Commit Graph

5451 Commits

Author SHA1 Message Date
Dirk 8e25163625 Remove QUIC from runner 2026-06-10 10:03:25 +02:00
Dirk Wetter 37135fa752 Save work
- dig needs to be called with $DIG_R
- basic parsing for alpn on Mac should be fine now

- case statement filled with moste of the functions
- port function tested + added, but not called yet
- ipv4hint function tested + added  but not called yet
- ipv6hint function tested + added  but not called yet. Doesn't do compression of ipv6 address yet
- stub functions dohpath+ech
2026-06-09 22:14:45 +02:00
Dirk 457f8fd0a0 Provide better debugging means
This is just to assist debugging of the runners, so that
we can grab in a case needed the screen and stderr .

* there's a script t/03_debug.t.DISABLED which needs to be renamed then
* it utilises IPC::Run3
- also showing the PATH is added for both runners
- Readme amended accordingly
2026-06-09 13:43:43 +02:00
Dirk Wetter c25a0ad491 Merge pull request #3057 from testssl/drwetter-patch-1
Hide CI badges for now
2026-06-09 10:39:41 +02:00
Dirk Wetter 2f591423f2 fix spelling 2026-06-09 10:39:03 +02:00
Dirk Wetter 5205310c0c Remove CI badges
... as they reflect the PR status and not the current branch

See #2794
2026-06-09 10:36:24 +02:00
Dirk Wetter e7204bd524 Merge pull request #3056 from testssl/revert-3055-drwetter-patch-1
Revert "Trying to fix the badge issue"
2026-06-09 10:32:16 +02:00
Dirk Wetter f634570af7 Revert "Trying to fix the badge issue" 2026-06-09 10:31:37 +02:00
Dirk Wetter fbedfe5f5f Merge pull request #3055 from testssl/drwetter-patch-1
Trying to fix the badge issue
2026-06-09 10:19:40 +02:00
Dirk Wetter 01f9b49549 Update unit_tests_ubuntu.yml
... also for the ubuntu runner
2026-06-09 10:18:52 +02:00
Dirk Wetter b9dda9312d Trying to fix the badge issue
... by having the runner only act on 3.3dev. Sounds counter intuitive but I was recommended to try
2026-06-09 10:16:50 +02:00
Dirk Wetter db014a6289 Merge pull request #3054 from testssl/drwetter-patch-1
Fix badges, try 2
2026-06-09 09:58:42 +02:00
Dirk Wetter ea16c81e97 Fix badges, try 2
* comment in status badges (try)
* stars getting to work again
2026-06-09 09:57:21 +02:00
Dirk Wetter fe080150cf Merge pull request #3053 from testssl/drwetter-patch-1
Handle badges, remove 1 bracket
2026-06-09 09:45:10 +02:00
Dirk Wetter 1bf15f41e1 Handle badges 2026-06-09 09:42:50 +02:00
Dirk Wetter cfde1df489 Merge pull request #3050 from potato-20/add-modern-security-headers
Report additional modern security headers (INFO)
2026-06-09 09:22:54 +02:00
Dirk Wetter 8f588813c0 Merge pull request #3049 from potato-20/fix-mx-host-port-2986
Fix --mx host:port parsing and incorrect no-MX message (#2986)
2026-06-08 18:33:32 +02:00
Dirk Wetter 62701f2d5e Merge branch '3.3dev' into https_rr 2026-06-08 17:50:20 +02:00
Dirk Wetter 654dc18760 Merge pull request #3052 from testssl/mac_runner_update
Update runner to macos-26 (arm64 as before)
2026-06-08 17:08:16 +02:00
Dirk Wetter 3c5b733431 Update runneer to macos-26 (arm64 as before)
... as they were strange failures in the past.

Supported runners: https://docs.github.com/en/actions/reference/runners/github-hosted-runners#single-cpu-runners .
Details: https://github.com/actions/runner-images/blob/main/images/macos/macos-26-arm64-Readme.md
2026-06-08 16:41:37 +02:00
potato-20 0a7aff701e Report additional modern security headers as INFO
Adds X-Permitted-Cross-Domain-Policies (already highlighted in emphasize_stuff_in_headers() but never reported), Origin-Agent-Cluster, Document-Policy, Clear-Site-Data, Reporting-Endpoints, Report-To and NEL to run_security_headers(), all presence-only/INFO, matching how COOP/COEP/CORP were added in #2619.
2026-06-06 16:27:55 +05:30
potato-20 1704bdfa79 Fix --mx host:port parsing and incorrect no-MX message (#2986)
When a port was appended to the domain (e.g. "--mx example.com:25"), the suffix was passed straight into the MX DNS lookup, so no MX records were found. Strip a trailing :port off the domain before the lookup and use it as the port to test. Also fix the no-MX message, which printed $1 (the run date) instead of the domain, plus a "records(s)" typo.
2026-06-06 15:48:17 +05:30
Dirk Wetter 51ba8327a8 introduce subfunctions decode_*
First implemented and tested working is decode_https_rr_alpn().
Also we use the svk params in a case statement to decipher the
hexstream better.

The hexstream ($line) has now no blanks anymore. They seem to be
arbitrary.

Variables need to be declared in get_https_rrecord() .
2026-06-02 19:04:17 +02:00
Dirk Wetter a92cd8f702 fix shellcheck complaint 2026-06-01 16:56:47 +02:00
Dirk Wetter 84bd9dd1a3 Updatesr get_https_rrecord()
- quote vars (hoping it'll resolve the Mac runner issue)
- make sure CNAMEs are properly parsed
- end get_https_rrecord() earlier when there's no record but DNS binaries are "HTTPS record aware"
- while loop was redundant
- better comments

Elsewhere:

make sure get_https_rrecord is called with a trailing dot for the NODE
2026-06-01 16:14:29 +02:00
Dirk Wetter ba7d9604a9 Getting from github runner under MacOS
as there is an inexplicable difference between a real Mac
which passes the run and the one in github

-"DNS_HTTPS_rrecord","testssl.sh/81.169.235.32","443","OK","81.169.235.32","",""
+"DNS_HTTPS_rrecord","testssl.sh/81.169.235.32","443","OK","1 . alpn='h2'","",""

The first line comes from the runner
2026-06-01 10:14:25 +02:00
Dirk Wetter e365ccf03f try to squash the baseline comparison check 2026-05-31 19:59:01 +02:00
Dirk Wetter 7f63e73ec3 Merge pull request #3046 from SteveVaneeckhout/fix-permissions-policy-duplicate
Fix Permissions-Policy header listed twice in output
2026-05-30 17:47:56 +02:00
Dirk Wetter e0c0a6658f Provide HTTPS RR functionality
This is a fresh start for #2484 as the PR wasn't ready yet for 3.2 by the time it was released. And it continues #2866
which was kind of messed up by accident.

The info for the HTTPS RR shows up in the very beginning, i.e. in `service_detection()`. All keys are listed now in bold, values in a regular font.

`get_https_rrecord()` was introduced by copying and modifying `get_caa_rr_record()`.

There's a similar obstacle as with CAA RRs: older binaries show the  resource records binary encoded. Thus a new set of global vars is introduced HAS_*_HTTPS which check whether the binaries support decoding the RR directly. As of now raw decoding doesn't work completely.

Todo:
- Add logic in QUIC
    - if RR is detected and not QUIC is possible
    - add time for QUIC detection when RR is retrieved
- show full HTTPS RR record, at least when having a new DNS client
- coninue with raw decoding, if possible (otherwise problematic for MacOS)
- shorten the comments in `get_https_rrecord()`
- man page
- when ASSUME_HTTP is set and no services was detected: this needs to be handled
- The placement of the output should be reconsidered and/or cached when multiple IPs belong to a FQDN
2026-05-30 17:40:34 +02:00
Steve f9061aa341 Fix -4/-6 flag being ignored when no specific test is selected
set_scanning_defaults() reset do_ipv4_only/do_ipv6_only to false. When
no individual test is requested on the command line, count_do_variables
returns 0 and parse_cmd_line() calls set_scanning_defaults() to enable
the standard test suite, which silently wiped out the user's -4/-6
selection. As a result determine_ip_addresses() fell through to its
"scan everything" branch and scanned both the A and AAAA records,
producing one scanResult per IP.

The IP-version flags are connection options, not test-selection state,
and are already initialized in initialize_globals(), so remove the
stray resets from set_scanning_defaults().

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 12:18:12 +02:00
Steve 989870e07b Fix Permissions-Policy header listed twice in output
run_security_headers() listed "Permissions-Policy" twice in its
header_and_svrty checklist: once as OK (since 2020) and again as INFO
(accidentally added in 12036fb). The loop matched the same header on
both iterations, emitting two entries to JSON (headerResponse) and the
terminal output. Remove the duplicate INFO entry, keeping the intended
OK classification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 12:18:05 +02:00
Dirk Wetter 316b1a8014 Merge pull request #3045 from testssl/add_fs_data_clientsimulation_json
Add fs data clientsimulation json
2026-05-29 16:07:24 +02:00
Dirk 209e76541e Using a compariable Linux distro in the firstplace for updating handshake would have been great ;-) 2026-05-29 15:20:17 +02:00
Dirk ec99148700 Fix html output runner 2026-05-29 13:00:58 +02:00
Dirk 1ee1a60a99 var name append_fileout is clearer 2026-05-29 10:53:28 +02:00
Dirk 566e1b1f65 Fix diff complaint raised by ./t/12_diff_opensslversions.t 2026-05-29 10:33:03 +02:00
Dirk cff2c0810c Add Linux, not Mac baseline ;-) 2026-05-28 20:41:00 +02:00
Dirk Wetter 01d58f5e9c update client simulation data 2026-05-28 19:07:28 +02:00
Dirk Wetter cf66ad61bd Add forward secrecy data to file output
This fixes #3040 .

Also this removes the debug lines within the if statement (bottom of run_client_simulation() ), probably
a historic leftover.
2026-05-28 19:03:39 +02:00
Dirk Wetter 9567e65a01 Merge pull request #3043 from testssl/issue_cmdline_warnings
Introduce early warning function
2026-05-28 13:31:27 +02:00
Dirk Wetter 75376d38bf Introduce early warning function
... which warns also via file output when not recommended command
line options are used.

This function named issue_cmdline_warnings() is being called in
lets roll after all fileout() functions has been initialized.
It needs to make use of fileout_insert_warning() though because
otherwise the JSON output is not correct.

Besides the previoulsy introduced warning when scanning IP addresses,
warnings of usage of '--fast' and '--ssl-native' will end up also
in a file now which gives ther tools using the machine readable
output to detect bad scan conditions.

Also warnings when scanning the most known IPv4 addresses
from Cloudflare, Google and Quad9, are avoided.
2026-05-28 10:37:16 +02:00
Dirk Wetter ca99b45f1f Merge pull request #3042 from testssl/grhza-3.3dev
Improve PR #3041
2026-05-27 18:16:42 +02:00
Dirk Wetter f8af511952 Improve PR #3041
* move message when scanning IP address to the very beginning, inside parse_cmd_line()
* improve message
* just check whether there are no chars a-zA-Z

* move [[ $caa_node =~ '.'$ ]] || caa_node+="." into the while loop
2026-05-27 16:53:06 +02:00
Raymond Huygen d4f1b31f0d Fix DNS CAA check for IP scans and subdomains
- Skip CAA lookup entirely when NODE is an IP address; show
  "not checked (IP address scan)" instead of spuriously querying
  IP octets as domain labels and reporting "not offered"
- Force FQDN (trailing dot) on the initial caa_node before the
  walk loop so dig does not apply the resolv.conf search domain
  to the first query, which could return a false result
- Add a visible warning in the scan header when scanning by IP
  address, noting that trust/CAA and other domain-specific checks
  may be unreliable and the user should rescan with the hostname
2026-05-25 17:01:11 +02:00
Dirk Wetter 2f51cff728 Merge pull request #3039 from phpipam/3.3dev
Added link to php-ssl Certificate scanning integration
2026-05-19 17:27:07 +02:00
Dirk Wetter 84235d35c0 Merge pull request #3038 from testssl/more_handshakes_updates
Client handshake updates
2026-05-18 22:14:26 +02:00
Dirk 7871d800f9 adjust baseline runner output 2026-05-18 21:30:57 +02:00
Dirk 01b7ad7cc8 correct name 2026-05-18 21:30:34 +02:00
Dirk 56697cee48 Consolidate handshakes for all Safaris 26.4
Looked before at ja3, but for Chromium-browsers ja4 is relevant.
The client column needed to be extended with 1 space.
2026-05-18 21:16:43 +02:00
Dirk b4e58dfbb5 Consolidated Handshakes
went through a couple of pcap files and determined ja3 + ja4 sums.

- Android 15/16 are the same (previously ja3 taken instead of ja4 and wrong host. One has to use chrome !)
- Edge 101/Chrome 101 are the same (will be deprated next time)
- surprisingly Java 17.0.3 and 21.0.6 were the same.

- Added: Ja3/ja4 for old Apple Mail and Thunderbird
2026-05-18 18:45:04 +02:00