905f801309
Remove changes to Dockerfiles Update hashes for CA trust stores |
||
|---|---|---|
| .. | ||
| Apple.pem | ||
| Java.pem | ||
| Linux.pem | ||
| Microsoft.pem | ||
| Mozilla.pem | ||
| README.md | ||
| ca_hashes.txt | ||
| cipher-mapping.txt | ||
| client-simulation.txt | ||
| client-simulation.wiresharked.md | ||
| client-simulation.wiresharked.txt | ||
| common-primes.txt | ||
| curves-mapping.txt | ||
| curves.txt | ||
| openssl.cnf | ||
| tls_data.txt | ||
README.md
Certificate stores
The certificate trust stores were retrieved from
- Linux: Copied from an up-to-date Debian Linux machine
- Mozilla: https://curl.haxx.se/docs/caextract.html
- Java: extracted (
keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias ') from a JDK 15 from https://jdk.java.net/. (use dos2unix). - Microsoft: Following command pulls all certificates from Windows Update services:
CertUtil -syncWithWU -f -f .(see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). - Apple:
- System: from Apple OS X keychain app. Open Keychain Access utility, i.e. In the Finder window, under Favorites --> "Applications" --> "Utilities" (OR perform a Spotlight Search for Keychain Access) --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
- Internet: Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension. Download them with
wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-*/certificates/roots/
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
If you want to check trust against e.g. a company internal CA you need to use ./testssl.sh --add-ca companyCA1.pem,companyCA2.pem <further_cmds> or ADDTL_CA_FILES=companyCA1.pem,companyCA2.pem ./testssl.sh <further_cmds>.
Further files
-
tls_data.txtcontains lists of cipher suites and private keys for sockets-based tests -
cipher-mapping.txtcontains information about all of the cipher suites defined for SSL/TLS -
curves-mapping.txtcontains information about all of the elliptic curves defined by IANA -
ca_hashes.txtis used for HPKP test in order to have a fast comparison with known CAs. Use~/utils/create_ca_hashes.shfor an update -
common-primes.txtis used for LOGJAM and the PFS section -
client-simulation.txt/client-simulation.wiresharked.txtare as the names indicate data for the client simulation. The first one is derived from~/utils/update_client_sim_data.pl, and manually edited to sort and label those we don't want. The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.