Commit Graph

3961 Commits

Author SHA1 Message Date
Dirk Wetter e871bd0911 Polish PR #2032 + Additions
* address my comments
* add json fields HTTP_headerTime + HTTP_headerAge if they exists
* output HTTP_AGE if it was detected
* do stripping of line feeds closer to where variables were set
2021-12-10 14:27:30 +01:00
Dirk Wetter d6398c3167 Merge branch 'fixhttpclockskew' of https://github.com/Wahnes/testssl.sh into Wahnes-fixhttpclockskew 2021-12-10 12:06:19 +01:00
Dirk Wetter 2dce751bfa
Merge pull request #2055 from dcooper16/fix2053
Fix #2053
2021-12-09 17:03:57 +01:00
David Cooper ff8e9f49cc Fix #2053
This commit fixes #2053 by setting $FIRST_FINDING to false after a section footer is output.
2021-12-09 10:13:24 -05:00
Dirk Wetter 0118603401
Merge pull request #2064 from dcooper16/fix_json_headers
Fix JSON section headers
2021-12-09 13:16:50 +01:00
David Cooper e1600e3f62 Fix JSON section headers
This commit fixes two issues with the headers in the structured JSON output. First, if run_cipher_match() is performed the header this is used is "pretest" rather than "singleCipher". Second, the headers for "serverPreferences" and "fs" are swapped.
2021-12-08 14:13:10 -05:00
Dirk Wetter beac382673
Merge pull request #2063 from dcooper16/keyopts
Document $keyopts
2021-12-08 19:29:40 +01:00
David Cooper f2a4ee1090 Document $keyopts
Shellcheck complains on line 2234 that keyopts is referenced but not assigned and there is no explanation in the code (or in the documentation) why "$keyopts" is there. This commit adds a comment so that "$keyopts" isn't deleted as part of a code cleanup.
2021-12-08 11:50:35 -05:00
Dirk Wetter dc782a895c
Merge pull request #2059 from dcooper16/simplify_git_rel
Simplify extracting Git information
2021-12-08 11:50:55 +01:00
Dirk Wetter 187854bd60
Merge pull request #2061 from dcooper16/update_reset_hostdepended_vars
Update reset_hostdepended_vars()
2021-12-08 11:49:10 +01:00
David Cooper edbc66c78d Update reset_hostdepended_vars()
This commit adds several variables to reset_hostdepended_vars() that are not currently being reset for each host being tested, but that should be reset.
2021-12-07 14:45:19 -05:00
David Cooper 019c7fa57a Simplify extracting Git information
testssl.sh currently calls "git log --format='%h %ci' -1 2>/dev/null" three times. This commits changes testssl.sh to make this call just once and then use Bash string manipulation to extract the necessary information from the result.
2021-12-07 14:38:14 -05:00
Dirk Wetter 04b7e1e7c3
Merge pull request #2060 from dcooper16/shellcheck
Fix some Shellcheck issues
2021-12-07 20:26:00 +01:00
David Cooper d701e69e20 Fix some Shellcheck issues
This commit fixes a number of issues raised by Shellcheck and removes unnecessary quotation marks in a number of places.
2021-12-07 09:22:34 -05:00
Dirk Wetter 0eb73d949a
Merge pull request #2056 from drwetter/update_ua_sneaky
Update Firefox UA used in sneaky mode
2021-12-07 08:55:54 +01:00
Dirk Wetter 22272105c4
Merge pull request #2057 from mspncp/git-simplify-worktree-check
Simplify check for git working tree
2021-12-06 18:35:24 +01:00
Dr. Matthias St. Pierre 1e3f932932 Simplify check for git working tree
Sending the entire log to /dev/null is a rather expensive way of checking whether
we are inside a git working tree. Use `git rev-parse --is-inside-work-tree` instead.
2021-12-06 17:35:54 +01:00
Dirk Wetter 914dde501a Update Firefox UA used in sneaky mode
From FF 52 to FF 94.

Also one double quote was removed
2021-12-03 13:15:13 +01:00
Dirk Wetter f6571c7c76
Merge pull request #2050 from dcooper16/fix2049
Fix #2049
2021-11-30 11:19:44 +01:00
David Cooper 708cc672a2 Fix #2049
This commit fixes #2049 by converting newline characters to spaces in JSON and CSV findings.

fileout() calls newline_to_spaces() on the $findings that are to be written to JSON and CSV files. However, this only affects actual newline characters in the string, not escaped newline characters (i.e., "\n"). Escaped newline characters pass through this function unchanged, but then get converted to newline characters when they are written to the JSON and/or CSV files. This commit fixes the problem by also converting escaped newline characters ("\n") to spaces.
2021-11-29 14:36:29 -05:00
Dirk Wetter b40d38fc37
Merge pull request #2047 from drwetter/fix_badFileDescriptor
Fix for "Bad file descriptor" with --connect-timeout option
2021-11-28 18:11:36 +01:00
Dirk aca75822c1 Fix for "Bad file descriptor" with --connect-timeout option
This fixes #1834 and #1435.

The --connect-timeout option had the problem that under certain circumstances
like parallel mass scanning it didn't work. The culprit was that a subshell command
was used to connect to the target but the file descriptor wasn't exported.

The commit changes tha logic so that this connect is still done in a subshell
as a pre-check if it's possible to connect. If this fails it proceeds with
error handling if NR_SOCKET_FAIL is above threshold. Otherwsie it just connects
again.

When testing of the alexa 500 it worked for me(tm). It would be great if others
can give it a try.
2021-11-26 17:24:02 +01:00
Dirk Wetter f253920e92
Merge pull request #2044 from dcooper16/fix_sub_cipherlists
Fix sub_cipherlists()
2021-11-23 09:59:41 +01:00
David Cooper 6b7836d350 Fix sub_cipherlists()
This commit fixes a bug in sub_cipherlists() when using sockets to test whether a server supports a set of ciphers with SSLv2. Code that is supposed to extract the list of SSLv2 ciphers to test for is incorrectly reading from the list of non-SSLv2 ciphers.
2021-11-22 12:25:20 -05:00
Dirk Wetter 7e7458bff0
Merge pull request #2043 from dcooper16/shellcheck
Fix some Shellcheck issues
2021-11-16 17:28:14 +01:00
Dirk Wetter 92a0da1d75
Merge pull request #2042 from dcooper16/check_file_permissions
Check file permissions on ./testssl.sh
2021-11-16 17:25:38 +01:00
David Cooper 64d110f19d
Check file permissions on ./testssl.sh
This commit adds a check that ./testssl.sh has both read and execute permission. If ./testssl.sh is lacking execute permission, it will pass the tests in 00_testssl_help.t and 01_testssl_banner.t that run the program as `bash ./testssl.sh`, but will fail the subsequent tests that run the program as `./testssl.sh`, but the reason for the failure will not be clear.
2021-11-15 07:25:08 -05:00
David Cooper 80934c85e8 Fix some Shellcheck issues
This commit fixes a few issues found by Shellcheck.
2021-11-12 16:20:41 -05:00
Dirk Wetter 1b11575c28
Merge pull request #2040 from dcooper16/ossl31
Support OpenSSL 3.0.1-dev and 3.1.0-dev
2021-11-10 08:12:30 +01:00
Dirk Wetter 883d7bd237
Merge pull request #2039 from dcooper16/fix_debugme1_redirect
Fix calls to debugme1() with redirects
2021-11-10 08:09:22 +01:00
David Cooper f1df111a32 Fix calls to debugme1() with redirects
As noted in https://github.com/drwetter/testssl.sh/pull/1963#issuecomment-954935175, there are two places in which debugme1() is called in which the command to be run prints something to stdout, which is then redirected to a file. Now that debugme1() includes a redirect from stdout to stderr, these two lines do not work as expected. The output appears in the terminal and an empty file is created.

This commit fixes the issue by not using the debugme1() function in these two places.
2021-11-09 15:36:30 -05:00
David Cooper 095433774d Support OpenSSL 3.0.1-dev and 3.1.0-dev
This commit changes a few lines of code that checks OpenSSL version numbers to recognize 3.0.1 and 3.1.0 in addtion to 3.0.0.

According to https://www.openssl.org/blog/blog/2018/11/28/version, API/ABI compatibility is guaranteed for the same MAJOR version number (starting with version 3), so it should be sufficient to just check that $OSSL_VER_MAJOR is 3.
2021-11-08 08:04:34 -05:00
Dirk Wetter b7d6b7ca7b
Merge pull request #2034 from magnuslarsen/3.1dev
[Rating] Fix cipher rating, and add penalty for weak ciphers
2021-11-06 12:20:18 +01:00
Magnus Larsen 2b490bd3d3 Also calculate correct final score 2021-11-06 09:06:33 +01:00
Magnus Larsen cc25613138 [Rating] Fix cipher strength rating, and add penalty for weak cipher suites 2021-11-06 08:45:55 +01:00
Jens Wahnes 31c2ecfcb1 Consider HTTP 'Age' header field when calculating HTTP clock skew. 2021-11-01 19:08:37 +01:00
Dirk Wetter 75dd8fc89b
Merge pull request #2031 from dcooper16/fix2030
Fix 2030
2021-10-29 09:14:27 +02:00
David Cooper 3d9f109780
Fix 2030
Fix CI issue created by #2028 and by new certificate fingerprint.
2021-10-28 08:13:34 -04:00
Dirk Wetter b00e065546
Merge pull request #2028 from dcooper16/prioritize_chacha
Fix #1733
2021-10-28 09:09:53 +02:00
David Cooper 43f3b507c1 Fix #1733
This commit adds PrioritzeChaCha detection, as requested in #1733. If the server (1) enforces a cipher order for a given protocol, (2) supports at least one non-ChaCha cipher for that protocol, and (3) supports at least one ChaCha cipher that would normally be less preferred than the ChaCha cipher, then a test is performed to see if the server selects the ChaCha cipher if it is listed first in the ClientHello.
2021-10-27 13:53:30 -04:00
Dirk Wetter 1dc858dc90
Merge pull request #2026 from dcooper16/speedup_cipher_pref_check
Speedup cipher_pref_check()
2021-10-27 10:04:13 +02:00
Dirk Wetter 6f6eec25c1
Merge pull request #2025 from dcooper16/remove_extra_colon
Remove extra colon
2021-10-27 10:02:47 +02:00
David Cooper 15e3d61ddc Speedup cipher_pref_check()
While OpenSSL 1.0.2-chacha supports more than 128 cipher suites, other versions of OpenSSL tend to support far fewer than that.

Calling check_tls12_pref() adds to the run time of cipher_pref_check(), but is only needed if OpenSSL would otherwise send a ClientHello with more than 128 cipher suites. So, this commit adds another check and only calls check_tls12_pref() if the server has the size limit bug and OpenSSL supports more than 127 ciphers.
2021-10-26 15:56:08 -04:00
David Cooper d4606ad9f8 Remove extra colon
The code added by #2024 creates a cipher list with two consecutive colons. While this doesn't seem to be a problem, the commit removes the extra colon.
2021-10-26 15:43:01 -04:00
Dirk Wetter dc074ebdf1
Merge pull request #2024 from dcooper16/improve_cipher_pref_check
Improve cipher_pref_check()
2021-10-26 20:40:58 +02:00
David Cooper 2b752feea0 Remove unnecessary quotes 2021-10-26 12:05:36 -04:00
David Cooper 4536e933f9 Improve cipher_pref_check()
Some servers are configured to prioritize ChaCha ciphers if those ciphers are preferred by the client, even if the server is generally configured to use the server's cipher preferences rather than the client's. As a result of this, if a ChaCha cipher appears in the ClientHello before a non-ChaCha cipher, the server may select the ChaCha cipher even if the server is configured to prefer the non-ChaCha cipher.

In a few cases, e.g., cloudflare.com for TLS 1.2, this affects the ordering of the ciphers presented by cipher_pref_check(). This commit fixes the problem by having cipher_pref_check() (and check_tls12_pref()) always place any ChaCha ciphers at the end of the cipher list in the ClientHello. This ensures that cipher_pref_check() presents the ciphers in the server's preference order.
2021-10-25 14:28:51 -04:00
Dirk Wetter 1a66155c4a
Merge pull request #2022 from dcooper16/fix_s_client_options
Fix s_client_options()
2021-10-25 19:02:07 +02:00
David Cooper 00fb68f47c Fix s_client_options()
This commit fixes an error in s_client_options() when the function is called with an empty "-cipher" list and $OPENSSL supports "@SECLEVEL". This happens, for example, when ciphers_by_strength() is called for TLS 1.3.

The call to `openssl s_client` will fail is the cipher option is provided with an empty list or a list that just contains "@SECLEVEL=0". So, "@SECLEVEL=0" should only be added if the "$ciphers" list is non-empty. If "$ciphers" remains empty, then the "-cipher" option will not be added to the command line.
2021-10-25 12:15:13 -04:00
Dirk Wetter e36cfffb2c
Merge pull request #2020 from drwetter/improve_precheck_curves
Improve precheck for curves
2021-10-23 23:02:21 +02:00