Commit Graph

4073 Commits

Author SHA1 Message Date
Dirk db932c2bdc prevent CI from running in doc dir s/docs/doc/ 2022-04-01 14:14:59 +02:00
Dirk 28085e5ec9 Implement fixes in documentation from #2074
kudos @k0lter

* numbering
* some ticks / backticks

For now I left the html and roff files like they were. That should be reconsidered
later.
2022-04-01 13:12:02 +02:00
Dirk ab81558ba4 Merge branch 'k0lter-doc-fixes' into 3.1dev 2022-04-01 12:52:28 +02:00
David Cooper 9829105450 Reorder output of run_server_preference()
This commit reorders the output of run_server_preference() as discussed in #1311.
2022-04-01 12:50:12 +02:00
David Cooper c14ea2efc8 Use tls_sockets() in run_tls_fallback_scsv()
This commit adds the use of tls_sockets() to run_tls_fallback_scsv() to perform testing when the --ssl-native flag is not used. With this commit, run_tls_fallback_scsv() only uses tls_sockets() instead of $OPENSSL if the ClientHello needs to include the TLS_FALLBACK_SCSV flag, but it is not supported by $OPENSSL, or if the protocol that would be negotiated is SSLv3 and $OPENSSL does not support SSLv3.
2022-04-01 12:50:12 +02:00
dependabot[bot] b3979a8979 Bump docker/build-push-action from 2.9.0 to 2.10.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.9.0 to 2.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.9.0...v2.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
David Cooper 16369853d5 Working NNTP server
Switch NNTP server testing to a currently working server from http://vivil.free.fr/nntpeng.htm.
2022-04-01 12:50:12 +02:00
enxio c0fb2d1f70 Declare missing variable, style. 2022-04-01 12:50:12 +02:00
enxio bcacee1e4c Conform to style with local variables: declare "ret" properly. 2022-04-01 12:50:12 +02:00
David Cooper 008fa228c0 Add DH groups to supported_groups
There is at least one server that will not negotiate TLS_DHE_* cipher suites with TLS 1.2 and below if the supported_groups extension is present but does not include any DH groups. This commit adds the DH groups that are currently in the TLS 1.3 ClientHello to the TLS 1.2 and earlier ClientHello.
2022-04-01 12:50:12 +02:00
David Cooper 7a3ce9c677 Fix sclient_auth
If $connect_success is false, then sclient_auth() does not "return" any value, and the calling function treats this as if sclient_auth() had returned 0.

This commit fixes sclient_auth() so that 1 is returned if $client_success is false.
2022-04-01 12:50:12 +02:00
David Cooper bddf9c967f Include RSA-PSS in ClientHello
This commit changes prepare_tls_clienthello() so that the RSA-PSS algorithms are offered in the signature algorithms extension of TLS 1.2 and below ClientHello messages.
2022-04-01 12:50:12 +02:00
enxio 1c2e340506 Conform to style. Add some more info on the TN3270 STARTTLS negotiation. 2022-04-01 12:50:12 +02:00
enxio 1eb5b2949e Add support for TN3270/telnet STARTTLS (similar to OpenSSL's approach). 2022-04-01 12:50:12 +02:00
dependabot[bot] 60885e0c15 Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
dependabot[bot] 7a3b1f018f Bump docker/login-action from 1.13.0 to 1.14.1
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.1.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.13.0...v1.14.1)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
dependabot[bot] 00e7977a2c Bump docker/login-action from 1.12.0 to 1.13.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
Dirk Wetter 1059b07909 Fix "ID resumption test failed" under Darwin
Under Darwin using LibreSSL it was not possible to test for session
resumption by session ID.

This fixes #2096 by checking not only the return value of the s_client
hello but also whether a probable certificate is being returned.
2022-04-01 12:50:12 +02:00
Dirk Wetter deef51305a Fix JSON output bc of missing locale in alpine (3.1dev)
It is now being tested whether the binary locale exists and
there's a global introduced for that.

Also there's no fileout warning at this early stage anymore
as it leads to non-valid JSON.

This fixes #2103 in 3.1dev.
2022-04-01 12:50:12 +02:00
Dirk Wetter dd5d91f527 Fix locale error message when en_US.UTF-8 isn't available
Therefore a new global function was declared checking whether any of
the known locales work on the client without seeting them.
C / POSIX should work as well for LC_COLLATE.

This fixes #2100 for 3.1dev.
2022-04-01 12:50:12 +02:00
Dirk Wetter 86853c4a5c correct English in comment 2022-04-01 12:50:12 +02:00
Dirk Wetter 8b4ebc385a Fix Darwin / LibreSSL startup problem
This PR addresses a bug where a user encountered the question "The results
might look ok but they could be nonsense. Really proceed".

That happened under Darwin and probably some LibreSSL versions when
checking some hosts. sclient_auth() returned 1 indicating no SSL/TLS
handshake could be established.

This PR modifies sclient_auth() so that in those cases 0 is returned by
skipping the check for the session ID. As NO_SSL_SESSIONID needs to
be set when there's no session ID, this is done separately.
2022-04-01 12:50:12 +02:00
dependabot[bot] a64094a804 Bump docker/build-push-action from 2.8.0 to 2.9.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.8.0 to 2.9.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.8.0...v2.9.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:50:12 +02:00
Dirk Wetter c5ed4c9e5e Add CI check
* for STARTTLS + LDAP
* for STARTTLS + POP3 reenable check with openssl as GH has not the time limits which Travis had
2022-04-01 12:50:12 +02:00
Dirk Wetter 05d94fa019 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-04-01 12:49:53 +02:00
Dirk Wetter a778356cc3 Remove ldap protocol early returns
Partly revert bb5450e3f5
2022-04-01 12:45:59 +02:00
Dirk Wetter 9ec1ca30ba Amends LDAP + STARTTLS / rename sockread_serverhello()
This commit adds parsing the success value of the STARTTLS upgrade
in LDAP. Only possible values whould be 0 or one according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
2022-04-01 12:45:59 +02:00
Dirk Wetter 6bd0d9eba0 Add prototype for STARTTLS+ LDAP via sockets
See #1258

To do:
* more robustness. At least the success value from the response need to be retrieved and checked via starttls_io().
* double check the pre-handshake before the OID whether it's correct for every case
* documentation
* inline help

It seems to work though against db.debian.org
2022-04-01 12:45:59 +02:00
dependabot[bot] 4b973f242a Bump docker/build-push-action from 2.7.0 to 2.8.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.7.0...v2.8.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 12:45:59 +02:00
David Cooper 9a1f7f85b7 Fix potential stallling in HTTP query
In run_http_header() the GET command is first sent over TLS using a background process, and then if that does not hang, it is sent again in the foreground. Similarly, service_detection() runs the command in the background.

This commit changes determine_optimal_proto() to follow the example of run_http_header() as protection against the possibility of the HTTP query stalling.
2022-04-01 12:45:59 +02:00
David Cooper 4260ccbd1c Report if couldn't test for client authentication
This commit fixes determine_optimal_proto() and run_server_defaults() so that a "Local problem" is reported if a $URL_PATH is specified, the server is TLS 1.3-only, and $OPENSSL does not support -enable_pha (and the server does not offer client authentication as part of the initial TLS handshake).
2022-04-01 12:45:59 +02:00
David Cooper 0531d5df19 Improve check for client authentication with LibreSSL
Checking for client authentication with TLS 1.3 requires post-handshake authentication, which does not appear to be supported by LibreSSL. This commit improves the check for client authentication when testing a TLS 1.3 server using LibreSSL by having determine_optimal_proto() first test for connectivity with TLS 1.3 without checking for client authentication and then performing a separate check for client authentication using a non-TLS 1.3 protocol.

This commit only affects the flow of the program if a $URL_PATH is specified, the server supports TLS 1.3, and $OPENSSL supports TLS 1.3 but not -enable_pha.

testss.sh may still provide incorrect information about client authentication if a $URL_PATH is provided, the server is TLS 1.3-only, and LibreSSL is used.
2022-04-01 12:45:59 +02:00
David Cooper a66e3cd3ad Improve check for client authentication
Based on initial testing, this commit improves the check for client authentication in the case that the server only requests client authentication for specific URLs. However, it does not work correctly if the server supports TLS 1.3 and $OPENSSL is a version of LibreSSL that supports TLS 1.3 in s_client. The problem is that LibreSSL does not support post-handshake authentication with TLS 1.3
2022-04-01 12:45:59 +02:00
David Cooper 555c6eb4d0 WIP: Improve check for client authentication
As noted in #1709, some servers will only request client authentication if a specific URL is requested. This commit modifies the check for client authentication, in the case that a $URL_PATH is provided, by having testssl.sh perform a GET request on the URL provided on the command line.
2022-04-01 12:45:59 +02:00
Dirk Wetter e240b9db91
Merge pull request #2129 from dcooper16/reorder_server_preference
Reorder output of run_server_preference()
2022-04-01 12:38:39 +02:00
Dirk Wetter 064743b35b
Merge pull request #2130 from dcooper16/fallback_scsv_sockets
Use tls_sockets() in run_tls_fallback_scsv()
2022-04-01 11:55:19 +02:00
David Cooper fa5d13eb06 Reorder output of run_server_preference()
This commit reorders the output of run_server_preference() as discussed in #1311.
2022-03-22 15:40:49 -04:00
David Cooper 7e9d724d68 Use tls_sockets() in run_tls_fallback_scsv()
This commit adds the use of tls_sockets() to run_tls_fallback_scsv() to perform testing when the --ssl-native flag is not used. With this commit, run_tls_fallback_scsv() only uses tls_sockets() instead of $OPENSSL if the ClientHello needs to include the TLS_FALLBACK_SCSV flag, but it is not supported by $OPENSSL, or if the protocol that would be negotiated is SSLv3 and $OPENSSL does not support SSLv3.
2022-03-22 15:10:28 -04:00
Dirk Wetter 90c6134013
Merge pull request #2124 from drwetter/dependabot/github_actions/docker/build-push-action-2.10.0
Bump docker/build-push-action from 2.9.0 to 2.10.0
2022-03-16 15:25:06 +01:00
Dirk Wetter add41802c2
Merge pull request #2125 from dcooper16/nntp_server
Fix CI error
2022-03-16 15:22:42 +01:00
David Cooper 1814da4e53 Working NNTP server
Switch NNTP server testing to a currently working server from http://vivil.free.fr/nntpeng.htm.
2022-03-16 07:57:40 -04:00
Dirk Wetter 3750ebc4d9
Merge pull request #2123 from enxio/3.1dev
Improvements in local variable declaration in PR #2114
2022-03-16 09:51:12 +01:00
dependabot[bot] 9ae22434a0
Bump docker/build-push-action from 2.9.0 to 2.10.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.9.0 to 2.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.9.0...v2.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-15 00:27:58 +00:00
enxio 70c069381a Declare missing variable, style. 2022-03-14 15:27:55 +01:00
enxio 48ed6d483f Conform to style with local variables: declare "ret" properly. 2022-03-14 15:24:55 +01:00
Dirk Wetter 88cf7e657b
Merge pull request #2120 from dcooper16/supported_groups
Add FFDHE groups to supported_groups
2022-03-09 20:16:24 +01:00
David Cooper 3cd8e810ac Add DH groups to supported_groups
There is at least one server that will not negotiate TLS_DHE_* cipher suites with TLS 1.2 and below if the supported_groups extension is present but does not include any DH groups. This commit adds the DH groups that are currently in the TLS 1.3 ClientHello to the TLS 1.2 and earlier ClientHello.
2022-03-09 10:33:51 -05:00
Dirk Wetter b3e4ac8934
Merge pull request #2117 from dcooper16/fix_sclient_auth
Fix sclient_auth
2022-03-09 11:17:45 +01:00
David Cooper 909513773d Fix sclient_auth
If $connect_success is false, then sclient_auth() does not "return" any value, and the calling function treats this as if sclient_auth() had returned 0.

This commit fixes sclient_auth() so that 1 is returned if $client_success is false.
2022-03-08 14:57:47 -05:00
Dirk Wetter 55b654cbee
Merge pull request #2118 from dcooper16/rsapss
Include RSA-PSS in ClientHello
2022-03-08 20:07:29 +01:00