARTTLS + LDAP work again (via sockets)
...
A couple of checks required sockets but e.g. LDAP via STARTTLS
throwed an error (FIXME: LDAP+STARTTLS over sockets not supported yet)
in fd_sockets().
This adds a temporary workaround so that those functions are bypassed
and LDAP via STARTTLS can be used again.
See also #1258
2019-05-03 18:55:28 +02:00
Dirk Wetter
bdbc194491
Beautify and simplify the code
2019-05-03 16:38:44 +02:00
Dirk Wetter
c38a1e6896
Major imporvement to unit test for client simulations
...
- we don't check the head line only but errors
- don't use "pass" if you didn't run a test
- add simulation for http too
2019-05-03 16:24:57 +02:00