Commit Graph

123 Commits

Author SHA1 Message Date
Dirk
0e6fb44bd3 add xmpp-server 2020-05-01 18:31:35 +02:00
Dirk Wetter
2b174821e4
Merge pull request #1575 from horazont/feature/xmpp-server
STARTTLS: add support for xmpp-server
2020-05-01 17:53:34 +02:00
Jonas Schäfer
4daf20585d STARTTLS: add support for xmpp-server
XMPP client-to-server and server-to-server links historically use
different XML namespaces. Some server implementations are strict
about this and will not proceed with the connection attempt when
the client namespace (`jabber:client`) is used on a
server-to-server link.

openssl s_client also supports `xmpp-server`.
2020-05-01 17:44:30 +02:00
Dirk
ebe75252fa Merge branch '3.1dev' into magnuslarsen-grading_dev 2020-05-01 17:36:29 +02:00
Dirk
a9d28949fe Clarify responsilility for rating 2020-04-28 21:13:36 +02:00
Dirk Wetter
97ac4c452e Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-28 15:07:33 +02:00
Dirk
13a76bc719 (try to) resolve merge conflict 2020-04-28 13:35:24 +02:00
Dirk Wetter
680aff48e4 Update documentation related to extended run_server_preference() 2020-04-27 17:19:30 +02:00
Dirk Wetter
a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
Dirk Wetter
c3f09f56f7 Grading --> Rating
but we still hand out grades
2020-04-20 22:41:14 +02:00
Dirk Wetter
64735d0241 Remove env variable DISABLE_GRADING
as for run_* functions we currntly don't have that.

Also AEAD as WIP we can remove that from the doc
2020-04-17 13:22:30 +02:00
Magnus Larsen
e4cef5438d Added grading based on ssllabs 2020-04-15 15:06:08 +02:00
Dirk Wetter
8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk Wetter
4603d924be Last fine tuning for http basic auth
* create roff file and HTML
* add hint to $ENV

Avoid 1x subshell

See #1451.
2020-01-16 14:29:53 +01:00
manuel
942cf3d374 add description for HTTP basic auth credentials switch in the docs 2020-01-16 10:11:22 +01:00
Dirk Wetter
c228b578dd Remove --warnings=false from documenation
... and reorder manpages also so that --warnings, --connect-timeout
and --openssl-timeout appear in the "input parameter" section.

The HTML manpage looks in the diff view quite different as previously
another computer was used for converting the source format with ronn(1).

The manpage in (g)roff format was manually edited with .RE / .RS
for provide indented bulletpoints.

See also #1419
2020-01-08 14:24:41 +01:00
Dirk
3fdb5617db --connect-timeout 2019-12-10 20:44:55 +01:00
Dirk Wetter
b1f4713287 Merge branch '3.0' of https://github.com/goncalor/testssl.sh into goncalor-3.0 2019-12-06 16:29:45 +01:00
Dirk Wetter
dc658637a5
add </b>
.. so to speak in addition to #1376
2019-11-19 12:38:58 +01:00
Alexander Naumov
966b464802
--html option looks like all others 2019-11-13 21:23:33 +01:00
Gonçalo Ribeiro
5485ebe439 Update man page to include --connect-timeout 2019-10-10 04:41:10 +01:00
Dirk Wetter
15df3316c1 Formatting fixed 2019-05-05 15:07:55 +02:00
Dirk Wetter
19e9137f79 Add --vulnerabilities and LDAP constraints to documentation 2019-05-04 11:57:03 +02:00
Dirk
c9ec73bce8 Add documentation to #1245
it accepts a directory.

This PR adds documenation for it.
2019-04-25 22:40:32 +02:00
Dirk Wetter
e92b7326bc Extra warning for certificates >= 5yrs, italics handling for BSDs
This PR fixes #803 and emit an extra warning if the certificate
has a lifetime longer or equal of five years which happens often
on appliances with self signed certificates. (CAs do not offer
such a long certificate lifetime.) This was tested under Linux,
FreeBSD and OpenBSD. On the latter however we only check the
years as opposed to other OS where we have a finer granularity
(seconds).

On the screen there's only an output if the lifetime is too long,
using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod).

Also this PR changes the ID cert_expiration_status to cert_expirationStatus.

Older FreeBSD and OpenBSD can't deal with italics characters but it output
the escape codes which could result in a different markup. This PR detects
such OS and just doesn't dsiplay the escape sequence.

Also the manpage is reflecting the change and has updates in the server
defaults and standard cipher checks section.
2019-04-09 11:46:53 +02:00
Dirk
e29b1f40e6 Improve HTML-Formatting, minor additions
The HTML manual is now post processed through tidy
which removes the problem of ">" not HTML encoded.

--color 0 is now explicitly mentioned to avoid escaped codes in the
output.

Minor changes wrt certificate stores
2019-01-08 13:56:55 +01:00
Dirk
d10f66a4c5 Minor additions
1) add --add-ca option and remove eother references to ADDITIONAL_CA_FILES
2) add a paragraph 'TUNING OPTIONS'
3) add -iL as a n alternative to --file
2018-12-17 21:04:47 +01:00
Dirk
1416ff620b Major update, review
Review: grammar, spelling.  Errorneous and obsolete description.
        Some items reordered.

Updated: to reflect the current capabilities.

Moreover: (Almost) complete the tuning variables section.
2018-12-13 18:07:20 +01:00
Dirk
ab7ca281c0 Minor polishing 2018-12-07 14:35:49 +01:00
Dirk
6fe5adbbc3 Improved connection failure conditions
As a kind of a pre-warning this commit allows the n-1 connection problem to
give feedback on the screen (that wasn't working before).

Also the message on the screen is now more clear and the manpage
gives better advice.

Related to #1172
2018-12-05 16:09:36 +01:00
Dirk
6ce0ad80e6 fit HTML man page to page width 2018-11-23 23:47:21 +01:00
Dirk
f591126a1b Minor updates
added: client simulation, requirements.

Updated number of ciphers.
2018-11-12 21:36:43 +01:00
Dirk
da233c939e RFC --> IANA
The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
2018-11-08 20:26:52 +01:00
Dirk
44570541c0 Tell which OpenSSL versions support IPv6 out of the box 2018-09-10 09:52:59 +02:00
Dirk
8d7dd663f9 Finalizing proxy support for OCSP checks
As mentioned in #1106 proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
2018-08-24 15:43:25 +02:00
Dirk
3fdcd034f3 Fine tuning of --outprefix
The standard separator after $FNAME_PREFIX is now '-'.
You can as well supply a different <fname_prefix> ending in '.',  '_' or ',' , then
no no additional '-' will be appended.

Also a small bash function get_last_char() has been introduced which returns
the last char from a supplied string.
2018-08-23 11:40:50 +02:00
Dirk
5837e82c85 Supplying of both -6 and --ip=one results in picking an IPv6 address
... previously it depended on the order of DNS replies otherwise. This was
one outcome of discussion in #1026 where it seemed more logical
to pick an IPv6 address as opposed to an abitrary (v4/v6) address.
2018-08-16 12:03:56 +02:00
Dirk
33cf1d524c Fine tuning if Jac2NL's commit of IDS evasion
Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This maybe
subject to reconsider at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
2018-06-26 13:04:30 +02:00
Dirk
87f0cda234 Fix #1071 : typos and link in docu 2018-06-25 18:31:55 +02:00
Dirk
aa0f33e984 Update RFC section in ~/doc with soon to be TLS 1.3 RFC
See PR #1072, title taken from
https://github.com/ietf/draft-ietf-tls-tls13/blob/master/rfc8446.xml
(maybe subject to change).

Todo: Handle the obsolted ones, maybe by adding "obsolete"
2018-06-20 09:41:51 +02:00
Dirk
c3927d00c8 Document --phone-out 2018-04-27 21:37:44 +02:00
Dirk
ddf5ff6bc9 Minor additions wrt --color=3 and fname prefix 2018-04-26 09:39:30 +02:00
Dirk
e7619fa8d9 Documenting exit error codes improvements
See prevoius commit b2be380b54 and
issue #985 / #752.
2018-04-12 18:14:14 +02:00
Dirk
36247fecf2 fix no-DNS related error in documentation 2018-04-12 01:19:02 +02:00
Dirk
2a4de68c59 Merge branch 'nodns-935' into 2.9dev 2018-04-12 01:06:33 +02:00
Dirk
557942cb0a Change logic and add conservative value for -n/--nodns (#935)
This PR changes the logic the no-DNS switch works. The switch
now expects a value. "min" does minimum lookups, "none" does
no lookups at all (details see testssl.sh(1) ). "none" is
equivalent to the paranoid (boolean) value "true" before.
2018-04-12 00:19:52 +02:00
Karsten Weiss
eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk
eb3b3a1988 be more verbose what --warnings=batch means (see #1027) 2018-04-05 22:02:35 +02:00
Dirk
1924c9a0a6 Connectivity problems, man page update
See previous commit

This commit finally fixes #1005 so that either a --ssl-native scan
terminates on the next (defined) occasion if there are network connectivity
problems. It introduces another set of variables (MAX_OSSL_FAIL vs. NR_OSSL_FAIL).
As "openssl s_client connect" is sometimes still being used without --ssl-native
it also shortens the wait for regular scans if an outage is encountered.
To make things easier bot sets (incl. *_SOCKET_FAIL) of variables are independent.

For the seldom case that somebody uses --ssl-native with client checks an exception
had to be made as otherwise only MAX_OSSL_FAIL client check would be performed.
This hasn't been understood yet...

As sometimes HTTP header requests (over OpenSSL) fail repeatedly in a way that an empty
reply is returned, the same strategy of detecting problems is applied here,
using MAX_HEADER_FAIL and NR_HEADER_FAIL.

All three detection mechanisims share a new function connectivity_problem().
2018-03-28 17:48:04 +02:00
Dirk
2e5dd0439a document variable for previous commit 080840f 2018-03-02 20:57:06 +01:00
Dirk
b5fcc00031 reflect previous commit of changed treatment of --severity
... and some minor polishing
2018-03-01 15:13:55 +01:00
Dirk
ba8d613aa5 Add documentation about the current and corrected exit codes 2018-02-14 23:40:08 +01:00
Dirk
01f7612bd0 add keys to server defaults, cert start/end time in GMT 2018-01-29 23:43:25 +01:00
Dirk
659a6176b6 Add TLS 1.3, better explanation for -6 2018-01-28 12:47:05 +01:00
Dirk
0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
Dirk
1488baeac5 Documentation of CA_BUNDLES_PATH
See also #941
2017-12-20 09:00:00 +01:00
Dirk
1984d7fc90 html version of man page added 2017-12-14 10:25:59 +01:00
Dirk
c23f47858d Overwrite as a default empty files
This commit tries to address #934. Empty files can now
be overwritten without exiting with an error.
2017-12-14 10:06:19 +01:00
David Cooper
5de873f8bc Test for vulnerability to Bleichenbacher attack
This PR adds a test to check whether a server that supports ciphers suites that use RSA key transport (TLS_RSA) are vulnerable to Bleichenbacher attacks (see http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).
2017-12-12 09:51:48 -05:00
Dirk
47409a32d6 delayed commit for file prefix
Also added David
2017-11-24 23:13:38 +01:00
Dirk
e450eb34e4 FIX #846 -- add output filename prefix
This commit adds the possibility to supply a output
file name prefix via --outprefix or FNAME_PREFIX
2017-11-14 19:41:25 +01:00
Dirk
9daec2a515 Add "auto" keyword to -oA/-oa (FIX #887)
File names are now auto-generated by using "-oA auto" / -oa "auto"
--similar to --csv and friends.

Also the formerly hidden switches --outFile and --outfile were added in the
help and in the manual.
2017-11-01 09:58:52 +01:00
Dirk
2aeabd19b2 Better clarification on bit size and encryption strength
Fix #770
2017-10-31 12:00:09 +01:00
Dirk
a85ca3c250 FIX #765
Inconsistency in using optional and mandatory parameters in help and man page
2017-10-26 11:46:14 +02:00
Dirk
d3795f1254 Add output options similar to nmap (FIX #861) 2017-10-20 16:32:57 +02:00
Dirk
e32479818d mentioning BiGIP cookies and MongoDB 2017-09-27 09:25:22 +02:00
Dirk
f6cf96d916 polish help for -g option 2017-09-23 12:54:44 +02:00
Dirk
68509694d4 NO_ENGINE (#834) and GREASE (#814) 2017-09-23 11:55:09 +02:00
David Cooper
a6f7121d25 Correct typos 2017-09-20 12:10:29 -04:00
Dirk
9345b55865 added ALL_CLIENTS for client siumulation 2017-08-30 23:40:47 +02:00
Dirk
8b2dfb81c5 reflect 37c8ee8c4e: debug level 2 is showing only minimal information like rough status and errors 2017-07-26 23:13:57 +02:00
Dirk
28fe4c48de manpage not for editing
Generated via ``ronn -r testssl.1.md`` from the md source. Can be viewed
e.g. by ``nroff -man testssl.1 [| less]``
2017-07-13 12:35:13 +02:00
Dirk
f2d07ec22b First draft of the manpage
Until the content is finalized the plan is to keep it in MD format.
For medium terms it is something which needs to be reconsidered
as markdown as the source format for documentation has too many limits.
Happy for suggestions here.

In the meantime here's what needs to be done:

* finalizing (see comments)
* proofreading 1: accuracy, logic, more content related
* proofreading 2: grammar, spelling
* more? pls let me know
2017-07-13 12:27:28 +02:00