Commit Graph

1432 Commits

Author SHA1 Message Date
Weida Hong
566623c4a9 Remove duplicated do_rc4 in debug_globals() 2016-09-24 15:10:10 +08:00
Daniel Reichelt
4f04820c76 Fix handling of empty argument to "-nextprotoneg" parameter
s_client's manpage states for -nextprotoneg:

"Empty list of protocols is treated specially and will cause the client
to advertise support for the TLS extension but disconnect just after
reciving ServerHello with a list of server supported protocols."

Consequently, the previous workaround of just quoting an empty variable
is insufficient and the "-nextprotoneg" parameter has to be removed
entirely from the command-line in case of an empty argument.

In other locations where "-nextprotoneg" is used
- its argument cannot be empty ($NPN_PROTOs is initialized to a non-
  empty value and set read-only) or
- its argument is intended to be empty (line 3724) or
- the command will not be invoked at all (for-loop parameter, line 3725)

This fixes #467 - again.

Additionally this patch prefers usage of -alpn over -nextprotoneg if the
openssl binary used supports it.
2016-09-22 16:53:54 +02:00
David Cooper
b01f9c8132 Merge branch 'master' into remove_sockread 2016-09-21 16:12:39 -04:00
David Cooper
73d535ebb4 Merge branch 'master' into openss2rfc_rfc2openssl
Conflicts:
	testssl.sh
2016-09-21 16:11:55 -04:00
Dirk Wetter
ddbf4caa46 FIX #476 2016-09-21 21:59:50 +02:00
Dirk Wetter
802a6da92c - centralized some HAS_* vars from s_client 2016-09-21 21:42:45 +02:00
Dirk Wetter
9afbba1e04 - 3DES removed from \'MEDIUM\'
- preparation to show cipher string in std_cipherlists
- global var for HTTP_STATUS_CODE, allowing a hint for web application wrt to e.g. cookies
2016-09-21 20:32:04 +02:00
David Cooper
b7fbd13f1a Merge branch 'master' into remove_sockread 2016-09-14 14:37:14 -04:00
David Cooper
63fec45f3f Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-14 14:36:15 -04:00
Dirk Wetter
05fe064763 Merge pull request #472 from knweiss/referenced_but_not_assigned3
run_rp_banner(), run_application_banner(): Three issues
2016-09-14 16:33:47 +02:00
Karsten Weiss
42e9406ee1 run_rp_banner(): Fix indentation. 2016-09-14 12:24:54 +02:00
Karsten Weiss
6a6d4880d6 run_application_banner(): Fix modified in subshell bug.
Refactor the while loop so it doesn't use a subshell anymore. Also use
"read -r" to prevent backslash escaping.

```
In testssl.sh line 1193:
               app_banners="$app_bannersline"
               ^-- SC2030: Modification of app_banners is local (to subshell caused by pipeline).

In testssl.sh line 1195:
          fileout "app_banner" "WARN" "Application Banners found: $app_banners"
                                                                  ^-- SC2031: app_banners was modified in a subshell. That change might be lost.
```

Found by ShellCheck.
2016-09-14 12:24:44 +02:00
Karsten Weiss
beae0ce195 run_{rp,application}_banner(): Fix unassigned variables.
This commit fixes the following two instances of referenced but not assigned
variables:

```
In testssl.sh line 1159:
               rp_banners="$rp_bannersline"
                           ^-- SC2154: rp_bannersline is referenced but not assigned.

In testssl.sh line 1193:
               app_banners="$app_bannersline"
                            ^-- SC2154: app_bannersline is referenced but not assigned.
```

Found by ShellCheck.
2016-09-14 12:24:28 +02:00
Dirk Wetter
10b3e7db55 Merge pull request #471 from nachtgeist/issue-467
quote argument for s_client's -nextprotoneg parameter
2016-09-14 07:24:29 +02:00
Daniel Reichelt
2a926609ca quote argument for s_client's -nextprotoneg parameter
The argument to -nextprotoneg is provided in sometimes empty an unquoted
variables. Because of the missing quotes, the next word on the line "-status"
gets parsed as "-nextprotoneg"'s argument instead of enabling the OCSP status
check.

This fixes #467.
2016-09-13 21:22:35 +02:00
Dirk
cca1b49890 - fixing wrong cipher order for URL=ipaddress 2016-09-12 21:54:51 +02:00
Dirk Wetter
4158372ab7 Merge pull request #468 from knweiss/referenced_but_not_assigned
compare_server_name_to_cert(): Fix unassigned vars.
2016-09-12 16:51:34 +02:00
Dirk Wetter
93c240278a Merge pull request #469 from knweiss/referenced_but_not_assigned2
certificate_info(): Fix unassigned variable.
2016-09-12 16:49:33 +02:00
Karsten Weiss
b9d9a909b1 certificate_info(): Fix unassigned variable.
Fix referenced but not assigned variable 'sign_algo'.

In testssl.sh line 4309:
               fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $sign_algo"
                                                                               ^-- SC2154: sign_algo is referenced but not assigned.

Found by ShellCheck.
2016-09-12 16:20:05 +02:00
Karsten Weiss
7dbbe42ea0 compare_server_name_to_cert(): Fix unassigned vars.
Two instances of referenced but not assigned variables ('req' instead of
'ret').

In testssl.sh line 4130:
     if [[ $req -eq 0 ]]; then
           ^-- SC2154: req is referenced but not assigned.

Found by ShellCheck.
2016-09-12 16:12:18 +02:00
Dirk
f0132dcb7f stringer usabiliy warning for SHA1 + HTTP 2016-09-07 21:34:27 +02:00
David Cooper
7932d34fda Updates to cipher suite table
Changed `Enc=CHACHA20/POLY1305(256)` to `Enc=ChaCha20(256)` and `Enc=GOST-28178-89-CNT(256)` to `Enc=GOST(256)` in order to shorten the names that are printed, so that they fit in the allocated column.

Added the four experimental post-quantum cipher suites mentioned in #462.
2016-09-06 14:47:20 -04:00
David Cooper
3b3d16849d Merge branch 'master' into remove_sockread
Conflicts:
	testssl.sh
2016-09-06 11:38:54 -04:00
David Cooper
950b39122e Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-06 10:34:53 -04:00
Dirk
d1cc7b3755 FIX #426 2016-09-06 08:32:05 +02:00
Dirk
c00c98caa2 warning for SHA1 sig algo and web servers 2016-09-05 10:01:46 +02:00
David Cooper
44c37e3177 Merge branch 'master' into remove_sockread 2016-09-02 10:50:28 -04:00
David Cooper
f17a09e1d9 Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-02 10:47:36 -04:00
Dirk Wetter
228296e175 Merge pull request #290 from andreild/issue-289-domain-resolution-etc-hosts
Fix #289 - the grep that decides whether a domain is a local address …
2016-09-02 15:38:28 +02:00
Dirk Wetter
fdcdad3faa Merge pull request #345 from dcooper16/more_sslv2_sslv3_fixes
More SSLv2 (and SSLv3) related fixes
2016-09-02 09:06:52 +02:00
Dirk Wetter
caec8029f2 Merge pull request #461 from dcooper16/tls_sockets_and_no_SNI
Fix tls_sockets() when SNI empty
2016-09-02 08:50:35 +02:00
David Cooper
a9002ba6e6 Fix tls_sockets() when SNI empty
`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension.

This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello is `$SNI` is not empty.
2016-09-01 13:22:39 -04:00
Dirk
2313aee22d fix for previously borken HPKP_MIN value 2016-09-01 19:09:12 +02:00
Dirk
1c53160348 ups ;-) 2016-09-01 19:04:47 +02:00
David Cooper
305c8c0063 Merge branch 'master' into remove_sockread 2016-09-01 10:57:43 -04:00
David Cooper
59d4acec11 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-09-01 10:56:57 -04:00
David Cooper
e10d256ae6 Merge branch 'master' into openss2rfc_rfc2openssl 2016-09-01 10:55:29 -04:00
Dirk
d665f69c72 fix #436 2016-09-01 12:42:56 +02:00
David Cooper
9ef0d1f4ea 20 lines is 320 bytes, not 160 2016-08-31 17:07:53 -04:00
David Cooper
a2f968d4ad Undo changed behavior for CCS 2016-08-31 17:03:50 -04:00
David Cooper
d9578bb975 Merge branch 'master' into remove_sockread 2016-08-31 17:02:18 -04:00
Dirk Wetter
2613d20375 Merge pull request #460 from dcooper16/certificate_info
Display SNI information in "Server Certificate" line
2016-08-31 18:26:45 +02:00
David Cooper
e79e980336 Display SNI information in "Server Certificate" line
This PR is an attempt to address issue #447. If more than one certificate is being displayed, then a parenthetical saying "(in response to request w/o SNI)" is added for any certificate that was obtained using `$SNI=""`.

In addition, if the certificate was obtained without SNI, then `certificate_info()` doesn't call `$OPENSSL s_client` in order to obtain the non-SNI host certificate and it does not display a separate "Trust (hostname)" finding for the non-SNI certificate.
2016-08-30 15:22:46 -04:00
David Cooper
1b548cee10 Follow https://github.com/Tripwire/OpenSSL-CCS-Inject-Test
Attempt to rewrite `run_ccs_injection()` to follow the logic from https://github.com/Tripwire/OpenSSL-CCS-Inject-Test.
2016-08-30 11:38:43 -04:00
David Cooper
f88ad58e72 Merge branch 'master' into openss2rfc_rfc2openssl 2016-08-29 15:03:35 -04:00
David Cooper
6e6fdf6410 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-08-29 15:02:40 -04:00
David Cooper
9bcf232f0f Check for empty byte6 2016-08-29 14:10:16 -04:00
David Cooper
3dc8754a0e Merge branch 'master' into remove_sockread 2016-08-29 14:07:43 -04:00
Dirk Wetter
ba1ea6dcba Merge pull request #455 from dcooper16/unsupported_purpose
Output correct error for unsupported certificate purpose
2016-08-29 17:39:00 +02:00
David Cooper
957225595f Merge branch 'master' into unsupported_purpose 2016-08-29 10:17:27 -04:00