Commit Graph

142 Commits

Author SHA1 Message Date
cf79a19598 Add Android 11+12 2022-05-04 19:12:03 +02:00
28e9ddeebd Teating of FFDHE groups
* readded to the markdown
* readded to the clientsimulations for Java 12
2022-05-04 18:29:29 +02:00
ac6f99fe1c correct FFDHE groups
... so that they a recognized by ~/utils/hexstream2curves.sh
2022-05-04 17:44:33 +02:00
c6491a3834 Correct spell checking error
and hint to missing ALPN
2022-05-04 15:56:25 +02:00
415043865a Add Java 17 LTS
plus

* amend documentation
* remove TLS 1.3 ciphers in ch_ciphers for consistency reasons
2022-05-04 15:46:36 +02:00
52ed4181f9 Add SSLSocketClient in Java
Note this doesn't add alpn (same as openssl). See here https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html
if you want to add that.

This code is NOT GPLv2! It was taken from the Oracle web site which didn't list any license
(https://docs.oracle.com/javase/10/security/sample-code-illustrating-secure-socket-connection-client-and-server.htm).
2022-05-04 15:39:32 +02:00
d84492a75e Update openssl 3.0.3 2022-05-04 14:32:04 +02:00
cc7a88386d Update documention how to add a client simulation 2022-05-04 12:38:12 +02:00
03803cf0c9 Add Safari for macOS 2022-05-03 22:11:31 +02:00
50b09267d0 Try more ciphers
determine_optimal_sockets_params() makes two attempts to send a TLS 1.2 ClientHello, with each attempt trying 127 ciphers. However, this leaves 97 ciphers from etc/cipher-mapping.txt that are not tried, most of which use ARIA or CAMELLIA. This commit adds a third attempt a send a ClientHello that offers these 97 remaining ciphers. This helps to ensure that support for TLS 1.2 is detected and that later calls to tls_sockets() work, even if the server only supports the ARIA/CAMELLIA ciphers that are not included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
2022-04-18 11:53:28 -04:00
905f801309 Remove the expired DST Root CA X3 cert from all trust stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)
Remove changes to Dockerfiles

Update hashes for CA trust stores
2021-10-02 08:05:56 +10:00
2405176a26 Fix #1982: Newer openssl.cnf break openssl detection
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses a
openssl.cnf provided by this project then.
2021-09-15 09:31:03 +02:00
fcb282e3c3 Typos found by codespell
Run codespell in CI
2021-09-14 13:33:39 +02:00
b1f5c6c9af Trim excess whitespace 2021-09-04 13:28:30 +00:00
54dcecd184 Make text file not executable 2021-09-03 22:19:39 +00:00
7029ada0ba fixing typo in md file 2020-11-28 14:06:26 +01:00
57ffe08dd4 Adding a hex2curves util. 2020-11-28 14:04:00 +01:00
ce802634b6 Update remaining: Apple / Java / Microsoft
* also ca_hashes.txt

* Used Java SDK 15 instead of JRE 8
* Used Windows 20H2
* Java Keystore has added 5 certificates (90 --> 95)

Updated Readme and make it more reproducible
2020-11-13 22:01:17 +01:00
33ea2c710c updated Linux.pem + Mozilla.pem 2020-11-11 18:15:56 +01:00
851cd564e6 Check for bad OCSP intermediate certificates
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.

This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
2020-07-15 11:56:20 -04:00
eb7b0c9644 add hash file 2020-07-14 22:26:23 +02:00
82e939f2bd Add wiresharked Android 7.0 (native)
After being bitten by https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
I add a wiresharked Android 7.0 to reflect that bug in Android 7.0.
2020-06-23 15:26:31 +02:00
a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
46c05c6732 Fix client simulation
replace ciphers with ch_ciphers and sni with ch_sni in client simulation data file.
2020-01-31 10:52:50 -05:00
eeb1acd749 Android 9 still has 2 signature hash algos: x0201 + x0203 2020-01-22 11:41:42 +01:00
7c66ed47c0 All self retrieved Android handshakes modified to service ANY 2020-01-22 10:58:00 +01:00
a50a660d6c Add Android 10 client simulation 2020-01-22 10:54:50 +01:00
ddc7a56ab0 fix language 2020-01-17 11:59:41 +01:00
ac7a20f018 Update client-simulation.wiresharked.md 2020-01-16 22:46:43 +01:00
86afeabf8f Merge pull request #1438 from drwetter/update_clienthandshakes
Update clienthandshakes
2020-01-16 22:26:21 +01:00
13aa6aa433 Readd TLS 1.0 and TLS 1.1 to openssl 1.1.1d (Debian)
... see previous commit
2020-01-14 18:17:44 +01:00
09eda2aa97 Update openssl handshakes
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit need to be amended.
2020-01-14 18:02:43 +01:00
56e6fa4bb7 Remove FTP as a "service" from Firefox' client simulation
... as firefox never supported FTP over TLS or SSL, see

https://bugzilla.mozilla.org/show_bug.cgi?id=85464

In general browsers tend to remove noaways cleartext FTP from
browsers.
2020-01-13 23:11:59 +01:00
8cc3a5f514 Add firefox 71
... and
* deprecate openssl 1.0.1
* enable Chrome 74 instead of Chrome 65
2020-01-13 22:57:10 +01:00
420fa73f5a Fix Safari 13.0 Client Simulation
The ciphersuites string for Safari 13.0 ends with a colon (':'). which causes OpenSSL to reject the command line when client simulation testing is performed in --ssl-native mode. This PR fixes the problem by removing the trailing colon.
2020-01-13 10:31:20 -05:00
88ec92d622 Add recent Chrome and Opera handshakes
Chrome 78 and 79, Opera 65 and 66

Remove FTP from Chrome
2020-01-13 16:02:39 +01:00
a714aec912 Clarify / correct a few bits 2020-01-13 16:01:27 +01:00
cf8cb541d5 Update Thunderbird simulation to v68.3 2020-01-13 11:35:58 +01:00
0911d1ae31 For better recognition put readme in a separate file 2020-01-13 11:34:25 +01:00
a244ef7990 Needed update after putting all CA store here 2020-01-11 11:45:27 +01:00
88e670ab1f Update store
According to MS this is the latest which is from July 2019.
This is the biggest CA store (probably a lot of intermediate
certificates in there).

This was pulled from MS as described in the Readme.md . It
is exactly the same whether CertUtil will be run from Windows 7
(almost: RIP) or Windows 10.
2020-01-11 11:42:30 +01:00
40155ed222 Update Java store
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.

The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``

As a consequence this store contains less certificates:

etc/Java.pem:90
etc/Linux.pem:128

and needs some testing whether it really should be still included.
2020-01-10 09:17:57 +01:00
7341cac3c2 -add-ca amended 2020-01-09 10:34:07 +01:00
3ff93b4fa6 Update for 3.0 2020-01-09 10:27:09 +01:00
23b845c11b Update Safari to 13.0 and macOS to 10.14
manually wiresharked, now with TLS1.3 for macOS as well.
2019-10-16 20:36:08 +02:00
80a725541b Allow TLS12_CIPHER to be changed
In some rare cases a server does not support any of the ciphers in $TLS12_CIPHER, but does support at least one cipher in $TLS12_CIPHER_2ND_TRY. In such cases, TLS12_CIPHER should be changed to $TLS12_CIPHER_2ND_TRY so that subsequent tests using $TLS12_CIPHER will succeed.
2019-09-23 15:54:44 -04:00
d5f90218d1 Deprecation of more clients
* Tor 17
* Android 4.2.2
* IE 7 Vista
2019-05-08 23:12:45 +02:00
7238a0167a Change the platform for Java from Ubuntu to OpenJDK 2019-05-07 19:39:20 +02:00
174f4ee527 Merge pull request #1268 from csett86/safari-macos
Add Safari 12.1 on macOS 10.13.6
2019-05-07 19:35:09 +02:00
c41b1f0055 Revert diff noise at end of file 2019-05-06 21:35:58 +02:00