Commit Graph

60 Commits

Author SHA1 Message Date
David Cooper dd58fbb9aa
Add public keys
Add the public keys corresponding to the key pairs in TLS13_KEY_SHARES.
2017-11-02 11:44:29 -04:00
David Cooper cd6c84bfd3
Add a secp224r1 key pair 2017-11-02 11:30:24 -04:00
David Cooper ca7c8200eb Add TLSv1.3 support for run_server_preference()
This PR adds support for TLSv1.3 to run_server_preference(). It only provides partial support, as it only works if the support supports and earlier TLS protocol (in order to determine whether the server has a cipher order). It also will only show TLSv1.3 as the "Negotiated protocol" if $OPENSSL supports TLSv1.3.

This PR also fixes a bug in which the variable "proto" was defined as used as both a regular variable and as an array.
2017-10-20 11:40:19 -04:00
David Cooper fd1f4b3b43 Add TLSv1.3 ciphers
This commit adds the 5 TLSv1.3 ciphers to the list.
2017-10-06 10:05:18 -04:00
David Cooper 555ce31ab8 Fix incorrect client simulation data
In the data provided by https://api.dev.ssllabs.com/api/v3/getClients, Chrome 57 Win 7 and Firefox 53 Win 7 send ClientHellos that indicate support for TLSv1.3 draft 18, but the highest_protocol for each of these is specified as 0x0303. The result is that if the server being tested supports TLSV1.3 draft 18, `run_client_simulation()` will incorrectly report "No connection" for these servers since the DETECTED_TLS_VERSION (0x0304) will be higher than the specified highest_protocol.

This PR fixes the problem by changing the highest_protocol to 0x0304. Note that another solution to this problem would be to change the ClientHello messages for these two browsers. It is my understanding that TLSv1.3 is disabled by default for these browsers, so presumably the ClientHello messages would not specify TLSv1.3 support if they were configured with TLSv1.3 support disabled.
2017-10-03 16:34:56 -04:00
Dirk b9b09f586e added MS CA store, see #825
Finally complete, thx @naumanshah03
2017-09-19 15:15:54 +02:00
Dirk Wetter f48deaaa9d Update README.md 2017-09-19 14:50:08 +02:00
Dirk Wetter 95af735862 Update README.md 2017-09-18 23:33:25 +02:00
Dirk Wetter 3caa73c1b8 Update README.md 2017-09-18 23:32:35 +02:00
Dirk f014a1853b missing update from 985c845486 2017-09-18 23:01:37 +02:00
Dirk 8b076e9841 relect what to do for updtaing ca_hashes.txt 2017-09-18 14:20:56 +02:00
Dirk 985c845486 update of certificate stores, except MS 2017-09-18 14:18:00 +02:00
Dirk Wetter 54539e9da3 rename client simulation file (das is more consistent)
update client simulation: now has every client from SSLlabs and
it is properly ordered
2017-08-30 23:00:32 +02:00
Dirk Wetter 8be7dcbf09 Reorder client simulation data (see #776) and update README 2017-08-30 20:35:15 +02:00
David Cooper 6460de39a2 Add OpenSSL names for ARIA ciphers
A PR was just accepted into the master branch of https://github.com/openssl/openssl that specifies OpenSSL names for the ARIA GCM cipher suites: bc32673869. This PR adds these OpenSSL names to the cipher-mapping.txt file. It also changes the description of the encryption algorithm for these ciphers from "ARIA" to "ARIAGCM" to be consistent with OpenSSL and with the other GCM ciphers in the cipher-mapping.txt file.

In addition, OpenSSL names for some of the ARIA CBC ciphers are provided in https://github.com/openssl/openssl/blob/master/doc/man1/ciphers.pod, and this PR adds those OpenSSL names to the cipher-mapping.txt file as well.
2017-08-30 11:12:11 -04:00
Dirk Wetter 5ea2b7c612 typo 2017-08-13 11:32:24 +02:00
David Cooper 966f9c499a Update README.md for etc directory 2017-08-04 09:10:41 -04:00
Dirk 9540224722 adding comments for David's PR #807 and pointing to the cipher list in #806 2017-07-31 12:59:36 +02:00
David Cooper ee40625d40 Fix typo in comment
$TLS12_CIPHER only includes 123 standard ciphers; 0x00,0xFF doesn't count as a "standard cipher."
2017-07-28 12:23:21 -04:00
David Cooper 7ccb611d13 Update TLS12_CIPHER
Update `$TLS12_CIPHER` to contain only 128 ciphers (so that it will work with servers that can't handle larger ClientHello messages), and also add some newer ciphers to `$TLS12_CIPHER`. Also define  a `$TLS12_CIPHER_2ND_TRY` containing a list of 127 ciphers that do not appear in `$TLS12_CIPHER`. `$TLS12_CIPHER_2ND_TRY` is used in `run_protocols()` in order to perform a second test against servers that do not establish a TLSv1.2 connection when offered `$TLS12_CIPHER`.
2017-07-28 12:14:44 -04:00
Dirk Wetter 26bf3300e8 Delete mapping.txt
has been replaced in 2.9dev by cipher-mapping.txt
2017-05-22 11:38:23 +02:00
David Cooper 005fe3f27e Remove unnecessary spaces 2017-03-23 14:15:26 -04:00
Dirk 8c0b0083d0 further separation of data / code 2017-03-21 09:15:30 +01:00
Dirk Wetter ca18433959 Update README.md 2017-02-24 17:55:20 +01:00
Dirk Wetter 3f0a98b635 Generated from utils/update_client_sim_data.pl and manually massaged ;-)
Note that the internal data from testssl.sh will disappear
2017-02-24 17:45:23 +01:00
Dirk f3666a13c5 - add crypotsense prefined DH groups
- final FIX #589
2017-01-20 18:14:48 +01:00
Dirk 05d27ff1be - FIX for the last mess submitted ;-) 2017-01-18 18:09:39 +01:00
Dirk b1c80512e6 first bunch of common primes, see #589 + #576 + #120. License of nmap is also GPLv2: no conflicts 2017-01-18 12:44:15 +01:00
David Cooper b0ac21fe31 Add two missing OpenSSL cipher names 2016-11-15 15:13:09 -05:00
Dirk 08384920a9 Cipher mapping externalized by using David's extended mapping. Also implemented warnings
and fallback to openssl if this file cannot be found and thus sockets can't be used
2016-11-15 15:20:48 +01:00
Dirk 1613bb214e Merge branch 'master' into CA_pinning
Conflicts:
	testssl.sh
2016-10-27 21:59:10 +02:00
Dirk d32dbdaff3 Updating MS store, sill small, still not automated/cumbersome not sure if ok 2016-10-12 21:15:37 +02:00
Dirk eb1f6e05bb update, thanks to Niko78, see #371 2016-10-02 10:04:25 +02:00
Dirk fd83509ae5 update 2016-09-29 23:23:44 +02:00
Frank Breedijk 5d7367a68d Shell script to generate ca_hashes.txt (OSX only) 2016-07-25 09:47:24 +02:00
Dirk Wetter 12c7af11c6 fixed hashes 2016-07-20 19:11:38 +02:00
Dirk Wetter 9b8fc2c6f0 rename old alg chacha/poly ciphers according to SSLlabs (#379 / https://github.com/PeterMosmans/openssl/issues/43) 2016-06-15 20:14:08 +02:00
Dirk 1fae394b04 2013 --> OLD for CHACHA/POLY ciphers 2016-06-13 21:38:02 +02:00
Peter Mosmans a06c71d915 Updated ChaCha20 cipher names
See https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04 (the latest version as of this writing is 04).
The previous version received the suffix _2013. See https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
2016-06-13 10:34:04 +10:00
Dirk d561687554 initial commit 2016-06-09 15:06:42 +02:00
Dirk 6b07b89946 - added values to curve448 + 25519 2016-06-09 13:18:55 +02:00
Dirk 1ea6e944f3 - new chacha/poly ciphers 2016-03-29 21:56:54 +02:00
David Cooper 02e41951cb Fix typo in mapping-rfc.txt
There is a tab on the line for SSL_CK_RC2_128_CBC_WITH_MD5. When testssl.sh is called with "-E" and "--show-each," this causes the string "not a/v" to be printed two characters to the right of the same string on every other line (at least on Linux systems). This PR just deletes the tab character.
2016-03-29 09:23:59 -04:00
Dirk c684ba7d9c - polishing 2016-03-25 11:52:23 +01:00
Niko78 e233480ca2 Update README.md 2016-03-25 09:20:20 +01:00
Dirk Wetter a95c807c5e Delete microsoft.pem 2016-03-25 09:07:45 +01:00
Dirk Wetter 7bb8ecc566 - now the stores are properly named 2016-03-24 18:56:26 +01:00
Dirk Wetter 53b0843664 - added Apple certificate store
- renamed the other stores accordingly (caps in the beginng)
2016-03-24 18:52:10 +01:00
Dirk Wetter a0b7d04974 Update README.md 2016-03-14 22:40:29 +01:00
Dirk Wetter 50660e9edd typos, minor additions 2016-03-13 21:13:03 +01:00