mirror of https://github.com/drwetter/testssl.sh.git synced 2025-07-18 03:31:58 +02:00
Commit Graph

1671 Commits

Author SHA1 Message Date
e7e9a3ed66 addressing before has been addressed 2017-02-24 16:26:22 +01:00
4361bb7cce housekeeping/ cleanup 2017-02-24 16:22:59 +01:00
b4f59e91be FIX 2017-02-23 17:19:52 +01:00
8919b419e5 Merge pull request from dcooper16/wrap_long_lines
Wrap long lines in display_rdns_etc()
2017-02-21 22:51:24 +01:00
6457775b5f Merge pull request from dcooper16/fix643
Fix issue 
2017-02-21 22:46:34 +01:00
191d19be32 Use egrep -v to remove unwanted lines 2017-02-21 15:47:59 -05:00
5aaf78cff6 Fix issue
It seems that the head command on OS X does not accept a negative number as a value for the "-n" parameter. This PR provides an alternative method for removing the "generator:  " line without using "head."
2017-02-21 15:22:47 -05:00
c3d59b655f Add $CORRECT_SPACES to indentation 2017-02-21 13:46:59 -05:00
62db2ae6bf Wrap long lines in display_rdns_etc()
Some sites have a long list of IP addresses and some IP addresses have a long list of DNS names that map to them.

This PR changes `display_rdns_etc()` to use `out_row_aligned_max_width()` to print the other IP addresses in `$IP46ADDRs` and to print `$rDNS`.
2017-02-21 13:36:23 -05:00
be079acb5e - collect more TLS extensions 2017-02-21 11:16:14 +01:00
34053e27cd Merge branch '2.9dev' of github.com:drwetter/testssl.sh into 2.9dev 2017-02-21 08:50:46 +01:00
0ce7a3b7d2 see diff ;-) 2017-02-21 08:50:09 +01:00
6b90152f52 Merge pull request from dcooper16/must_staple
OCSP must staple
2017-02-20 12:31:16 +01:00
52a0d44b90 Merge pull request from dcooper16/print_negotiaed_cipher
Printing Negotiated cipher
2017-02-20 11:46:24 +01:00
bfbaba4ea7 - trying to address . Better a bit pessimistic here... 2017-02-20 09:44:52 +01:00
c284185c56 - try to address 2017-02-18 13:22:17 +01:00
8c607d425e OCSP must staple
RFC 7633 introduces the TLS Features certificate extension, which contains "Features:
> The object member "Features" is a sequence of TLS extension identifiers (features, in this specification's terminology) as specified in the IANA Transport Layer Security (TLS) Extensions registry.  If these features are requested by the client in its ClientHello message, then the server MUST return a ServerHello message that satisfies this request.

The main purpose of this certificate extension is to implement "must staple." If the extension is present in a TLS server's certificate and it includes status_request, then the server MUST include a stapled OCSP response if the client requests one. (The same applies for the status_request_v2 extension.)

This PR adds a check to `certificate_info()` of whether the server supports must staple (i.e., whether its certificate includes a TLS Features extension with "status_request"). It also changes the output for "OCSP stapling" in the case that the server did not staple an OCSP response. It indicates that:
* it is a critical issue if the certificate specifies "must staple"
* it is a low severity issue if the certificate does not specify "must staple," but the certificate does include an OCSP URI.
* it is not an issue at all if the certificate does not specify "must staple" and certificate does not include an OCSP URI.
2017-02-17 15:20:37 -05:00
a26425af71 Printing Negotiated cipher
`run_server_preference()` prints out the server's Negotiated cipher in a different color depending on the quality of the cipher. However, there is a "FIXME" since CBC ciphers are supposed to be flagged, but it is not easy to identity all CBC ciphers from their OpenSSL names.

This PR partially addresses this. It creates a separate function for printing a cipher based on its quality. Whenever possible it determines the quality of the cipher based on the RFC name. However, if it is provided an OpenSSL name and no cipher-mapping.txt file is available, it will follow the current (imperfect) logic for determining the cipher's quality.

The function also returns a value that indicates the quality of the cipher provided, with higher numbers indicating better ciphers. This return value is used by `run_server_preference()` to determine how to populate the "severity" field when calling `fileout()`.
2017-02-17 11:20:11 -05:00
d2cbbaf0b1 - FIX
- polish
2017-02-16 19:10:59 +01:00
a973386c0a Merge pull request from dcooper16/run_protocols_bugfix
run_protocols() bug fix
2017-02-15 19:44:53 +01:00
c204a0b942 --proxy=auto takes now the value from https_proxy
- made DNS lookups safe (CNAME) and awk'd them almost completely ;-)
- invocation of just testssl.sh shows help again
2017-02-15 19:40:06 +01:00
2456c80821 Fix early newline
In the case that `tls_sockets()` is being used and the server incorrectly fails the connection rather than downgrading, testssl.sh is printing "not offered" on one line and then the error message on the next line, but all the text should appear on one line (as it does when testing TLS 1 and TLS 1.1).
2017-02-15 11:47:11 -05:00
efdb8c036d Merge branch '2.9dev' into run_protocols_bugfix 2017-02-15 08:45:01 -05:00
502601c95e Merge pull request from k0ste/2.9dev_newfeature
DNS CAA: drill query support.
2017-02-15 14:01:36 +01:00
cdc5e89b64 DNS CAA: drill query support. 2017-02-15 19:50:08 +07:00
004cbad07b run_protocols() bug fix
Since the test for TLS 1.2 in `run_protocols()` now uses `tls_sockets()` whenever `$ssl_native` is `true` (i.e., there is no longer a requirement for `$EXPERIMENTAL` to be true as well), the `$EXPERIMENTAL` flag should no longer be checked if the return value is 1.
2017-02-14 16:43:46 -05:00
4b193119b3 - made CCS I more robust, FIX
- removed cats ;-) FIX 
2017-02-14 21:56:31 +01:00
422171a0fa - fixed bug where terminal width was not inherited in file batch mode so that terminal width appeared to be 80 chars
- hint when URI is missing
- PFS_CIPHERs rather locally
2017-02-14 20:40:38 +01:00
a22e4e5228 - fix heartbleed detection which sometimes caused false positives over slow connections like satellite links, partially addressing
- start revamping run_ccs_injection
- fix missing space in BEAST after protocol
2017-02-14 19:45:14 +01:00
67fb3feff8 Merge pull request from dcooper16/show_rfc_
Option to show RFC cipher names
2017-02-14 09:28:15 +01:00
1dc132c6a4 Option to show RFC cipher names
When a list of cipher suites is being displayed using `neat_list()`, testssl.sh shows the cipher suite's OpenSSL name and (in most cases) the RFC name as well. However, in all other cases only the OpenSSL name is shown.

This PR adds the option to have cipher suite's RFC names shown instead of the OpenSSL name, by including `--mapping rfc` in the command line. [Note: if the cipher-mapping.txt file cannot be found, then the `--mapping rfc` option is ignored and the OpenSSL names are shown.]

This PR seems to be related to issue , but  may have been referring to the output created by `neat_list()`.
2017-02-13 16:07:25 -05:00
971c8e8b63 Update Readme.md 2017-02-13 09:33:50 +01:00
c252d5ab28 Update Readme.md 2017-02-13 09:33:03 +01:00
7d6f1eb46f polishing , mostly make sure we automatically align to terminal width 2017-02-13 09:06:10 +01:00
21cd97b08a Merge pull request from dcooper16/format_long_lines
Wrap long lines
2017-02-13 08:52:07 +01:00
d2f688e925 CAA RR belongs also in JSON, see 2017-02-11 14:16:18 +01:00
8dabc28280 also made sure that all old dns binaries work (SLES 11, FreeBSD 9) 2017-02-11 14:01:51 +01:00
45379ce1f9 Fix subjectAltName indentation
The PR didn't account for the indentation of the subjectAltName differing depending on whether the server has one or more than one certificate.
2017-02-09 13:29:22 -05:00
c92131c072 Don't collect number of bits in run_pfs()
The `bits` array is no longer needed in `run_pfs()` since the information collected is not being used.
2017-02-09 11:45:29 -05:00
d4455081f0 Wrap long lines
This PR addresses the issue raised in . This PR is based on the function `out_row_aligned_max_width()` that I proposed in , but the `out_row_aligned_max_width()` in this PR is a little different. It takes a fourth parameter, which is the function to use to print each word in the text string to be printed. This is used in `run_pfs()` so that the "Elliptic curves offered" can be printed using this function (some servers support 25 curves), while still having the curves printed using color-coding to indicate the quality of each curve.

I somewhat arbitrarily have each line wrap at 120 characters, but that could be changed (e.g., to `$TERM_WIDTH`).
2017-02-09 11:36:24 -05:00
386aa92448 keep detected status of WSL / bash on windows in a variable, see also 2017-02-08 09:08:05 +01:00
0200100750 see 2017-02-08 08:58:28 +01:00
0b7e9b18b8 Merge pull request from teward/2.9dev
Attempt to force system binaries for WSL
2017-02-08 08:54:20 +01:00
0810f2a719 Merge pull request from dcooper16/handle_supported_groups
Handle renaming of the Supported Elliptic Curves Extension
2017-02-08 08:11:23 +01:00
0d993427a3 - enabling TLS 1.2 via sockets
- enabling sockets in run_protocols STARTTLS per default
- minor output polishing
2017-02-07 23:08:29 +01:00
6140aa8b8c Attempt to force system binaries for WSL 2017-02-07 15:59:09 -05:00
edb358b3e0 Merge pull request from dcooper16/rename_ephemeral_DH_ciphers
Rename cipher lists for run_logjam()
2017-02-07 17:51:07 +01:00
4fab1830cb Merge branch '2.9dev' into handle_supported_groups 2017-02-06 13:49:05 -05:00
f03ae865d8 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-06 13:48:35 -05:00
48e264a193 fixed regression 2017-02-06 17:47:17 +01:00