Commit Graph

2247 Commits

Author SHA1 Message Date
Dirk
c7a0de1280 fixed missing ps
and removed additional packages for dns clients
2017-11-16 21:16:06 +01:00
Dirk
54b9119162 FIX #897 2017-11-16 01:07:26 +01:00
Dirk
7ec0d7ffb7 Polish #846, correct level for OCSP and GOST 2017-11-14 20:50:14 +01:00
Dirk
e450eb34e4 FIX #846 -- add output filename prefix
This commit adds the possibility to supply a output
file name prefix via --outprefix or FNAME_PREFIX
2017-11-14 19:41:25 +01:00
Dirk Wetter
1a7b761f5b
Merge pull request #688 from dr4y/2.9dev
Dockerfile for testssl.sh
2017-11-14 17:39:43 +01:00
Dirk
6ce2a98637 updated
with TLS 1.3 and forgotten improvements so far.
Add interesting projekt privacyscore.
2017-11-14 13:52:13 +01:00
Dirk
2379af5a5f Rearranged credits
David needs really really to come first.
The remaining contributors now in alphabtical order
2017-11-14 13:49:27 +01:00
Dirk Wetter
ea86884e05
Merge pull request #895 from dcooper16/heartbleed_tls_sockets
Use tls_sockets() for run_heartbleed()
2017-11-13 16:20:47 +01:00
David Cooper
07d6aa8e60 Use tls_sockets() for run_heartbleed()
This PR changes run_heartbleed() to use tls_sockets() to send the ClientHello and to read the ServerHello.
2017-11-08 08:51:20 -05:00
Dirk Wetter
db9000a955
Merge pull request #894 from dcooper16/fix_std_cipherlists_false_positives
Fix false positive in std_cipherlists()
2017-11-08 08:46:30 +01:00
David Cooper
fdfaa01946
Fix false positive in std_cipherlists()
This PR fixes a false positive in std_cipherlists(). Currently, sclient_success is not initialized (so it initially set to 0). If a server is being tested that only supports TLSv1.3, the --ssl-native option is not used, and run_protocols() is run before run_std_cipherlists(), then for many of the calls to std_cipherlists() no tests are run and so sclient_success remains at its initial value (0), which is treated as success (i.e., the server supports at least one of the ciphers in the list).

The reason this happens is that in the testing loop, the TLSv1.3 test is skipped if the list of ciphers doesn't include any TLSv1.3 ciphers (and only the "Strong encryption" test includes TLSv1.3 ciphers) and the tests for each of lower versions of SSL/TLS is skipped since it was already determined in run_protocols() that those versions weren't supported.
2017-11-07 11:53:49 -05:00
Dirk Wetter
3c427c31a0
Remove Matt's pointer to the image
... until it is more up to date
2017-11-06 21:56:06 +01:00
Dirk
5bd8cb08ba fix #892 (trailing dot in supplied hostname)
... and do minor updates to do bash internal functions in ``parse_hn_port()``
2017-11-05 22:41:11 +01:00
Dirk
000f957646 minor changes on TLS 1.3 protocol tests (see #890) 2017-11-05 20:30:18 +01:00
Dirk Wetter
b613f3fcf0
Merge pull request #889 from dcooper16/run_pfs_tls13
Add TLSv1.3 support for run_pfs()
2017-11-05 14:40:06 +01:00
Dirk Wetter
a9c0804749
Merge pull request #890 from dcooper16/run_protocols_tls13
Add TLSv1.3 support for run_protocols()
2017-11-05 14:39:40 +01:00
David Cooper
a75617cfdb Add TLSv1.3 support for run_protocols()
This PR adds a check for TLSv1.3 support to run_protocols(), checking for support for the final version of TLSv1.3 (0x0304) as well as drafts 18, 19, 20, and 21 (0x7F12, 0x7F13, 0x7F14, and 0x7F15).
2017-11-02 17:22:04 -04:00
David Cooper
dd58fbb9aa
Add public keys
Add the public keys corresponding to the key pairs in TLS13_KEY_SHARES.
2017-11-02 11:44:29 -04:00
David Cooper
cd6c84bfd3
Add a secp224r1 key pair 2017-11-02 11:30:24 -04:00
David Cooper
a102ee8fb6
Add TLSv1.3 support for run_pfs()
This PR adds TLSv1.3 support for run_pfs().
2017-11-02 11:28:09 -04:00
Dirk
9daec2a515 Add "auto" keyword to -oA/-oa (FIX #887)
File names are now auto-generated by using "-oA auto" / -oa "auto"
--similar to --csv and friends.

Also the formerly hidden switches --outFile and --outfile were added in the
help and in the manual.
2017-11-01 09:58:52 +01:00
Dirk
9b7000e87e Final check to make sure fileout and pr*warning correlates
Made sure that if fileout has a WARN or DEBUG flag it is
consistent with pr*warning. FIX #518
2017-10-31 12:23:16 +01:00
Dirk
2aeabd19b2 Better clarification on bit size and encryption strength
Fix #770
2017-10-31 12:00:09 +01:00
Dirk
278202ace9 FIX #848 -- determine tls date only when instructed
Former code implied a determination of the TLS time in
every call of tls_sockets() despite the fact that the
value is only needed at one point in the run.

This removes this behaviour by introducing another global
boolean switch TLS_DIFFTIME_SET which determines whether
the additional cost will be paid or not.

The gain in execution time is a bit meager though. At
most it seems it's 1-3 seconds.
2017-10-31 11:27:19 +01:00
Dirk
dca4da4736 FIX #884, FIX #885
For servers with client authentication one would need to supply a x509
certificate to check session resumption by ID or ticket. This is not (yet?)
supported in testssl.sh.

This commit fixes the misleading error message so that it is clear what the
problem is.
2017-10-30 18:41:19 +01:00
Dirk Wetter
bec17e1ad6
Merge pull request #886 from dcooper16/Expect_CT_header
Add check for the Expect-CT header
2017-10-30 17:08:41 +01:00
David Cooper
ad6cde996a
Add check for the Expect-CT header
This commit adds a check for the Expect-CT header to run_more_flags().
2017-10-30 11:48:48 -04:00
Dirk Wetter
b9723424e7
Merge pull request #882 from dcooper16/suppress_config_file_warn
Suppress more config file warnings
2017-10-30 08:41:55 +01:00
Dirk Wetter
fd9ee18ab5
Merge pull request #883 from dcooper16/run_cipher_match_tls13
Add TLSv1.3 support for run_cipher_match()
2017-10-27 23:58:28 +02:00
David Cooper
24c342b34b
Add TLSv1.3 support for run_cipher_match()
This PR adds TLSv1.3 support for run_cipher_match(). It also addresses issue #660 for run_cipher_match().
2017-10-27 13:52:09 -04:00
David Cooper
1addd74178
Suppress more config file warnings
This PR is a continuation of #833.

With additional testing with different options I encountered more places where $OPENSSL was printing "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" where testssl.sh was not suppressing the error message.

This PR redirects stderr to /dev/null or to $ERRFILE for several more calls to $OPENSSL in order to suppress these warning messages.
2017-10-27 13:07:04 -04:00
Dirk Wetter
a0fc34763f
Merge pull request #881 from dcooper16/libressl_enc_names
Fix problem with LibreSSL encryption names
2017-10-27 17:55:15 +02:00
David Cooper
a25cbf5078
Fix problem with LibreSSL encryption names
For ciphers that use the ChaCha20-Poly1305 cipher, LibreSSL shows "Enc=ChaCha20-Poly1305" in the "openssl ciphers -V" command rather than "Enc=ChaCha20(256)" and for some GOST ciphers it shows "Enc=GOST-28178-89-CNT" rather than "Enc=GOST(256)". This causes a problem for neat_list() if information is being obtained from "$OPENSSL ciphers -V" rather than from the cipher-mapping.txt file.
2017-10-27 11:49:11 -04:00
Dirk Wetter
884fa3ffed Merge pull request #879 from dcooper16/use_helper_function
Use read_sigalg_from_file() helper function
2017-10-27 17:13:26 +02:00
David Cooper
06f842ae69 Use read_sigalg_from_file() helper function
This PR fixes several places where the read_sigalg_from_file() helper function isn't being used.
2017-10-27 10:34:04 -04:00
Dirk
a85ca3c250 FIX #765
Inconsistency in using optional and mandatory parameters in help and man page
2017-10-26 11:46:14 +02:00
Dirk
4e70ac6ad5 FIX #870 = testssl.sh -v/-b picks up wrong openssl binary 2017-10-22 23:41:17 +02:00
Dirk Wetter
f88e3d89f1 Merge pull request #826 from dcooper16/fix772
Complete fix of #772
2017-10-22 23:28:16 +02:00
Dirk Wetter
b16a86cf46 Merge pull request #827 from dcooper16/OpenSSL_111_fix
Another fix for OpenSSL 1.1.1
2017-10-22 23:27:50 +02:00
Dirk Wetter
90eb1f128c Merge pull request #873 from tomwassenberg/comment-fix
Correct small inconsistency in code comment
2017-10-21 11:49:08 +02:00
Tom Wassenberg
39bc207d0e
Correct small inconsistency in comment
The main parameter is referred to as "<URI>" everywhere, except for in one
comment, where it was "<host>". Made this consistent with other uses.
2017-10-20 21:36:41 +02:00
Dirk
e3b254d0a1 FIX #869 2017-10-20 19:58:20 +02:00
David Cooper
63fe5fa170 Complete fix of #772
PR #777 introduced a proposed solution to #772. This PR applies the proposed solution wherever it was not applied in #777.
2017-10-20 13:54:18 -04:00
David Cooper
0efaf9114f Another fix for OpenSSL 1.1.1
If testssl.sh is used with OpenSSL 1.1.1 and TLSv1.3 support is enabled, then the check for whether the server has a cipher order will always fail. The problem is that since the call to s_client doesn't specify a protocol a TLSv1.3 ClientHello will be sent. However, the call specifies a list of ciphers that doesn't include any TLSv1.3 ciphers. So, OpenSSL will fail with the error: "No ciphers enabled for max supported SSL/TLS version." The solution is to add the "-no_tls1_3" option.

This PR fixes the problem by taking advantage of the recently-added s_client_options() function. It adds a "-no_tls1_3" option whenever:
* $OPENSSL supports TLSv1.3
* The command line doesn't specify any protocol: -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3.
* The command line includes the -cipher option
* The list of ciphers that will be sent doesn't include any TLSv1.3 ciphers.

Add TLSv1.3 support to run_cipher_per_proto()

Fix branch
2017-10-20 13:51:29 -04:00
Dirk Wetter
f212b609ab Merge pull request #867 from dcooper16/tls13_for_run_allciphers
Add TLSv1.3 support for run_allciphers()
2017-10-20 18:12:02 +02:00
Dirk Wetter
d65566921f Merge pull request #868 from dcooper16/tls13_for_run_server_preference
Add TLSv1.3 support for run_server_preference()
2017-10-20 18:09:17 +02:00
David Cooper
ca7c8200eb Add TLSv1.3 support for run_server_preference()
This PR adds support for TLSv1.3 to run_server_preference(). It only provides partial support, as it only works if the support supports and earlier TLS protocol (in order to determine whether the server has a cipher order). It also will only show TLSv1.3 as the "Negotiated protocol" if $OPENSSL supports TLSv1.3.

This PR also fixes a bug in which the variable "proto" was defined as used as both a regular variable and as an array.
2017-10-20 11:40:19 -04:00
David Cooper
fb5c049fd7 Add TLSv1.3 support for run_allciphers()
This PR adds TLSv1.3 support for run_allciphers(). It also addresses issue #660 for run_allciphers().
2017-10-20 11:39:30 -04:00
Dirk
50fa1e74bd Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-10-20 16:45:59 +02:00
Dirk
d3795f1254 Add output options similar to nmap (FIX #861) 2017-10-20 16:32:57 +02:00