This PR implements a check for TLS early data. It needs a compatible OpenSSL or
LibreSSL version. For modern OS versions it should automagically pick the right,
modern binary for the check.
Mitigations like Defer processing or HTTP 425 are not yet tested.
To clarify:
* whether to penalize SSLlabs rating (@magnuslarsen). testssl.net has it
enabled but the Web UI claims it's not a/v, see
https://www.ssllabs.com/ssltest/analyze.html?d=testssl.net&s=172.67.205.231&hideResults=on&latest
* Man pages
To be in line with other HAS2_* global vars (HAS2_QUIC, HAS2_UDS), the following
vars were renamed from their OPENSSL2_HAS_* counterparts:
- HAS2_TLS13
- HAS2_CHACHA20=false
- HAS2_AES128_GCM=false
- HAS2_AES256_GCM=false
It seems needed to introduce two variables for upcoming early data tests,
see #1186. This is not needed for OpenSSL as it introduced that
together with TLS 1.3. For LibreSSL it is though.
* keys now always with v, like supportedciphers_TLSv1_2 and also
ciphers (e.g. TLSv1.2 x35 AES256-SHA)
* add word "server" to file output so that it reads "NOT a server cipher order configured"
Fixes #2884
This commit fixes #2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
As suggested in https://github.com/testssl/testssl.sh/pull/2885 parsing
of the server-determined HTTP age var wasn't strict enough.
https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the
variable to be a non-negative integer but testssl.sh assumed it was
like that but didn't check whether that really was the case. This was
labeled as a (potential) security problem. Potential as it didn't
look exploitable after review -- the header as a whole was already
sanitized.
This PR fixes the type confusion and the garbled screen by checking
the variable early in run_http_header() and resetting it to NaN. That
will be used later in run_http_date() to raise a low severity finding.
Kudos to @Tristanhx for catching this and for the suggested PR.
Also, only when running in debug mode, this PR fixes that during
service_detection() parts of the not-yet-sanitized header ended
up on the screen. The fix just calls sanitze_http_header() for the
temporary variable $TMPFILE.
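The strict check the commit above describes, as an added illustration that is not testssl.sh's own code: a header value is only accepted as an Age if it is a string of decimal digits (RFC 7234's delta-seconds), and anything else, including an absent header, is mapped to the sentinel NaN so later code can raise a finding instead of choking on it. The function names `parse_age_value` and `age_from_headers` and the sample headers are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of testssl.sh. Strict validation of an HTTP Age
# header: RFC 7234 section 1.2.1 defines delta-seconds as 1*DIGIT, so any
# other content (sign, letters, shell metacharacters, empty value) is
# treated as invalid and replaced by the sentinel "NaN".

# parse_age_value VALUE
#   Prints VALUE (surrounding whitespace removed) if it is a non-negative
#   decimal integer, otherwise prints "NaN".
parse_age_value() {
    value=$(printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$value" in
        ''|*[!0-9]*) printf 'NaN\n' ;;     # empty, or contains a non-digit
        *)           printf '%s\n' "$value" ;;
    esac
}

# age_from_headers HEADERS
#   Picks the first Age header (case-insensitive) out of a block of response
#   headers and validates it. Prints "NaN" when the header is absent.
age_from_headers() {
    # tr strips CRLF line endings; head ensures a zero exit status even
    # when grep finds nothing, so the caller can run under "set -e".
    line=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^age:' | head -n 1)
    if [ -z "$line" ]; then
        printf 'NaN\n'
    else
        parse_age_value "${line#*:}"
    fi
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nAge: 3600\r\nContent-Type: text/html\r\n')
BAD_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nAge: 12abc\r\nContent-Type: text/html\r\n')
NO_AGE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

# Demonstration: valid value passes through, malformed and missing ones
# become NaN.
printf 'good:    %s\n' "$(age_from_headers "$GOOD_HEADERS")"
printf 'bad:     %s\n' "$(age_from_headers "$BAD_HEADERS")"
printf 'missing: %s\n' "$(age_from_headers "$NO_AGE_HEADERS")"
```

The `case` pattern `*[!0-9]*` is the whole check: it rejects a leading sign, decimals, exponents and any injected characters in one place, which is easier to audit than a chain of regular expressions.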
... which leads to a performance gain, most notably on Macs.
All times when calling were re-adjusted.
Also:
* PROXY_WAIT was decreased to 10 seconds. 20 seemed just too much
* passed var to `starttls_just_read()` was simplified