testssl.sh/etc
David Cooper 851cd564e6 Check for bad OCSP intermediate certificates
This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose.

This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
2020-07-15 11:56:20 -04:00
..
Apple.pem Update for 3.0 2020-01-09 10:27:09 +01:00
Java.pem Update Java store 2020-01-10 09:17:57 +01:00
Linux.pem Update for 3.0 2020-01-09 10:27:09 +01:00
Microsoft.pem Update store 2020-01-11 11:42:30 +01:00
Mozilla.pem Update for 3.0 2020-01-09 10:27:09 +01:00
README.md Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES) 2020-04-23 11:20:46 +02:00
ca_hashes.txt Needed update after putting all CA store here 2020-01-11 11:45:27 +01:00
cipher-mapping.txt Correct new openssl cipher name 2018-11-02 14:04:12 +01:00
client-simulation.txt Add wiresharked Android 7.0 (native) 2020-06-23 15:26:31 +02:00
client-simulation.wiresharked.md fix language 2020-01-17 11:59:41 +01:00
client-simulation.wiresharked.txt Add wiresharked Android 7.0 (native) 2020-06-23 15:26:31 +02:00
common-primes.txt Remove duplicate common primes 2018-07-23 13:48:18 -04:00
curves.txt - added values to curve448 + 25519 2016-06-09 13:18:55 +02:00
tls_data.txt Allow TLS12_CIPHER to be changed 2019-09-23 15:54:44 -04:00

README.md

Certificate stores

The certificate trust stores were retrieved from

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to check trust against e.g. a company internal CA you need to use ./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds> or ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>.

Further files

  • tls_data.txt contains lists of cipher suites and private keys for sockets-based tests

  • cipher-mapping.txt contains information about all of the cipher suites defined for SSL/TLS

  • ca_hashes.txt is used for HPKP test in order to have a fast comparison with known CAs. Use ~/utils/create_ca_hashes.sh for an update

  • common-primes.txt is used for LOGJAM and the PFS section

  • client-simulation.txt / client-simulation.wiresharked.txt are as the names indicate data for the client simulation. The first one is derived from ~/utils/update_client_sim_data.pl, and manually edited to sort and label those we don't want. The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.