Dirk
bfedc4bec9
FIX #144 : reverse screw up of hpkp function for BSD/Darwin
2015-07-21 20:35:49 +02:00
Dirk
9ffdf7f580
awk fixes for MSYS2 FIX #141 , #FIX 140
2015-07-21 14:20:15 +02:00
Jonathon Rossi
ff25b6e86f
Fix bash 3 support
...
Mac OS X ships with bash 3, not 4. The case statement fallthrough and
continue operators were added in bash 4.
2015-07-21 15:11:20 +10:00
Dirk Wetter
8edfa5e3ff
* GOST ciphers sometimes missing during scan
...
* help was not precise wrt some arg w no params
2015-07-20 14:05:35 +02:00
Dirk Wetter
cbbe7d8dce
word match for -V / -x now only for non-numbers: testssl.sh -x cc google.com tests for chacha ciphers
...
(before only word matching was done e.g.: testssl.sh -x ECDH chase.com
2015-07-17 15:58:07 +02:00
Dirk Wetter
51909825de
* path display error in banner fixed
2015-07-17 14:58:12 +02:00
Dirk Wetter
26a7d44137
* STARTTLS_SLEEP
...
* resolved misleading output STARTTLS + socket
* fixed poodle ciphers in code (but not used yet)
2015-07-17 14:33:23 +02:00
Dirk Wetter
b00cc33e4f
* display shortened path to $OPENSSL in banner
2015-07-17 13:25:39 +02:00
Harald Wagener
fc952b409a
Update testssl.sh
...
Fix typo.
2015-07-17 11:05:07 +02:00
Dirk Wetter
370bcc3339
- Provide Darwin binaries and paths thereto
...
- provide also other static bins in $PWD/bin
2015-07-16 23:01:10 +02:00
Dirk Wetter
f9fd900e0f
* EV certificate detection
...
* SSLv2 + STARTTLS protocol check always uses sockets now
* STARTTLS protocol now returns over sockets the TLS time (if available)
* few LibreSSL output oddities fixes
* output corrections for STARTTLS
* additional path for binaries (we change the path soon but leave both in the code for now)
2015-07-16 17:58:03 +02:00
Dirk
24b8164243
* header flags added
2015-07-14 20:44:04 +02:00
Dirk
8f9dfdf0a5
* misleading warning for DH bits for Negotiated cipher omitted if no DH or EC and OPENSSL <= 1.0.1
2015-07-14 19:58:04 +02:00
Dirk
bdc1146137
* fix for scanning an IP address only
...
* server_preference: cipher adjusted
* some [[ and ]] in loops, hoping to speed up processing a bit
* cosmetic stuff
2015-07-14 17:13:58 +02:00
Dirk
8713ff8a37
fix regression: port 25 is the one for --mx
2015-07-14 12:35:26 +02:00
Dirk
1ae4b121c4
FIX #132 (see also discussions in #133
2015-07-13 23:41:49 +02:00
Dirk
42ecd1b9dd
workaround / FIX #134 (OPENSSL_CONF destroyed lookup via host/dig/nslookup
2015-07-13 23:24:23 +02:00
Dirk
768cc55cb4
* Liferay in header will be marked in yellow
...
* more tries to find openssl binaries (also those in git)
2015-07-12 18:46:27 +02:00
Dirk
2157342d89
* FIX #131 (EC certificate key size was criticized)
...
* FIX: if request w/o SNI didn't succeed it resulted in an ugly openssl error message
* FIX #51 (we try to initialize GOST engine before showing the banner)
2015-07-10 10:23:10 +02:00
Dirk Wetter
3d277b5129
* heartbleed and ccs check enabled per default for STARTTLS
...
* performance improvements for sockets+STARTTLS (still only enabled via EXPERIMENTAL=yes)
2015-07-08 21:30:31 +02:00
Dirk Wetter
02450ef491
cosmetic corrections (output)
2015-07-08 11:34:45 +02:00
Dirk Wetter
eb49c37718
* EXPERIMENTAL=yes is used, testssl.sh uses for protocols, heartbleed, ccs sockets also for STARTTLS!
...
* it's slow though (to be improved)
* renamed vars for proxy
* cleanups
2015-07-07 22:59:31 +02:00
Dirk Wetter
b742c54358
* NEW: xmpphost support
...
* FIX for regression (80e26a75ef), config file GOST
2015-07-06 20:42:43 +02:00
Dirk Wetter
c08baa94b3
* CHANGE: some tuning variable are now booleans (see help)
...
* help() to reflect this
* cleanups
2015-07-06 10:10:46 +02:00
Dirk
80e26a75ef
* Warning if LibreSSL is used #126
...
* FIX for screwed up output for fixed ciphers (FREAK, LOGJAM), see also #126
* GOST support now doesn't complain if MY config file already exists (minor fix)
2015-07-02 16:39:41 +02:00
Dirk
5acfc93d79
* couple of checks for new proxy option from John Newbigin #124
...
* minor cleanups for #124
2015-06-29 23:28:37 +02:00
Dirk
ddd680ac93
* merge #124 from jnewbigin
...
* fix my run time error
2015-06-29 22:29:15 +02:00
Dirk
15a672b521
* assertion vs. condition fixed
2015-06-29 10:41:56 +02:00
Dirk
93f5b8216d
* FIX #125
...
* beautified some code / function names
2015-06-28 13:52:42 +02:00
Dirk
5d78c9421f
* first tls_low_byte is now always 01 in TLS 1.0 --> TLS 1.2 (see openssl)
...
* removing TLS 1.2 check from sockets as IIS has a problem with it
2015-06-24 11:08:09 +02:00
Dirk
e121f944e9
* FIX: added missed downgrade (ret=2) in socket protocol check
...
* resorted helper functions to top
* cleanups (ok, renamed some functions)
2015-06-23 21:54:47 +02:00
Dirk
b575710634
* FIX in --ip=one
...
* straighten help()
* FIX ret value for no response in parse_tls_serverhello
2015-06-23 12:58:40 +02:00
Dirk
ae8f998f8f
* help corrected, -e is standard
2015-06-23 07:56:56 +02:00
Dirk
a6c5a2af0d
* handshake works now with SNI
2015-06-22 23:19:08 +02:00
Dirk
d3c793e6bc
* help without <> now and |
...
* socket SNI issue: As it turns out Apache 2.2/2.4 is not behaving according to https://tools.ietf.org/html/rfc6066#section-3.
2015-06-22 18:32:40 +02:00
Dirk
58a6f501b5
- better addressed no clear fallback responses, see #121
2015-06-20 19:36:11 +02:00
Dirk
633cdc209b
- NEW: IP address detection now in HTTP header
...
- NEW: Varnish and Squid header detected
- NEW: option --ip=one is a shortcut and means just test the first ip
- CSP Report-Only in security headers
- New: Varnish and Squid header detected, OWA header
- all single tests in bold now
- no support for TLS 1.2 spits out "NOT ok" as it is not ok
- Medium ciphers and DES ciphers are not having aNULL and aDH ciphers anymore and have different colors --> ratings
- http-date is now in http header(), tls_time in server_defaults()
- http header reply is indented to same row as server defaults
- http status code is displayed clearly now
- BUGFIX: IPv6 address wasn't displayed
- cleanup
- application banner now in two lines if needed
- try a second time to get a http header if first one fails
- fix: case where % sign in ip address made printf hiccup (sanitized)
- fix: $url was in some functions empty
- fixed bug where some headers were displayed twice
2015-06-19 20:36:32 +02:00
Dirk
59299ce9e1
- FIX #119 (sed -E fails for old sed versions)
...
- std_cipherlists tuned
- fix for selfsigned certs (missed sometimes because of trailing space)
2015-06-17 11:33:29 +02:00
Dirk
06899f3cbf
- introduced Reverse Proxy header
...
- FIX for OWA header
- beautified some header funcs
- fixed GET_REQ1?/HEAD_REQ1?
2015-06-16 23:00:47 +02:00
Dirk
478b8afac7
FIX: bail out better if $NODE doesn't resolve
...
cipher lists now with plural ending
added Liferay-Portal + X-OWA-Version for application banner
new http_header (still leaving old one in)
readability improvements
2015-06-16 19:53:40 +02:00
Dirk
e16ccd06b6
- testing all IP addresses of a node works now (refactoring of parse_hn_port into three functions) FIX #96
...
- SNI is unset if STARTTLS is set
- some BSD fixes (sed)
2015-06-16 14:04:44 +02:00
Dirk
4432faf497
"--ip" works now (see help)
...
little cleanups
2015-06-15 12:13:16 +02:00
Dirk
a98b67013a
FIX #116
...
CRIME is lightred/litegreen as it is not that bad as ccs or heartbleed
resorted some functions
2015-06-11 21:41:25 +02:00
Dirk
bdff6ba1bd
- TLS_FALLBACK* was missing in the help #22 #118
2015-06-11 18:46:22 +02:00
Dirk
f9e4526f70
- polish of #118
...
- FIX #22
2015-06-11 18:33:06 +02:00
JonnyHightower
dc548f1cfc
Added check for TLS_FALLBACK_SCSV support in local OpenSSL binary.
...
In TLS_FALLBACK_SCSV check, added unique socket address to temporary
file name in order to support multiple simultaneous instances.
2015-06-10 17:38:39 +01:00
JonnyHightower
0e36255fb9
Added a check for TLS_FALLBACK_SCSV
2015-06-08 17:19:34 +01:00
Dirk
0f5c4981cb
- more or less desperate try to figure out the real installation path (and find the mapping file)
...
- help extended (equal sign, logjam)
2015-06-02 22:13:19 +02:00
Dirk
4081b2eef4
- wrong arg for dirname ($1)
2015-06-02 15:59:17 +02:00
Dirk
06c3b06a7a
- regression fix on mapping file
2015-06-02 15:53:46 +02:00