This is tha same update as #2740 (for 3.2).
Despite using ``./utils/create_ca_hashes.sh`` git claims ``ca_hashes.txt`` hasn't changed here too.
This fixes#2739.
On MacOS run_http_header() hiccuped when in any place of the web site unprintable chars were
returned, see https://github.com/testssl/testssl.sh/issues/2708#issuecomment-2738347784 .
This PR fixes that by moving the sanitization to a separate function and run it earlier before
any processing of the returned content (header plus body) takes place.
Output was:
``
'HTTP Status Code awk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
'wk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
200 OK
``
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.*. In addition, the code uses $OPENSSL2, which is not defined. This commit fixes these issues.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available. This is the PR for 3.0, for 3.2 see #2695 .
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
OpenSSL 3.X outputs a different error message than previous versions when $OPENSSL s_client -curves X ... is called with an unsupported curve. This was resulting in the check within find_openssl_binary() adding every curve to $OPENSSL_SUPPORTED_CURVES, even ones that were not supported. This commit changes to check in order to detect the new error message.
.... by forbidding spaces in supplied CA files/directories
Also now we're sanitizing the cmd line parameter better `using safe_echo()`
See also #2647 .
When testing a TLS 1.3 host s_client_options used TLS 1.3 ciphers to test for NPN. As that is not implemented we nee dto make sure any other version is used.
This PR ensures that --after testing whether it's a TLS 1.3-only host where this test doesn't make any sense in the first place.
Fix for #2633
In some cases OpenSSL returns an "unsupported" message rather than a "not found" message if X25519 and X448 are not supported. This commit changes the check for whether X5519 and X448 are supported for checking for either response.
This commit fixes#2599 by not wrapping fileout() messages in a "clientProblem" wrapper if TLS13_ONLY is set. The TLS13_ONLY flag being set is an indicator that fileout_banner() has already been called.
In rare cases testssl.sh writes to the terminal output "likely not offered" but misses the "likely" in the json/csv output.
This fixes#2575 for the 3.0 branch by adding that word and amending the return value 4 with a comment.
Dirk Wetter