Commit Graph

4131 Commits

Author SHA1 Message Date
dfbb9f8122 Fix Actions
this one works locally...
2022-05-30 13:37:07 +02:00
8d817e1dcf PR to merge #2189
added: changes in CI so that it goes through
2022-05-25 18:46:08 +02:00
f3fe2ac401 Merge branch 'EliteTK-fix-crime-tls1.3' into pr2189 2022-05-25 18:45:13 +02:00
fc0cc67d47 Make run_crime use $jsonID instead of repeating
This also seems more consistent across the code.
2022-05-23 13:57:31 +01:00
326a65e7ad Fix CRIME test on servers only supporting TLS 1.3
As jsonID is not set by run_crime, make the fileout invocation for
servers supporting only TLS 1.3 use the literal "CRIME_TLS" instead.

Previously running testssl with CSV or JSON output would produce an item
with the wrong ID.
2022-05-23 13:53:38 +01:00
d931eb470c Merge pull request #2186 from drwetter/censys_fix_2127
Fix censys link in DROWN section
2022-05-14 13:57:46 +02:00
04463784a8 Fix censys link in DROWN section
See #2127. the line seems very long though.

Note: this was previously commited as #2184 but as there were two mistakes
and one other thing which could be improved I decided to make a hard reset.

Apologize if it caused inconvenience.
2022-05-14 12:06:09 +02:00
b89574e5c7 Merge pull request #2180 from dcooper16/ossl_ffdhe
Check for OpenSSL support for ffdhe groups
2022-05-10 07:47:56 +02:00
66c3e35dba Check for OpenSSL support for ffdhe groups
OpenSSL 3.0.0 and later supports specifying the FFDHE groups from RFC 7919 in the "-groups" (or "-curves") option of s_client.

This commit modifies find_openssl_binary() to check whether $OPENSSL supports this. This information is then used by run_client_simulation(), if client simulation testing is being performed using $OPENSSL. If the "curves" for a client include FFDHE groups, then they will be included in the simulated ClientHello.
2022-05-09 09:46:40 -04:00
ff23a2ba22 Merge pull request #2177 from drwetter/dependabot/github_actions/docker/setup-buildx-action-2
Bump docker/setup-buildx-action from 1 to 2
2022-05-06 08:17:49 +02:00
4935679f50 Merge pull request #2176 from drwetter/dependabot/github_actions/docker/metadata-action-4
Bump docker/metadata-action from 3 to 4
2022-05-06 08:17:33 +02:00
f1ce1a21bb Merge pull request #2175 from drwetter/dependabot/github_actions/docker/setup-qemu-action-2.0.0
Bump docker/setup-qemu-action from 1.2.0 to 2.0.0
2022-05-06 08:17:09 +02:00
acfbaf8408 Merge pull request #2174 from drwetter/dependabot/github_actions/docker/login-action-2.0.0
Bump docker/login-action from 1.14.1 to 2.0.0
2022-05-06 08:16:42 +02:00
c332d03323 Merge pull request #2173 from drwetter/dependabot/github_actions/docker/build-push-action-3.0.0
Bump docker/build-push-action from 2.10.0 to 3.0.0
2022-05-06 08:15:59 +02:00
f434dd963d Bump docker/setup-buildx-action from 1 to 2
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1 to 2.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-06 00:31:01 +00:00
d40591bf00 Bump docker/metadata-action from 3 to 4
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 3 to 4.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md)
- [Commits](https://github.com/docker/metadata-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-06 00:30:56 +00:00
44ae7c1604 Bump docker/setup-qemu-action from 1.2.0 to 2.0.0
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1.2.0 to 2.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v1.2.0...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-06 00:30:52 +00:00
172115501a Bump docker/login-action from 1.14.1 to 2.0.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-06 00:30:49 +00:00
7fb9039f83 Bump docker/build-push-action from 2.10.0 to 3.0.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-06 00:30:45 +00:00
859da96ad0 Merge pull request #2167 from drwetter/fix_banner
Minor changes to banner
2022-05-04 10:48:18 +02:00
34cc20b0df Minor changes to banner
On macOS indark mode the git tag in grey wasn't visible. It was
changed now to light grey but it has to be tested how it looks
on a white terminal background.

Also CVS variables were removed which had no meaning.
2022-05-03 21:02:56 +02:00
0329eba688 Merge pull request #2164 from drwetter/ftp_starttls_auth_only
Relax STARTTLS FTP requirement
2022-04-27 14:49:02 +02:00
6c69fdbf4b Relax STARTTLS FTP requirement
In rare? occassions where the STARTTLS FEAT request only displays AUTH instead
of AUTH TLS, testssl.sh fails as it cannot upgrade to TLS.

Required by RFC 4217 is only AUTH ("MUST"), AUTH TLS is optional ("should"), see section 6.
This commit relaxes the presence of TLS after AUTH and it fixes #2132.
2022-04-27 13:34:03 +02:00
ab33f6c0b6 Merge pull request #2163 from drwetter/fix-permissions-githubdockeraction
Hotfix reenabling write permissions
2022-04-25 10:18:49 +02:00
e5efdd6cb4 Hotfix reenabling write permissions
see #2158
2022-04-25 10:17:05 +02:00
db80ef14f0 Merge pull request #2156 from dcooper16/fix_run_server_defaults
Fix run_server_defaults()
2022-04-25 08:54:52 +02:00
5053105d3f Merge pull request #2154 from dcooper16/server_pref_no_default_cipher
Fix run_server_preference() with no default protocol
2022-04-24 19:30:18 +02:00
cc8c02d653 Merge pull request #2139 from dcooper16/fix2131
Fix #2131
2022-04-24 18:17:17 +02:00
4d7357a64e Merge pull request #2158 from turrisxyz/setup-permissions
Set permissions for GitHub actions
2022-04-24 18:03:10 +02:00
61eb164875 Merge pull request #2157 from dcooper16/update_protos_offered
Update PROTOS_OFFERED
2022-04-22 15:45:49 +02:00
ca71b2e374 Merge pull request #2162 from dcooper16/ossl_ciphers
Fix calls to $OPENSSL ciphers
2022-04-22 15:38:30 +02:00
3a460b40e1 Merge pull request #2160 from dcooper16/try_more_ciphers
Try more ciphers
2022-04-22 15:26:07 +02:00
1e0c1a8134 Fix calls to $OPENSSL ciphers
This commit fixes testssl.sh's calls to the "$OPENSSL ciphers" command.

The main issue it fixes is when actually_supported_osslciphers() is called to get a list of non-SSLv2 ciphers supported by $OPENSSL. With OpenSSL 1.0.2, the "-tls1" option needs to be used to exclude SSLv2 ciphers. With LibreSSL, the "-tls1" option may be provided, but it has no effect. With OpenSSL 1.1.1 and newer, the "-tls1" option causes TLSv1.2-only ciphers (e.g., AES256-SHA256) to be excluded (when the "-s" option is also used).

This commit fixes the problem by allowing "-no_ssl2" to be provided as an option to actually_supported_osslciphers(). For versions of $OPENSSL that support SSLv2, "-no_ssl2" is replaced by "-tls1". For versions of $OPENSSL that do not support SSLv2, "-no_ssl2" is simply removed.

This commit also changes openssl2hexcode() to include the "-tls1" option when $OPENSSL supports SSLv2, since openssl2hexcode() should only return a non-SSLv2 cipher.
2022-04-19 14:35:02 -04:00
50b09267d0 Try more ciphers
determine_optimal_sockets_params() makes two attempts to send a TLS 1.2 ClientHello, with each attempt trying 127 ciphers. However, this leaves 97 ciphers from etc/cipher-mapping.txt that are not tried, most of which use ARIA or CAMELLIA. This commit adds a third attempt a send a ClientHello that offers these 97 remaining ciphers. This helps to ensure that support for TLS 1.2 is detected and that later calls to tls_sockets() work, even if the server only supports the ARIA/CAMELLIA ciphers that are not included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
2022-04-18 11:53:28 -04:00
2d03d82fd9 Set permissions for GitHub actions
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-15 21:17:06 -05:00
b90db257a1 Update PROTOS_OFFERED
In some rare cases, a connection to the server will fail with tls_sockets() but not with $OPENSSL. This can cause determine_optimal_sockets_params() to call add_proto_offered() to indicate that the protocol is not supported, and then determine_optimal_proto() to later call add_proto_offered() to indicate that it is supported. However, PROTOS_OFFERED does not get changed, since add_proto_offered() only modifies PROTOS_OFFERED if the protocol is not already listed.

This commit fixes the problem by allowing add_proto_offered() to change an entry for a protocol from "no" to "yes".

If determine_optimal_proto() happens to connect to the server using TLS 1.2, then this commit will set TLS12_CIPHER_OFFERED to the cipher from that connection, if TLS12_CIPHER_OFFERED was not set in determine_optimal_sockets_params(). This will allow run_protocols()'s test of a TLS 1.3 ClientHello to work better, if the problem is that no cipher supported by the server is included in TLS12_CIPHER or TLS12_CIPHER_2ND_TRY.
2022-04-15 09:40:02 -04:00
15f8fc5a3f Fix run_server_defaults()
PR #1960 created a bug by placing code between the call to determine_tls_extensions() and a check of its return code. This commit fixes the problem.
2022-04-14 11:01:26 -04:00
a2252168f1 Fix run_server_preference() with no default protocol
run_server_preference() calls "default_proto=$(get_protocol $TMPFILE)" even if all attempts to connect to the server failed. This will result in default_proto incorrectly being set to TLS 1.2. This commit fixes the issue by only calling get_protocol() if an attempt to connect to the server was successful.
2022-04-14 10:50:13 -04:00
0be5ca5309 Support DHE/ECDHE servers with uncommon curves
When running in --ssl-native mode, run_fs() will not detect ECDHE ciphers if the server supports both DHE and ECDHE ciphers and the ECDHE ciphers are only supported with curves that are not offered by $OPENSSL by default. This commit fixes this by adding extra connection attempts with the -curves parameter explicitly provided.
2022-04-14 08:51:25 -04:00
ac662f8699 Improve compatibility with LibreSSL
Older versions of LibreSSL that do not support TLS 1.3 only include a small list of curves in the supported_groups extension by default, so need to retry with curves explicitly defined even with versions of $OPENSSL that do not support TLS 1.3.
2022-04-14 08:51:25 -04:00
dd35be2e4b Fix #2131
This commit fixes #2131 by having run_fs() attempt a TLS 1.2 ClientHello if the initial TLS 1.3 ClientHello fails. The TLS 1.2 ClientHello will offer many more curves than the TLS 1.3 ClientHello offers, and so it may succeed if the server supports ECDHE ciphers, but only with curves that were removed by RFC 8446.
2022-04-14 08:51:25 -04:00
54e5469411 Merge pull request #2150 from dcooper16/no_session_id
Fix setting NO_SESSION_ID
2022-04-14 13:19:24 +02:00
225f1286b4 Merge pull request #2149 from dcooper16/fix2147
Fix #2147
2022-04-14 13:12:16 +02:00
cc74256091 Fix setting NO_SESSION_ID
With a TLS 1.3 connection using $OPENSSL, a session ID will only appears as part of a post-handshake session ticket. However, when $OPENSSL s_client is called as in determine_optimal_proto() (i.e., with "< /dev/null"), a post-handshake session ticket will not always be received, even if the server supports it. This can result in NO_SESSION_ID incorrectly being set to true. This commit fixes the issue by setting NO_SESSION_ID to true by default, and then setting it to false if a session ID is returned by any connection to the server.
2022-04-13 09:26:36 -04:00
70b1ee643f Fix #2147
This commit fixes #2147 by having awk search for additional possible strings to start the CRL Distribution Points output. Unless the CRLDP extension is malformed, it will begin with "Full Name", "Relative Name", "Reasons", or "CRL Issuer".
2022-04-12 14:01:02 -04:00
6054be6dff Merge pull request #2145 from dcooper16/ossl3_fix
More OpenSSL compatibility fixes
2022-04-12 18:50:26 +02:00
618de1c24e More OpenSSL compatibility fixes
This commit fixes two more issues with using OpenSSL 3.X. When $OPENSSL is used to obtain a fingerprint, OpenSSL 3.X prepends the fingerprint with "sha1" or "sha256" rather than "SHA1" or "SHA256". In addition, the way that OpenSSL 3.X writes distinguished names causes a space character to appear at the beginning of "$cn" and "$issuer_CN" in certificate_info().
2022-04-11 11:23:09 -04:00
e82178719d Merge pull request #2141 from dcooper16/ossl3_compat
OpenSSL compatibility fix
2022-04-07 21:29:20 +02:00
fc07b379d0 Merge pull request #2142 from dcooper16/fix_flat_json
Fix flat JSON file
2022-04-07 21:28:32 +02:00
09973c8c44 Fix flat JSON file
PR #2140 contains a bug when handling flat JSON files. FIRST_FINDING should only be set to true in the case of structured JSON output, since it is only in that case that fileout_insert_warning() appends a comma to the JSON file. This commit fixes the problem.
2022-04-07 13:57:49 -04:00