testssl.sh

mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-09 19:24:01 +02:00

History

Christoph Settgast fa77a9c80e Deprecate Java 9, its EOL since March 2018

No current distro (Ubuntu, Debian, Fedora) is still shipping it,
Oracle has EOLed it in March 2018 according to

https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

2019-05-06 21:26:30 +02:00

Apple.pem

Updated Trust Stores, Java added

2018-12-14 10:00:23 +01:00

ca_hashes.txt

added MS CA store, see #825

2017-09-19 15:15:54 +02:00

cipher-mapping.txt

Correct new openssl cipher name

2018-11-02 14:04:12 +01:00

client-simulation.txt

Deprecate Java 9, its EOL since March 2018

2019-05-06 21:26:30 +02:00

client-simulation.wiresharked.txt

Remove erroneous DES-CBC-MD5 from Java 11 and 12

2019-05-06 18:07:43 +02:00

common-primes.txt

Remove duplicate common primes

2018-07-23 13:48:18 -04:00

curves.txt

- added values to curve448 + 25519

2016-06-09 13:18:55 +02:00

Java.pem

Updated Trust Stores, Java added

2018-12-14 10:00:23 +01:00

Linux.pem

Updated Trust Stores, Java added

2018-12-14 10:00:23 +01:00

Microsoft.pem

Updated Trust Stores, Java added

2018-12-14 10:00:23 +01:00

Mozilla.pem

Updated store because of Mozilla update

2019-02-21 09:21:19 +01:00

README.md

Clarify client sim data

2019-04-23 10:26:30 +02:00

tls_data.txt

Remove '0a' character from public keys

2018-09-21 17:07:46 -04:00

README.md

Certificate stores

The certificate trust stores were retrieved from

Linux: Copied from an up-to-date Debian Linux machine
Mozilla: https://curl.haxx.se/docs/caextract.html
Java: JRE keystore pulled + extracted with keytool from a Linux machine from $JAVA_HOME/jre/lib/security/cacerts
Microsoft: Following command pulls all certificates from Windows Update services: CertUtil -syncWithWU -f -f . (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
Apple:
1. System: from Apple OS X keychain app. Open Keychain Access utility, i.e. In the Finder window, under Favorites --> "Applications" --> "Utilities" (OR perform a Spotlight Search for Keychain Access) --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
2. Internet: Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to test against e.g. a company internal CA you want to avoid warnings from the certificate stores here it's recommended to use ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>. (The former mechanism was to put the company root CA certificate here.)

Further files

tls_data.txt contains lists of cipher suites and private keys for sockets-based tests
cipher-mapping.txt contains information about all of the cipher suites defined for SSL/TLS
ca_hashes.txt is used for HPKP test in order to have a fast comparison with known CAs. Use ~/utils/create_ca_hashes.sh for an update
common-primes.txt is used for LOGJAM and the PFS section
client-simulation.txt / client-simulation.wiresharked.txt are as the names indicate data for the client simulation. The first one is derived from ~/utils/update_client_sim_data.pl, and manually edited to sort and label those we don't want. The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.