Commit Graph

3961 Commits

Author SHA1 Message Date
David Cooper b2de5c4ac9 Merge branch '2.9dev' into print_two_CRL_or_OCSP_URI 2017-02-03 08:46:40 -05:00
David Cooper f273b5ed8c Merge branch '2.9dev' into handle_supported_groups 2017-02-03 08:45:40 -05:00
David Cooper da59ea11c2 Merge branch '2.9dev' into neat_list_camelliagcm 2017-02-03 08:44:36 -05:00
David Cooper 1079a05d42 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-03 08:44:07 -05:00
Dirk 925e1061b2 - renamed pr_svrty_minor --> pr_svrty_low to reflect the level literally
- minor polishing
2017-02-03 13:03:22 +01:00
Dirk b9232fd5d0 Fix TLS_FALLBACK_SCSV detection for non RFC compliants F5 loadbalancers. They pass now the test but get additonally penalized for their non compliance, see also https://github.com/drwetter/testssl.sh/issues/121#issuecomment-113790270 2017-02-03 11:47:21 +01:00
David Cooper e7c7e7ba19 Update fix to 587
In the revised code that was created to address #587, nothing is printed after "OCSP URI" if there is neither an OCSP URI nor a CRL URI. Instead, "--" should be printed.

I still believe that there is an inconsistency in the reporting of the output, however. At the moment, the "Certificate Revocation List" and "OCSP URI" lines indicate it is acceptable as long as the certificate contains either a CRL URI or an OCSP URI. However, the "OCSP stapling" line reports a minor finding if an OCSP response was not included in the server's reply. Shouldn't we just assume that if the certificate doesn't include an OCSP URI, then it wouldn't be possible for the server to obtain an OCSP response to staple to its reply? If so, then it seems that no OCSP stapling should only be considered a finding if an OCSP URI is present.
2017-02-02 15:52:32 -05:00
David Cooper e9d6ac8ad1 Fix Two CRL and/or two OCSP URLs
This PR fixes issue #601.

The fix for OCSP URLs was easy. I don't entirely understand the first `awk` command in the line to extract the CRL URLs, but I tested it on several certificates and it seems to work correctly (ensuring that the only "URI" lines in the input to the second `awk` command are from the CRL Distribution Points extension).
2017-02-02 13:04:49 -05:00
David Cooper 7a378c44dc Merge branch '2.9dev' into handle_supported_groups 2017-02-02 09:13:33 -05:00
David Cooper 898438ec17 Merge branch '2.9dev' into neat_list_camelliagcm 2017-02-02 09:12:42 -05:00
David Cooper a9ffc5f61f Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-02-02 09:12:03 -05:00
Dirk ec7aa2481a - SWEET32. Note this is still NOT COMPLETE (ciphers!) and needs more testing 2017-02-02 14:42:06 +01:00
AlGreed 4775515bd7 Merge branch 'drwetter/2.9dev' into 2.9dev 2017-02-02 09:16:22 +01:00
David Cooper f1eb3b85de Handle renaming of the Supported Elliptic Curves Extension
RFC 4492 introduced the Supported Elliptic Curves Extension, but this extension was renamed Supported Groups in RFC 7919. Following RFC 7919 (and TLSv1.3), `parse_tls_serverhello()` refers to this extension as "supported groups/#10". Since, at the moment, OpenSSL's s_client refers to this extension as "elliptic curves/#10", the extension sometimes appears twice in the "TLS extensions" line, if it is detected by both OpenSSL (in `get_server_certificate()`) and `tls_sockets()` (in `determine_tls_extensions()`):
```
 TLS extensions (standard)    "renegotiation info/#65281" "elliptic curves/#10" "EC point formats/#11" "supported groups/#10"
```
This PR fixes the problem of the extension appearing twice in the "TLS extensions" line by replacing any instances of "elliptic curves/#10" with "supported_groups/#10" in the `$tls_extensions` line extracted from `$OPENSSL s_client`. This PR also changes "supported groups/#10" to "supported_groups/#10" in `parse_tls_serverhello()`, since the current development branch of OpenSSL uses "supported_groups" to refer to this extension (see https://github.com/openssl/openssl/pull/1825).
2017-02-01 15:43:15 -05:00
David Cooper d93f7031ac Fix neat_list() for Camellia GCM
This PR increases the width of the "Encryption" column printed by `neat_list()` in order to allow room to print "CamelliaGCM."

This is the alternative fix to the problem that was first addressed in #524. This PR obsoletes PR #530.
2017-02-01 13:31:58 -05:00
David Cooper 11b5e00602 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-01-30 13:36:12 -05:00
Dirk Wetter c0cf622aff Merge pull request #600 from dcooper16/unsupported_ciphers_in_litegrey
Print unsupported ciphers in light grey
2017-01-30 18:29:57 +01:00
David Cooper 392dac0e39 Just print entire line in light grey 2017-01-30 09:32:47 -05:00
David Cooper 17db208756 Merge branch '2.9dev' into unsupported_ciphers_in_litegrey 2017-01-30 09:02:15 -05:00
David Cooper 2a2f2b2c3b Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-01-30 09:01:40 -05:00
AlGreed 2c363942fd Merge branch 'drwetter/2.9dev' into 2.9dev 2017-01-29 16:31:02 +01:00
Dirk a7dff83160 $NODE is fine, removing $MX_HOSTNAME, #603 2017-01-29 10:46:35 +01:00
Dirk Wetter 1e16ac8ad6 Merge pull request #603 from AlGreed/2.9dev
Better output for --MX in JSON-PRETTY
2017-01-29 10:40:23 +01:00
AlGreed f07c723d59 added mx hostname for json-pretty output 2017-01-28 18:11:39 +01:00
AlGreed 80314f0602 Merge branch 'drwetter/2.9dev' into 2.9dev 2017-01-28 15:12:23 +01:00
Dirk Wetter 2ea3789b91 Merge pull request #602 from AlGreed/2.9dev
Support of multiple servers for JSON-PRETTY
2017-01-28 10:27:45 +01:00
AlGreed fcd208b2c9 ... 2017-01-28 08:09:02 +01:00
AlGreed 04c653646e ... 2017-01-28 07:54:58 +01:00
AlGreed 29d6cbc125 Added support of multiple servers to json-pretty format; added fileout for smtp 2017-01-28 07:17:58 +01:00
AlGreed ae6462fe65 Merge branch 'drwetter/2.9dev' into 2.9dev 2017-01-28 00:13:22 +01:00
David Cooper d47601f413 Print unsupported ciphers in light grey
This PR changes testssl.sh so that when ciphers are being listed in wide mode (i.e., using `neat_list()`) and the `--show-each` option is set, ciphers that are not available are printed in light grey, whereas ciphers that are available continue to be printed in black. This makes it easier to distinguish between ciphers that are available and those that are not (the "available/"not a/v" column remains).

This PR does not change the way that ciphers that are available are printed, but it includes a hook that would allow that to change. For example, for ciphers that are available, the name of the cipher suite could be printed in a different color depending on its quality (as is done for the "Negotiated cipher" in `run_server_preference()`). The same could be done for the "Encryption" and "Bits" columns.
2017-01-25 10:41:36 -05:00
David Cooper 324fb059b3 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-01-25 09:11:55 -05:00
Dirk Wetter 0bb792225e Merge pull request #599 from dcooper16/fix_tls_sockets_typo
Fix typo in tls_sockets()
2017-01-25 15:00:33 +01:00
David Cooper 1ee75689e0 Fix typo in tls_sockets()
This PR just fixes a minor bug in `tls_sockets()`, changing
```
debugme "stuck on sending: $ret"
```
to
```
debugme echo "stuck on sending: $ret"
```
2017-01-25 08:57:20 -05:00
David Cooper 597e87f330 Merge branch '2.9dev' into rename_ephemeral_DH_ciphers 2017-01-24 16:09:19 -05:00
Dirk Wetter bc31639179 Merge pull request #545 from dcooper16/cipher_order_sockets
Use sockets to determine cipher order
2017-01-24 20:26:05 +01:00
David Cooper c09a77006e Rename cipher lists for run_logjam()
This PR renames the cipher lists for `run_logjam()` in generate_static_cipher_lists.sh to align with their names in testssl.sh, as requested in #590.

I think these names are still open for misinterpretation, however, since its not clear whether "dh_cipher" refers to ciphers that use static DH keys, ephemeral DH keys, or both.
2017-01-24 10:49:59 -05:00
David Cooper db4108cec5 Merge branch '2.9dev' into cipher_order_sockets 2017-01-24 08:46:40 -05:00
Dirk 2a5d56a9d6 help aviod misunderstanding, see #594 and some reordering 2017-01-24 08:37:19 +01:00
David Cooper 156787adec Merge branch '2.9dev' into cipher_order_sockets 2017-01-23 11:22:42 -05:00
Dirk 4911aaf05b Fix #593 2017-01-23 11:33:18 +01:00
Dirk Wetter 8988411fbc Merge pull request #565 from dcooper16/run_server_preference_sockets
Use sockets in run_server_preference()
2017-01-21 19:55:37 +01:00
Dirk f80e1ecfdb - enable CAA per default (#588)
- hex2ascii() for converting strings
- swap quoted output in -S to italic (mostly)
2017-01-21 19:43:07 +01:00
Dirk f2303a0d79 - poodle output polishing
- minor polish of #552
2017-01-21 18:08:31 +01:00
Dirk Wetter d448ebbc77 Merge pull request #552 from dcooper16/run_beast_sockets
run_beast() speedup + sockets
2017-01-21 18:01:55 +01:00
Dirk 2b440f15ea - polishing #570
- run_logjam() terminates if no local DH export ciphers are configured
2017-01-21 16:52:02 +01:00
Dirk Wetter 20cc3bc435 Merge pull request #570 from dcooper16/run_ssl_poodle_sockets
Use sockets for run_ssl_poodle()
2017-01-21 14:37:36 +01:00
Dirk f3666a13c5 - add crypotsense prefined DH groups
- final FIX #589
2017-01-20 18:14:48 +01:00
Dirk e083fab130 - run_logjam(): run_logjam(0 fixed error where logjam couldn't parse "ServerKeyExchange" message using SSL_NATIVE -- if TLS != 1.2 was returned
- run_logjam(): determine dh bit size and based on this mark the common primes as more or less vulnerable
- run_logjam(): renamed remaining dhe variable to dh
- further house keeping in run_logjam()
2017-01-19 14:45:19 +01:00
Dirk Wetter 9c3ab427b6 Merge pull request #590 from dcooper16/dhe_cipher_list
Generate list of all DHE ciphers
2017-01-18 22:08:43 +01:00