testssl.sh

mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00

History

David Cooper 851cd564e6 Check for bad OCSP intermediate certificates This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose. This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.		2020-07-15 11:56:20 -04:00
..
Apple.pem	Update for 3.0	2020-01-09 10:27:09 +01:00
ca_hashes.txt	Needed update after putting all CA store here	2020-01-11 11:45:27 +01:00
cipher-mapping.txt	Correct new openssl cipher name	2018-11-02 14:04:12 +01:00
client-simulation.txt	Add wiresharked Android 7.0 (native)	2020-06-23 15:26:31 +02:00
client-simulation.wiresharked.md	fix language	2020-01-17 11:59:41 +01:00
client-simulation.wiresharked.txt	Add wiresharked Android 7.0 (native)	2020-06-23 15:26:31 +02:00
common-primes.txt	Remove duplicate common primes	2018-07-23 13:48:18 -04:00
curves.txt	- added values to curve448 + 25519	2016-06-09 13:18:55 +02:00
Java.pem	Update Java store	2020-01-10 09:17:57 +01:00
Linux.pem	Update for 3.0	2020-01-09 10:27:09 +01:00
Microsoft.pem	Update store	2020-01-11 11:42:30 +01:00
Mozilla.pem	Update for 3.0	2020-01-09 10:27:09 +01:00
README.md	Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)	2020-04-23 11:20:46 +02:00
tls_data.txt	Allow TLS12_CIPHER to be changed	2019-09-23 15:54:44 -04:00

README.md

Certificate stores

The certificate trust stores were retrieved from

Linux: Copied from an up-to-date Debian Linux machine
Mozilla: https://curl.haxx.se/docs/caextract.html
Java: extracted (keytool -list -rfc -keystore <file> | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias ') from a JRE 8 from https://jdk.java.net/ (previously JRE keystore extracted from $JAVA_HOME/jre/lib/security/cacerts using Linux)
Microsoft: Following command pulls all certificates from Windows Update services: CertUtil -syncWithWU -f -f . (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
Apple:
1. System: from Apple OS X keychain app. Open Keychain Access utility, i.e. In the Finder window, under Favorites --> "Applications" --> "Utilities" (OR perform a Spotlight Search for Keychain Access) --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
2. Internet: Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to check trust against e.g. a company internal CA you need to use ./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds> or ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>.

Further files

tls_data.txt contains lists of cipher suites and private keys for sockets-based tests
cipher-mapping.txt contains information about all of the cipher suites defined for SSL/TLS
ca_hashes.txt is used for HPKP test in order to have a fast comparison with known CAs. Use ~/utils/create_ca_hashes.sh for an update
common-primes.txt is used for LOGJAM and the PFS section
client-simulation.txt / client-simulation.wiresharked.txt are as the names indicate data for the client simulation. The first one is derived from ~/utils/update_client_sim_data.pl, and manually edited to sort and label those we don't want. The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.