Commit Graph

3961 Commits

Author SHA1 Message Date
David Cooper 64cca8c03a Reintroduce unused print functions
This commit adds back in the print functions (tm_*, tmln_*, pr_*, prln_*) that are defined but not used.
2020-11-13 15:32:21 -05:00
David Cooper 7d183ba8a2 This commit changes the colors that are used when generating HTML so that they comply with the minimum requirements for contrast in the W3C's Web Content Accessibility Guidelines (WCAG). 2020-11-13 14:48:14 -05:00
Dirk Wetter a019b3d396
--overwrite / X-XSS-Protection 2020-11-13 19:26:47 +01:00
Dirk Wetter 2098ea33c5
Merge pull request #1777 from drwetter/feature_overwrite
Introducing --overwrite option
2020-11-13 18:59:03 +01:00
Dirk Wetter 9d0744e229 Introducing --overwrite option
Sometimes it is needed to overwrite existing output files.
This has been requested in the past (#927). For safety reasons
it was not implemented.

However I realized that it could be useful. It requires some
responsible usage though.

Code added, help() and manpages added -- warnings added too.
2020-11-13 16:05:53 +01:00
Dirk Wetter 33ea2c710c updated Linux.pem + Mozilla.pem 2020-11-11 18:15:56 +01:00
Dirk Wetter 65586311f6
Merge pull request #1769 from drwetter/fix_1768
Fix perl style variable in starttls_full_read()
2020-11-05 14:07:42 +01:00
Dirk Wetter 19219dca2e Fix perl style variable in starttls_full_read()
This fixes #1768
2020-11-05 11:47:53 +01:00
Dirk Wetter b0c1f99923
Merge pull request #1766 from keisentraut/fix-gitignore-ignore-html-scan-results
.gitignore: ignore HTML scan results like example.com_p443-20201103-1…
2020-11-03 20:35:46 +01:00
Klaus Eisentraut da3be342bb .gitignore: ignore HTML scan results like example.com_p443-20201103-1037.html 2020-11-03 10:51:40 +01:00
Dirk Wetter 498dc80885
Merge pull request #1765 from drwetter/http_header_color
Remove lite cyan color for http header
2020-11-03 08:51:35 +01:00
Dirk 12bf2987a2 Remove lite cyan color for http header
While we are not sure yet how we deal with "other" colors and different
backgrounds users can have, I'll remove the light cyan here until we
settle on a standard. (other=not yellow,reds,brown,greens)
2020-11-03 08:44:40 +01:00
Dirk Wetter 8d812f5dc0
Merge pull request #1764 from keisentraut/fix-1762
fix #1762: Stop labeling X-XSS-Protection as green
2020-11-02 21:46:51 +01:00
Klaus Eisentraut 5949a0465a fix #1762: X-XSS-Protection is rated as INFO, fixed bug introduced in last commit 2020-11-02 19:58:49 +01:00
Klaus Eisentraut 6f3c957fe7 fix #1762: Stop labeling X-XSS-Protection as green 2020-10-30 22:45:16 +01:00
Dirk Wetter e3cd36a63b
Merge pull request #1760 from keisentraut/fix-1757
fix #1757: manpage: --c has one dash to much
2020-10-29 20:27:19 +01:00
Klaus Eisentraut d130d70e8b fix #1757: manpage: --c has one dash to much 2020-10-29 20:05:44 +01:00
Dirk Wetter 084a29409d
Merge pull request #1758 from drwetter/fix_1754
Fix run_freak() when sslv2 server hello is empty
2020-10-28 11:43:30 +01:00
Dirk Wetter faad7128a7 If we are sure we don't have sslv2 we don't need to test any RC4 SSLv2 ciphers 2020-10-28 10:13:22 +01:00
Dirk Wetter 3cd1273439 Address complaint by Travis
Despite the fact google doesn't support RC4 ciphers, testssl.sh called
sslv2_sockets(). Google answered with a >= TLS alert. Building a sum then
failed then in sslv2_sockets().

This fixes sslv2_sockets() and introduces count_chars() as a helper function
(tested also under old FreeBSD to make sure it works under MacOSX).
2020-10-28 10:06:39 +01:00
Dirk 888f4f9c5a Fix run_freak() when sslv2 server hello is empty
This fixes #1754 by avoiding further strings operations if the socket
reply is empty as bash 5.1 seems to have a problem with that. The fix
is done in sslv2_sockets() .

Also sslv2 is not being used in run_freak() if known not to be supported.
2020-10-27 22:36:42 +01:00
Dirk Wetter d531981e31
Merge pull request #1756 from drwetter/fix_1755
Fix issue with host certificate expiration
2020-10-26 21:45:41 +01:00
Dirk 45b5d7a5d8 Fix issue with host certificate expiration
- wrong certificate name
- fault logic (if statements) -- intermediate section looks not affected
2020-10-26 21:32:09 +01:00
Dirk Wetter 4af901683a
Merge pull request #1751 from tosticated/ssl_renego_mod
Modified ssl renegotiation attempts to be variable, default 6.
2020-10-20 21:00:02 +02:00
tosticated 45059ed769
Merge branch '3.1dev' into ssl_renego_mod 2020-10-20 19:40:58 +02:00
tosticated 3e2d1b943d Fixed whitespaces/tabs 2020-10-20 13:03:30 +02:00
Dirk Wetter 1049fe2330
Merge pull request #1749 from definity/3.1dev
Update man pages and CHANGELOG
2020-10-20 11:34:39 +02:00
j a252eeb11d Updated changelog 2020-10-19 22:37:10 +02:00
j e82d4e07ca Modified ssl renegotiation attempts to be variable, and default 6. 2020-10-19 22:12:59 +02:00
Chad Brigance 4d6dba79e6 Update man pages and CHANGELOG 2020-10-19 07:32:41 +00:00
Dirk Wetter e51301d9ee
Merge pull request #1748 from definity/3.1dev
Added support for custom user agent
2020-10-17 17:04:49 +02:00
Chad Brigance 59c24e33b0 fixed missing <user agent> in help text 2020-10-16 19:29:54 +00:00
Chad Brigance 11b30b9335 Added support for custom user agent 2020-10-16 15:35:46 +00:00
Dirk Wetter b873441238
Merge pull request #1746 from horazont/feature/xmpp-sni
Force SNI to be the --xmpphost if passed
2020-10-16 09:34:45 +02:00
Jonas Schäfer 769837bdaf Force SNI to be the --xmpphost if passed
XMPP can be used with SNI in two contexts:

- Standard RFC 6120 STARTTLS-based connections; in that case, SNI
  is most likely to be ignored, as XMPP uses another way to signal
  the target domain name (via the @to attribute on the stream
  header, which is already set correctly by testssl.sh). However,
  setting SNI to a different value than the @to attribute may
  lead to confusion.

- XEP-0368 (XMPP-over-TLS) connections which omit the STARTTLS
  phase and go right for TLS (and inside that, XMPP). In that case,
  SNI is obviously required to be correct. XEP-0368 specifies that
  the SNI name MUST be the domain name of the service (not
  necessarily the host name of the endpoint, thanks to SRV
  records).

Hence, this patch forces the SNI name to be the --xmpphost value,
if --xmpphost is given. Note that it blatantly ignores whether
XMPP is used otherwise.
2020-10-15 21:54:38 +02:00
Dirk Wetter b4c9437e95
Merge pull request #1741 from drwetter/intermediate_cert_improvements
Intermediate cert improvements
2020-10-03 10:21:31 +02:00
Dirk 4ca4e075a2 Use test::diff so that errors are spotted better 2020-10-02 13:07:13 +02:00
Dirk c3f8207d93 Fix Travis + mv issuer line down
Travis failure was due to debug output in function which return a string.
The debug statement was removed, (stderr would have been choice \#2).

Issuer is heading now the intermediate certificate section, not
sure whethe this is redundant info.
2020-10-02 13:00:21 +02:00
Dirk d5a64ff4b6 Further improvements to intermediate certs
* reorder sequence of checks in certificate info so that the chain relevant points are closer
  together
* determine_cert_fingerprint_serial() doesn't need fil input anymore, thus removed that part
* cert_validityPeriod in JSON/CSV may lead to misunderstandings, thus renamed to cert_extlifeSpan
* reorganized loop for the intermediate certificate checks, so that also i is used and not the variable
  which defines the number of certificates, i.e. certificates_provided. In addition made the counting
  more hiuma friendly, which starts now at 1 instead of 0
2020-10-02 08:43:17 +02:00
Dirk a7bcf9ec7f Further improvements to certificate_info()
* add cn and issuer_CN to the output both on screen and file
* the severity rating for intermediates are just a shot (20/40 days) and
  deserve a second thought
* replace the expiry check by one test statement and make grep futile
* replace at some places "$openssl x509 -in $filename"  by  "$openssl x509 <<< $var"
* the thing with 25*60*60 was fie readability. When it's used >20 times it maybe is not
  (and maybe costs to much time) --> replaced by $secsaday
* adjusted the loop for bad ocsp check for readability
2020-10-01 17:49:14 +02:00
Dirk 67afa6c372 MOre points added to complete intermediate cert section
* UI feed back for expiration date of intermediates: 20 days: HIGH, 40 days: MEDIUM
* also in JSON/CSV
* list the end date of validity
* works for >1 intermediates too
* section moved to the end of certificate_info()
* renamed  <cert#${certificate_number}> --> <hostCert#${certificate_number}> to avoid coinfusion with intermediate certs
* removed blanks in return values of determine_dates_certificate
2020-10-01 00:13:31 +02:00
Dirk 5eee67291e Outsourcing of certificate date properties determination
determine_dates_certificate() is now determining the important dates
of a certificate passed via argument. It works of course for host and
any other certificates.
   Returning multiple parameters is being done via CSV and passed to a
read statement which seemed the best choice for bash.

ToDo:

* $expok is not set properly for intermediate certificates
* check if expired at least in the UI (JSON+CSV: echo the dates so far)
* for multiple host certificates the naming scheme (jsonID + intermediate
certnumnber kind of sucks:

          "id"           : "intermediate_cert_fingerprintSHA256 <cert#1> 1",
	  "id"           : "intermediate_cert_notAfter <cert#2> 1",

The whole thing is kind of hackish as the code has been historically grown.
At some certian point we may want to reconsider how we determine properties of
certificates in certificate_info()
2020-09-30 15:44:23 +02:00
Dirk b625df87c1 Move determination of fingerprint and serial to determine_cert_fingerprint_serial()
.. so that it can be used for other certificates than the host certificate
2020-09-28 20:38:37 +02:00
Dirk 9094665768 Start for improving handling of intermediate certs
See #1683, #1653,  #1004, #1264

* separate code for bad ocsp a bit
* output intermediate cert in json/csv
* replace sed statements from cert_fingerprint* and -serial by bash funcs
2020-09-28 20:17:11 +02:00
Dirk Wetter 3d07f55f56
Merge pull request #1731 from drwetter/winshock_cipher_improvements
Further robustness checks for winshock (#1719)
2020-09-22 17:35:31 +02:00
Dirk 3d22115d92 Fix travis
and remove some not needed quotes in RHS at double square brackets
2020-09-22 16:40:59 +02:00
Dirk 721d046a7f Add the $EXPERIMENTAL part to winshock
... when checking other services as HTTP or RDP
2020-09-22 15:24:41 +02:00
Dirk 7d8cf71a94 Further robustness check to winshock (#1719)
This commit adds

* a check for the elliptical curves
* and a check for TLS extensions

which will again reduces false positives.

Background:
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Extensions

Also:

* Docu phrased more precise (we're not checking ciphers and
  HTTP Server banner only
* As a last resort we also take 'Microsoft-HTTPAPI/2.0' as a server header on the HTTPS branch
  and query the HTTP branch for Microsoft-IIS/8.x.
* $EXPERIMENTAL overrides some banner and service related checks. So that e.g. SMTP servers can also
  be checked. Last but bot least ist's a vulnerability of the TLS stack.

For better debugging we'll keep the TLS extensions and offered curves in a file.
Also it adds a debug1() function which may be needed on other occasions.

Also the output is better coded as we put "check patches locally to confirm"
into a variable.

There's still room for improvement:

* More extensions (see https://raw.githubusercontent.com/cisco/joy/master/doc/using-joy-fingerprinting-00.pdf)
* We could need a separate determine_curves() function, see #1730 as otherwise
  we can't use the curves in a non-default run.
2020-09-22 13:04:18 +02:00
Dirk Wetter 8d4042c6b6
Merge pull request #1726 from drwetter/fix_1725_SCIR
Fix Secure Client-Initiated Renegotiation false positive (3.1dev)
2020-09-16 20:13:10 +02:00
Dirk ade010d4e7 Fix Secure Client-Initiated Renegotiation false positive
Server side closed the connection but openssl retrieved
a zero exit code. In addition now we look for "closed"
and if that was returned from the server we label it
as not vulnerable.

This fixes #1725
2020-09-16 18:06:21 +02:00