see #2169, #2168
Added:
* Safari for macOS
* Java 17 LTS
* OpenSSL 3.0.3
* Android 11 and 12
* Go client (1.17)
* Firefox 100, Chrome and Edge 101 using Win10
* Thunderbird 91.9
* AppleMail
* LibreSSL from MacOS
* disabled Java 12 and Safari on OS X 10.12
* disabled Android < 6.0
* documention update how to add a client simulation
* add curves-mapping.txt file
As jsonID is not set by run_crime, make the fileout invocation for
servers supporting only TLS 1.3 use the literal "CRIME_TLS" instead.
Previously running testssl with CSV or JSON output would produce an item
with the wrong ID.
On macOS in dark mode the git tag in grey wasn't visible. It was
changed now to light grey. It also works at least on Linux
using a light terminal background.
The NNTP server which we used for STARTTLS checks seems ofen
not to work. Thus this PR removes that for the 3.0 branch.
In rare? occassions where the STARTTLS FEAT request only displays AUTH instead
of AUTH TLS, testssl.sh fails as it cannot upgrade to TLS.
Required by RFC 4217 is only AUTH ("MUST"), AUTH TLS is optional ("should"), see section 6.
This PR relaxes the presence of TLS after AUTH and fixes#2132 for the 3.0 branch.
run_server_preference() calls "default_proto=$(get_protocol $TMPFILE)" even if all attempts to connect to the server failed. This will result in default_proto incorrectly being set to TLS 1.2. This commit fixes the issue by only calling get_protocol() if an attempt to connect to the server was successful.
With a TLS 1.3 connection, a session ID will only appears as part of a post-handshake session ticket. However, with OpenSSL 1.1.1 or newer when using $OPENSSL s_client as it is called in determine_optimal_proto() (i.e., with "< /dev/null"), a post-handshake session ticket will usually not be received, even if the server supports it. With versions of LibreSSL that support TLS 1.3, a post-handshake session ticket is never displayed (even without "< /dev/null"). This can result in NO_SESSION_ID incorrectly being set to true.
This commit fixes the issue by setting NO_SESSION_ID to true by default, and then setting it to false if a session ID is returned by any connection to the server.
OpenSSL 3.X pretty prints certificates in a slightly different way than previous versions, and this breaks the code for getting the URIs from the CRLDP extension.
This commit fixes the issue by having awk search for additional possible strings to start the CRL Distribution Points output. Unless the CRLDP extension is malformed, it will begin with "Full Name", "Relative Name", "Reasons", or "CRL Issuer".
This commit fixes yet another issue with using OpenSSL 3.X with the 3.0 branch. When $OPENSSL is used to obtain a fingerprint, OpenSSL 3.X prepends the fingerprint with "sha1" or "sha256" rather than "SHA1" or "SHA256".
OpenSSL 3.0.X uses different names for some elliptic cures in the "Server Temp Key" line than previous previous versions. This commit addresses this issue by checking for both names.
There is at least one server that will not negotiate TLS_DHE_* cipher suites with TLS 1.2 and below if the supported_groups extension is present but does not include any DH groups. This commit adds the DH groups that are currently in the TLS 1.3 ClientHello to the TLS 1.2 and earlier ClientHello.
This commit changes prepare_tls_clienthello() so that the RSA-PSS algorithms are offered in the signature algorithms extension of TLS 1.2 and below ClientHello messages.
Under Darwin using LibreSSL it was not possible to test for session
resumption by session ID.
This fixes the issue #2096 for 3.0 by checking not only the return value of the
s_client hello but also whether a probable certificate is being returned.
It is now being tested whether the binary locale exists and
there's a global introduced for that.
Also there's no fileout warning at this early stage anymore
as it leads to non-valid JSON
Therefore a new global function was declared checking whether any of
the known locales work on the client without seeting them.
C / POSIX should work as well for LC_COLLATE.
This fixes#2100 for 3.0 .
