All cases could be handled by the single openssl s_client invocation
loop:
- dispatch and adjust comments to not loose them
- remove the first s_client invocation: stuck connections are allready
handled by the main loop
- remove the second s_client invocation: normal case and server closed
connections are allready handled by the main loop. The loop take care
of the race between server connection close and s_client terminating
too by doing another loop run, not closing STDIN.
- special non HTTP case equivalent to ssl_reneg_attempts=2
- specialcase only the HTTP result printing to not change the output
- openssl-timeout option clashe badly with the main loop logic:
Introduce $OPENSSL_NOTIMEOUT
This commit adds support for the two cipher suites in RFC 9150, TLS_SHA256_SHA256 and TLS_SHA384_SHA384. These are authentication and integrity-only cipher suites.
LibreSSL 4.0.0 was recently released. This commit modified the version check in determine_trust() so that there isn't an incorrect warning suggesting that LibreSSL 4.0.0 "<= 1.0.2 might be too unreliable to determine trust."
This commit modifies check_revocation_ocsp() to check the revocation status of a certificate in a stapled OCSP response whether the response uses SHA-1 or SHA-256 in CertID.
As EOL comes closer for openSUSE Leap 15.5 (https://en.opensuse.org/Lifetime)
an update is needed.
``busybox-util-linux`` and ``busybox-vi`` had to be removed as they don't exist
anymore. Busybox was added but hexdump was not provided by the vendor.
As busybox was compiled "properly" hexdump can be added by just linking to it.
This fixes#2563
In rare cases testssl.sh writes in the terminal output "likely not offered" but
misses the "likely" in the json/csv output.
This fixes#2575 by adding that word and amending the return value 4 with
a comment.
While in 3.2 there was only a hint how to deal with TLS 1.3 only hosts, a restart
with --openssl=/usr/bin/openssl or setting of OSSL_SHORTCUT-true was required.
This PR changes the behavior: if an openssl version can be found in /usr/bin/openssl
(or SUPPLIED via OPENSSL2=/home/version/ofopenssl testssl <cmdline>) which
supports TLS 1.3 it switches automatically and informs the user that it has done so.
This message is asynchonous and is implemented with a new function check_msg()
and a global OPEN_MSG, so that we maintain the formatting. Otherwise it would have
appeared between rDNS and service detection. Now it's nicely after service detection.
