Commit Graph

1337 Commits

Author SHA1 Message Date
Dirk Wetter 48f2dc20a6 Merge pull request #428 from dcooper16/determine_optimal_proto_ssl2_fix
SSLv2 fixes for determine_optimal_proto()
2016-07-26 18:29:49 +02:00
Dirk Wetter 3f550d14cf Merge pull request #429 from dcooper16/old_openssl_warning
Don't ignore response to old OpenSSL warning
2016-07-26 18:27:33 +02:00
Dirk Wetter 8d3e157e35 Merge pull request #430 from dcooper16/minor_typos
Fix two minor typos
2016-07-26 18:25:39 +02:00
David Cooper 746eab7f6b Fix two minor typos
Fixes for two minor typos that were previously included in PR #345.
2016-07-26 12:07:08 -04:00
David Cooper 72bbdbf49b Remove fixes for minor typos 2016-07-26 12:00:46 -04:00
David Cooper 4ed1f2fc11 Don't ignore response to old OpenSSL warning
In the check for old versions of OpenSSL, the results of the call to `ignore_no_or_lame()` are ignored, and so the program continues even if the user enters `no`.
2016-07-26 11:29:25 -04:00
David Cooper bc6367d3ad Update testssl.sh 2016-07-26 11:21:23 -04:00
David Cooper b43562aabf Update testssl.sh 2016-07-26 11:13:45 -04:00
David Cooper 23d311b1fc SSLv2 fixes for determine_optimal_proto()
This PR makes three changes to `determine_optimal_proto()`:
* It no longer tries an empty string for `$OPTIMAL_PROTO` twice.
* It does not include `-servername` for `-ssl2` or `-ssl3`, since some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.
* It displays a warning if `$OPTIMAL_PROTO` is `-ssl2`, since some tests in testssl.sh will not work correctly for SSLv2-only servers.
2016-07-26 11:10:20 -04:00
David Cooper e9a2d27af3 Remove determine_optimal_proto() fix 2016-07-26 11:04:43 -04:00
David Cooper d67fff3223 SSLv2 fixes for server preference
This PR addresses two issues related to SSLv2 for "--server-preference" checks.

First, some versions of OpenSSL that support SSLv2 will fail if `s_client` is provided both the `-ssl2` and `-servername` options.

Second, the line for extracting the chosen cipher,`cipher=$(awk '/Cipher.*:/ { print $3 }' $TMPFILE)`, fails for SSLv2. For SSLv2, the output from `$OPENSSL s_client` is as shown below, and the `cipher=` line extracts the word `between` from `Ciphers common between both SSL endpoints:` rather than `IDEA-CBC-MD5` from `   Cipher    : IDEA-CBC-MD5`.

```
...
Ciphers common between both SSL endpoints:                                                                                                                                                                   
RC4-MD5         RC2-CBC-MD5     IDEA-CBC-MD5                                                                                                                                                                 
DES-CBC-MD5     DES-CBC3-MD5                                                                                                                                                                                 
---                                                                                                                                                                                                          
SSL handshake has read 1191 bytes and written 373 bytes                                                                                                                                                      
---                                                                                                                                                                                                          
New, SSLv2, Cipher is IDEA-CBC-MD5                                                                                                                                                                           
Server public key is 2048 bit                                                                                                                                                                                
Secure Renegotiation IS NOT supported                                                                                                                                                                        
Compression: NONE                                                                                                                                                                                            
Expansion: NONE                                                                                                                                                                                              
No ALPN negotiated                                                                                                                                                                                           
SSL-Session:                                                                                                                                                                                                 
    Protocol  : SSLv2                                                                                                                                                                                        
    Cipher    : IDEA-CBC-MD5
...
```
2016-07-26 10:22:36 -04:00
David Cooper 93ba2e5d65 Remove some server preference fixes 2016-07-26 10:11:22 -04:00
David Cooper 46323602b1 Merge branch 'master' into openss2rfc_rfc2openssl 2016-07-26 08:51:10 -04:00
David Cooper 6bd6b8959c Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-26 08:48:01 -04:00
Dirk Wetter 5a763ff8e1 Merge pull request #424 from dcooper16/run_rc4_ssl2_ciphers
SSLv2 fixes for run_rc4()
2016-07-26 12:08:17 +02:00
Dirk Wetter a8048ccfa0 Merge pull request #425 from dcooper16/test_just_one_ssl2_ciphers
SSLv2 fixes for test_just_one()
2016-07-26 07:54:29 +02:00
David Cooper add75caf82 SSLv2 fixes for test_just_one()
This PR changes test_just_one() to correctly handle SSLv2 ciphers.

As with PR #424, this PR addresses the problem in which servers that do not implement SSLv2, but that implement RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, or NULL-MD5 are shown as implementing both the SSLv2 and SSLv3 versions of the ciphers, and that any SSLv2 ciphers that a server does implement are not shown as being implemented.
2016-07-25 17:00:49 -04:00
David Cooper db0a6db620 Remove fixes for test_just_one() 2016-07-25 16:54:19 -04:00
David Cooper 43d5ad5071 SSLv2 fixes for run_rc4()
This PR changes run_rc4() to correctly handle SSLv2 ciphers.

It addresses the problem in which servers that do not implement SSLv2, but that implement SSLv3 ciphers that share an OpenSSL name with an SSLv2 cipher (RC4-MD5 and EXP-RC4-MD5), are not incorrectly shown as having implemented the SSLv2 cipher.

It also addresses the problem that if a server does implement SSLv2 with an RC4 SSLv2-cipher suite, then that cipher suite it not shown as being implemented.
2016-07-25 16:42:04 -04:00
David Cooper d2f1e15243 Remove fixes for run_rc4() 2016-07-25 16:30:30 -04:00
David Cooper b142962063 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-25 16:24:35 -04:00
Dirk Wetter 9b3cfab5b8 Merge pull request #341 from dcooper16/run_allciphers(),run_cipher_per_proto(),-and-SSLv2
run_allciphers(),run_cipher_per_proto(), and SSLv2
2016-07-25 20:04:14 +02:00
David Cooper bb29e3c917 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-25 09:39:28 -04:00
David Cooper 6d164d8a2e Merge branch 'master' into openss2rfc_rfc2openssl 2016-07-25 09:38:05 -04:00
David Cooper 36a3230b84 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-25 09:36:50 -04:00
Dirk Wetter 364bea1da0 Merge pull request #422 from seccubus/CA_pinning
Updated CA pinning PR
2016-07-25 11:56:31 +02:00
Frank Breedijk dd10194977 Addressed comments by @drwetter
It is OK for a site to pin a CA that is not part of the chain (like github.com does)
This is a provision against a CA compromise (like diginotar) which could lead to a
briked site in case of CA compromise.

GitHub has built in multiple levels of security they have both backup pins for host
certs and back pins for CAs (and I wouldn;t be surprised if they have a backup
intermediate pin too).
2016-07-25 11:02:05 +02:00
Frank Breedijk 9133eddb9a Working unit tests again 2016-07-25 10:57:10 +02:00
Frank Breedijk 5d7367a68d Shell script to generate ca_hashes.txt (OSX only) 2016-07-25 09:47:24 +02:00
Frank Breedijk fccc5fe4fb Merge branch 'CA_pinning' of https://github.com/drwetter/testssl.sh into CA_pinning 2016-07-25 09:38:30 +02:00
Dirk 541690b46e - enabled+renamed tolerance test per default
- quoted some bool vars for faster execution
2016-07-23 15:12:13 +02:00
Dirk Wetter 38b61ed36f Merge pull request #346 from dcooper16/version_negotiation
Additional checks in run_protocols()
2016-07-23 14:54:50 +02:00
Dirk 3d588ddb20 change sequence of out output (trust checks together 2016-07-23 14:52:26 +02:00
Dirk Wetter 0c2acdd8fe Merge pull request #420 from dcooper16/signed-signed-check
Fix check for self-signed certificate
2016-07-23 14:47:14 +02:00
Dirk 1a099d35b7 - minor polishing #419 2016-07-23 11:17:49 +02:00
Dirk Wetter 9ef0cef8ef Merge pull request #419 from dcooper16/CN-hostname-match
CN <--> hostname match
2016-07-23 11:13:29 +02:00
David Cooper ae38670067 Fix check for self-signed certificate
The check for whether a certificate is self-signed was using the undefined variable $CN rather than $cn.
2016-07-22 12:06:52 -04:00
David Cooper 59002c1088 Update JSON id for chain-of-trust 2016-07-22 11:57:16 -04:00
David Cooper df64e47fb9 CN <--> hostname match
PR to address issue #94 (CN <--> hostname match)
2016-07-22 11:31:52 -04:00
Dirk Wetter ddead05825 Merge pull request #418 from dcooper16/issuer2
CA names with domain component attributes
2016-07-21 12:16:24 +02:00
David Cooper 603ed33f57 Merge branch 'master' into version_negotiation 2016-07-20 13:39:11 -04:00
David Cooper 6730ed8340 Merge branch 'master' into run_allciphers(),run_cipher_per_proto(),-and-SSLv2 2016-07-20 13:37:54 -04:00
David Cooper 89df7c5ec2 Merge branch 'master' into openss2rfc_rfc2openssl 2016-07-20 13:36:12 -04:00
David Cooper e8d10a5e05 Merge branch 'master' into more_sslv2_sslv3_fixes 2016-07-20 13:34:39 -04:00
Dirk Wetter 82c8663b4f speed improvement due to using a precomputed hash table for known CAs 2016-07-20 19:12:02 +02:00
Dirk Wetter 12c7af11c6 fixed hashes 2016-07-20 19:11:38 +02:00
Dirk Wetter fad41b059f - first set of patches 2016-07-20 19:01:02 +02:00
Dirk Wetter fddc533fc4 Merge branch 'seccubus-feature/ca-pinning' into CA_pinning 2016-07-20 18:48:09 +02:00
Dirk Wetter 535c37fbb3 Merge branch 'feature/ca-pinning' of https://github.com/seccubus/testssl.sh into seccubus-feature/ca-pinning 2016-07-20 18:47:05 +02:00
David Cooper bdea1a0971 Merge branch 'master' into issuer2
Conflicts:
	testssl.sh
2016-07-20 11:45:08 -04:00