Commit Graph

1577 Commits

Author SHA1 Message Date
Dirk 83d2a63e0f - Stronger warning if ~/etc is missing, also requires more explicit consent to continue
- fix lfs for -e -E if openssl has not DH/ECDH
- further minor output corrections
2016-12-28 23:47:35 +01:00
David Cooper 88f4c77078 Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-28 11:27:22 -05:00
David Cooper 324a78a47d Merge branch '2.9dev' into run_logjam_sockets 2016-12-28 11:26:20 -05:00
David Cooper 6ed620d740 Merge branch '2.9dev' into run_freak_sockets 2016-12-28 11:25:26 -05:00
David Cooper 322703d39f Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-28 11:24:44 -05:00
David Cooper 44c766b993 Merge branch '2.9dev' into test_just_one_sockets 2016-12-28 11:23:54 -05:00
David Cooper 88658f8b89 Merge branch '2.9dev' into run_beast_sockets 2016-12-28 11:23:05 -05:00
David Cooper 1b70bc5994 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-28 11:22:18 -05:00
David Cooper da217f2136 Merge branch '2.9dev' into run_pfs_sockets 2016-12-28 11:21:30 -05:00
David Cooper ccebf47f56 Merge branch '2.9dev' into cipher_order_sockets 2016-12-28 11:19:32 -05:00
Dirk Wetter 5e43739224 Merge pull request #575 from dcooper16/fix_run_protocols
Minor bug fixes in run_protocols()
2016-12-27 23:08:38 +01:00
David Cooper fd2e52c396 Minor bug fixes in run_protocols()
In a few places `run_protocols()` specifies the wrong TLS version as the "ID" when calling `fileout()`.
2016-12-27 14:14:20 -05:00
David Cooper fddc8a012e Merge branch '2.9dev' into run_std_cipherlists_sockets 2016-12-23 14:32:08 -05:00
David Cooper b88cc4af71 Merge branch '2.9dev' into run_logjam_sockets 2016-12-23 14:31:13 -05:00
David Cooper 2bdc63e47d Merge branch '2.9dev' into run_freak_sockets 2016-12-23 14:28:18 -05:00
David Cooper 6084968b7a Merge branch '2.9dev' into run_ssl_poodle_sockets 2016-12-23 14:27:18 -05:00
David Cooper 3050a4c1fc Merge branch '2.9dev' into test_just_one_sockets 2016-12-23 14:25:23 -05:00
David Cooper ba2f07bc0b Merge branch '2.9dev' into run_beast_sockets 2016-12-23 14:24:14 -05:00
David Cooper 64bd786daf Merge branch '2.9dev' into run_server_preference_sockets 2016-12-23 14:22:47 -05:00
David Cooper 48f33fff5a Merge branch '2.9dev' into run_pfs_sockets 2016-12-23 14:21:23 -05:00
David Cooper fba1793c5a Merge branch '2.9dev' into cipher_order_sockets 2016-12-23 14:20:16 -05:00
Dirk Wetter 725488449c Merge pull request #574 from dcooper16/run_http2_sockets
Use sockets for run_http2()
2016-12-23 18:31:03 +01:00
David Cooper dc98371ed0 Use sockets for run_http2()
This PR changes `run_http2()` so that it uses `tls_sockets()` rather than failing, if `$OPENSSL` does not support the `-alpn` option. If `$OPENSSL` supports the `-alpn` option (or if `$SSL_NATIVE` is true), then this PR has no effect.
2016-12-23 11:02:31 -05:00
David Cooper 90812a2732 Use sockets for run_std_cipherlists()
This PR change `run_std_cipherlists()` to use sockets. As noted in isse #554, I have some questions about the definitions of the cipher lists, but I wrote the code so that the ciphers that are tested when using sockets are the same as those that are tested when using OpenSSL. For a few of the cipherlists, the sockets version tests a few additional ciphers; but these are ciphers that are not supported by OpenSSL, and whose definitions are consistent with the ciphers that OpenSSL includes.

As written, `std_cipherlists` will use sockets for testing by default, except in two cases:
* If the `$SSL_NATIVE` is true, then only OpenSSL is used, and if OpenSSL doesn't support any ciphers in the cipherlist, then the test is skipped.
* If `$FAST` is true (but `$SSL_NATIVE` is false), then OpenSSL is used whenever it supports at least one cipher from the cipherlist, and `tls_sockets()` (or `sslv2_sockets()`) is only used when OpenSSL doesn't support any ciphers from the cipherlist.
2016-12-22 15:46:01 -05:00
David Cooper 0d75bae195 Use sockets for run_logjam()
This PR changes `run_logjam()` to use sockets.
2016-12-21 14:55:01 -05:00
David Cooper 815e21e9b5 Use sockets for run_freak()
This PR changes `run_freak()` to use sockets.

I added two ciphers to `$exportrsa_cipher_list`: EXP1024-RC4-MD5 (0x00,0x60) and EXP1024-RC2-CBC-MD5 (0x00,0x61). So, the list is now as follows:
```
      0x00,0x62 - EXP1024-DES-CBC-SHA            TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA                SSLv3      Kx=RSA(1024)   Au=RSA     Enc=DES(56)                    Mac=SHA1     export    
      0x00,0x61 - EXP1024-RC2-CBC-MD5            TLS_RSA_EXPORT1024_WITH_RC2_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC2(56)                    Mac=MD5      export    
      0x00,0x64 - EXP1024-RC4-SHA                TLS_RSA_EXPORT1024_WITH_RC4_56_SHA                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=SHA1     export    
      0x00,0x60 - EXP1024-RC4-MD5                TLS_RSA_EXPORT1024_WITH_RC4_56_MD5                 SSLv3      Kx=RSA(1024)   Au=RSA     Enc=RC4(56)                    Mac=MD5      export    
      0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA              SSLv3      Kx=DH(512)     Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x08 - EXP-DES-CBC-SHA                TLS_RSA_EXPORT_WITH_DES40_CBC_SHA                  SSLv3      Kx=RSA(512)    Au=RSA     Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x06 - EXP-RC2-CBC-MD5                TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5                 SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
 0x04,0x00,0x80 - EXP-RC2-CBC-MD5                SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5               SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC2(40)                    Mac=MD5      export    
      0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA         TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA               SSLv3      Kx=DH/RSA      Au=DH      Enc=DES(40)                    Mac=SHA1     export    
      0x00,0x03 - EXP-RC4-MD5                    TLS_RSA_EXPORT_WITH_RC4_40_MD5                     SSLv3      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export    
 0x02,0x00,0x80 - EXP-RC4-MD5                    SSL_CK_RC4_128_EXPORT40_WITH_MD5                   SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export
```
2016-12-21 13:16:10 -05:00
David Cooper f450bc66cd Use sockets for run_ssl_poodle()
This PR changes `run_ssl_poodle()` to use sockets. This PR is particularly useful when $OPENSSL is OpenSSL 1.1.0, since OpenSS 1.1.0 does not support SSLv3 by default. But, it is also useful if $OPENSSL supports some, but not all, of the CBC ciphers.

As with `run_beast()`, there is a small change to `$cbc_cipher_list`. The following two ciphers were added:
```
          0x00,0x0B - EXP-DH-DSS-DES-CBC-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(40)   Mac=SHA1 export
          0x00,0x0E - EXP-DH-RSA-DES-CBC-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(40)   Mac=SHA1 export
```
The ciphers that were removed are all SSLv2 ciphers:
```
     0x07,0x00,0xC0 - DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
     0x06,0x00,0x40 - DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
     0x04,0x00,0x80 - EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
     0x05,0x00,0x80 - IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5 
     0x03,0x00,0x80 - RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
```
(EXP-RC2-CBC-MD5 is both an SSLv2 and an SSLv3 cipher. Previously it was listed twice in `$cbc_cipher_list`, now it appears once.)
2016-12-21 10:36:09 -05:00
David Cooper b04bb8d82a Merge branch '2.9dev' into test_just_one_sockets 2016-12-21 09:07:13 -05:00
David Cooper 09aad7489d Merge branch '2.9dev' into run_beast_sockets 2016-12-21 09:06:21 -05:00
David Cooper a387566fb7 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-21 09:05:17 -05:00
David Cooper eaf5671b17 Merge branch '2.9dev' into run_pfs_sockets
Conflicts:
	testssl.sh
2016-12-21 09:04:11 -05:00
David Cooper 9d44bb6abd Merge branch '2.9dev' into cipher_order_sockets 2016-12-21 09:01:47 -05:00
Dirk Wetter 7a4c6294ac Merge pull request #567 from dcooper16/run_rc4_e
Mark export ciphers in run_rc4()
2016-12-21 12:56:26 +01:00
Dirk Wetter 298ed4e67e Merge pull request #569 from dcooper16/fix_hang
testssl.sh hangs on local testing
2016-12-21 12:54:27 +01:00
David Cooper 378f4439a3 testssl.sh hangs on local testing
In a few places testssl.sh tries to determine $OPENSSL s_client's capabilities by calling `$OPENSSL s_client` without specifying a host to which to connect. For example:
```
$OPENSSL s_client -no_ssl2 2>&1
```
This idea is that `$OPENSSL s_client` should reveal something about its capabilities without actually trying to connect to a host.

This works in most cases. However, the manual pages for s_client states:
```
-connect host:port
    This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433.
```
So, the above call is actually trying to connect to the local host on port 4433. If the local host is running `$OPENSSL s_server`, then `$OPENSSL s_server` will by default be listening on port 4433, and the connection attempt will most likely succeed. Since the `OPENSSL s_client` command does not include a `< /dev/null`, the `OPENSSL s_client` will just hang waiting for additional input.

Adding `-connect x` to the `$OPENSSL s_client` prevents $OPENSSL from trying to connect to a host, but seems to still provide the necessary information about OpenSSL's capabilities.
2016-12-20 14:02:29 -05:00
David Cooper 4af01a6c1b test_just_one() sockets
This PR implements `test_just_one()` in a similar manner to `run_allciphers()`
2016-12-20 13:14:40 -05:00
David Cooper 1a7d1f73d2 Mark export ciphers in run_rc4()
This PR adds ",exp" to the bits column when `run_rc4()` is run in the "--wide" mode and the cipher is an export cipher. This makes the wide mode of `run_rc4()` align with other functions, such as `run_allciphers()`.
2016-12-20 13:11:03 -05:00
David Cooper cfaeb51395 Show "exp" bits column for export ciphers 2016-12-20 12:59:26 -05:00
David Cooper 8a26186862 Merge branch '2.9dev' into run_server_preference_sockets 2016-12-20 08:52:10 -05:00
David Cooper 9f8aff5758 Merge branch '2.9dev' into run_pfs_sockets 2016-12-20 08:50:59 -05:00
David Cooper 5b52e81c20 Merge branch '2.9dev' into run_beast_sockets 2016-12-20 08:50:09 -05:00
David Cooper 8c33562ba7 Merge branch '2.9dev' into cipher_order_sockets 2016-12-20 08:49:10 -05:00
Dirk ea7edaf59f - unify timeout msgs on the console 2016-12-20 14:17:14 +01:00
David Cooper dd5487b213 Ensure cipher[i]="" in SSLv3 test 2016-12-19 17:06:45 -05:00
David Cooper 6492954735 Fix alignment 2016-12-19 16:59:27 -05:00
David Cooper b1d231ff85 Use sockets in `run_server_preference()`
This PR adds the use of sockets to `run_server_preference()` to determine the "Negotiated cipher per proto." It only uses sockets in two cases:
* For SSLv2, if $OPENSSL does not support SSLv2.
* For SSLv2, if $OPENSSL does not support SSLv3.

This PR will have no effect if the provided OpenSSL binaries are used.
2016-12-19 16:56:12 -05:00
David Cooper 2db0894ae6 Merge branch '2.9dev' into run_pfs_sockets 2016-12-19 09:09:45 -05:00
David Cooper fbf40474a9 Merge branch '2.9dev' into run_beast_sockets 2016-12-19 09:08:26 -05:00
David Cooper f553e72dd4 Merge branch '2.9dev' into cipher_order_sockets 2016-12-19 09:07:03 -05:00
Dirk Wetter 8e9a8faca4 Merge pull request #541 from dcooper16/run_cipher_per_proto_sockets
run_cipher_per_proto() speedup + sockets
2016-12-17 12:17:45 +01:00