Commit 242e94c3 authored by ChangZhuo Chen's avatar ChangZhuo Chen

New upstream version 2.9.5-1+dfsg1

parent 8a4e8255
##### Credits also to
##### Credits to
* Peter Mosmans
- started way better cmd line parsing
- cleanups, fixes
- openssl sources support with the "missing" features
- started way better cmd line parsing
- cleanups, fixes
- openssl sources support with the "missing" features
* John Newbigin
- Proxy support (sockets and openssl)
- Proxy support (sockets and openssl)
* Jonathan Roach
- TLS_FALLBACK_SCSV checks
- TLS_FALLBACK_SCSV checks
* Mark Felder
- lots of cleanups
- Shellcheck static analysis
- lots of cleanups
- Shellcheck static analysis
* Frank Breedijk
- Detection of insecure redirects
- JSON and CSV output
- CA pinning
- Client simulations
- CI integration, test cases for it
- Detection of insecure redirects
- JSON and CSV output
- CA pinning
- Client simulations
- CI integration, some test cases for it
* David Cooper
- Detection + output of multiple certificates
- several cleanups of server certificate related stuff
- several fixes
- improved parsing of TLS ServerHello messages
- speed improvements when testing all ciphers
- extensive CN <--> hostname check
- seperate check for curves
- Detection + output of multiple certificates
- several cleanups of server certificate related stuff
- extended parsing of TLS ServerHello messages
- testssl.sh -e/-E: testing with a mixture of openssl + sockets
- finding more TLS extensions via sockets
- extensive CN+SAN <--> hostname check
- seperate check for curves
- RFC 7919, key shares extension
- parallel mass testing!
- RFC <--> OpenSSL cipher name space switches for the command line
- numerous fixes
* Steven Danneman
- Postgres and MySQL STARTTLS support
* Thomas Patzke:
- Support of supplying timeout value for openssl connect
- Christoph Badura
- NetBSD fixes
* Oleksandr Nosenko
- non-flat JSON support (--json-pretty)
- in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level
* Christoph Badura
- NetBSD fixes
* Jean Marsault
- client auth: ideas, code snipplets
* Maciej Grela
- client auth: ideas, code snipplets
* Maciej Grela
- colorless handling
* Olivier Paroz
- conversion xxd --> hexdump stuff
- conversion xxd --> hexdump stuff
* @typingArtist
- improved BEAST detection
* @f-s
- ARM binary support
- ARM binary support
* Jeroen Wiert Pluimers
- Darwin binaries support
* Julien Vehent
- supplied 1st Darwin binary
- supplied 1st Darwin binary
* Rechi
- initial MX stuff
- fixes
- initial MX stuff
- fixes
* Laine Gholson
- avahi/mDNS support
- HTTP2/ALPN
- bugfixes
- former ARM binary support
- avahi/mDNS support
- HTTP2/ALPN
- bugfixes
- former ARM binary support
* Дилян Палаузов
- bug fix for 3des report
- reported a tricky STARTTLS bug
- bug fix for 3des report
- reported a tricky STARTTLS bug
* Viktor Szépe
- color function maker
- color function maker
* Thomas Martens
- colorblind
- adding colorblind option
- no-rfc mapping
* Jonathon Rossi
......@@ -82,17 +96,18 @@
- and other Darwin fixes
* @nvsofts (NV)
- LibreSSL patch for GOST
- LibreSSL patch for GOST
* Markus Manzke:
- Fix for HSTS + subdomains
- LibreSSL patch
* Markus Manzke
- Fix for HSTS + subdomains
- LibreSSL patch
* Dmitri S
- inspiration & help for Darwin port
- inspiration & help for Darwin port
Others I forgot to mention which did give me feedback, bug reports and helped one way or another.
* Bug reports:
- Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl, Frank Breedijk
##### Last but not least:
......@@ -100,5 +115,5 @@
* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data
* my family for supporting me doing this work
* My family for supporting me doing this work
## Intro
[![Build Status](https://travis-ci.org/drwetter/testssl.sh.svg?branch=master)](https://travis-ci.org/drwetter/testssl.sh)
[![Build Status](https://travis-ci.org/drwetter/testssl.sh.svg?branch=master)](https://travis-ci.org/drwetter/testssl.sh)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
`testssl.sh` is a free command line tool which checks a server's service on
......@@ -26,55 +26,62 @@ cryptographic flaws.
going on and you can change it.
* Heck, even the development is open (github)
#### Status
#### Installation
You can download testssl.sh by cloning this git repository:
_Here in the master branch you find the stable version 2.8rc3 of the software, it
superseds 2.6. Version 2.8 is currently being finalized_ . 2.9dev is the new
developement branch For the **a more thorough description of the command line options**
please see [testssl.sh](https://testssl.sh/ "Go to the site with the stable version
and more documentation") or https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Or help yourself downloading the ZIP archive
https://github.com/drwetter/testssl.sh/archive/2.9.5.zip. Then ``testssl.sh
--help`` will give you some help upfront. More help: see doc directory. Older
sample runs are at https://testssl.sh/.
#### Compatibility
testssl.sh is working on every Linux/BSD distribution out of the box with
some limitations of disabled features from the openssl client -- some
workarounds are done with bash-socket-based checks. It also works on other
unixoid system out of the box, supposed they have `/bin/bash` and standard
tools like sed and awk installed. MacOS X and Windows (using MSYS2 or
cygwin) work too. OpenSSL version >= 1 is a must. OpenSSL version >= 1.0.2
is needed for better LOGJAM checks and to display bit strengths for key
exchanges.
#### Features in [2.8 stable](Readme.md#stable)
Done so far:
* Trust chain check against certificate stores from Apple (OS), Linux (OS),
Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
* IPv6 (status: 80% working, details see
https://github.com/drwetter/testssl.sh/issues/11
* works now on servers requiring a x509 certificate for authentication
* extensive CN <--> hostname check
* SSL Session ID check
* Avahi/mDNS based name resolution
* HTTP2/ALPN protocol check
* Logging to a file / dir
* Logging to (flat) JSON + CSV
* HPKP checks now also for Root, intermediate SPKIs
* Check for multiple server certificates
* Browser cipher simulation: what client will connect with which cipher + protocol
* GOST cipher+certificate improvements
* Assistance for color-blind users
* Even more compatibility improvements for FreeBSD, NetBSD, Gentoo, RH-ish, F5 and Cisco systems
* Considerable speed improvements for each cipher runs (-e/-E)
* More robust SSLv2 + TLS socket interface
* seperate check for curves
* OpenSSL 1.1.0 compliant
* check for DROWN
* Whole number of bugs squashed
testssl.sh is working on every Linux/BSD distribution out of the box. In 2.9.5 most
of the limitations of disabled features from the openssl client are gone due to bash-socket-based
checks. testssl.sh also works on other unixoid system out of the box, supposed they have
`/bin/bash` and standard tools like sed and awk installed. System V needs to have GNU versions
of grep installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL
version >= 1.0.2 is recommended, you will get further with earlier openssl versions in
this interim release though as most of the checks in 2.9 are done via sockets.
Update notification here or @ [twitter](https://twitter.com/drwetter).
#### Status
2.9.5 is an interim release snapshot from the current 2.9dev version. It
has reached a point which is considered to be mature enough for day-to-day
usage before taking the next step in the development of this project.
2.9.5 has less bugs and has evolved considerably since 2.8.
#### Features implemented in 2.9.5
* TLS 1.2 protocol check via socket in production
* Way better coverage of ciphers as most checks are done via sockets, using bash sockets where ever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
* Finding more TLS extensions via sockets
* TLS Supported Groups Registry (RFC 7919), key shares extension
* Non-flat JSON output support
* File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output)
* Native HTML support instead going through 'aha'
* LUCKY13 and SWEET32 checks
* Ticketbleed check
* LOGJAM: now checking also for known DH parameters
* Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning
* Check for CAA RR
* Check for OCSP must staple
* Check for Certificate Transparency
* Check for session resumption (Ticket, ID)
* Better formatting of output (indentation)
* Choice showing the RFC naming scheme only
* Parallel mass testing
* File input for mass testing can be also in nmap grep(p)able (-oG) format
* Postgres und MySQL STARTTLS support
* Man page
#### Contributions
......@@ -82,20 +89,15 @@ Contributions, feedback, bug reports are welcome! For contributions please
note: One patch per feature -- bug fix/improvement. Please test your
changes thouroughly as reliability is important for this project.
There's [coding guideline](https://github.com/drwetter/testssl.sh/wiki/Coding-Style).
There's a [coding guideline](https://github.com/drwetter/testssl.sh/wiki/Coding-Style).
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues.
#### Documentation
For a start see the
[wiki](https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation).
Help is needed here.
#### Bug reports
Please file bugs in the issue tracker. Do not forget to provide detailed information, see https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. (Nobody can read your thoughts
-- yet. And only agencies your screen) ;-)
Please file bugs in the issue tracker. Do not forget to provide detailed information,
see https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. Nobody can read your
thoughts -- yet. And only agencies your screen ;-)
----
......@@ -107,7 +109,7 @@ respective projects
#### Cool web frontend
* https://github.com/TKCERT/testssl.sh-webfrontend
#### mass scanner w parallel scans and elastic searching the results
#### Mass scanner w parallel scans and elastic searching the results
* https://github.com/TKCERT/testssl.sh-masscan
#### Ready-to-go docker images are available at:
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
......@@ -5,30 +5,30 @@ The certificate stores were retrieved by
* Mozilla; see https://curl.haxx.se/docs/caextract.html
* Linux: Just copied from an up-to-date Linux machine
* Microsoft: For Windows >= 7/2008 Microsoft decided not to provide
a full certificate store by default or via update as all other OS do.
It's being populated with time -- supposed you use e.g. IE while browsing.
Thus this file is smaller as the others.
This store was destilled from three different windows installations via
"certmgr.msc". It's a PKCS7 export of "Trusted Root Certification Authorities"
and the Third Party Store.
Feedback is welcome, see #317.
It's still behind what MS publishes what [should be included](http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx).
Unfortunately there doesn't seem to be store to DL. Let me know if
you have a pointer
* Apple: It comes from Apple OS X keychain app. Open Keychain Access.
In the Finder window, under Favorites --> "Applications" --> "Utilities"
* Microsoft: Following command pulls all certificates from Windows Update services: (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions): ``CertUtil -syncWithWU -f -f . ``.
* Apple: It comes from Apple OS X keychain app. Open Keychain Access utility, i.e.
In the Finder window, under Favorites --> "Applications" --> "Utilities"
(OR perform a Spotlight Search for Keychain Access)
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
--> "Category" --> "All Items"
Select all CA certificates, "File" --> "Export Items"
Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
In this directory you can also save e.g. your company Root CA(s) in PEM
format, extension ``pem``. This has two catches momentarily: You will still
In this directory you can also save e.g. your company Root CA(s) in PEM
format, extension ``pem``. This has two catches momentarily: You will still
get a warning for the other certificate stores while scanning internal net-
works. Second catch: If you scan other hosts in the internet the check against
works. Second catch: If you scan other hosts in the internet the check against
your Root CA will fail, too. This will be fixed in the future, see #230.
#### Mapping files
The file ``mapping-rfc.txt`` uses the hexcode to map OpenSSL names
against the RFC/IANA names. ``curves.txt`` is not being used yet, it
is supposed to map EC curve names properly.
#### Further needed files
* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
``~/utils/create_ca_hashes.sh`` for an update
* ``common-primes.txt`` is used for LOGJAM
* ``client-simulation.txt`` as the name indicates it's the data for the client simulation. Use
``~/utils/update_client_sim_data.pl`` for an update. Note: This list has been manually
edited to sort it and weed it out.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
#!/usr/bin/env perl
use strict;
use Test::More;
use Data::Dumper;
use JSON;
my (
$out,
$json,
$json_pretty,
$found,
$tests
);
$tests = 0;
#1
pass("Running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
$out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
cmp_ok(@$json,'>',0,"At least 1 finding is expected"); $tests++;
foreach my $f ( @$json ) {
if ( $f->{severity} eq "INFO" ) {
$found = 1;
last;
}
}
is($found,0,"We should not have any finding with INFO level"); $tests++;
#2
pass("Running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
$out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`;
$json_pretty = json('tmp.json');
unlink 'tmp.json';
$found = 0;
my $vulnerabilities = $json_pretty->{scanResult}->[0]->{vulnerabilities};
foreach my $f ( @$vulnerabilities ) {
if ( $f->{severity} eq "INFO" ) {
$found = 1;
last;
}
}
is($found,0,"We should not have any finding with INFO level"); $tests++;
done_testing($tests);
sub json($) {
my $file = shift;
$file = `cat $file`;
unlink $file;
return from_json($file);
}
......@@ -14,8 +14,9 @@ my (
);
# OK
pass("Running testssl.sh against ssl.sectionzero.org"); $tests++;
$out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`;
$out = `./testssl.sh --headers --jsonfile tmp.json --color 0 ssl.sectionzero.org`;
$json = json('tmp.json');
unlink 'tmp.json';
# It is better to have findings in a hash
# Look for a host cert match in the process.
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment