1
0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-15 02:01:57 +02:00
Commit Graph

3247 Commits

Author SHA1 Message Date
cce57c4613 Fix run_ssl_poodle()
PR  changed run_ssl_poodle() to only run the test if it is known that the server supports SSLv3. However, support for SSLv3 may be unknown at the time run_ssl_poodle() is run (e.g., if the server supports TLS 1 and SSLv3, and run_ssl_poodle() is the first test performed). So, run_ssl_poodle() should perform testing unless it is known that SSLv3 is not supported.
2020-01-22 11:20:34 -05:00
2181061c6e Merge pull request from drwetter/shortcurt_vulns
Shortcuts for vulnerability tests for TLS 1.3 only servers
2020-01-22 15:37:11 +01:00
d4d5a61a0b Hopefully make Travis shut up now
picked a TLS 1.2 host
2020-01-22 11:30:21 +01:00
cae052cfab Address some HTML check failures in travis
(shouldn't work too late)
2020-01-22 11:29:04 +01:00
39abb27dd9 cloudflare seems not good for html travis checks 2020-01-22 00:28:59 +01:00
80530aa34c remove fast as it makes problems especially with Travis+testssl.net 2020-01-21 23:53:52 +01:00
e0f8c8d43e Relax misunderstanding of DEBUG statemement
There's a check for >825 days certificate lifetime. That
check emits a debug statement when the lifetime is within
this limit. It does that also when the certificate expired.

This commit adds now the word "total"

DEBUG: all is fine with total certificate life time

to make sure the life time left not is what should be understood.
2020-01-21 22:47:53 +01:00
26a8f23ec1 Shutup Travis
... by adding the formerly intruoced "DEBUG" statement as a filter.
Note: "DEBUG" can now / should now be taken preferably for extra
output on debug level 1.

Replacing badssl.com by testssl.net. The former needed almost 5 min
for a run, whereas one IP of testssl.net needs ~80 secs. With --fast
even less.
2020-01-21 22:41:50 +01:00
952231dd94 Shortcuts for vulnerability tests
Several vulnerability checks add a time penalty when the server
side only support TLS 1.3 as The TLS 1.3 RFC 8446 and implementations
known so far don't support the flaws being checked for.

This PR adds "shortcut" checks for all TLS 1.3, assuming that the
TLS 1.3 implementation is correct which seems at this time a valid
assumpution. That either saves a TCP connect or at least some logic to
be executed.  Also in some cases a TLS 1.3 only server emitted unnecessary
warnings, see .

If $DEBUG -eq 1 then it outputs information that a shortcut was
used. It doesn't do that in other cases because the screen output
seems too obtrusive.

It also adds a shortcut for beast when SSL 3 or TLS 1.0 is is known
not to be supported.

This commit radds 747fb039ed which
was accidenially reverted in 45f28d8166.
It fixes .

See also .
2020-01-20 21:37:02 +01:00
c08250d1bb Merge pull request from drwetter/ci_setx
add check for forgotten "set -x" + provide defined start conditions
2020-01-20 12:20:07 +01:00
45f28d8166 Revert "Shortcuts for TLS13 only servers in renegotiation checks"
This reverts commit 747fb039ed.
2020-01-18 21:55:35 +01:00
44d1139e99 Revert "Complete shortcut checks (Renegotiation and CRIME)"
This reverts commit 8c24d1a6f2.
2020-01-18 21:54:42 +01:00
f109d3bbd6 add unlink / start with a clean state
... good when running "prove -v" locally and previously
the run was interrrupted by e.g. ^C
2020-01-18 21:47:44 +01:00
cb6677e2d3 removed comment 2020-01-18 21:45:32 +01:00
bec9ebdda8 only one ip 2020-01-18 21:44:24 +01:00
2563dfb5e5 add set -x 2020-01-18 21:36:19 +01:00
8c24d1a6f2 Complete shortcut checks (Renegotiation and CRIME)
This also makes a short exit when the server side
supports TLS 1.3 only as this protocol doesn't support
TLS renegotiation or compression.

Also it fixes the logic flaw from the previous
commit that "-no_tls1_3" has to be supplied.

Furthermore, it unifies the output presented to the user.
2020-01-18 12:31:38 +01:00
155824214b Merge pull request from drwetter/drwetter-patch-1
add also here -z
2020-01-17 15:26:09 +01:00
adfa411e24 add also here -z 2020-01-17 15:24:36 +01:00
747fb039ed Shortcuts for TLS13 only servers in renegotiation checks
As noted in  a few vulnerability checks don't make sense
or aren't working.  This commit addresses the renegotiation checks.

Also a few redundant quotes in parse_tls_serverhello() and
run_crime() were removed.
2020-01-17 15:16:26 +01:00
71b6305e00 Merge pull request from drwetter/drwetter-patch-2
fix language
2020-01-17 11:59:50 +01:00
ddc7a56ab0 fix language 2020-01-17 11:59:41 +01:00
a094ebc981 Merge pull request from drwetter/drwetter-patch-2
fix missing -z
2020-01-17 11:57:36 +01:00
1fb2db02a7 Update docker-debian10.tls13only.start.sh 2020-01-17 11:57:13 +01:00
03fb04a9f9 Merge pull request from drwetter/drwetter-patch-1
Warning for handshake retrieved by Google apps
2020-01-16 22:48:07 +01:00
ac7a20f018 Update client-simulation.wiresharked.md 2020-01-16 22:46:43 +01:00
86afeabf8f Merge pull request from drwetter/update_clienthandshakes
Update clienthandshakes
2020-01-16 22:26:21 +01:00
c2060c08f3 Merge pull request from dcooper16/basic_auth_polishing
More polishing of http basic auth
2020-01-16 20:24:39 +01:00
4b6bdf8cdf More polishing of http basic auth
* Replace "! -z" with "-n"
* Replace "openssl' with "$OPENSSL"
* Redirect stderr output of $OPENSSL to /dev/null to supress "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" message (see )
* Remove unnecessary spaces from $GET_REQ11 string.
2020-01-16 13:41:27 -05:00
91e14a3840 Merge pull request from drwetter/add_1451
Last fine tuning for http basic auth
2020-01-16 16:34:09 +01:00
0691dc1bf8 Merge pull request from mkauschi/add-cache-control-header-check
Check for the Cache-Control and Pragma header
2020-01-16 16:25:18 +01:00
e498ffbdb2 add Pragma header to other_header_variable 2020-01-16 15:01:48 +01:00
5813e40e6b chore: add cache control header to other_header variable 2020-01-16 14:55:15 +01:00
4603d924be Last fine tuning for http basic auth
* create roff file and HTML
* add hint to $ENV

Avoid 1x subshell

See .
2020-01-16 14:29:53 +01:00
700a727f3f Merge pull request from mkauschi/http-basic-auth-support
Add support for HTTP Basic Auth
2020-01-16 14:13:59 +01:00
ddd29dafdd instantiate BASICAUTH variable 2020-01-16 10:15:07 +01:00
51fb849954 change basicauth_header variable to a local variable 2020-01-16 10:13:16 +01:00
942cf3d374 add description for HTTP basic auth credentials switch in the docs 2020-01-16 10:11:22 +01:00
87b46a54fe add support for http basic auth 2020-01-15 16:46:03 +01:00
787e575085 Merge pull request from drwetter/826days_towarn
Add one second for 825 day validity test
2020-01-15 15:38:26 +01:00
38a00f7170 Add one second for 825 day validity test
The CA browser form agreed on a validity period of 825 days or less
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3-redlined.pdf,
p4).

PR  addressed that. However when an issuer signed/issued a certificate
with exactly 825 days, the check reported incorrectly that the life time
is too long.

This commit addressed that by adding a second to the calulation. Also the
output takes into account that it must be over ('>') 825 days, not '>='.
2020-01-15 15:32:32 +01:00
520a4fbf75 Merge pull request from drwetter/pr_1070
Reimplement mitigation check (renegotiation->node.js)
2020-01-15 13:09:39 +01:00
2ed317441f Reimplement mitigation check (renegotiation->node.js)
See , kudos @poupas.

In addition it checks whether the first result was positive (in
terms of a finding). If so it does 4 rounds and checks the
result. So that other servers won't be penalized with 4 seconds.
2020-01-15 12:11:57 +01:00
2a87f7505d Merge pull request from drwetter/alternative_temppath
Try temp file creation in a different location
2020-01-15 09:59:12 +01:00
50ea6b1891 $PWD check : negate pattern + add $BASH_REMATCH 2020-01-14 22:52:47 +01:00
50c9075ba8 Provide whitelist for $PWD
see 
2020-01-14 20:41:08 +01:00
e75ed94573 Merge pull request from dcooper16/add_missing_declarations
Add missing variable declarations
2020-01-14 20:17:07 +01:00
f0f8f3a318 Remove TEMPPATH, make sure PWD doesn't contain a blank 2020-01-14 20:09:46 +01:00
477b113fe6 Add missing variable declarations
derive-handshake-traffic-keys() uses the variables `derived_secret`, `server_write_key`, and `server_write_iv`, but they are not declared as local variables of the function. This PR fixes that.
2020-01-14 13:53:36 -05:00
8518284795 Try temp file creation in a different location
... if the standard directory /tmp is not allowed to write to.
As noted in  this might be the case for Termux on Android.
2020-01-14 18:55:09 +01:00