Commit Graph

3961 Commits

Author SHA1 Message Date
Dirk Wetter 31162d2320 typo / wording 2021-10-23 18:40:29 +02:00
Dirk Wetter a11bd1585e Improvement for testing curves with several openssl / libressl versions
As noted in #2016 the detection of curves in find_openssl_binary()
copuld be improved.

This commit removes another connect call. Also it corrects the port statement
for LibreSSL-like pre-checks as port 0 generally seems to me better suited.
Inline documentation was added.

It worked so far with openssl 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4.

This needs to be backported to 3.0.
2021-10-23 18:38:04 +02:00
Dirk Wetter 6251a6c1d6
Merge pull request #2016 from drwetter/fix_double_ports
Fix double ports statement
2021-10-23 16:02:04 +02:00
Dirk Wetter 82fc8e7431
Update feature_request.md 2021-10-21 11:01:13 +02:00
Dirk Wetter d5e761e9e9
Update bug_report.md 2021-10-21 11:00:44 +02:00
Dirk Wetter 93c1180f9d
Update feature_request.md 2021-10-21 10:56:27 +02:00
Dirk Wetter ff919df2e0
Update bug_report.md 2021-10-21 10:52:34 +02:00
Dirk Wetter 489b63e9dd
Merge pull request #2017 from drwetter/cab_is4browsers
Add browser requirement for the entropy of cert serial
2021-10-21 09:51:00 +02:00
Dirk Wetter 110d1aa73c Add browser requirement for the entropy of cert serial 2021-10-20 19:26:23 +02:00
Dirk Wetter 3140352b0c Fix double ports statement
In order to be in line with 3.0 this adds a statement to avoid double port
statements for WSL users in a precheck condition

   $OPENSSL s_client -groups $curve -connect 127.0.0.1:0:8443

This commit changes that to $OPENSSL s_client -groups $curve -connect 127.0.0.1:8443
which could cause a delay for WSL users and needs further investigation.

Not clear why port 8443 was chosen.
2021-10-20 09:01:09 +02:00
Dirk Wetter 79df758023
Merge pull request #2014 from drwetter/fix_len_certserialnum
Check cert serial len + fix output when too big
2021-10-20 08:58:46 +02:00
Dirk Wetter 2edfa57eaa Check cert serial len + fix output when too big
OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh
just output that which makes JSON invalid and displays the LF in the terminal
too.

This commit fixes that (#2010) by adding filters so that the
serialnumber is not a multiline string.

Also this commit introduces a new function: a size check of the cert serial.
Below 8 bytes the CAB Forum's lower limit is hit which says the *entropy*
from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes
length this requirement isn't possible to meet (needs to be clarified with
Shannon, 8 bytes seems to low to me).
  The high threshold is according to RFC 5280, Section-4.1.2.2 .

See also #2013.

The output has changed, so that on the terminal the serial has one line,
SHA1 and SHA256 each one line. The new json key is "cert_serialNumberLen".
2021-10-19 19:42:12 +02:00
Dirk Wetter 9683af44a2
Merge pull request #1988 from drwetter/windows_dns_fix
Addressing lame DNS responses on WSL
2021-10-18 16:52:35 +02:00
Dirk Wetter d496c0d44b
Merge pull request #2002 from smokris/1995-trusted-first
In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate
2021-10-07 18:03:20 +02:00
Steve Mokris 5c4500ea4f Initialize/reset the TRUSTED1ST variable, in case determine_optimal_proto() changes the active openssl binary partway through execution 2021-10-06 16:01:13 -04:00
Steve Mokris 0012adf47e Add a test to verify that expired.badssl.com's chain of trust is expired. 2021-10-05 13:53:58 -04:00
Steve Mokris c98bbdc36d In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate. Fixes #1995. 2021-10-05 13:45:26 -04:00
Dirk Wetter d720720150
Merge pull request #2005 from drwetter/fix_1992_certificateIssuerName
Fix invalid JSON when certificate issuer contains non-ASCII chars
2021-10-03 19:52:35 +02:00
Dirk a5aa3a4bbf Fix invalid JSON when certificate issuer contains non-ASCII chars
Changed printf %s to printf %b which cause now to output
UTF-8 correctly.

See #1992
2021-10-03 18:19:24 +02:00
Dirk Wetter b6b5a67b92 Save # of connects / WSL uses 127.0.0.1:0 by default
In order to save time and to spare WSL users lame DNS lookups
I removed a couple of connect calls from 14 to 4:

$OPENSSL s_client -ssl2 -connect invalid.
-->
OPENSSL s_client -ssl2

NXCONNECT to localhost IP and port 0 is now the default when WSL
is detected. Not sure whether this is working under all circumstances,
so this needs some testing.
2021-10-02 15:25:42 +02:00
Dirk Wetter 068e07c52c
Merge pull request #1997 from mig5/fix-letsencrypt-remove-dst-root-x3-ca-cert
Remove the expired DST Root CA X3 cert from all trust stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)
2021-10-02 08:38:34 +02:00
Dirk Wetter bab14124c1
Merge pull request #2001 from drwetter/revert-1998-1995-trusted-first
Revert "In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate"
2021-10-02 08:34:07 +02:00
Dirk Wetter e874c1013b
Revert "In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate" 2021-10-02 08:33:39 +02:00
Dirk Wetter 624e934f77
Merge pull request #1998 from smokris/1995-trusted-first
In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate
2021-10-02 08:33:03 +02:00
Miguel Jacq 905f801309
Remove the expired DST Root CA X3 cert from all trust stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)
Remove changes to Dockerfiles

Update hashes for CA trust stores
2021-10-02 08:05:56 +10:00
Steve Mokris b0754ce0f1 In determine_trust(), use the OpenSSL '-trusted_first' flag to ignore the now-expired DST Root CA X3 root certificate. Fixes #1995. 2021-10-01 16:24:04 -04:00
Dirk Wetter 667c6e698c
Merge pull request #1996 from dcooper16/fix_md_formatting
Update testssl.1.md
2021-10-01 18:02:03 +02:00
David Cooper 8b129577a7
Update testssl.1.md
testssl.1.md included '.SS "SINGLE CHECK OPTIONS"', which belongs in testssl.1, but not in testssl.1.md. This commit removes this extra line.
2021-09-30 14:09:17 -04:00
Dirk Wetter b8bff805f7
Merge pull request #1991 from klaernie/contenttype
fix html output content type header
2021-09-24 14:21:04 +02:00
Andre Klaerner 4f72f2fa8e fix html output content type header 2021-09-24 11:36:29 +02:00
Dirk Wetter ae21ef7eab
Merge pull request #1987 from drwetter/fix_1982_kali.cnf
Fix #1982: Newer openssl.cnf break openssl detection
2021-09-15 11:19:05 +02:00
Dirk Wetter fe6c22f7fd Addressing lame DNS responses on WSL (WIP)
This commit provides a global variable to the RFC 6761 use of "invalid."
which WSL clients doen't seem to handle very well, see #1738, #1812.

With this commit it e.g. is possible to use

     NXCONNECT=localhost:0 ./testssl.sh <TARGET>

to save some time.

This commit will be amended later.
2021-09-15 09:53:20 +02:00
Dirk Wetter 2405176a26 Fix #1982: Newer openssl.cnf break openssl detection
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses a
openssl.cnf provided by this project then.
2021-09-15 09:31:03 +02:00
Dirk Wetter 3207357e8c
Merge pull request #1985 from DimitriPapadopoulos/codespell
Typos found by codespell
2021-09-14 13:37:59 +02:00
Dimitri Papadopoulos fcb282e3c3
Typos found by codespell
Run codespell in CI
2021-09-14 13:33:39 +02:00
Dirk Wetter 3dddcbf445
Merge pull request #1983 from drwetter/drwetter-patch-1
Update bug_report.md
2021-09-10 18:37:43 +02:00
Dirk Wetter 611754165f
Merge pull request #1984 from drwetter/drwetter-patch-2
Update feature_request.md
2021-09-10 18:37:17 +02:00
Dirk Wetter 5fc23932ac
Update feature_request.md 2021-09-10 18:37:02 +02:00
Dirk Wetter 2f173de7e0
Update bug_report.md 2021-09-10 18:33:39 +02:00
Dirk Wetter 1d4acd9027
Merge pull request #1981 from drwetter/fix_1978
Fix minor inconsistency in description of cipher categories
2021-09-10 08:09:21 +02:00
Dirk 529e9da823 Fix GHA (starttls nntp)
using another IP
2021-09-09 23:17:09 +02:00
Dirk 15cfd849fe Replace --standard by --categories 2021-09-09 22:07:44 +02:00
Dirk 739f45015f Fix minor inconsistency in description of cipher categories
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.

This fixes that, including an addtion to the documentation.

Note: the help still lists "-s --std, --standard" as a cmd line
switch.
2021-09-08 08:46:47 +02:00
Dirk Wetter 8f20d11830
Merge pull request #1976 from ap-wtioit/3.1dev-fix_dig_r_check
Fix dig -r check to only run if dig is available
2021-09-06 10:19:41 +02:00
Andreas Perhab 5ec1f83434 Fix dig -r check to only run if dig is available 2021-09-06 08:35:00 +02:00
Dirk Wetter 15e6fb4c9c
Merge pull request #1975 from a1346054/fixes
WIP: Minor cleanup
2021-09-05 15:50:11 +02:00
a1346054 b1f5c6c9af Trim excess whitespace 2021-09-04 13:28:30 +00:00
a1346054 6782e2a3b9 Fix spelling 2021-09-04 12:39:03 +00:00
a1346054 1b17a2c67d Fix shellcheck warnings 2021-09-03 22:19:39 +00:00
a1346054 54dcecd184 Make text file not executable 2021-09-03 22:19:39 +00:00