Commit Graph

2421 Commits

Author SHA1 Message Date
Dirk
d1f0380173 add coreutils to provide full date command 2018-02-08 21:50:20 +01:00
Dirk
46fa94fa33 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-02-08 21:15:12 +01:00
Dirk
cbe38cc4bb convert Dockerfile to alpine linux 2018-02-08 21:06:19 +01:00
Dirk Wetter
38f0aa04b3
Merge pull request #984 from dcooper16/fix983
Fix #983
2018-02-08 18:24:41 +01:00
Dirk
8930fe7fb3 add a imssing blank between Access-Control-Allow-Origin Upgrade X-Served-By Referrer-Policy X-UA-Compatible and their value 2018-02-08 18:20:24 +01:00
David Cooper
3084f241af Fix #983
This commit fixes #983 by ensuring that the line printed just before calling "return" prints a newline character. It also fixes the problem that no output is sent to the JSON/CSV file in some cases in which no fallback is possible since the server does not support two different protocols below TLSv1.3.
2018-02-08 12:02:02 -05:00
Dirk
7bf070b016 Changes in NPN+ALPN, internal improvements for all *_done_* calls
In order to be more consistent with the other output functions having
"svrty" in their name, *_done_best and *_done_good were changed to
*_svrty_best and *_svrty_good.

run_spdy/run_http2 were renamed to run_npn and run_alpn as this is
what is actually being tested. Also the terminal and file output
is now reflecting this.

Also #980 was fixed in a sense that (only) for ALPN the protocol
h2 will get a "good". There will be an additional CSV/JSON line
for this.
2018-02-08 14:02:24 +01:00
Dirk Wetter
eb6f9788f6
Merge pull request #982 from dcooper16/fix_981
Fix #981
2018-02-08 11:39:10 +01:00
David Cooper
39990f5ace Fix #981
This commit fixes #981 by using a while loop instead of a for loop to check each DNS name in the SAN extension, copying the syntax used in certificate_info() to display all of the SANs.
2018-02-07 13:18:43 -05:00
Dirk
364011b6ca add missing space for RC4 screen output 2018-02-05 18:56:33 +01:00
Dirk
3cfe3ab87e polish #977 -> re-add commas in screen/html output (not JSON/CSV) 2018-02-05 13:27:25 +01:00
Dirk Wetter
8289e8ba88
Merge pull request #978 from dcooper16/hostcert_txt
Fix HOSTCERT_TXT
2018-02-03 10:22:28 +01:00
David Cooper
8bf21d90e2
Save all server certificates for debugging
This commit adds code to run_server_defaults() so that in debug mode all of the server's certificates are saved in $TMPDIR in both PEM-encoded format and pretty-print text format.
2018-02-02 15:31:49 -05:00
David Cooper
3bee522a4c
Fix HOSTCERT_TXT
testssl.sh was recently changed to store the text printout of the host's certificate in a file, $HOSTCERT_TXT, and then use this file in some places rather than calling "$OPENSSL x509 -in $HOSTCERT -text -noout". There was a problem, however, in cases in which the server had more than one certificate (including cases in which the server returned an unrelated certificate when sent a ClientHello w/o SNI), since the contents of $HOSTCERT_TXT was not always being updated whenever $HOSTCERT changed.

This commit fixes that problem by replacing the previous solution with a less ambitious one. In this version, the global variable is eliminated and instead run_server_defaults() stores a text version of each certificate it finds in an array. This value is then passed to certificate_transparency() and certificate_info() for use. It is also passed from certificate_info() to must_staple().
2018-02-02 10:26:27 -05:00
Dirk Wetter
46539d4adf
Merge pull request #977 from AresS31/2.9dev
Remove CVEs commas for better consistency
2018-02-02 12:54:55 +01:00
Alexandre Teyar
195fcf09ad Remove CVE commas for consistency 2018-02-02 11:50:45 +00:00
Dirk Wetter
e4d3ccc725
Merge pull request #975 from dcooper16/determine_trust_ossl111
Fix determine_trust() for OpenSSL 1.1.1
2018-02-02 12:43:22 +01:00
Alexandre Teyar
530710f65f Add CVE commas for consistency 2018-02-02 02:04:31 +00:00
David Cooper
f839aab044
Fix determine_trust() for OpenSSL 1.1.1
determine_trust() uses the output of "$OPENSSL verify" to determine whether OpenSSL can construct a valid certification path for the server's certificate. If it does not find a string of the form "error [1-9][0-9]? at [0-9]+ depth lookup:" in the output, then it assumes that validation was successful. In current versions of OpenSSL, when this error is created it is printed to stdout, but in OpenSSL 1.1.1 is it printed to stderr. Since testssl.sh only checks the output sent to stdout, it incorrectly treats all certificates as valid if OpenSSL 1.1.1 is used.

This commit fixes the problem by checking the text that is sent to both stdout and stderr.

This commit also fixes a typo in the call to "$OPENSSL verify" which resulted in the environment variables SSL_CERT_DIR and SSL_CERT_FILE not being set to "/dev/null".
2018-02-01 16:51:12 -05:00
Dirk
7585ab60e5 fix Travis CI 2018-01-31 21:44:33 +01:00
Dirk
20d33da11b unifying output for missing must_staple xt and CT 2018-01-31 20:38:40 +01:00
Dirk
d2d62a9c55 jsonID changed (server defaults), host certificate in JSON, HOSTCERT_TXT
In ``must_staple()`` and ``certificate_info()``  were the jsonIDs
changed to OpenSSLi / IETF names so that testssl.sh is more compliant
to the rest of the world. There might be still space for improvements
are far as common naming scheme is concerned.

The host certificate is now being delivered in JSON and CSV. For
further usage " " needs to be converted back to linefeeds.

Certificate Expiration was renamed to Certificate Validity.

The order of outputting the certificate serial and SHA1 fingerprint
has been swapped.

Also ``certificate_info()`` makes more use of HOSTCERT_TXT.
2018-01-31 20:01:12 +01:00
Dirk
656016eae4 Changes to outputs: certificate start+end time, CRL+OCSP
For certificate start+end time it is now displaying the
time on UTC and without mentioning the timezone twice.

Also if neither CRL nor OCSP URI is provided it'll appear
on the screen below those two checks. JSON/CSV has then an
additional finding
2018-01-31 17:23:50 +01:00
Dirk
02b5497864 remove string GMT from certificate start+end time 2018-01-29 23:54:22 +01:00
Dirk
01f7612bd0 add keys to server defaults, cert start/end time in GMT 2018-01-29 23:43:25 +01:00
Dirk
6d0123d33c changes + bug fix for certificate expiration time
This PR fixes one minor bug where the start and end time were
displayed in different time formats.

It now displays both time values in GMT.
2018-01-29 23:12:15 +01:00
Dirk
d7a1236e9b Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-01-29 20:06:31 +01:00
Dirk
88cd5528e7 HOSTCERT_TXT populated, certificate end+startdate in JSON
HOSTCERT_TXT is now generated each time a HOSTCERT is
written. For now it is just being used in ``read_sigalg_from_file()``.
More to come.

Also in JSON output the start date and end date of the certificate
are now in separate objects. (the time format could need some polishing though).
2018-01-29 20:03:00 +01:00
Dirk
659a6176b6 Add TLS 1.3, better explanation for -6 2018-01-28 12:47:05 +01:00
Dirk Wetter
4cb43733d6
Merge pull request #973 from dcooper16/tls13_run_server_defaults
Add TLSv1.3 support for run_server_defaults()
2018-01-27 10:30:44 +01:00
Dirk Wetter
52feb4f578
Merge pull request #972 from dcooper16/fix_HRR
Fix HelloRetryRequest
2018-01-27 10:18:40 +01:00
Dirk Wetter
018af9972f
Merge pull request #974 from dcooper16/relabel_ec_bits
Label elliptic curve public keys as "EC"
2018-01-27 10:16:58 +01:00
David Cooper
ee0b12bfca
Label elliptic curve public keys as "EC"
In the output created by certificate_info(), the "Server key size" line labels an elliptic curve key as "ECDSA." This commit changes the label to "EC." I believe this a more correct label since ECDSA is a signature algorithm, not a key type. Also, while unlikely, an elliptic curve key in a certificate may be used for ECDH (e.g, in TLS_ECDH_RSA_WITH_AES_128_CBC_SHA) rather than ECDSA.

Note that this does not impact the JSON or CSV output, since the corresponding fileout command already uses "$cert_keysize EC bits"
2018-01-26 17:27:10 -05:00
David Cooper
fa87f8ffd5
Add TLSv1.3 support for run_server_defaults()
This commit adds TLSv1.3 support for run_server_defaults(). It uses get_server_certificate() to run separate checks for RSA and ECDSA certificates by sending TLSv1.3 ClientHello messages with different signature_algorithms values. A similar change is made to certificate_transparency() in order to check for certificate transparency support for certificates returned over TLSv1.3. It also modifies the check for certificates offered without SNI by including an option to use tls_sockets() with servers that support TLSv1.3 if OpenSSL does not support TLSv1.3.
2018-01-26 16:56:31 -05:00
David Cooper
f8df2432ef
Fix HelloRetryRequest
In TLSv1.3, if a HelloRetryRequest needs to be sent and the call to tls_sockets() includes additional request extensions (other than key_share or cookie), then resend_if_hello_retry_request() adds an extra comma between extensions in the value sent to socksend_tls_clienthello(), which creates errors. This commit fixes the problem by removing the extra comma.
2018-01-26 16:49:08 -05:00
Dirk
c1d75f65ce polish screen output for (extended) keyusage 2018-01-26 17:02:00 +01:00
Dirk
61764f332c Fix error where cipherlist checks run always 2018-01-26 15:57:42 +01:00
Dirk
efbc1a4e92 Minor changes on id and findings
``run_tls_fallback_scsv()`` was upgraded to the new scheme.

It also changes a couple of more functions using a variable ``$jsonID`` instead
of a repeating fixed value for `fileout()`.

Also some it adds some ``fileout`` calls which were missing.
2018-01-25 17:35:47 +01:00
Dirk Wetter
ae94b392e1
Merge pull request #951 from dcooper16/extract_certificates_function
Define extract_certificates() function
2018-01-25 16:55:00 +01:00
Dirk Wetter
c8178b03d9
Merge branch '2.9dev' into extract_certificates_function 2018-01-25 16:39:30 +01:00
Dirk Wetter
e446c80851
Merge pull request #971 from drwetter/new_json_for_serverdefaults
New JSON id and findings (breaks things!)
2018-01-25 16:11:24 +01:00
Dirk Wetter
513d21244f
Merge branch '2.9dev' into new_json_for_serverdefaults 2018-01-25 15:49:44 +01:00
Dirk
ed4262f74f Further changes to JSON ID + finding for JSON, std cipherlists
In the sense of the previous commits this one adds
further changes to the JSON output parameters ID and findings.
Findings in JSON are now more crunchy and don't repeat parts
of ID. Also ID changed so that it is more reflecting what
has been tested.

As the cipherlist checks in the beginning have been less
and less to do with the OPsnSSL standard lists
a change to remove the word "standard" was long overdue.
That has been addressed now alos in the code and in the
JSON/CSV output.

$HOSTCERT has now an .pem file extension. $HOSTCERT_TXT
will contain the text putput of the x509 openssl operation
on the certificate which enables testssl.sh to remove
some of the redundant "openssl x509 -in $HOSTCERT -text"
calls.

fileout <somestrings> has not been consistently replaced
by fileout $jsonID yet.
2018-01-25 15:05:57 +01:00
David Cooper
288175a61f Define extract_certificates() function
This PR defines an extract_certificates() function in order to remove some redundant code from get_server_certificate(). Currently, nearly identical code appears in two places in get_server_certificate() to extract certificates from the output of `$OPENSSL sclient`, in one place for SSLv2 responses and in another for SSLv3 through TLSv1.2. The code to get the certificates used with TLSv1.3 (see https://github.com/dcooper16/testssl.sh/tree/extended_tls_sockets) would have added a third place where this same code would be needed. This PR allows the code to be written once and used in all three places.
2018-01-23 10:16:43 -05:00
Dirk
1cec0181af More changes ID + Finding for JSON outside server defaults
This commit just adds more changes to those two parameters.
It is not completely done yet (see downgrade protection via SCSV).

Also json_prefix was changed to jsonID. The complete change of the fist
fileout field is pending.
2018-01-23 15:16:05 +01:00
Dirk Wetter
cd45a2ec19
Merge pull request #969 from drwetter/keyUsage
Key usage
2018-01-23 12:10:07 +01:00
Dirk
c4e4720133 slight contextual rearrangements for help() 2018-01-23 11:49:53 +01:00
Dirk
8327171935 simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00
Dirk Wetter
2e54b9a439
Merge pull request #968 from jpstevens/patch-1
Fix typos in HSTS tests: days -> seconds
2018-01-23 09:50:09 +01:00
Dirk
0ec5586dfb Changing JSON objects in server defaults ATTENTION: breaking change!!
The server default run had several JSON objects which weren't, looking at just
    the ID, either clear or contained a redundant explanation in "finding". Purely
    certificate related JSON objects are now having the id "cert_<object>" like
    cert_CN or cert_SAN.

    This commit changes all this, also it avoids another colon in finding (see #830).

    Also the implicit strategy "output for the screen s followed by only one output with
    fileout" has been relaxed -- which results on more, better parsable JSON objects.

    Some example of the changes:

    Old:
    ----
    {
        "id"           : "Server Certificate #1 fingerprint",
        "severity"     : "INFO",
        "finding"      : "Fingerprints / Serial: SHA1 2940BC13ECF7DAF30B9084CC734C3B971D73B3BB / 01BFD1DC15006E0ABBA7C670FF5E1101, SHA256 30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6
    EFA9919C7F49CCF"
    }
    [..]
    {
        "id"           : "Server Certificate #2 ocsp_stapling",
        "severity"     : "OK",
        "finding"      : "OCSP stapling : offered"
    }

    New:
    ----
    {
        "id"           : "cert_key_size <cert#1>",
        "severity"     : "INFO",
        "finding"      : "Server keys 2048 bits"
    },{
        "id"           : "cert_fingerprint_SHA1 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "2940BC13ECF7DAF30B9084CC734C3B971D73B3BB"
    },{
        "id"           : "cert_fingerprint_SHA256 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6EFA9919C7F49CCF"
    },{
        "id"           : "cert_serial <cert#1>",
        "severity"     : "INFO",
        "finding"      : "01BFD1DC15006E0ABBA7C670FF5E1101"
    }
    [..]
    {
            "id"           : "OCSP_stapling <cert#2>",
            "severity"     : "OK",
            "finding"      : "offered"
    }

    This PR also fixes the JSON output where for "OCSP must staple" the id was just
    'id"           : "OCSP must staple: ocsp_must_staple",' for multiple server
    certificates without the certificate number.

    As far as the code is concerned: $json_prefix should be a variable which is
    used for the id object.  If there was more then one certificates for a single
    host  detected, $json_postfix carries the certificate number.

    Unit tests need to be fixed -- if possible.
2018-01-22 23:56:03 +01:00