testssl.sh

mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00

History

Christoph Settgast fa77a9c80e Deprecate Java 9, its EOL since March 2018 No current distro (Ubuntu, Debian, Fedora) is still shipping it, Oracle has EOLed it in March 2018 according to https://www.oracle.com/technetwork/java/java-se-support-roadmap.html		2019-05-06 21:26:30 +02:00
..
Apple.pem	Updated Trust Stores, Java added	2018-12-14 10:00:23 +01:00
ca_hashes.txt	added MS CA store, see #825	2017-09-19 15:15:54 +02:00
cipher-mapping.txt	Correct new openssl cipher name	2018-11-02 14:04:12 +01:00
client-simulation.txt	Deprecate Java 9, its EOL since March 2018	2019-05-06 21:26:30 +02:00
client-simulation.wiresharked.txt	Remove erroneous DES-CBC-MD5 from Java 11 and 12	2019-05-06 18:07:43 +02:00
common-primes.txt	Remove duplicate common primes	2018-07-23 13:48:18 -04:00
curves.txt	- added values to curve448 + 25519	2016-06-09 13:18:55 +02:00
Java.pem	Updated Trust Stores, Java added	2018-12-14 10:00:23 +01:00
Linux.pem	Updated Trust Stores, Java added	2018-12-14 10:00:23 +01:00
Microsoft.pem	Updated Trust Stores, Java added	2018-12-14 10:00:23 +01:00
Mozilla.pem	Updated store because of Mozilla update	2019-02-21 09:21:19 +01:00
README.md	Clarify client sim data	2019-04-23 10:26:30 +02:00
tls_data.txt	Remove '0a' character from public keys	2018-09-21 17:07:46 -04:00

README.md

Certificate stores

The certificate trust stores were retrieved from

Linux: Copied from an up-to-date Debian Linux machine
Mozilla: https://curl.haxx.se/docs/caextract.html
Java: JRE keystore pulled + extracted with keytool from a Linux machine from $JAVA_HOME/jre/lib/security/cacerts
Microsoft: Following command pulls all certificates from Windows Update services: CertUtil -syncWithWU -f -f . (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
Apple:
1. System: from Apple OS X keychain app. Open Keychain Access utility, i.e. In the Finder window, under Favorites --> "Applications" --> "Utilities" (OR perform a Spotlight Search for Keychain Access) --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items" Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
2. Internet: Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to test against e.g. a company internal CA you want to avoid warnings from the certificate stores here it's recommended to use ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>. (The former mechanism was to put the company root CA certificate here.)

Further files

tls_data.txt contains lists of cipher suites and private keys for sockets-based tests
cipher-mapping.txt contains information about all of the cipher suites defined for SSL/TLS
ca_hashes.txt is used for HPKP test in order to have a fast comparison with known CAs. Use ~/utils/create_ca_hashes.sh for an update
common-primes.txt is used for LOGJAM and the PFS section
client-simulation.txt / client-simulation.wiresharked.txt are as the names indicate data for the client simulation. The first one is derived from ~/utils/update_client_sim_data.pl, and manually edited to sort and label those we don't want. The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.