Commit Graph

3992 Commits

Author SHA1 Message Date
da3520f8b2 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-01-31 11:05:52 +01:00
4639e996db Remove ldap protocol early returns
Partly revert bb5450e3f5
2022-01-31 10:36:51 +01:00
9447c8c866 Amends LDAP + STARTTLS / rename sockread_serverhello()
This commit adds parsing the success value of the STARTTLS upgrade
in LDAP. Only possible values whould be 0 or one according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
2022-01-27 18:35:40 +01:00
601ff16a0a Add prototype for STARTTLS+ LDAP via sockets
See #1258

To do:
* more robustness. At least the success value from the response need to be retrieved and checked via starttls_io().
* double check the pre-handshake before the OID whether it's correct for every case
* documentation
* inline help

It seems to work though against db.debian.org
2022-01-24 16:49:03 +01:00
06890d4506 Merge pull request #1990 from dcooper16/improve_client_auth
Improve check for client authentication
2022-01-10 11:19:10 +01:00
680dc9ee01 Fix potential stallling in HTTP query
In run_http_header() the GET command is first sent over TLS using a background process, and then if that does not hang, it is sent again in the foreground. Similarly, service_detection() runs the command in the background.

This commit changes determine_optimal_proto() to follow the example of run_http_header() as protection against the possibility of the HTTP query stalling.
2022-01-06 15:33:37 -05:00
50fe6ca96b Report if couldn't test for client authentication
This commit fixes determine_optimal_proto() and run_server_defaults() so that a "Local problem" is reported if a $URL_PATH is specified, the server is TLS 1.3-only, and $OPENSSL does not support -enable_pha (and the server does not offer client authentication as part of the initial TLS handshake).
2022-01-06 15:33:36 -05:00
48819c56e9 Improve check for client authentication with LibreSSL
Checking for client authentication with TLS 1.3 requires post-handshake authentication, which does not appear to be supported by LibreSSL. This commit improves the check for client authentication when testing a TLS 1.3 server using LibreSSL by having determine_optimal_proto() first test for connectivity with TLS 1.3 without checking for client authentication and then performing a separate check for client authentication using a non-TLS 1.3 protocol.

This commit only affects the flow of the program if a $URL_PATH is specified, the server supports TLS 1.3, and $OPENSSL supports TLS 1.3 but not -enable_pha.

testss.sh may still provide incorrect information about client authentication if a $URL_PATH is provided, the server is TLS 1.3-only, and LibreSSL is used.
2022-01-06 15:33:36 -05:00
7fb688a9d6 Improve check for client authentication
Based on initial testing, this commit improves the check for client authentication in the case that the server only requests client authentication for specific URLs. However, it does not work correctly if the server supports TLS 1.3 and $OPENSSL is a version of LibreSSL that supports TLS 1.3 in s_client. The problem is that LibreSSL does not support post-handshake authentication with TLS 1.3
2022-01-06 15:33:36 -05:00
e41a4c361a WIP: Improve check for client authentication
As noted in #1709, some servers will only request client authentication if a specific URL is requested. This commit modifies the check for client authentication, in the case that a $URL_PATH is provided, by having testssl.sh perform a GET request on the URL provided on the command line.
2022-01-06 15:33:36 -05:00
4a358e0489 Merge pull request #2081 from dcooper16/sclient_dev_null
Send /dev/null to s_client
2022-01-06 21:17:40 +01:00
9dac4592b7 Send /dev/null to s_client
As discussed in #2079, this commit adds "</dev/null" to calls "$OPENSSL s_client" that are intended to test whether a certain option is supported. This is done to prevent hanging in the case that the option is supported, a TLS server happens to be listening on the port to which s_client tries to connect, and the connection is successful.

This PR also adds a new helper function, sclient_supported(), which is called from locally_supported() and run_prototest_openssl(). The helper function makes use of the already defined variables $HAS_SSL2, $HAS_SSL3, and $HAS_TLS13 in order to avoid calling "$OPENSSL s_client" when it has already been determined whether $OPENSSL supports the specified protocol.
2022-01-05 16:26:22 -05:00
e35f0e8ed7 Merge pull request #2078 from drwetter/feature_dig_2077
Add +search to dig
2022-01-03 17:50:21 +01:00
c573984340 Add +search to dig
... for all forward + non-mdns lookups.

This might help to avoid supplying domain names to local hosts (they would need
to have a valid certificate for the short DNS name then).

Fixes #2077
2022-01-03 16:44:09 +01:00
3827521698 Merge pull request #2075 from drwetter/drwetter-patch-1
again wide screen mode for HTML
2021-12-27 17:11:36 +01:00
1012a28958 again wide screen mode for HTML
see discussion on #2072
2021-12-27 17:09:59 +01:00
9d37365a0d Merge pull request #2072 from k0lter/3.1dev
Add sieve protocol support when using STARTTLS
2021-12-27 17:07:10 +01:00
35ddd91813 Merge pull request #2073 from drwetter/dependabot/github_actions/docker/login-action-1.12.0
Bump docker/login-action from 1.10.0 to 1.12.0
2021-12-21 10:54:58 +01:00
c041e27ecf Bump docker/login-action from 1.10.0 to 1.12.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.10.0 to 1.12.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.10.0...v1.12.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-21 00:24:46 +00:00
6e050a780d Update doc for (manage)sieve protocol when used with STARTTLS 2021-12-20 17:20:01 +01:00
4c2a1296a7 Add unit testing (manage)sieve protocol while using STARTTLS 2021-12-20 17:18:07 +01:00
bddf3a8189 Fix ports2starttls() to support (manage)sieve protocol while using STARTTLS 2021-12-20 17:16:16 +01:00
155b380509 Add (manage)sieve protocol support when using STARTTLS 2021-12-17 12:44:39 +01:00
2201a28070 Merge pull request #2069 from h3xx/refactor-strip_quote
Refactor strip_quote to use bash replacements instead of sed
2021-12-13 18:24:34 +01:00
c1e5ad82c1 Merge pull request #2070 from drwetter/gha_actions_improve
Also run GHA for PRs
2021-12-13 18:19:49 +01:00
1944eb8787 Refactor strip_quote to use bash replacements instead of sed 2021-12-11 12:43:46 -06:00
fbe04164d3 Also run GHA for PRs
(don't know whether this works.)
2021-12-11 19:40:29 +01:00
6da72bcfd7 Merge pull request #2067 from drwetter/polish_fixhttpclockskew
Consider HTTP 'Age' header field when calculating HTTP clock skew
2021-12-10 20:16:28 +01:00
fc06fcee56 fix travis 2021-12-10 18:26:03 +01:00
7974e57688 add extra line for Age 2021-12-10 16:06:26 +01:00
18f3ad7c31 fix travis 2021-12-10 15:58:10 +01:00
e871bd0911 Polish PR #2032 + Additions
* address my comments
* add json fields HTTP_headerTime + HTTP_headerAge if they exists
* output HTTP_AGE if it was detected
* do stripping of line feeds closer to where variables were set
2021-12-10 14:27:30 +01:00
d6398c3167 Merge branch 'fixhttpclockskew' of https://github.com/Wahnes/testssl.sh into Wahnes-fixhttpclockskew 2021-12-10 12:06:19 +01:00
2dce751bfa Merge pull request #2055 from dcooper16/fix2053
Fix #2053
2021-12-09 17:03:57 +01:00
ff8e9f49cc Fix #2053
This commit fixes #2053 by setting $FIRST_FINDING to false after a section footer is output.
2021-12-09 10:13:24 -05:00
0118603401 Merge pull request #2064 from dcooper16/fix_json_headers
Fix JSON section headers
2021-12-09 13:16:50 +01:00
e1600e3f62 Fix JSON section headers
This commit fixes two issues with the headers in the structured JSON output. First, if run_cipher_match() is performed the header this is used is "pretest" rather than "singleCipher". Second, the headers for "serverPreferences" and "fs" are swapped.
2021-12-08 14:13:10 -05:00
beac382673 Merge pull request #2063 from dcooper16/keyopts
Document $keyopts
2021-12-08 19:29:40 +01:00
f2a4ee1090 Document $keyopts
Shellcheck complains on line 2234 that keyopts is referenced but not assigned and there is no explanation in the code (or in the documentation) why "$keyopts" is there. This commit adds a comment so that "$keyopts" isn't deleted as part of a code cleanup.
2021-12-08 11:50:35 -05:00
dc782a895c Merge pull request #2059 from dcooper16/simplify_git_rel
Simplify extracting Git information
2021-12-08 11:50:55 +01:00
187854bd60 Merge pull request #2061 from dcooper16/update_reset_hostdepended_vars
Update reset_hostdepended_vars()
2021-12-08 11:49:10 +01:00
edbc66c78d Update reset_hostdepended_vars()
This commit adds several variables to reset_hostdepended_vars() that are not currently being reset for each host being tested, but that should be reset.
2021-12-07 14:45:19 -05:00
019c7fa57a Simplify extracting Git information
testssl.sh currently calls "git log --format='%h %ci' -1 2>/dev/null" three times. This commits changes testssl.sh to make this call just once and then use Bash string manipulation to extract the necessary information from the result.
2021-12-07 14:38:14 -05:00
04b7e1e7c3 Merge pull request #2060 from dcooper16/shellcheck
Fix some Shellcheck issues
2021-12-07 20:26:00 +01:00
d701e69e20 Fix some Shellcheck issues
This commit fixes a number of issues raised by Shellcheck and removes unnecessary quotation marks in a number of places.
2021-12-07 09:22:34 -05:00
0eb73d949a Merge pull request #2056 from drwetter/update_ua_sneaky
Update Firefox UA used in sneaky mode
2021-12-07 08:55:54 +01:00
22272105c4 Merge pull request #2057 from mspncp/git-simplify-worktree-check
Simplify check for git working tree
2021-12-06 18:35:24 +01:00
1e3f932932 Simplify check for git working tree
Sending the entire log to /dev/null is a rather expensive way of checking whether
we are inside a git working tree. Use `git rev-parse --is-inside-work-tree` instead.
2021-12-06 17:35:54 +01:00
914dde501a Update Firefox UA used in sneaky mode
From FF 52 to FF 94.

Also one double quote was removed
2021-12-03 13:15:13 +01:00
f6571c7c76 Merge pull request #2050 from dcooper16/fix2049
Fix #2049
2021-11-30 11:19:44 +01:00