Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-10 19:46:05 +02:00
Code Issues Packages Projects Releases Wiki Activity
testssl.sh/bin/Readme.md
Dirk 3a414d60bf Comment the removal of binaries
2025-03-30 18:14:41 +02:00

2.8 KiB
Raw Blame History

Binaries

The precompiled binaries provided here have extended support for weak crypto which is normally not in OpenSSL or LibreSSL: 40+56 Bit, export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty features needed for testing if you just want to test with binaries. They also come with extended support for some new / advanced cipher suites and/or features which are not in the official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.

However testssl.sh has emerged, and some time back it is using bash sockets for checks if the binary does not support a specific feature. So since then you could also use the OpenSSL / LibreSSL binary from your vendor. Check using binaries instead of bash sockets run a bit faster though. Also the usage of these binaries became more and more of a limited value:They don't support e.g. TLS 1.3 and newer TLS 1.2 ciphers. OTOH servers which only offer SSLv2 and SSLv3 became less common and we use for the majority of checks in testssl.sh sockets and not this binary. As a result the 3.2 release will probably be the last distribution where we will include these binaries.

Security notices

The important thing upfront: DO NOT USE THESE BINARIES FOR PRODUCTION PURPOSES. A lot of security restrictions have been removed because we want to test how bad the servers are.

More

In general these binaries are not needed anymore as weak crypto is covered by bash sockets if the binary from the vendor can't handle weak crypto. In the future release they will ne retired.

Testing with openssl however is at the moment faster opposed to using bash sockets. And binaries can handle protocols (/better) once the SSL/TLS connection is established, like retrieving the HTTP header.

General

The (stripped) binaries this directory are all compiled from the old OpenSSL snapshot which adds a few bits to Peter Mosman's openssl fork. The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports. More, see the README.md. Also, as of now, a few CVEs were fixed.

Compiled Linux and FreeBSD binaries so far came from Dirk, other contributors see ../CREDITS.md . Binaries for more architectures see contributed builds @ https://testssl.sh/.

A few binaries were removed in the latest edition, which are Kerberos binaries and 32 Bit binaries. The diff krb5-ciphers.diff shows the additional ciphers when using the kerberos binary.

Compilation instructions

See https://github.com/testssl/openssl-1.0.2.bad/00-testssl-stuff/Readme.md