If a user chose a broken umask testssl.sh will start but emits
subsequent errors.
This patch adds two sanity checks whether it is allowed to create
and read files in the temp directory.
Fixes#2449
As suggested in #1844, this commit changes testssl.sh so that the parent process quits immediately if there is an error in the command line for one of the child processes.
Currently, a signal is sent to the parent process to quit if the child process encounters an error and calls help(), but sometimes parse_cmd_line() just prints an error message and calls fatal() rather than help(), in which case the parent process does not stop. This commit addresses the issue by creating a new function, fatal_cmd_line(), which is almost the same as fatal(), but additionally sends a signal to the parent indicating that the parent should stop. This commit also changes calls to fatal() to calls to fatal_cmd_line() if json_header(), csv_header(), html_header(), or prepare_logging() encounter a problem. The same is done if prettyprint_local() with the command-line option provided for it.
There may be other places in which it would be appropriate to call fatal_cmd_line() rather than fatal() (e.g., in parse_hn_port() or check_proxy()), but those changes are not made in this commit.
What was problematic was the error message when the certificate
stores were missing. This fixes it by redirecting the error
message to /dev/null so that if the sub function detects the missing
file it returns with an error by the program and not by executing
"basename"
RFC 8996, Deprecating TLS 1.0 and TLS 1.1, states that TLS clients MUST NOT send a TLS 1.0 or TLS 1.1 ClientHello and MUST respond to a TLS 1.0 or TLS 1.1 ServerHello with a "protocol_version" alert.
At the moment, all versions of OpenSSL support TLS 1.0, TLS 1.1, and TLS 1.2. However, TLS 1.0 and TLS 1.1 are disabled in LibreSSL 3.8.1 and it is possible to compile OpenSSL without support for these protocols (using the configure options no-tls1, no-tls1_1, and no-tls1_2). This commit adds support for versions of $OPENSSL that do not support TLS 1.0 or TLS 1.1.
As suggested in #2381 this parses strictly the value for mag-age
in the HSTS header line. While it is implemented only in run_hsts()
it could be extracted to a separate functioni in the future and used
elsewhere too.
The improvement is more strict and catches e.g. '==' signs and issues
a warning. See https://www.rfc-editor.org/rfc/rfc6797#section-6.1.1 .
Also it is picky regarding quotes now which are only allowed enclosing
the value.
As this option shows inconsistencies / wrong results and a fix would require
too much work at this moment this option is being hidden from the help. It
wasn't in the ~/doc .
See #849 , #2382, #1732 etc.
If we run with supplied binary AND /usr/bin/openssl supports TLS 1.3
we now have a variable OPENSSL2_HAS_TLS_1_3 which is set to true.
It can be used for subsequent changes where we need TLS 1.3 for or
where it would be better to use TLS 1.3.
If downloaded CRL file is already in PEM format, openssl command will fail as it is always trying to convert from a DER-encoded CRL.
This commit is for adding a test of the CRL format prior to running the openssl crl conversion.
Note: as the openssl verify command then assumes that a .pem tmpfile has been generated by the conversion, there would be an issue when the conversion was not needed (i.e. CRL already PEM-encoded) as that .pem would be missing; therefore I also added a copy of the .crl file to a .crl.pem file before the optional conversion.
See #2328, original PR #2295 from @w4ntun .
Formally testssl.sh returned an error when it wasn't not possible to determine IP
addresses through DNS resolution, even if --proxy and --ip=proxy flags are set.
The main function always tried to determine IP addresses via DNS and exits with
a fatal error if it cannot do it. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.
This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.
ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.
In addition:
* help() was amended to add --ip=proxy (was only in the ~i/doc dir before)
* amending ~/doc dir to document it's better to add --nodns=min when there's
no local resolver
