mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 04:49:44 +01:00
7d8cf71a94
This commit adds

* a check for the elliptical curves
* and a check for TLS extensions

which will again reduce false positives.

Background:

* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Extensions

Also:

* Docu phrased more precisely (we're not checking ciphers and HTTP Server banner only)
* As a last resort we also take 'Microsoft-HTTPAPI/2.0' as a server header on the HTTPS branch and query the HTTP branch for Microsoft-IIS/8.x.
* $EXPERIMENTAL overrides some banner and service related checks. So that e.g. SMTP servers can also be checked. Last but not least it's a vulnerability of the TLS stack.

For better debugging we'll keep the TLS extensions and offered curves in a file. Also it adds a debug1() function which may be needed on other occasions.

Also the output is better coded as we put "check patches locally to confirm" into a variable.

There's still room for improvement:

* More extensions (see https://raw.githubusercontent.com/cisco/joy/master/doc/using-joy-fingerprinting-00.pdf)
* We could need a separate determine_curves() function, see #1730 as otherwise we can't use the curves in a non-default run.

* ..
* testssl.1
* testssl.1.html
* testssl.1.md