Commit Graph

5478 Commits

Author SHA1 Message Date
Dirk Wetter ffbc439897 fix yet another typo 2026-07-14 20:04:52 +02:00
Dirk Wetter 7956a222c1 Merge pull request #3098 from testssl/drwetter-patch-1
Create SECURITY.md
2026-07-14 19:58:21 +02:00
Dirk Wetter 4e3fdab08e Update Readme.md 2026-07-14 19:56:35 +02:00
Dirk Wetter 1e80984577 Update SECURITY.md 2026-07-14 19:52:06 +02:00
Dirk Wetter 0bd118e657 Fix typo in comment, add improvement for LLM 2026-07-14 19:48:10 +02:00
Dirk Wetter 6c4e0f257f Create SECURITY.md 2026-07-14 19:29:14 +02:00
Dirk Wetter 580bffeb0f Merge pull request #3096 from ericcgu/fix/3095-ipv6-proxy-bad-substitution
Fix broken OpenSSL version check for IPv6 proxy in check_proxy() (#3095)
2026-07-14 18:21:29 +02:00
Eric Gu 2940c9503e Fix broken OpenSSL version check for IPv6 proxy in check_proxy() (#3095)
check_proxy() gated IPv6 proxy support on a home-grown version check
${OSSL_VER_MAJOR$}${OSSL_VER_MINOR} -ge 11 at two places, which had a
stray "$" causing a "bad substitution" error. On non-LibreSSL builds
this aborted the rest of check_proxy() for any IPv6 proxy (literal
[addr]:port, or a hostname resolving only to AAAA), so PROXY was never
rebuilt into a valid "-proxy ..." argument and downstream openssl calls
failed with an error mentioning neither IPv6 nor the proxy.

Beyond the typo, the concatenation approach was itself unsound:
OSSL_VER_MINOR carries the patch component (e.g. "1.1" for OpenSSL
1.1.1), so ${OSSL_VER_MAJOR}${OSSL_VER_MINOR} yields "11.1" and
[[ 11.1 -ge 11 ]] is an arithmetic error. Replace both checks with the
dotted-glob idiom used everywhere else in the file for OpenSSL >= 1.1
gates (e.g. testssl.sh:21441, :8216), which is robust and greppable.
2026-07-12 17:10:45 -04:00
Dirk Wetter 611b1b1f39 Merge pull request #3091 from ericcgu/fix/3090-html-xss-pr-url
Fix stored XSS in HTML report via unescaped Location: header (#3090)
2026-07-12 14:43:29 +02:00
Eric Gu aad4894f77 Fix stored XSS in HTML report via unescaped Location: header (#3090)
pr_url() and pr_boldurl() interpolated their argument directly into
<a href="$1">$1</a> without HTML escaping. The most notable caller
passes the raw HTTP Location: header from the scanned server, so a
malicious HTTPS target could inject arbitrary HTML/JS into an
operator's --htmlfile report. Route both the href attribute and the
link text through the existing html_reserved() escaper, matching the
pattern already used by every other pr_* HTML-output function.
2026-07-11 22:53:36 -04:00
Dirk Wetter 21bf1ff19f Merge pull request #3089 from testssl/03_mini_syntax_check
Small check for semantic unit tests
2026-07-11 22:47:16 +02:00
Dirk Wetter f6a59dc083 Properly premature exit for MacOS 2026-07-11 19:03:05 +02:00
Dirk ed07c763e1 Check on MacOS returned not ok 2026-07-11 17:12:50 +02:00
Dirk Wetter 20a632844b Now fix the existing non-compliant issues
18422:          if [[ $tmp_result -eq 1 ]] && [[ loop_reneg -eq 1 ]]; then
19633:          [[ aaa == bbb ]]    # provoke return code=1

450:TRUSTED1ST=""                           # Contains the `-trusted_first` flag, if this version of openssl supports it

The latter check be amended/corrected later, so that backticks in comments are allowed.
2026-07-11 15:35:21 +02:00
Dirk Wetter cf17bd7629 Merge pull request #3086 from ericcgu/ericcgu-bugfix
bugfix: aesgcm_used --> enc_aesgcm_used
2026-07-11 13:37:12 +02:00
Dirk Wetter 49c26b7e36 perl-style grep for mac
so skip the while thing
2026-07-10 22:25:49 +02:00
Dirk 27c432e95d Add more checks
recommended by Claude Sonnet 5

The backtick pattern will fail in a comment. To be fixed later
2026-07-10 20:20:38 +02:00
Dirk 0c16ebd6b9 Small check for semantic check
Staring with a simple pattern for checking for non-variables at left hand
side like [[ LHS == $value ]]. The file is supposed be amended in the future.

This fixes #3074 .

Upon commit it fails first as there are two instances which will be detected
(one is deliberate but will be changed too) .
2026-07-10 19:33:08 +02:00
Dirk Wetter 1be2f7472a Merge pull request #3088 from testssl/patch-1
Update pull_request_template.md
2026-07-10 16:48:58 +02:00
Dirk Wetter b7fb813edf Update pull_request_template.md 2026-07-10 16:47:43 +02:00
Dirk Wetter a46c8baad5 Merge pull request #3084 from testssl/fix_tls13_only_hosts
Fix confusion when scanning TLS-1.3-only hosts
2026-07-10 16:41:40 +02:00
Dirk Wetter 0ddba7301e Fix double mistake 🙁 2026-07-10 15:22:34 +02:00
Dirk Wetter d1da2c1dea fix spelling 2026-07-10 13:55:33 +02:00
Dirk Wetter cbd2b4da1e Add HAS_LDAP to global vars
... and bail out if it is not supported.
2026-07-10 13:51:39 +02:00
Dirk Wetter d7f5095042 Exempt MacOS with LibreSSL to run STARTTLS via LDAP 2026-07-10 13:40:03 +02:00
Eric Gu (@ericguuu) 5a69b1c344 bugfix: aesgcm_used --> enc_aesgcm_used 2026-07-09 08:45:38 -04:00
Dirk Wetter 8dce14187d Fix confusion when scanning TLS-1.3-only hosts
When scanning hosts which offer only TLS 1.3 under some circumstances (e.g. using
MacOS) the scan stopped and prompted the user . It happened always when $OPENSSL
supported TLS 1.3. It did not when this was not the case.

This fixes that (see #3083) for 3.3dev by just skipping the rest in determine_optimal_proto()
when TLS13_ONLY is true.

Also it fixes missing line feeds for servoce detecttion and order in which DNS HTTPS
RR are displayed.
2026-07-09 13:13:15 +02:00
Dirk Wetter deda4c7627 Merge pull request #3080 from ericcgu/ericcgu-patch-1
fix: inverted return check in sym-encrypt() at testssl.sh:14741 makes …
2026-07-08 20:45:06 +02:00
Dirk Wetter 044cfee81b Merge pull request #3078 from testssl/fix_empty_httpsrr
Fix empty result for HTTPS_RR for Mac and friends
2026-07-08 18:24:45 +02:00
Dirk Wetter 62ca07cc33 Merge pull request #3059 from TheraNinjaCat/fix-cert-trust-wildcard-identifier-3051
Fixed 'cert_trust_wildcard' identifier when multiple certificates are…
2026-07-08 18:24:14 +02:00
Eric Gu (@ericguuu) 09a17c0cc1 fix: nverted return check in sym-encrypt() at testssl.sh:14741 makes the function return error 7 on every success.
[BUG / possible BUG] Inverted return check in sym-encrypt() at testssl.sh:14741 makes the function return error 7 on every success. The tm_out line at testssl.sh:14743 is unreachable.
 #3079
2026-07-08 08:28:33 -04:00
Dirk 2dba5fea1b fix typo 2026-07-06 11:41:18 +02:00
Dirk 44d6b7adbf Fix empty result for HTTPS_RR for Mac and friends
... also improve error handling by adding return values in
*https_rr functions.

The error for ~Macs occured because for interpretation of
raw TYPE65 DNS data it was just 1 returned instead of 0
--for empty records.
2026-07-06 11:36:15 +02:00
TheraNinjaCat 36e5d3df3f Fixed 'cert_trust_wildcard' identifier when multiple certificates are present. 2026-06-28 21:07:10 +12:00
Dirk Wetter 9fdf8028ba Merge pull request #3076 from SteveVaneeckhout/fix-ipv4-only-flag-ignored
Fix -4/-6 flag being ignored when no specific test is selected
2026-06-25 22:34:27 +02:00
Dirk Wetter df6cd77195 Merge pull request #3075 from lapo-luchini/3.3dev_fix_escaping
Fix escaping.
2026-06-23 23:15:43 +02:00
Lapo Luchini 0db7ab0d49 Fix escaping. 2026-06-23 09:43:55 +02:00
Dirk Wetter 56ba1ab229 Merge pull request #3047 from testssl/https_rr
Provide DNS HTTPS RR functionality
2026-06-22 18:16:35 +02:00
github-actions[bot] f284366aee Auto-generate docs from testssl.1.md [skip ci] 2026-06-22 14:38:35 +00:00
Dirk Wetter 859d24df20 HTTPS DNS RR in manual 2026-06-22 16:37:32 +02:00
Dirk Wetter 50966dc1d6 Merge branch '3.3dev' into https_rr 2026-06-22 16:26:38 +02:00
Dirk Wetter dca6434604 Compare QUIC section with DNS HTTPS RR
Also: make "A(AAA) record via:" bold, to be in line with the other keys
2026-06-22 16:20:13 +02:00
Dirk Wetter 7e97b243d1 Introduce global HTTPS_RR variable
... which is initialized with "initt" to distinguish between not being tested yet and no value.
We only display the value once per $NODE for the first IP address being tested.

HTTPS_RR doesn't have to be reset in reset_hostdepended_vars()

Few comments were added / indentation fixed (not relevant to this PR)
2026-06-22 14:59:13 +02:00
Dirk Wetter 689516c378 Merge pull request #3073 from testssl/my-patch-2
clarify what a breaking change is
2026-06-22 13:06:55 +02:00
Dirk Wetter 492882577d clarify what a braking change is 2026-06-22 13:01:56 +02:00
Dirk Wetter 8b653d0abf Merge pull request #3072 from testssl/my-patch-1
AI section + minor improvements
2026-06-22 12:56:35 +02:00
Dirk Wetter a75e25a958 Minor changes 2026-06-22 12:55:45 +02:00
Dirk Wetter 74ba0c4f1e Add links 2026-06-22 12:47:24 +02:00
Dirk Wetter efab5f9165 AI section + minor improvements
- AI generated code becomes more important, so we add a new section (albeit bash support is not really as good as for other languages).
- streamlined comment, which is a comment
2026-06-22 12:33:11 +02:00
Dirk Wetter a55fc6d5d4 Merge pull request #3071 from testssl/potato-20-revive-hsts-preload
Potato 20 revive hsts preload
2026-06-20 18:34:54 +02:00