* the ignore ~/.digrc option from dig is now parsed from the builtin help
* there was a potential DNS call which is now avoided
* for +noidnout check however there's a call to invalid. added
* the OPENSSL_CONF="" in check_resolver_bins() was moved a few lines
higher to avoid other errors in the terminal
Tested on (EOL) Ubuntu 14.04 which only has dig in an older version
See also #1950
This commit fixes#1961 in the 3.1dev branch by leaving NODEIP set to the server's IP address rather than changing it to the DNS name in the case of STARTTLS XMPP.
In order to address the problem of $OPENSSL s_client not working with STARTTLS XMPP if an IP address is provided to -connect, the -xmpphost option is used to provide the DNS name.
The fact that debugme1() redirects to stderr and the calls to this functions
redo that is deliberately as in the future we might want to use debugme1
without redirection.
... to address #1956 and other places. Similar to #1957,
only for the 3.1dev rolling release branch.
Also it changes debugme1() back? to output debug
statements only when $DEBUG >= 1. Per default here
also stderr is used.
get_server_certificate() includes a few calls to tls_sockets() in which the response will be TLS 1.3 and in which the response will be useless if it cannot be decrypted (since the goal is to obtain the server's certificate). So, these calls to tls_sockets() should specify "all+" rather than "all".
This commit changes run_server_defaults() so that the test for certificate compression is not run in --ssl-native mode. This fixes an issue that was caught by 21_baseline_starttls.t.
This commit adds a check for whether the server supports certificate compression (RFC 8879). If it does, then the list of supprted compression methods is output in the server's preference order.
If the order of the cmdline is '-U --ids-friendly' then we need to make sure we catch --ids-friendly. Normally we do not,
see #1717. The following statement makes sure. In the do-while + case-esac loop the check for --ids-friendly will be
executed again, but it does not hurt
Newer dig versions have an option to ignore $HOME/.digrc, older don't.
This commit adds a patch checking for the availability of such an option and
uses it by default. See #1894 .
If this option doesn't exist then still dig is used and can still lead to
wrong output. Unfortunately Debian-based distros are not very
good at this. Debian 10, Ubuntu 18.04 still use dig 9.11, whereas
Opensuse 15.2 has 9.16. Debian 11 and Ubuntu 20.04 use that too.
This commit adds a new function, print_n_spaces(), which prints a sequence of (up to 80) space characters.
This new function is used to replace a few places in testssl.sh in which a sequence of space characters is printed by calling 'out " "' in a loop. The new function is much faster than the current code, so it will make testssl.sh run slightly faster.
As mentioned in #1931 the port detection for nmap greppable files
leaves space for improvements.
Ths PR adds a pattern detection of ssl and https in the forth or fifth
parameter of an open port, so those ports will be added to a scan when
a nmap greppable output file is as input to testssl.sh .
Also it does minor code adjustments to utils/gmap2testssl.sh .
.. mainly copied from testssl.sh. Also it adds a detection for the
strings ssl and https. If those run at non-stanadard ports but nmap
detected it, it'll show up in the output file.
That will be backported to the main program, see #1931 .
This addresses a bug filed in #1935 in 3.1dev when the supplied file
has a .txt extension. In this scenario the input file was nulled
as from the input file in nmap format an internal input file was
generated which has a .txt extension, in the same directory.
The idea was to persist the file for the user.
Now, this internal input file is ephemeral and only written to $TEMPDIR.