5f047db92f
While we are thankful that Ivan Ristic permitted to use the client data from SSLlabs, it became of bit outdated now (see #1158). Also as sslhaf [1] was used, the data comes from HTTP traffic only. This is a start to address it. It provides data from Android 9 (connecting to the play store, so that it is sure we don't capture a ClientHello from an application having an own TLS stack. Also it provides documentation how to grab data yourself, and provide it back to testssl.sh. Aim is at least for testssl.sh 3.0 to add Android 8 and OpenSSL 1.1.1 (@drwetter). My hope others can assist with Safari on OSX 11 and 12. Java 10 and 11, and a recent Opera and Edge version. (Firefox and Chrome are out of date too) Mail clients to follow later. [1] https://github.com/ssllabs/sslhaf
Certificate stores
The certificate trust stores were retrieved from
- Linux: Copied from an up-to-date Debian Linux machine
- Mozilla: https://curl.haxx.se/docs/caextract.html
- Java: JRE keystore pulled + extracted with keytool from a Linux machine from $JAVA_HOME/jre/lib/security/cacerts
- Microsoft: Following command pulls all certificates from Windows Update services:
CertUtil -syncWithWU -f -f .(see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). - Apple:
- System: from Apple OS X keychain app. Open Keychain Access utility, i.e. In the Finder window, under Favorites --> "Applications" --> "Utilities" (OR perform a Spotlight Search for Keychain Access) --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
- Internet: Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
If you want to test against e.g. a company internal CA you want to avoid warnings from the certificate stores here it's recommended to use ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>. (The former mechanism was to put the company root CA certificate here.)
Further files
-
tls_data.txtcontains lists of cipher suites and private keys for sockets-based tests -
cipher-mapping.txtcontains information about all of the cipher suites defined for SSL/TLS -
ca_hashes.txtis used for HPKP test in order to have a fast comparison with known CAs. Use~/utils/create_ca_hashes.shfor an update -
common-primes.txtis used for LOGJAM and the PFS section -
client-simulation.txtas the name indicates it's the data for the client simulation. Use~/utils/update_client_sim_data.plfor an update. Note: This list has been manually edited to sort it and weed it out. In addition the file namedclient-simulation.wiresharked.txtprovides more client data and some instructions how to generate it yourself