Commit Graph

1635 Commits

Author SHA1 Message Date
David Cooper f839aab044
Fix determine_trust() for OpenSSL 1.1.1
determine_trust() uses the output of "$OPENSSL verify" to determine whether OpenSSL can construct a valid certification path for the server's certificate. If it does not find a string of the form "error [1-9][0-9]? at [0-9]+ depth lookup:" in the output, then it assumes that validation was successful. In current versions of OpenSSL, when this error is created it is printed to stdout, but in OpenSSL 1.1.1 is it printed to stderr. Since testssl.sh only checks the output sent to stdout, it incorrectly treats all certificates as valid if OpenSSL 1.1.1 is used.

This commit fixes the problem by checking the text that is sent to both stdout and stderr.

This commit also fixes a typo in the call to "$OPENSSL verify" which resulted in the environment variables SSL_CERT_DIR and SSL_CERT_FILE not being set to "/dev/null".
2018-02-01 16:51:12 -05:00
Dirk 20d33da11b unifying output for missing must_staple xt and CT 2018-01-31 20:38:40 +01:00
Dirk d2d62a9c55 jsonID changed (server defaults), host certificate in JSON, HOSTCERT_TXT
In ``must_staple()`` and ``certificate_info()``  were the jsonIDs
changed to OpenSSLi / IETF names so that testssl.sh is more compliant
to the rest of the world. There might be still space for improvements
are far as common naming scheme is concerned.

The host certificate is now being delivered in JSON and CSV. For
further usage " " needs to be converted back to linefeeds.

Certificate Expiration was renamed to Certificate Validity.

The order of outputting the certificate serial and SHA1 fingerprint
has been swapped.

Also ``certificate_info()`` makes more use of HOSTCERT_TXT.
2018-01-31 20:01:12 +01:00
Dirk 656016eae4 Changes to outputs: certificate start+end time, CRL+OCSP
For certificate start+end time it is now displaying the
time on UTC and without mentioning the timezone twice.

Also if neither CRL nor OCSP URI is provided it'll appear
on the screen below those two checks. JSON/CSV has then an
additional finding
2018-01-31 17:23:50 +01:00
Dirk 02b5497864 remove string GMT from certificate start+end time 2018-01-29 23:54:22 +01:00
Dirk 6d0123d33c changes + bug fix for certificate expiration time
This PR fixes one minor bug where the start and end time were
displayed in different time formats.

It now displays both time values in GMT.
2018-01-29 23:12:15 +01:00
Dirk d7a1236e9b Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2018-01-29 20:06:31 +01:00
Dirk 88cd5528e7 HOSTCERT_TXT populated, certificate end+startdate in JSON
HOSTCERT_TXT is now generated each time a HOSTCERT is
written. For now it is just being used in ``read_sigalg_from_file()``.
More to come.

Also in JSON output the start date and end date of the certificate
are now in separate objects. (the time format could need some polishing though).
2018-01-29 20:03:00 +01:00
Dirk Wetter 4cb43733d6
Merge pull request #973 from dcooper16/tls13_run_server_defaults
Add TLSv1.3 support for run_server_defaults()
2018-01-27 10:30:44 +01:00
Dirk Wetter 52feb4f578
Merge pull request #972 from dcooper16/fix_HRR
Fix HelloRetryRequest
2018-01-27 10:18:40 +01:00
David Cooper ee0b12bfca
Label elliptic curve public keys as "EC"
In the output created by certificate_info(), the "Server key size" line labels an elliptic curve key as "ECDSA." This commit changes the label to "EC." I believe this a more correct label since ECDSA is a signature algorithm, not a key type. Also, while unlikely, an elliptic curve key in a certificate may be used for ECDH (e.g, in TLS_ECDH_RSA_WITH_AES_128_CBC_SHA) rather than ECDSA.

Note that this does not impact the JSON or CSV output, since the corresponding fileout command already uses "$cert_keysize EC bits"
2018-01-26 17:27:10 -05:00
David Cooper fa87f8ffd5
Add TLSv1.3 support for run_server_defaults()
This commit adds TLSv1.3 support for run_server_defaults(). It uses get_server_certificate() to run separate checks for RSA and ECDSA certificates by sending TLSv1.3 ClientHello messages with different signature_algorithms values. A similar change is made to certificate_transparency() in order to check for certificate transparency support for certificates returned over TLSv1.3. It also modifies the check for certificates offered without SNI by including an option to use tls_sockets() with servers that support TLSv1.3 if OpenSSL does not support TLSv1.3.
2018-01-26 16:56:31 -05:00
David Cooper f8df2432ef
Fix HelloRetryRequest
In TLSv1.3, if a HelloRetryRequest needs to be sent and the call to tls_sockets() includes additional request extensions (other than key_share or cookie), then resend_if_hello_retry_request() adds an extra comma between extensions in the value sent to socksend_tls_clienthello(), which creates errors. This commit fixes the problem by removing the extra comma.
2018-01-26 16:49:08 -05:00
Dirk c1d75f65ce polish screen output for (extended) keyusage 2018-01-26 17:02:00 +01:00
Dirk 61764f332c Fix error where cipherlist checks run always 2018-01-26 15:57:42 +01:00
Dirk efbc1a4e92 Minor changes on id and findings
``run_tls_fallback_scsv()`` was upgraded to the new scheme.

It also changes a couple of more functions using a variable ``$jsonID`` instead
of a repeating fixed value for `fileout()`.

Also some it adds some ``fileout`` calls which were missing.
2018-01-25 17:35:47 +01:00
Dirk Wetter c8178b03d9
Merge branch '2.9dev' into extract_certificates_function 2018-01-25 16:39:30 +01:00
Dirk Wetter 513d21244f
Merge branch '2.9dev' into new_json_for_serverdefaults 2018-01-25 15:49:44 +01:00
Dirk ed4262f74f Further changes to JSON ID + finding for JSON, std cipherlists
In the sense of the previous commits this one adds
further changes to the JSON output parameters ID and findings.
Findings in JSON are now more crunchy and don't repeat parts
of ID. Also ID changed so that it is more reflecting what
has been tested.

As the cipherlist checks in the beginning have been less
and less to do with the OPsnSSL standard lists
a change to remove the word "standard" was long overdue.
That has been addressed now alos in the code and in the
JSON/CSV output.

$HOSTCERT has now an .pem file extension. $HOSTCERT_TXT
will contain the text putput of the x509 openssl operation
on the certificate which enables testssl.sh to remove
some of the redundant "openssl x509 -in $HOSTCERT -text"
calls.

fileout <somestrings> has not been consistently replaced
by fileout $jsonID yet.
2018-01-25 15:05:57 +01:00
David Cooper 288175a61f Define extract_certificates() function
This PR defines an extract_certificates() function in order to remove some redundant code from get_server_certificate(). Currently, nearly identical code appears in two places in get_server_certificate() to extract certificates from the output of `$OPENSSL sclient`, in one place for SSLv2 responses and in another for SSLv3 through TLSv1.2. The code to get the certificates used with TLSv1.3 (see https://github.com/dcooper16/testssl.sh/tree/extended_tls_sockets) would have added a third place where this same code would be needed. This PR allows the code to be written once and used in all three places.
2018-01-23 10:16:43 -05:00
Dirk 1cec0181af More changes ID + Finding for JSON outside server defaults
This commit just adds more changes to those two parameters.
It is not completely done yet (see downgrade protection via SCSV).

Also json_prefix was changed to jsonID. The complete change of the fist
fileout field is pending.
2018-01-23 15:16:05 +01:00
Dirk Wetter cd45a2ec19
Merge pull request #969 from drwetter/keyUsage
Key usage
2018-01-23 12:10:07 +01:00
Dirk c4e4720133 slight contextual rearrangements for help() 2018-01-23 11:49:53 +01:00
Dirk 8327171935 simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00
Dirk 0ec5586dfb Changing JSON objects in server defaults ATTENTION: breaking change!!
The server default run had several JSON objects which weren't, looking at just
    the ID, either clear or contained a redundant explanation in "finding". Purely
    certificate related JSON objects are now having the id "cert_<object>" like
    cert_CN or cert_SAN.

    This commit changes all this, also it avoids another colon in finding (see #830).

    Also the implicit strategy "output for the screen s followed by only one output with
    fileout" has been relaxed -- which results on more, better parsable JSON objects.

    Some example of the changes:

    Old:
    ----
    {
        "id"           : "Server Certificate #1 fingerprint",
        "severity"     : "INFO",
        "finding"      : "Fingerprints / Serial: SHA1 2940BC13ECF7DAF30B9084CC734C3B971D73B3BB / 01BFD1DC15006E0ABBA7C670FF5E1101, SHA256 30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6
    EFA9919C7F49CCF"
    }
    [..]
    {
        "id"           : "Server Certificate #2 ocsp_stapling",
        "severity"     : "OK",
        "finding"      : "OCSP stapling : offered"
    }

    New:
    ----
    {
        "id"           : "cert_key_size <cert#1>",
        "severity"     : "INFO",
        "finding"      : "Server keys 2048 bits"
    },{
        "id"           : "cert_fingerprint_SHA1 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "2940BC13ECF7DAF30B9084CC734C3B971D73B3BB"
    },{
        "id"           : "cert_fingerprint_SHA256 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6EFA9919C7F49CCF"
    },{
        "id"           : "cert_serial <cert#1>",
        "severity"     : "INFO",
        "finding"      : "01BFD1DC15006E0ABBA7C670FF5E1101"
    }
    [..]
    {
            "id"           : "OCSP_stapling <cert#2>",
            "severity"     : "OK",
            "finding"      : "offered"
    }

    This PR also fixes the JSON output where for "OCSP must staple" the id was just
    'id"           : "OCSP must staple: ocsp_must_staple",' for multiple server
    certificates without the certificate number.

    As far as the code is concerned: $json_prefix should be a variable which is
    used for the id object.  If there was more then one certificates for a single
    host  detected, $json_postfix carries the certificate number.

    Unit tests need to be fixed -- if possible.
2018-01-22 23:56:03 +01:00
Jack Stevens 4cca15027d
Fix typos in HSTS tests: days -> seconds 2018-01-22 22:46:48 +00:00
Dirk f5c2199369 Polishing #965
Add fileout() to #965. This commit also contains a change which needs
to be commited before: separation of ``json_prefix`` from ``json_postfix``.

Open issue: sed in openssl x509 statments look GNUish ([ \t]). Needs clarification.
2018-01-22 19:50:50 +01:00
David Cooper f0c9875696 Check keyUsage and extended key usage extensions
This commit prints the contents of the keyUsage and extended key usage extensions in certificates and checks the public keys in the certificates are not being used in a manner that is inconsistent with these extensions.
2018-01-19 11:36:22 -05:00
David Cooper db0efc48b5 run_tls_fallback_scsv() improvements
This PR is intended to improve the functionality of run_tls_fallback_scsv().

The original goal of this PR was to address servers that support TLSv1.3 when using OpenSSL 1.1.1. That does not seem to be an issue, as using `$OPENSSL s_client` with the `-no_tls1_2` flag results in a TLSv1.1 ClientHello, even if `$OPENSSL` supports TLSv1.3. However, if the server supports TLSv1.3, then a message that says "No fallback possible, TLS 1.2 is the only protocol (OK)" isn't entirely correct.

The main issue this PR fixes is some false positives in servers that do not support TLSv1.2. On a few servers that I tested, the current code incorrectly reports "Downgrade attack prevention NOT supported." Some of the servers only support TLSv1, so it should report that fallback is not possible. Another server supports TLSv1.1 and TLSv1, and it supports fallback protection. In both cases, the current code produces a false positive, since it assumes that TLSv1.2 is supported.
2018-01-19 11:19:13 -05:00
Dirk 7a10e5514f add a comment for STARTTLS + TLS 1.3
related to David's comment in https://github.com/drwetter/testssl.sh/pull/958#issuecomment-358990186
2018-01-19 16:35:28 +01:00
David Cooper 58d495e249
Fix #962
This commit fixes issue #962 by reordering the items in fileout_json_section() to match the order in which the tests are called in lets_roll().
2018-01-19 09:54:21 -05:00
Dirk Wetter bce69e8583
Merge pull request #961 from tissieres/2.9dev
Certificate-based auth host scanning produces invalid JSON output
2018-01-19 14:10:29 +01:00
Dirk Wetter 966ef3286e
Merge pull request #958 from dcooper16/tls13_draft23
Add support for TLSv1.3 draft 23
2018-01-19 12:55:43 +01:00
Cédric Tissières e0d6bb3aba Certificate-based auth host scanning produces invalid JSON output 2018-01-18 14:30:22 +01:00
David Cooper 42bea1d0cf
TLSv1.3 related bugfix
In three different places there is a line that is supposed to check whether the list of ciphers to be tested contains any TLSv1.3 ciphers. This check currently fails if there is only one TLSv1.3 cipher in the list and it is the first cipher in the list. This commit fixes the problem.
2018-01-17 11:06:21 -05:00
David Cooper 7387f87597 Add support for TLSv1.3 draft 23
This commit adds support for draft 23, which contains 2 changes that are relevant for testssl.sh. It adds a few new values for the signature_algorithms extension and it changes to extension number for the key_share extension from 40 to 51.

With the change in the extension number, it is no longer possible to send a single ClientHello that works for all supported drafts of TLSv1.3. (I tried sending a ClientHello with two key share extensions, 40 and 51, but that didn't work.) So, this commit adds a test to determine_optimal_proto() to determine whether TLSv1.3 is supported and if so whether draft 23 is supported or only some earlier draft (18-22). In subsequent tests, the ClientHello uses the appropriate number for the key share (40 or 51) and specifies the appropriate draft version(s) in the supported_versions extension (either 23 or 18-22). In the case of run_protocols() the test for each draft version uses the appropriate key share extension number so that servers that support both draft 23 and an earlier draft can be detected.
2018-01-17 10:56:48 -05:00
Dirk b0f4253ff2 add X-Permitted-Cross-Domain-Policies 2018-01-14 12:22:06 +01:00
Dirk 77071bf50d a few IBM data power headers added 2018-01-11 17:28:48 +01:00
Dirk a3b4609d24 make 0964cbc5d3 easier in execution (session resumption) 2017-12-31 21:10:41 +01:00
Dirk 0964cbc5d3 OpenSSL 1.1.1 seems to have changed the behaviour regarding Session ID
support. If the server doesn't supply an session identifier the file
is just empty.

This commit fixes that by adding a separate case for OpenSSL 1.1.1
and an empty file. It is deliberately only changing this as this
was tested to work.

It is prelimary and a save-the-work-patch as it might be better
to catch this earlier.
2017-12-31 11:49:25 +01:00
Dirk 75e9add0f1 make ID for session_resumption_id common (allo lowercase) 2017-12-31 09:12:16 +01:00
Dirk c4c8ff4434 fix needed answer "YES" in protocol section 2017-12-29 23:14:14 +01:00
Dirk 85c470fcdc Merge branch 'jp-host+port' into 2.9dev 2017-12-27 10:14:21 +01:00
Dirk 0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
Dirk 9981d76879 Move target host + port to different JSON (pretty) object
For JSON pretty the host specific parameters target host + port
could be better placed in the scanResult object.

It is still under discussion as logically the parent object is deduced
the command line.
2017-12-25 17:42:27 +01:00
Dirk Wetter eeaceb2845
Merge pull request #949 from dcooper16/run_crime_ossl111
run_crime() and OpenSSL 1.1.1
2017-12-25 16:56:03 +01:00
Dirk 7a1fb66957 Further (slight) update on cipher quality coloring
TLS_RSA_* which don't fall into the aleady mentioned
    categories (CBC cipher, export, RC4 etc.) are now
    a bit more more penalized. Those are the ones which have
    an RSA key exchange AND a modern encryption.

    pr_cipher_quality() needs to be redone after carefully
    reconsidered which cipher should have which rating.
2017-12-25 14:55:12 +01:00
Dirk 85fa5f4fa9 Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-12-25 14:17:06 +01:00
Dirk 8fbbb211b9 Fix error where a ECDHE-GCM cipher was labeled low
FIX #953
2017-12-25 14:15:17 +01:00
David Cooper 581b7cf579
run_crime() and OpenSSL 1.1.1
This PR is similar to #944. If using OpenSSL 1.1.1 to connect to a server that supports TLSv1.3, `run_crime()` will connect to the server using TLSv1.3, which does not support TLS-level compression. So, the server will be reported as "not vulnerable" even if would use compression for connections at TLSv1.2 and below.

I have not encountered any "live" servers that support both TLSv1.3 and TLS-level compression. I verified this problem by using OpenSSL 1.1.1 to create a server that supports both TLSv1.3 and TLS-level compression:
```
openssl111 s_server -cert cert.pem -key key.pem -accept 8443 -WWW -comp
```
I then tested the server using `testssl.sh --crime` with both openssl111 and OpenSSL 1.0.2-chacha.
2017-12-21 11:22:08 -05:00