Commit Graph

3578 Commits

Author SHA1 Message Date
Magnus Larsen b4ad0d2425 Less aggresive TLS_FALLBACK_SCVS checks 2020-04-17 15:31:29 +02:00
Dirk Wetter d9f2ca80d6 fix conditional statement (regression) 2020-04-17 14:54:11 +02:00
Dirk Wetter 2c10676e03 Output polish, minor code polish to grading
... and squash the TLS 1.2 grading cap for TLS 1.3 only server
2020-04-17 14:49:35 +02:00
Dirk Wetter 359965dc17 First round of polishing @magnuslarsen's contribution
* instead of DISABLE_GRADING we use do_grading as for run_* functions we currently don't
  support global variables
* Add AEAD cipher set_grade_cap (needs to be tested though)

* remove redundant quotes
* be to be safe add double quotes at other places
* Fix typos
* Polishing output

Tasks (not complete):

* Review whether it is rated as intended
* Do we want to mofify SSL Lab's rating? (SSLv3 e.g., T for SHA1 certificate?)
* Does JSON output work?
* TLS 1.3 only server are not rated properly --> wait for SSLlabs?
* SWEET32: rating refers to TLS 1.1 atm. SSLlabs docu doesn't give a hint
  (is their docu incomplete?)
* Rating for STARTTLS at all?
2020-04-17 13:24:32 +02:00
Dirk Wetter 64735d0241 Remove env variable DISABLE_GRADING
as for run_* functions we currntly don't have that.

Also AEAD as WIP we can remove that from the doc
2020-04-17 13:22:30 +02:00
Dirk Wetter 9de5421e5c Merge branch 'grading_dev' of git://github.com/magnuslarsen/testssl.sh into magnuslarsen-grading_dev 2020-04-17 10:52:44 +02:00
Dirk Wetter e0d7945c8a
Merge pull request #1570 from petecooper/3.1dev
README version bump for .zip download
2020-04-15 17:16:06 +02:00
Pete Cooper 0a1b632ddc
Update Readme.md
Bump version for zip download
2020-04-15 16:10:11 +01:00
Magnus Larsen e4cef5438d Added grading based on ssllabs 2020-04-15 15:06:08 +02:00
Dirk Wetter 8ce781c71d
Merge pull request #1567 from drwetter/renamed_to_fs
Rename PFS/perfect forward secrecy - ->  FS/forward secrecy
2020-04-14 20:21:52 +02:00
Dirk Wetter 150fd156bb
Merge pull request #1565 from drwetter/cvs_remove
Polishing
2020-04-14 16:41:50 +02:00
Dirk Wetter 8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk 67cfe013b1 Polishing
* remove CVS variables
* add 2x https links instead of http in code doc
2020-04-14 13:35:26 +02:00
Dirk Wetter 663d592466
Merge pull request #1526 from dcooper16/fix1514
Fix #1514
2020-04-14 12:52:38 +02:00
Dirk e345abb023 Merge branch 'multiflexi-3.1dev' into 3.1dev 2020-04-13 23:01:15 +02:00
Dirk ae7b74cf73 Tuning multiflexi's fixes 2020-04-13 22:59:13 +02:00
Dirk Wetter 9d2901edd0
Merge pull request #1471 from drwetter/docu_update
Documention update
2020-04-09 19:57:10 +02:00
Jaroslav Svoboda 7eba0fbb41 FIxed links
Links in comments with http:// changed to https://. Some non working links fixed.
2020-04-09 16:18:33 +02:00
David Cooper 04e51db402 Fix #1514
This commit is an attempt to fix #1514. The commit is mostly based on a suggestion at https://unix.stackexchange.com/questions/57940/trap-int-term-exit-really-necessary. Even with that change, it seemed that if testssl.sh were in the middle of executing run_cipher_per_proto() when it received a signal, it would not stop until that function had completed. This seems to have something to do with subshells. Changing the while loop in run_cipher_per_proto() seems to have fixed that issue. So, I also made similar changes to the while loops in prettyprint_local().
2020-04-02 08:03:45 -04:00
Dirk Wetter dbff4a3706
Merge pull request #1554 from dcooper16/align_run_cipherlists
Align run_cipherlists() with pr_cipher_quality()
2020-04-02 13:53:54 +02:00
Dirk Wetter f16c7af687
Merge pull request #1553 from dcooper16/pr_cipher_quality_gost
Handle GOST ciphers in pr_cipher_quality()
2020-04-02 13:53:28 +02:00
Dirk Wetter d5d702104f
Merge pull request #1556 from dcooper16/fix1551
Fix #1551
2020-04-01 22:28:25 +02:00
David Cooper b6050e68de Fix #1551
This commit fixes #1551 by changing get_cipher() to recognize RFC names that begin with SSL_*. It also modifies run_beast() so that it does not get stuck in an infinite loop if get_cipher() doesn't return a valid cipher name.
2020-04-01 13:34:29 -04:00
David Cooper 08d5146223 Align run_cipherlists() with pr_cipher_quality()
This commit modifies run_cipherlists() to align with pr_cipher_quality().

The biggest change made by this commit is that it breaks the current list of STRONG ciphers into two lists: one for AEAD ciphers that offer forward secrecy (STRONG) and one for AEAD ciphers that do not offer forward secrecy (GOOD).

The remaining changes are just minor tweaks:

* A few ciphers that use MD5 are moved from AVERAGE and 3DES to LOW.

* '!AECDH' was added to the OpenSSL description for LOW to catch one cipher in OpenSSL 1.0.2-chacha that offers no authentication that was being included in the LOW list.

This commit also changes sub_cipherlists() to change the output when a cipherlist with a rating of 6 is not present. There was a "FIXME" associated with this output, but it didn't matter before since there were no cipherlists with a rating of 6.
2020-04-01 11:27:24 -04:00
David Cooper 40dfd8b53b Handle GOST ciphers in pr_cipher_quality()
This PR modifes pr_cipher_quality() as proposed in #1548 so that GOST ciphers are handled correctly. It changes pr_cipher_quality() so that the OpenSSL name is used in cases in which no RFC name is defined. It also adds a case statement for GOST so that GOST ciphers (that do not use MD5 or Null encryption) are marked as pr_svrty_low (as they are in run_cipherlists) rather than just being assigned the default rating (5).
2020-04-01 11:18:50 -04:00
Dirk Wetter 061732a5fb
Merge pull request #1552 from drwetter/drwetter-patch-1
Badges from shields.io / Monitoring Links
2020-04-01 12:41:16 +02:00
Dirk Wetter 333ccdfb41
Badges from shields.io / Monitoring Links 2020-04-01 12:40:56 +02:00
Dirk Wetter d32743b2eb
Merge pull request #1548 from dcooper16/adjust_pr_cipher_quality
Adjust pr_cipher_quality ratings
2020-03-31 14:09:47 +02:00
David Cooper 72dae035b5 Remove redundant entries
This commit removes two entries from a "case" test that were already covered by a previous entry.
2020-03-25 16:07:22 -04:00
David Cooper e15aea4790 Modify pr_cipher_quality to handle ARIA
This commit fixes the way pr_cipher_quality handles the OpenSSL names of some ARIA ciphers that either provide no authentication or that use CBC padding.
2020-03-25 15:57:00 -04:00
David Cooper d177a90bbe Adjust pr_cipher_quality ratings
This commit makes several changes to the way that ciphers are rated by pr_cipher_quality:

* It upgrades SEED ciphers to considered as strong as the corresponding AES ciphers.

* It downgrades ciphers that use AEAD, but that use a non-FS key exchange (TLS_DH_*, TLS_ECDH*, TLS_PSK_WITH_*) from best to good, thus giving them the same rating as AEAD ciphers that use static RSA (TLS_RSA_*).

* It downgrades some CBC ciphers to low (4) that are currently rated as neither good nor bad (5).

* It modifies the ratings created using OpenSSL names to provide the same ratings as those created using RFC names.
2020-03-25 15:28:08 -04:00
Dirk Wetter 8ff45208c3
Merge pull request #1546 from dcooper16/display_ciphernames_bug
Fix bug in setting DISPLAY_CIPHERNAMES
2020-03-25 18:28:03 +01:00
David Cooper 5ab73d1a1a Fix bug in setting DISPLAY_CIPHERNAMES
The permitted values for $DISPLAY_CIPHERNAMES are "rfc-only", "openssl-only", "openssl", and "rfc". However, get_install_dir() incorrectly sets $DISPLAY_CIPHERNAMES to "no-rfc" if it cannot find the $CIPHERS_BY_STRENGTH_FILE. ("no-rfc" is the string users would specify at the command line for the --mapping option, but not the value that $DISPLAY_CIPHERNAMES is set to internally).
2020-03-25 12:53:28 -04:00
Dirk Wetter 1e94d5a2f6
Merge pull request #1544 from mkauschi/replace-printf-with-tm_out
Replace printf with tm_out
2020-03-24 10:56:10 +01:00
manuel 31a9dafe94 replace printf with tm_out one further place 2020-03-23 17:39:14 +01:00
manuel e7c89cb264 replace printf with tm_out 2020-03-23 16:53:32 +01:00
Dirk Wetter 3a003d9ab9
Merge pull request #1538 from mkauschi/fix_bug_with_basicauth_generation
Fix basicauth bug where a newline is added to the user:password string before encoding
2020-03-18 14:51:18 +01:00
manuel 7fffe53d0a replace echo with the safe_echo function 2020-03-18 13:53:58 +01:00
manuel 1a3c01899f fix basicauth bug where a newline was added to the user:password string 2020-03-17 14:34:00 +01:00
Dirk Wetter 32df6b8bef
Merge pull request #1533 from drwetter/breach_output31
Fix output for BEAST when no SSL3 or TLS
2020-03-07 12:16:11 +01:00
Dirk 8242607d94 Fix output for BEAST when no SSL3 or TLS
LF added
2020-03-06 22:06:13 +01:00
Dirk Wetter 9cd4cf3eb9
Merge pull request #1531 from dcooper16/fix_typo_emphasize_stuff_in_headers
Fix typo in emphasize_stuff_in_headers()
2020-03-06 21:28:28 +01:00
David Cooper 58353d3522 Fix typo in emphasize_stuff_in_headers()
This commit fixes a typo in emphasize_stuff_in_headers() wherer ${yellow} was used rather than ${html_yellow} in the creation of the HTML output.
2020-03-06 14:25:07 -05:00
Dirk Wetter 5aadc1951d
Merge pull request #1523 from drwetter/pwdfix3.1
Avoid external "/bin/pwd"
2020-03-06 14:59:15 +01:00
Dirk Wetter 6f02101ae0
Merge pull request #1499 from dcooper16/fix_printing_percent
Fix printing percent characters
2020-03-06 14:35:31 +01:00
David Cooper 37dbe14def Fix printing percent characters
As noted in #1481, testssl.sh has a problem with printing percent ('%') characters.

At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by 8a2fe5915a. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated.

This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI.
2020-03-06 08:28:52 -05:00
Dirk Wetter 466f08c846
Merge pull request #1481 from dcooper16/fix_html
Fix HTML generation
2020-03-06 13:40:41 +01:00
Dirk Wetter 0469d6a2b1 Avoid external "/bin/pwd"
.. as it may not be available everywhere, see #1521 (NixOS).

This commit replaces all instances from pwd or /bin/pwd by $PWD.
It is a bash internal and the fastest. Also it added some quotes
to PWD a it may contain white spaces in the future (currently
there's a check for it that it won't)
2020-03-06 13:24:56 +01:00
Dirk Wetter b8d1a3506a
Merge pull request #1525 from drwetter/update_template
Update ISSUE_TEMPLATE.md
2020-03-06 13:01:03 +01:00
Dirk Wetter 9f1fa04e07
Update ISSUE_TEMPLATE.md 2020-03-03 21:18:09 +01:00