Commit Graph

4629 Commits

Author SHA1 Message Date
Brennan Kinney 1212ad8e59 refactor: Support syntax without BuildKit features
These have been available via opt-in prior to v23 of Docker Engine with `DOCKER_BUILDKIT=1` ENV as a prefix to running `docker build`, however it's been requested to avoid the syntax.

No HereDoc (multi-line RUN with EOF marker) or `RUN --mount` available. This makes the `busybox` approach a hassle, so I've brought back the explicit creation of user and home dir.

Without the cache mounts, bring back `zypper clean`. It's not doing much as the `--cache-dir` is still set, but should reduce disk space for the `builder` layer. Local builds will be slower as a result when this layer is invalidated.

AFAIK, this also makes it tricky to use the `ZYPPER_OPTIONS`? So no longer DRY.
2023-03-22 22:16:28 +13:00
Brennan Kinney 718eb3461c chore: Revise `Dockerfile`
- Removing bulk of the noise from inline documentation.
- Packages bundled into single line like previous the Alpine version had.
- `CACHE_ZYPPER` is only used as an `ARG` in the `builder` stage.
- `zypper clean` wasn't able to clear anything from the install root, other than the `CACHE_ZYPPER` mount.
2023-03-22 21:31:34 +13:00
Brennan Kinney 0b86094ab9 fix: `WORKDIR` before `adduser` avoids surprises
The additions from `adduser` reading `/etc` does not appear to apply if the directory already exists, and permissions (including SGID) are adjusted properly for the home dir.

This mean the excess backup copies in `/etc` are introduced again however.
2023-03-22 21:19:05 +13:00
Brennan Kinney 48c180d0d8 fix: Manually create `testssl` user and home
BusyBox `adduser` was reading config from `/etc` that unnecessarily populates the home folder with various dot files.

Alternative approach is to create the user and home folder manually. This avoids some extra files like the `-` suffixed backup copies from `adduser`.
2023-03-22 21:19:05 +13:00
Brennan Kinney 1392987f01 refactor: Change base image from `alpine:3.17` to `opensuse/leap:15.4` 2023-03-22 21:19:05 +13:00
Dirk d001bba86b Finalize DNS via Proxy
See #2328, original PR #2295 from @w4ntun .

Formally testssl.sh returned an error when it wasn't not possible to determine IP
addresses through DNS resolution, even if --proxy and --ip=proxy flags are set.
The main function always tried to determine IP addresses via DNS and exits with
a fatal error if it cannot do it. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.

This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.

ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.

In addition:
* help() was amended to add --ip=proxy (was only in the ~i/doc dir before)
* amending ~/doc dir to document it's better to add --nodns=min when there's
  no local resolver
2023-03-21 19:40:40 +01:00
Dirk Wetter cb451777d2
Merge pull request #2338 from drwetter/CAstores_update
CA astores update
2023-03-18 20:19:03 +01:00
Dirk Wetter aac696b0a0 Updated root CA stores 2023-03-17 18:06:57 +01:00
Dirk Wetter 6106887fdd Update DST CA 2023-03-17 18:06:03 +01:00
Dirk Wetter 419aae3c98 updates docu to reflekt actual status 2023-03-17 18:05:24 +01:00
Dirk Wetter 2659a13086
Merge pull request #2336 from drwetter/drwetter-patch-4
Update codespell.yml
2023-03-12 18:12:29 +01:00
Dirk Wetter 6cea273a68
Update codespell.yml
add exception for aNULL which should work now
2023-03-12 17:55:10 +01:00
Dirk Wetter b84e182ca2
Merge pull request #2332 from drwetter/sanitize_fileout
Make sure control chars from HTTP header don't end up in html,csv,json
2023-03-12 16:18:20 +01:00
Dirk Wetter 83f67b4fb7
Merge pull request #2333 from drwetter/drwetter-patch-4
Update .gitignore
2023-03-12 16:00:11 +01:00
Dirk Wetter 8643ed4c72
Update .gitignore 2023-03-12 15:57:01 +01:00
Dirk Wetter cacd8c57b1 Add variable htmlfile + filter GOST message
... which is needed for newer LibreSSL/OpenSSL versions
2023-03-12 15:09:24 +01:00
Dirk Wetter 2e33c483dd remove comma in tr as it was interpreted as such 2023-03-12 14:52:11 +01:00
Dirk Wetter fab67d0cca Remove CR in server banner
... which caused a problem in t/32_isHTML_valid.t.

Also the test for an empty server banner was simplified
2023-03-12 14:00:55 +01:00
Dirk Wetter d298b41d2c add aNULL exception to codespell 2023-03-11 14:06:47 +01:00
Dirk Wetter 06506b371e Make sure control chars from HTTP header don't end up in html,csv,json
This addresses the bug #2330 by implementing a function which removes
control characters from the file output format html,csv,json at the
output.

In every instance called there's a check before whether the string
contains control chars, hoping it'll save a few milli seconds.

A tr function is used, omitting LF.

It doesn't filter the terminal output and the log file output.
2023-03-11 13:38:28 +01:00
Dirk 9afa277c02 another indent correction 2023-03-03 12:50:02 +01:00
Dirk 2b6bd2f1dd fix indentation 2023-03-03 12:47:12 +01:00
Dirk 581788ff39 Merge branch '3.1dev' of https://github.com/w4ntun/testssl.sh into w4ntun-3.1dev 2023-03-03 12:31:26 +01:00
Dirk Wetter 88763f47a8
Merge pull request #2326 from drwetter/fix_mime-type
Fix Accept Header
2023-02-20 20:29:14 +01:00
Dirk a14fc5bdcf Fix Accept header
see #2325.

"whenever HTTP/1.1 is used then the Accept header uses "text/*" as a MIME type.
This causes some minor issues with some of the checks we are doing"
2023-02-20 15:01:40 +01:00
Dirk Wetter e57527f3ec
Merge pull request #2321 from drwetter/align_json+terminal@run_cipherlists
Rename 3 jsonIDs in run_cipherlists(): breaking change
2023-02-08 17:07:42 +01:00
Dirk Wetter 8260ca16e2
Merge pull request #2309 from polarathene/chore/dockerfile-improved-copy
chore: Use a single `COPY` by better leveraging `.dockerignore` patterns
2023-02-07 12:23:04 +01:00
Dirk Wetter 363c0d0a69
Merge pull request #2323 from drwetter/drwetter-patch-4
Remove mkdir in Dockerfile
2023-02-07 10:29:08 +01:00
Dirk Wetter f914423978
Remove mkdir in Dockerfile
see https://github.com/drwetter/testssl.sh/pull/2312#pullrequestreview-1286620850
2023-02-07 10:28:26 +01:00
Brennan Kinney 81634ce13d
chore: Bring back group value for `COPY --chown` 2023-02-07 21:36:47 +13:00
Dirk Wetter 1ee21b7f22
Merge pull request #2312 from polarathene/chore/dockerfile-simplify-user
chore(Dockerfile): Simplify `testssl` user creation
2023-02-07 09:03:23 +01:00
Dirk Wetter 64ae161218
Merge branch '3.1dev' into chore/dockerfile-simplify-user 2023-02-07 09:03:15 +01:00
Dirk Wetter 66ebfb2f58 Add changes to CSV baseline 2023-02-06 21:56:54 +01:00
Dirk Wetter 6f881dc70b Rename 3 jsonIDs in run_cipherlists(): breaking change
see #2316 / #2320

AVERAGE --> OBSOLETED
GOOD    --> STRONG_NOFS
STRONG  --> STRONG_FS
2023-02-05 19:32:08 +01:00
Dirk Wetter e87b745c93
Merge pull request #2316 from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
Dirk Wetter 05b4cdcc0d
Merge pull request #2317 from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
David Cooper 3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
David Cooper b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk Wetter 70237b2328
Merge pull request #2313 from polarathene/chore/dockerfile-remove-mkdir
chore: Remove redundant `mkdir`
2023-02-03 19:54:51 +01:00
Dirk Wetter 6c2663aeb6
Merge pull request #2311 from SSLbrain/3.1dev
Feature Trustcor certificates being removed/disabled from root stores #2293
2023-02-02 13:55:07 +01:00
Brennan Kinney 76b8f0c981 chore: Remove redundant `mkdir`
- If local folder ownership is for example `644` it will fail to handle the `COPY` regardless (while `744` would work).
- Creating the directory with higher permissions in the container does not appear to help.
2023-02-02 14:26:16 +13:00
Sole 3670c1e4ad Removed non-relevant CA's that no longer have active certificates. 2023-02-02 01:13:00 +00:00
Brennan Kinney dc7d13b853 chore(Dockerfile): Simplify `testssl` user creation
Create `testssl` user (_and group_) with no password (`-D`) and default their shell to bash (`-s`):
- A group will implicitly be created with the same value as the user. `addgroup testssl` and `-G testssl` are not needed.
- Gecos data (`-g "testssl user"`) doesn't appear relevant to the project to be required? The default gecos value (`Linux User,,,`) should be fine.
2023-02-02 14:07:51 +13:00
Sole 9fc8c33704 Change exception for removed root certificates into easy edit multi-value regular expression for Organization name and making it clear that CA's are actively removed from 1+ root stores. 2023-02-02 00:42:15 +00:00
Brennan Kinney 74892e45c5 chore: Use a single `COPY` by better leveraging `.dockerignore` patterns 2023-02-02 12:49:30 +13:00
Dirk Wetter e02e8be19f
Merge pull request #2306 from drwetter/upgrade_alpine_perf-fix
Upgrade Alpine version for both Dockerfiles
2023-02-01 19:45:57 +01:00
Dirk Wetter beb94d9efc Upgrade Alpine version for both Dockerfiles
... to improve/mitigate performance problems, see #2299.
(musl libc vs. glibc)
2023-02-01 19:40:40 +01:00
Dirk Wetter 5a1a114adc
Merge pull request #2300 from drwetter/dependabot/github_actions/docker/build-push-action-4.0.0
Bump docker/build-push-action from 3.3.0 to 4.0.0
2023-01-31 09:37:28 +01:00
Dirk Wetter 0b5c414970
Merge pull request #2303 from drwetter/nntp_ci_remove
Remove NNTP from CI tests
2023-01-31 09:37:06 +01:00
Dirk Wetter 2e0898c9ef Remove NNTP from CI tests
Maybe for the future we should check whether host is available and
if so then run the test
2023-01-31 09:34:18 +01:00