* keys now always with v, like supportedciphers_TLSv1_2 and also
ciphers (e.g. TLSv1.2 x35 AES256-SHA)
* add word "server" to file output so that it reads "NOT a server cipher order configured"
Fixes#2884
This commit fixes#2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
As suggested in https://github.com/testssl/testssl.sh/pull/2885 parsing
of the server determined HTTP age var wasn't strict enough.
https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the
variable to be a non-negative integer but testssl.sh assumed it was
like that but did't check whether that really was the case. This was
labled as a (potential) security problem. Potential as it didn't
look exploitable after review -- the header as a whole was already
sanitized.
This PR fixes the typs confusion and the garbled screen by checking
the variable early in run_http_header() and reset it to NaN. That
will be used later in run_http_date() to raise a low severity finding.
Kudos to @Tristanhx for catching this and for the suggested PR.
Also, only when running in debug mode, this PR fixes that during
service_detection() parts of the not-yet-sanitized header ended
up on the screen. The fix just calls sanitze_http_header() for the
temporary variable $TMPFILE.
... which leads to a performance gain., most noteably on Macs.
All times when calling were re-adjusted.
Also:
* PROXY_WAIT was decrease to 10 seconds. 20 seemed just too much
* passed var to `starttls_just_read()` was simplyfied
The site from that billioniare who made nazi gestures delivers a UDP
response without proper TLS handshake. This led to a false positive
as if the site supports QUIC via h3.
This PR makes the detection of QUIC more robust by adding a certificate check
and also take better the return values from `wait_kill()` into account.
It also introduces a function to remove any non printable chars (depending
on the LC_ALL var): `filter_printable()`
Also `sanitze_http_header()` doesn't operate anymore on a global variable
which is kind of not best practise as it is easily to avoid here.
... for t/32_isHTML_valid.t .
Github.com seems to be most reliable from the ones tested so far.
bahn.de has one IP to the outside however Session resumption seems
to come from different hosts behind that IP. Bad choice for this
test.
Seems the patch in #2856 wasn't complete. So that it was forgotten to add also manually specified IPv6 addresses to the IP addresses to show and to scan.
This makes sure it does, so this fixes#2854 finally.
Also statements were added to reset do_ipv4_only and do_ipv6_only correctly so that later the output "Testing all IP** addresses" is correct.
