OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh
just output that which makes JSON invalid and displays the LF in the terminal
too.
This commit fixes that (#2010) by adding filters so that the
serialnumber is not a multiline string.
Also this commit introduces a new function: a size check of the cert serial.
Below 8 bytes the CAB Forum's lower limit is hit which says the *entropy*
from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes
length this requirement isn't possible to meet (needs to be clarified with
Shannon, 8 bytes seems to low to me).
The high threshold is according to RFC 5280, Section-4.1.2.2 .
See also #2013.
The output has changed, so that on the terminal the serial has one line,
SHA1 and SHA256 each one line. The new json key is "cert_serialNumberLen".
In order to save time and to spare WSL users lame DNS lookups
I removed a couple of connect calls from 14 to 4:
$OPENSSL s_client -ssl2 -connect invalid.
-->
OPENSSL s_client -ssl2
NXCONNECT to localhost IP and port 0 is now the default when WSL
is detected. Not sure whether this is working under all circumstances,
so this needs some testing.
This commit provides a global variable to the RFC 6761 use of "invalid."
which WSL clients doen't seem to handle very well, see #1738, #1812.
With this commit it e.g. is possible to use
NXCONNECT=localhost:0 ./testssl.sh <TARGET>
to save some time.
This commit will be amended later.
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses a
openssl.cnf provided by this project then.
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.
This fixes that, including an addtion to the documentation.
Note: the help still lists "-s --std, --standard" as a cmd line
switch.
* the ignore ~/.digrc option from dig is now parsed from the builtin help
* there was a potential DNS call which is now avoided
* for +noidnout check however there's a call to invalid. added
* the OPENSSL_CONF="" in check_resolver_bins() was moved a few lines
higher to avoid other errors in the terminal
Tested on (EOL) Ubuntu 14.04 which only has dig in an older version
See also #1950
This commit fixes#1961 in the 3.1dev branch by leaving NODEIP set to the server's IP address rather than changing it to the DNS name in the case of STARTTLS XMPP.
In order to address the problem of $OPENSSL s_client not working with STARTTLS XMPP if an IP address is provided to -connect, the -xmpphost option is used to provide the DNS name.
