For some reason CVE-2009-3555 ended up in Secure Renegotiation,
whereas CVE-2009-3555 is in fact the Insecure Client-Side Renegotiation
vulnerability with the MiTM problem <= OpenSSl 0.9.8k.
This fixes that (see also #1086 and #933, #907) by removing the CVE #
from the output. Also tyhe output was changed for Secure Renegotiation
into supported/not vulnerable vs. Not supported / VULNERABLE
Some comments were added.
As noted in #1249 STARTTLS with sockets doesn't
work.
This commit fixes that by correcting the STARTTLS
handshake for postgresql. It has to be send via
sockets instead of echo. The server side then will
respond with "S" when STARTTLS is supported. For this
starttls_io() was slightly modified so that also
an input (from the server perspective) is not necessary.
It's fast too
As noted in #1288 with some terminal settings under Linux there
appeared some ~garbage on the screen.
This fixes that by partly reverting 695d02157a .
At least now and under an older OpenBSD like 6.2 this doesn't seem
to be necessary.
CERT_COMPRESSION was declared always with fast in ... so that the variable
was always false. This PR fixes that. In addition a informational line
that the new TLS extension has been added (if $DEBUG >3).
Also determine_optimal_proto() is not being run if devel mode
($do_tls_sockets) is enabled.
Furthermore as David added HAS_ZLIB as a global run_crime() now makes
use of it too.
This PR addresses #316 and #1280: it implements server name indication
also for STARTTLS which has been supported by a number of server
implemantations, in the meantime.
Also it does a final polish to David's pwnedkeys PR #1274 a while back:
UI improvement and detection of network problems.
In addition to PR #1279 it introduces a env variable to devel
mode so that "CERT_COMPRESSION=true ./testssl.sh --devel <params> <target>"
can be used to explore certificate compression on a host.
draft-ietf-tls-certificate-compression specifies a new TLS extension that allows a client to indicate support for receiving the server's certificates in compressed form. This PR adds initial support for that extension to testssl.sh. It was developed based on an announcement that facebook.com has implemented support for the extension.
This PR does not add a test for a server's support for the new extension, it just adds code to parse_tls_serverhello() that will parse a compressed certificate message if one is present in the server's response. So, in practice, the code in this PR will not actually be used until additional code has been added that sends a ClientHello with the compress_certificate extension.
The code in this PR can be tested by using the --devel option and by changing line 19347 from
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "ephemeralkey"
to
tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER" "all+" "00,1b, 00,03, 02, 00,01"
testssl.sh can then be called using
testssl.sh --debug 3 --devel 04 "13,01" facebook.com
Note that this PR adds a test for zlib support to find_openssl_binary(). The test uses $OPENSSL zlib in the same way it is used in parse_tls_serverhello(). The test asks $OPENSSL zlib to uncompress the compressed version of the string "zlib" and the checks to see whether the decompression was performed correctly. There is already a test for zlib support in run_crime(), but I did not check to see whether the check in run_crime() could be replaced with a check of the new $HAS_ZLIB variable.
A couple of checks required sockets but e.g. LDAP via STARTTLS
throwed an error (FIXME: LDAP+STARTTLS over sockets not supported yet)
in fd_sockets().
This adds a temporary workaround so that those functions are bypassed
and LDAP via STARTTLS can be used again.
See also #1258
... which led to a false output in OpenSSL based handshake simulations.
secp256r1 is prime256v1
secp192r1 is prime192v1
Also a few varaiables were added in debug output (environment.txt)
This PR changes run_protocols() so that, when using tls_sockets(), support for TLSv1.3 is only marked as pr_svrty_best() if the final (RFC 8446) version is supported. It also changed run_protocols() so that support for TLSv1.3 is marked as pr_svrty_best() if OpenSSL is used (i.e., if the --ssl-native option is specified).
One potential issue is that the --ssl-native version assumes that if OpenSSL supports TLSv1.3 it supports the final (RFC 8446) version of the protocol. If the tester is using a development version of OpenSSL 1.1.1 rather than the final version, then the protocol test will actually be indicating whether the server supports the same draft version of OpenSSL as the $OPENSSL being used to perform the tests.
Currently the -outfile, -oa, -outFile, and -oA assume that <fname> being provided is to be used as a filename, unless it is "auto." However, all of the individual options (e.g., --logfile) allow for a directory name to be provided instead of a file name.
This PR changes the handling of the -outfile, -oa, -outFile, and -oA options so that if a directory name is provided, the files are created in that directory.
This PR fixes#1243 by modifying create_mass_testing_cmdline() to handle the --outfile, -oa, --outFile, and -oA options in the case that the filename provided is not "auto." It also modifies create_mass_testing_cmdline() so that in the case of serial testing -oj and -oJ are treated the same as --jsonfile and --jsonfile-pretty, respectively.
As a result of #1225 every Linux binary needed was not allowed
to come from busybox. Which caused the Dockerfile in this repo
and the image @ dockerhub to fail.
This PR relaxes that so that busybox binaries which proved to
work can be used. A whitelist was defined.
This PR addresses the following issues raised by shellcheck:
In ../github/testssl_2.9dev_20190409b.sh line 1133:
if [[ "$BASH_VERSINFO" == 3 ]]; then
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 4301:
tmpfile_handle $FUNCNAME.dd
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 4388:
tmpfile_handle $FUNCNAME.dd
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 4657:
tmpfile_handle $FUNCNAME$1.txt
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 5327:
tmpfile_handle $FUNCNAME.${debugname}.txt
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 5943:
tmpfile_handle $FUNCNAME.byID.log $tmpfile || \
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 5944:
tmpfile_handle $FUNCNAME.byticket.log $tmpfile
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 12410:
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 13164:
tmpfile_handle $FUNCNAME.dd
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 13284:
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
^-- SC2128: Expanding an array without an index only gives the first element.
In ../github/testssl_2.9dev_20190409b.sh line 13388:
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
^-- SC2128: Expanding an array without an index only gives the first element.
--
In ../github/testssl_2.9dev_20190409b.sh line 13801:
[[ "$DEBUG" -ge 1 ]] && echo $tls_hello_ascii >$TEMPDIR/$FUNCNAME.tls_hello_ascii${i}.txt
^-- SC2128: Expanding an array without an index only gives the first element.
When users try to reinvent the wheel and write an own dockerfile
this PR checks when binaries come from busybox -- as it is the
case with Alpine Linux.
This PR fixes#803 and emit an extra warning if the certificate
has a lifetime longer or equal of five years which happens often
on appliances with self signed certificates. (CAs do not offer
such a long certificate lifetime.) This was tested under Linux,
FreeBSD and OpenBSD. On the latter however we only check the
years as opposed to other OS where we have a finer granularity
(seconds).
On the screen there's only an output if the lifetime is too long,
using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod).
Also this PR changes the ID cert_expiration_status to cert_expirationStatus.
Older FreeBSD and OpenBSD can't deal with italics characters but it output
the escape codes which could result in a different markup. This PR detects
such OS and just doesn't dsiplay the escape sequence.
Also the manpage is reflecting the change and has updates in the server
defaults and standard cipher checks section.
This PR fixes#1223 by checking whether the stapled OCSP response from the server is an error message.
Another way to fix#1223 would be to just change line 8510 to:
```
if grep -a "OCSP Response Status" <<< "$ocsp_response_status" | grep -q successful || \
[[ "$ocsp_response" =~ Responder\ Error: ]]; then
```
However, I believe this alternative would lead to confusing results, testssl.sh would print
offered, error querying OCSP responder (tryLater)
I'm not sure whether it makes sense to say "offered" when the stapled response that is provided is just an error message, but I think it is important to make clear that the error response was received from the TLS server, and that it wasn't testssl.sh that tried querying the OCSP responder.
A private ~/.digrc overrides the commandline options from dig. So
we need to make sure that the output is still what is expected.
This commit addresses it by adding additional parameters, mostly
to existing awk commands so that only the fields we want are returned.
see #1220
- write to log file if there's a SERVER_SIZE_LIMIT_BUG
- write to screen if $DEBUG > 1
It's 128 + 00ff when the CISCO ACE hiccups (#1204)
Some minor improvements like removing redundant double quotes
As in #1219 reported it was possible to specify e.g.
--csv and --csvfile which was not intended.
This PR detects those conflicting options and
exists.
Also it removes 637812a022
"&& JSONHEADER=false" as it seems errorneous.
This commit fixes a the regression "Session Ticket RFC 5077 hint missing/incomplete" #1218.
Reason was that in some case where the ticket lifetime hint was not restrieved before, later
$OPENSSL s_client -connect with -cipher ALL:COMPLEMENTOFALL didn't get the ticket either.
Just using "$OPTIMAL_PROTO" instead of -cipher ALL:COMPLEMENTOFALL fixed it in the cases
tested so far.
Then a global variable is instroduced -- TLS_TICKETS. Which keeps in any case the
state whether session tickets are supported. This is being used to fix#1089. It
remains a bit unclear what is meant in https://tools.ietf.org/html/rfc5077#section-5.6
by "TLS clients MAY be given a hint of the lifetime of the ticket". We use this information
to chck for resumption by ticket which seems realistically the best solution.
Sessin resumption was also made a bit more reliably: The ServerHello is now
being tested for "New" also. If this and "Reused" wasn't detected, an error
is raised.
In general we could do better in keeping and reusing information of a ServerHello
in TMPDIR.
There is currently a bug in determine_optimal_proto_sockets_helper(). In two places there is code of the form:
tls_sockets ...
if [[ $? -eq 0 ]]; then
...
elif [[ $? -eq 2 ]]; then
...
fi
This code does not work as intended since the second check ("elif [[ $? -eq 2 ]]") is actually comparing the results of the first check to 2 rather than the results of the call to tls_sockets().
This PR fixes that problem and also speeds up the code. Since tls_sockets() sets $DETECTED_TLS_VERSION to the protocol version that was negotiated, there is no need to scan $TEMPDIR/$NODEIP.parse_tls_serverhello.txt for this information.
* changed = to ==
* fixed emphasize errors in emphasize_stuff_in_headers()
* add new debian version
* prospectively add Alt-Svc header, see #1209 (won't show up in output yet)
In order to handle better Cisco ACE loadbalancers (almost extinct species) which
have a problem with ClientHellos >127 ciphers we have had introduced a variable which
needs to be filled better with some sense.
This commit does that by introducing the function determine_sizelimitbug() which
is called in lets_roll().
It also removes then redundant code in cipher_pref_check().
Open:
* handle run_grease()
* do we want this information at least in a logfile
* or maybe eben on screen?
See also #1202 .
For non-EC public key algorithm of the server certificate
the terminal output contained the algorithm but not the
file out put. This PR fixes that, see also #1187 and puts
the public key algorithm first in the cert_keySize -- also
for EC cerificates.
In addition it fixes the recognition of ECDSA certificates
which were detected as DSA certificates (order in case
statement).
Also there were in a few double sqaure brackets an assignment operator
'=' instead of a test operator '=='
There were a few, mostly less common ciphers in this check missing.
This commit adds them and fixes#208.
It also removes redundant quotes in double square brackets and
updates documentation for determine_optimal_proto().
This is the last fix for #1087.
It determines STARTTLS_OPTIMAL_PROTO (unless --ssl-native is being used) with
sockets per default which removes cases where an openssl s_client
connect using STARTTLS failed with the initial message 'doesn't seem to be a TLS/SSL
enabled server' and prompt 'Really proceed ? ("yes" to continue)' now shouldn't
happen in those cases anymore.
To not have redundant code determine_optimal_proto_sockets_helper() is being
used for not STARTTLS and plain TLS/SSL.
In addition it looked like this determine_optimal_proto() was not always called in
the beginning when a STARTTLS scan was requested. Instead determine_service()
contained an openssl s_client connect called which was the wrong place and thus
removed. Also now determine_optimal_proto() also for STARTTLS will always being called.
