Dirk Wetter
eeb1acd749
Android 9 still has 2 signature hash algos: x0201 + x0203
2020-01-22 11:41:42 +01:00
Dirk Wetter
7c66ed47c0
All self retrieved Android handshakes modified to service ANY
2020-01-22 10:58:00 +01:00
Dirk Wetter
a50a660d6c
Add Android 10 client simulation
2020-01-22 10:54:50 +01:00
Dirk Wetter
ca8054184b
remove also leading colon in helper script bc of GREASE
2020-01-22 10:52:07 +01:00
Dirk Wetter
c08250d1bb
Merge pull request #1461 from drwetter/ci_setx
...
add check for forgotten "set -x" + provide defined start conditions
2020-01-20 12:20:07 +01:00
Dirk
45f28d8166
Revert "Shortcuts for TLS13 only servers in renegotiation checks"
...
This reverts commit 747fb039ed.
2020-01-18 21:55:35 +01:00
Dirk
44d1139e99
Revert "Complete shortcut checks (Renegotiation and CRIME)"
...
This reverts commit 8c24d1a6f2.
2020-01-18 21:54:42 +01:00
Dirk
f109d3bbd6
add unlink / start with a clean state
...
... good when running "prove -v" locally and previously
the run was interrupted by e.g. ^C
2020-01-18 21:47:44 +01:00
Dirk
cb6677e2d3
removed comment
2020-01-18 21:45:32 +01:00
Dirk
bec9ebdda8
only one ip
2020-01-18 21:44:24 +01:00
Dirk
2563dfb5e5
add set -x
2020-01-18 21:36:19 +01:00
Dirk
8c24d1a6f2
Complete shortcut checks (Renegotiation and CRIME)
...
This also makes a short exit when the server side
supports TLS 1.3 only as this protocol doesn't support
TLS renegotiation or compression.
Also it fixes the logic flaw from the previous
commit that "-no_tls1_3" has to be supplied.
Furthermore, it unifies the output presented to the user.
2020-01-18 12:31:38 +01:00
Dirk Wetter
155824214b
Merge pull request #1460 from drwetter/drwetter-patch-1
...
add also here -z
2020-01-17 15:26:09 +01:00
Dirk Wetter
adfa411e24
add also here -z
2020-01-17 15:24:36 +01:00
Dirk
747fb039ed
Shortcuts for TLS13 only servers in renegotiation checks
...
As noted in #1444 a few vulnerability checks don't make sense
or aren't working. This commit addresses the renegotiation checks.
Also a few redundant quotes in parse_tls_serverhello() and
run_crime() were removed.
2020-01-17 15:16:26 +01:00
Dirk Wetter
71b6305e00
Merge pull request #1458 from drwetter/drwetter-patch-2
...
fix language
2020-01-17 11:59:50 +01:00
Dirk Wetter
ddc7a56ab0
fix language
2020-01-17 11:59:41 +01:00
Dirk Wetter
a094ebc981
Merge pull request #1457 from drwetter/drwetter-patch-2
...
fix missing -z
2020-01-17 11:57:36 +01:00
Dirk Wetter
1fb2db02a7
Update docker-debian10.tls13only.start.sh
2020-01-17 11:57:13 +01:00
Dirk Wetter
03fb04a9f9
Merge pull request #1455 from drwetter/drwetter-patch-1
...
Warning for handshake retrieved by Google apps
2020-01-16 22:48:07 +01:00
Dirk Wetter
ac7a20f018
Update client-simulation.wiresharked.md
2020-01-16 22:46:43 +01:00
Dirk Wetter
86afeabf8f
Merge pull request #1438 from drwetter/update_clienthandshakes
...
Update clienthandshakes
2020-01-16 22:26:21 +01:00
Dirk Wetter
c2060c08f3
Merge pull request #1454 from dcooper16/basic_auth_polishing
...
More polishing of http basic auth
2020-01-16 20:24:39 +01:00
David Cooper
4b6bdf8cdf
More polishing of http basic auth
...
* Replace "! -z" with "-n"
* Replace "openssl" with "$OPENSSL"
* Redirect stderr output of $OPENSSL to /dev/null to suppress "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" message (see #833)
* Remove unnecessary spaces from $GET_REQ11 string.
2020-01-16 13:41:27 -05:00
Dirk Wetter
91e14a3840
Merge pull request #1452 from drwetter/add_1451
...
Last fine tuning for http basic auth
2020-01-16 16:34:09 +01:00
Dirk Wetter
0691dc1bf8
Merge pull request #1453 from mkauschi/add-cache-control-header-check
...
Check for the Cache-Control and Pragma header
2020-01-16 16:25:18 +01:00
manuel
e498ffbdb2
add Pragma header to other_header_variable
2020-01-16 15:01:48 +01:00
manuel
5813e40e6b
chore: add cache control header to other_header variable
2020-01-16 14:55:15 +01:00
Dirk Wetter
4603d924be
Last fine tuning for http basic auth
...
* create roff file and HTML
* add hint to $ENV
Avoid 1x subshell
See #1451.
2020-01-16 14:29:53 +01:00
Dirk Wetter
700a727f3f
Merge pull request #1451 from mkauschi/http-basic-auth-support
...
Add support for HTTP Basic Auth
2020-01-16 14:13:59 +01:00
manuel
ddd29dafdd
instantiate BASICAUTH variable
2020-01-16 10:15:07 +01:00
manuel
51fb849954
change basicauth_header variable to a local variable
2020-01-16 10:13:16 +01:00
manuel
942cf3d374
add description for HTTP basic auth credentials switch in the docs
2020-01-16 10:11:22 +01:00
manuel
87b46a54fe
add support for http basic auth
2020-01-15 16:46:03 +01:00
Dirk Wetter
787e575085
Merge pull request #1450 from drwetter/826days_towarn
...
Add one second for 825 day validity test
2020-01-15 15:38:26 +01:00
Dirk Wetter
38a00f7170
Add one second for 825 day validity test
...
The CA browser forum agreed on a validity period of 825 days or less
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3-redlined.pdf,
p4).
PR #1427 addressed that. However when an issuer signed/issued a certificate
with exactly 825 days, the check reported incorrectly that the life time
is too long.
This commit addressed that by adding a second to the calculation. Also the
output takes into account that it must be over ('>') 825 days, not '>='.
2020-01-15 15:32:32 +01:00
Dirk Wetter
520a4fbf75
Merge pull request #1449 from drwetter/pr_1070
...
Reimplement mitigation check (renegotiation->node.js)
2020-01-15 13:09:39 +01:00
Dirk Wetter
2ed317441f
Reimplement mitigation check (renegotiation->node.js)
...
See #1070, kudos @poupas.
In addition it checks whether the first result was positive (in
terms of a finding). If so it does 4 rounds and checks the
result. So that other servers won't be penalized with 4 seconds.
2020-01-15 12:11:57 +01:00
Dirk Wetter
2a87f7505d
Merge pull request #1445 from drwetter/alternative_temppath
...
Try temp file creation in a different location
2020-01-15 09:59:12 +01:00
Dirk Wetter
50ea6b1891
$PWD check : negate pattern + add $BASH_REMATCH
2020-01-14 22:52:47 +01:00
Dirk Wetter
50c9075ba8
Provide whitelist for $PWD
...
see #1445
2020-01-14 20:41:08 +01:00
Dirk Wetter
e75ed94573
Merge pull request #1446 from dcooper16/add_missing_declarations
...
Add missing variable declarations
2020-01-14 20:17:07 +01:00
Dirk Wetter
f0f8f3a318
Remove TEMPPATH, make sure PWD doesn't contain a blank
2020-01-14 20:09:46 +01:00
David Cooper
477b113fe6
Add missing variable declarations
...
derive-handshake-traffic-keys() uses the variables `derived_secret`, `server_write_key`, and `server_write_iv`, but they are not declared as local variables of the function. This PR fixes that.
2020-01-14 13:53:36 -05:00
Dirk Wetter
8518284795
Try temp file creation in a different location
...
... if the standard directory /tmp is not allowed to write to.
As noted in #1273 this might be the case for Termux on Android.
2020-01-14 18:55:09 +01:00
Dirk Wetter
8d864aba2e
Output adjustments closer to a more common format
2020-01-14 18:44:11 +01:00
Dirk Wetter
13aa6aa433
Readd TLS 1.0 and TLS 1.1 to openssl 1.1.1d (Debian)
...
... see previous commit
2020-01-14 18:17:44 +01:00
Dirk Wetter
09eda2aa97
Update openssl handshakes
...
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit needs to be amended.
2020-01-14 18:02:43 +01:00
Dirk Wetter
6378371baa
Merge pull request #1443 from dcooper16/no_stdout
...
Don't write to /dev/stdout
2020-01-14 17:59:32 +01:00
Dirk Wetter
331b5cb750
Output changes
...
* add TLS_EMPTY_RENEGOTIATION_INFO_SCSV in screen output
* remove trailing ":" to be sure no one copies it, see also #1440
2020-01-14 17:38:02 +01:00