Commit Graph

3283 Commits

Author SHA1 Message Date
Dirk 8c24d1a6f2 Complete shortcut checks (Renegotiation and CRIME)
This also makes a short exit when the server side
supports TLS 1.3 only as this protocol doesn't support
TLS renegotiation or compression.

Also it fixes the logic flaw from the previous
commit that "-no_tls1_3" has to be supplied.

Furthermore, it unifies the output presented to the user.
2020-01-18 12:31:38 +01:00
Dirk Wetter 155824214b
Merge pull request #1460 from drwetter/drwetter-patch-1
add also here -z
2020-01-17 15:26:09 +01:00
Dirk Wetter adfa411e24
add also here -z 2020-01-17 15:24:36 +01:00
Dirk 747fb039ed Shortcuts for TLS13 only servers in renegotiation checks
As noted in #1444 a few vulnerability checks don't make sense
or aren't working.  This commit addresses the renegotiation checks.

Also a few redundant quotes in parse_tls_serverhello() and
run_crime() were removed.
2020-01-17 15:16:26 +01:00
Dirk Wetter 71b6305e00
Merge pull request #1458 from drwetter/drwetter-patch-2
fix language
2020-01-17 11:59:50 +01:00
Dirk Wetter ddc7a56ab0
fix language 2020-01-17 11:59:41 +01:00
Dirk Wetter a094ebc981
Merge pull request #1457 from drwetter/drwetter-patch-2
fix missing -z
2020-01-17 11:57:36 +01:00
Dirk Wetter 1fb2db02a7
Update docker-debian10.tls13only.start.sh 2020-01-17 11:57:13 +01:00
Dirk 2ea57f0701 Update attributions and Changes for release
If anything is missing or wrong please let us know or do a PR.

(This is until from earlier time to ~2018. >2019 need to follow)
2020-01-17 11:01:41 +01:00
Dirk Wetter 03fb04a9f9
Merge pull request #1455 from drwetter/drwetter-patch-1
Warning for handshake retrieved by Google apps
2020-01-16 22:48:07 +01:00
Dirk Wetter ac7a20f018
Update client-simulation.wiresharked.md 2020-01-16 22:46:43 +01:00
Dirk Wetter 86afeabf8f
Merge pull request #1438 from drwetter/update_clienthandshakes
Update clienthandshakes
2020-01-16 22:26:21 +01:00
Dirk Wetter c2060c08f3
Merge pull request #1454 from dcooper16/basic_auth_polishing
More polishing of http basic auth
2020-01-16 20:24:39 +01:00
David Cooper 4b6bdf8cdf
More polishing of http basic auth
* Replace "! -z" with "-n"
* Replace "openssl' with "$OPENSSL"
* Redirect stderr output of $OPENSSL to /dev/null to supress "WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf" message (see #833)
* Remove unnecessary spaces from $GET_REQ11 string.
2020-01-16 13:41:27 -05:00
Dirk Wetter 91e14a3840
Merge pull request #1452 from drwetter/add_1451
Last fine tuning for http basic auth
2020-01-16 16:34:09 +01:00
Dirk Wetter 0691dc1bf8
Merge pull request #1453 from mkauschi/add-cache-control-header-check
Check for the Cache-Control and Pragma header
2020-01-16 16:25:18 +01:00
manuel e498ffbdb2 add Pragma header to other_header_variable 2020-01-16 15:01:48 +01:00
manuel 5813e40e6b chore: add cache control header to other_header variable 2020-01-16 14:55:15 +01:00
Dirk Wetter 4603d924be Last fine tuning for http basic auth
* create roff file and HTML
* add hint to $ENV

Avoid 1x subshell

See #1451.
2020-01-16 14:29:53 +01:00
Dirk Wetter 700a727f3f
Merge pull request #1451 from mkauschi/http-basic-auth-support
Add support for HTTP Basic Auth
2020-01-16 14:13:59 +01:00
manuel ddd29dafdd instantiate BASICAUTH variable 2020-01-16 10:15:07 +01:00
manuel 51fb849954 change basicauth_header variable to a local variable 2020-01-16 10:13:16 +01:00
manuel 942cf3d374 add description for HTTP basic auth credentials switch in the docs 2020-01-16 10:11:22 +01:00
manuel 87b46a54fe add support for http basic auth 2020-01-15 16:46:03 +01:00
Dirk Wetter 787e575085
Merge pull request #1450 from drwetter/826days_towarn
Add one second for 825 day validity test
2020-01-15 15:38:26 +01:00
Dirk Wetter 38a00f7170 Add one second for 825 day validity test
The CA browser form agreed on a validity period of 825 days or less
(https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3-redlined.pdf,
p4).

PR #1427 addressed that. However when an issuer signed/issued a certificate
with exactly 825 days, the check reported incorrectly that the life time
is too long.

This commit addressed that by adding a second to the calulation. Also the
output takes into account that it must be over ('>') 825 days, not '>='.
2020-01-15 15:32:32 +01:00
Dirk Wetter 520a4fbf75
Merge pull request #1449 from drwetter/pr_1070
Reimplement mitigation check (renegotiation->node.js)
2020-01-15 13:09:39 +01:00
Dirk Wetter 2ed317441f Reimplement mitigation check (renegotiation->node.js)
See #1070, kudos @poupas.

In addition it checks whether the first result was positive (in
terms of a finding). If so it does 4 rounds and checks the
result. So that other servers won't be penalized with 4 seconds.
2020-01-15 12:11:57 +01:00
Dirk Wetter 2a87f7505d
Merge pull request #1445 from drwetter/alternative_temppath
Try temp file creation in a different location
2020-01-15 09:59:12 +01:00
Dirk Wetter 50ea6b1891 $PWD check : negate pattern + add $BASH_REMATCH 2020-01-14 22:52:47 +01:00
Dirk Wetter 50c9075ba8 Provide whitelist for $PWD
see #1445
2020-01-14 20:41:08 +01:00
Dirk Wetter e75ed94573
Merge pull request #1446 from dcooper16/add_missing_declarations
Add missing variable declarations
2020-01-14 20:17:07 +01:00
Dirk Wetter f0f8f3a318 Remove TEMPPATH, make sure PWD doesn't contain a blank 2020-01-14 20:09:46 +01:00
David Cooper 477b113fe6
Add missing variable declarations
derive-handshake-traffic-keys() uses the variables `derived_secret`, `server_write_key`, and `server_write_iv`, but they are not declared as local variables of the function. This PR fixes that.
2020-01-14 13:53:36 -05:00
Dirk Wetter 8518284795 Try temp file creation in a different location
... if the standard directory /tmp is not allowed to write to.
As noted in #1273 this might be the case for Termux on Android.
2020-01-14 18:55:09 +01:00
Dirk Wetter 8d864aba2e Output adjustments closer to a more common format 2020-01-14 18:44:11 +01:00
Dirk Wetter 13aa6aa433 Readd TLS 1.0 and TLS 1.1 to openssl 1.1.1d (Debian)
... see previous commit
2020-01-14 18:17:44 +01:00
Dirk Wetter 09eda2aa97 Update openssl handshakes
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit need to be amended.
2020-01-14 18:02:43 +01:00
Dirk Wetter 6378371baa
Merge pull request #1443 from dcooper16/no_stdout
Don't write to /dev/stdout
2020-01-14 17:59:32 +01:00
Dirk Wetter 331b5cb750 Output changes
* add TLS_EMPTY_RENEGOTIATION_INFO_SCSV in screen output
* remove trailing ":" to be sure no one copies it, see also #1440
2020-01-14 17:38:02 +01:00
David Cooper f181efb352
Don't write to /dev/stdout
As noted in #1273, there are some environments that will not allow writing to /dev/stdout. PR #1277 was an attempt to address that problem (along with an unrelated problem), but it appears that work on #1277 has been abandoned.

At the moment, "/dev/stdout" is only used as a parameter to asciihex_to_binary_file (in fact, most calls to asciihex_to_binary_file specify "/dev/stdout" as the file parameter). This PR removes the file parameter from asciihex_to_binary_file (and so renames it asciihex_to_binary). In most cases, this just means removing "/dev/stdout" as a parameter to the function. In the few cases in which a parameter other than "/dev/stdout" was provided to asciihex_to_binary_file, this PR just uses a redirect (">" or ">>") to accomplish the same result as providing the output file to asciihex_to_binary_file().

Note that #1273 and #1277 raised the issue of trying to write to /tmp, and this PR does not attempt to address that.
2020-01-14 09:10:23 -05:00
Dirk Wetter 58498583c9 Modified LFs 2020-01-13 23:50:14 +01:00
Dirk ee11ea408e bump version to final 2020-01-13 23:27:00 +01:00
Dirk Wetter 56e6fa4bb7 Remove FTP as a "service" from Firefox' client simulation
... as firefox never supported FTP over TLS or SSL, see

https://bugzilla.mozilla.org/show_bug.cgi?id=85464

In general browsers tend to remove noaways cleartext FTP from
browsers.
2020-01-13 23:11:59 +01:00
Dirk Wetter 89275f7ea9 Redefine numbering scheme 2020-01-13 23:00:10 +01:00
Dirk Wetter 8cc3a5f514 Add firefox 71
... and
* deprecate openssl 1.0.1
* enable Chrome 74 instead of Chrome 65
2020-01-13 22:57:10 +01:00
Dirk Wetter be5a258383
Merge pull request #1441 from dcooper16/fix_run_server_preference
Fix run_server_preference() in --ssl-native mode
2020-01-13 17:41:02 +01:00
Dirk Wetter 91f8f33a6c add new basic checks, rename ca_hashes_up_to_date 2020-01-13 17:36:40 +01:00
Dirk Wetter ddbfe2d79d
Merge pull request #1440 from dcooper16/fix_client_sim
Fix Safari 13.0 Client Simulation
2020-01-13 17:14:43 +01:00
David Cooper 855758b3af
Fix run_server_preference() in --ssl-native mode
This PR fixes two problems that occur when testing a server that supports TLSv1.3 using OpenSSL 1.1.1 in --ssl-native mode.

First, when testing whether the server has a cipher order, the value of $sclient_success is checked after each call to tls_sockets(), but $sclient_success. As the goal is just to verify that the connection was successful (and didn't downgrade), $? can be checked rather than $sclient_success. [When not in --ssl-native mode, this problem is masked since $sclient_success is set to 0 earlier in the function.]

The second problem is that line 6646 tries to copy "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt", but this file is currently only created (on line 6287) if tls_sockets() is used to determine the negotiated protocol. This PR fixes the problem by also populating "$TEMPDIR/$NODEIP.parse_tls13_serverhello.txt" when OpenSSL is used to determine the negotiated protocol.
2020-01-13 10:51:34 -05:00