Merge branch '3.2' into mac_runner

Author: drwetter

.github/workflows/docker-3.2.yml

@@ -15,10 +15,8 @@ env:
   GIT_BRANCH: "3.2"
 
 jobs:
-
   deploy:
     runs-on: ubuntu-24.04
-
     steps:
       - name: lowercase the repository name
         run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
@@ -59,7 +57,6 @@ jobs:
           context: .
           file: Dockerfile.alpine
           platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
-          build-args: GIT_BRANCH
           cache-from: type=gha, scope=${{ github.workflow }}
           cache-to: type=gha, scope=${{ github.workflow }}
           labels: ${{ steps.docker_meta.outputs.labels }}

Dockerfile

@@ -6,50 +6,61 @@ ARG INSTALL_ROOT=/rootfs
 FROM opensuse/leap:${LEAP_VERSION} AS builder
 ARG CACHE_ZYPPER=/tmp/cache/zypper
 ARG INSTALL_ROOT
-RUN \
-  # /etc/os-release provides ${VERSION_ID} for usage in ZYPPER_OPTIONS:
-  source /etc/os-release \
-  # We don't need the openh264.repo and the non-oss repos, just costs build time (repo caches).
-  && zypper removerepo repo-openh264 repo-non-oss repo-update-non-oss \
-  && export ZYPPER_OPTIONS=( --releasever "${VERSION_ID}" --installroot "${INSTALL_ROOT}" --cache-dir "${CACHE_ZYPPER}" ) \
-  && zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
-  && zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
-       bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
-  && zypper "${ZYPPER_OPTIONS[@]}" clean --all \
-  ## Cleanup (reclaim approx 13 MiB):
+RUN <<HEREDOC
+  # Remove the `openh264` the `non-oss` repos to save on sync time, they're not needed:
+  zypper removerepo repo-openh264 repo-non-oss repo-update-non-oss
+  # `/etc/os-release` provides the `VERSION_ID` variable for usage in `ZYPPER_OPTIONS`:
+  source /etc/os-release
+  export ZYPPER_OPTIONS=( --releasever "${VERSION_ID}" --installroot "${INSTALL_ROOT}" --cache-dir "${CACHE_ZYPPER}" )
+
+  # Install packages to a custom root-fs location (defined in `ZYPPER_OPTIONS`):
+  zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh
+  zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
+    bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl
+
+  # Optional - Avoid `CACHE_ZYPPER` from being redundantly cached in this RUN layer:
+  # (doesn't improve `INSTALL_ROOT` size thanks to `--cache-dir`)
+  zypper "${ZYPPER_OPTIONS[@]}" clean --all
+
+  # Cleanup (reclaim approx 13 MiB):
   # None of this content should be relevant to the container:
-  && rm -r "${INSTALL_ROOT}/usr/share/"{licenses,man,locale,doc,help,info} \
-           "${INSTALL_ROOT}/usr/share/misc/termcap" \
-           "${INSTALL_ROOT}/usr/lib/sysimage/rpm"
+  rm -r "${INSTALL_ROOT}/usr/share/"{licenses,man,locale,doc,help,info} \
+    "${INSTALL_ROOT}/usr/share/misc/termcap" \
+    "${INSTALL_ROOT}/usr/lib/sysimage/rpm"
+HEREDOC
 
 
 # Create a new image with the contents of ${INSTALL_ROOT}
 FROM scratch AS base-leap
 ARG INSTALL_ROOT
 COPY --link --from=builder ${INSTALL_ROOT} /
-RUN \
+RUN <<HEREDOC
   # Creates symlinks for any other commands that busybox can provide that
   # aren't already provided by coreutils (notably hexdump + tar, see #2403):
   # NOTE: `busybox --install -s` is not supported via the leap package, manually symlink commands.
-  ln -s /usr/bin/busybox /usr/bin/tar \
-  && ln -s /usr/bin/busybox /usr/bin/hexdump \
-  && ln -s /usr/bin/busybox /usr/bin/xxd \
+  ln -s /usr/bin/busybox /usr/bin/tar
+  ln -s /usr/bin/busybox /usr/bin/hexdump
+  ln -s /usr/bin/busybox /usr/bin/xxd
+
   # Add a non-root user `testssl`, this is roughly equivalent to the `useradd` command:
   # useradd --uid 1000 --user-group --create-home --shell /bin/bash testssl
-  && echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
-  && echo 'testssl:x:1000:' >> /etc/group \
-  && echo 'testssl:!::0:::::' >> /etc/shadow \
-  && install --mode 2755 --owner testssl --group testssl --directory /home/testssl \
-  # The home directory will install a copy of `testssl.sh`, symlink the script to be used as a command:
-  && ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
+  echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd
+  echo 'testssl:x:1000:' >> /etc/group
+  echo 'testssl:!::0:::::' >> /etc/shadow
+  install --mode 2755 --owner testssl --group testssl --directory /home/testssl
+
+  # A copy of `testssl.sh` will be added to the home directory,
+  # symlink to that file so it can be treated as a command:
+  ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
+HEREDOC
 
 # Runtime config:
 USER testssl
 ENTRYPOINT ["testssl.sh"]
 CMD ["--help"]
 
 # Final image stage (add `testssl.sh` project files)
-# Choose either one as the final stage (defaults to last stage, `dist-local`)
+# Choose either one as the final stage (defaults to the last stage, `dist-local`)
 
 # 62MB Image (Remote repo clone, cannot filter content through `.dockerignore`):
 FROM base-leap AS dist-git

Dockerfile.alpine

@@ -1,23 +1,35 @@
+# syntax=docker.io/docker/dockerfile:1
+
 FROM alpine:3.21 AS base-alpine
-RUN apk add --no-cache bash procps drill coreutils libidn curl socat openssl xxd \
-    && addgroup testssl \
-    && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
-    && ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
+RUN <<HEREDOC
+  apk add --no-cache bash procps drill coreutils libidn curl socat openssl xxd
+
+  # Add a non-root user `testssl`, this is roughly equivalent to the `adduser` command:
+  # addgroup testssl && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl
+  echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd
+  echo 'testssl:x:1000:' >> /etc/group
+  echo 'testssl:!::0:::::' >> /etc/shadow
+  install --mode 2755 --owner testssl --group testssl --directory /home/testssl
+
+  # A copy of `testssl.sh` will be added to the home directory,
+  # symlink to that file so it can be treated as a command:
+  ln -s /home/testssl/testssl.sh /usr/local/bin/testssl.sh
+HEREDOC
 
 # Runtime config:
 USER testssl
 ENTRYPOINT ["testssl.sh"]
 CMD ["--help"]
 
 # Final image stage (add `testssl.sh` project files)
-# Choose either one as the final stage (defaults to last stage, `dist-git`)
-
-# 27MB Image (Local repo copy from build context, uses `.dockerignore`):
-FROM base-alpine AS dist-local
-COPY --chown=testssl:testssl . /home/testssl/
+# Choose either one as the final stage (defaults to the last stage, `dist-local`)
 
 # 35MB Image (Remote repo clone, cannot filter content through `.dockerignore`):
 FROM base-alpine AS dist-git
 ARG GIT_URL=https://github.com/testssl/testssl.sh.git
 ARG GIT_BRANCH
 ADD --chown=testssl:testssl ${GIT_URL}#${GIT_BRANCH?branch-required} /home/testssl
+
+# 27MB Image (Local repo copy from build context, uses `.dockerignore`):
+FROM base-alpine AS dist-local
+COPY --chown=testssl:testssl . /home/testssl/

Dockerfile.md

@@ -1,6 +1,6 @@
 ## Usage
 
-Run the image with `testssl.sh` options appended (default is `--help`). The container entrypoint is already set to `testsl.sh` as the command for convenience.
+Run the image with `testssl.sh` options appended (default is `--help`). The container entrypoint is already set to `testsl.sh` for convenience.
 
 ```bash
 docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 --fs github.com
@@ -19,19 +19,19 @@ docker run --rm -it -v /tmp:/data --workdir /data ghcr.io/testssl/testssl.sh:3.2
 
 > [!NOTE]
 > - The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`.
-> - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/).
+> - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`][docker-docs::cli::cp].
 
 ## Images
 
 ### Available at DockerHub and GHCR
 
 You can pull the image from either of these registries:
-- DockerHub: [`drwetter/testssl.sh`](https://hub.docker.com/r/drwetter/testssl.sh)
-- GHCR: [`ghcr.io/testssl/testssl.sh`](https://github.com/testssl/testssl.sh/pkgs/container/testssl.sh)
+- DockerHub: [`drwetter/testssl.sh`][image-registry::dockerhub]
+- GHCR: [`ghcr.io/testssl/testssl.sh`][image-registry::ghcr]
 
 Supported tags:
 - `3.2` / `latest`
-- `3.0` is the old stable version ([soon to become EOL](https://github.com/testssl/testssl.sh/tree/3.0#status))
+- `3.0` is the old stable version ([soon to become EOL][testssl::v3p0-eol])
 
 ### Building the `testssl.sh` container image
 
@@ -47,7 +47,9 @@ There are two base images supported:
 - openSUSE Leap ([`Dockerfile`](./Dockerfile)), glibc-based + faster.
 - Alpine ([`Dockerfile`](./Dockerfile.alpine)), musl-based + half the size.
 
-The Alpine variant is made available if you need broarder platform support, or an image about 30MB smaller at the expense of slightly slower performance.
+The Alpine variant is made available if you need broader platform support, or an image about 30MB smaller at the expense of [slightly slower performance][testssl::base-image-performance].
+
+For contributors, if needing context on the [package selection has been documented][testssl::base-image-packages] for each base image.
 
 #### Tip - Remote build context + `Dockerfile`
 
@@ -58,7 +60,7 @@ docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.s
 ```
 
 > [!NOTE]
-> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts](https://github.com/docker/buildx/issues/3169).
+> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts][build::dockerignore-remote-context].
 
 ---
 
@@ -70,3 +72,11 @@ docker build \
   --file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile.alpine \
   https://github.com/testssl/testssl.sh.git#3.2
 ```
+
+[docker-docs::cli::cp]: https://docs.docker.com/reference/cli/docker/container/cp/
+[image-registry::dockerhub]: https://hub.docker.com/r/drwetter/testssl.sh
+[image-registry::ghcr]: https://github.com/testssl/testssl.sh/pkgs/container/testssl.sh
+[testssl::v3p0-eol]: https://github.com/testssl/testssl.sh/tree/3.0#status
+[testssl::base-image-performance]: https://github.com/testssl/testssl.sh/issues/2422#issuecomment-2841822406
+[testssl::base-image-packages]: https://github.com/testssl/testssl.sh/issues/2422#issuecomment-2841822406
+[build::dockerignore-remote-context]: https://github.com/docker/buildx/issues/3169

Readme.md

@@ -1,11 +1,17 @@
 
 ## Intro
-
-[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
-[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+![GitHub Tag](https://img.shields.io/github/v/tag/testssl/testssl.sh)
+![Static Badge](https://img.shields.io/badge/%2Fbin%2Fbash_-blue)
+![Static Badge](https://img.shields.io/badge/OpenSSL_-blue)
 [![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
+![GitHub Created At](https://img.shields.io/github/created-at/testssl/testssl.sh)
+![GitHub last commit](https://img.shields.io/github/last-commit/testssl/testssl.sh)
+![GitHub commit activity](https://img.shields.io/github/commit-activity/m/testssl/testssl.sh)
+[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
 [![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
-
+![Mastodon Follow](https://img.shields.io/mastodon/follow/109319848143024146?domain=infosec.exchange)
+[![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh)
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
 `testssl.sh` is a free command line tool which checks a server's service on
 any port for the support of TLS/SSL ciphers, protocols as well as some
@@ -23,7 +29,7 @@ cryptographic flaws.
 * Reliability: features are tested thoroughly.
 * Privacy: It's only you who sees the result, not a third party.
 * Freedom: It's 100% open source. You can look at the code, see what's going on.
-* The development is open @ GitHub and participation is welcome.
+* The development is free and open @ GitHub and participation is welcome.
 
 ### License
 
@@ -37,14 +43,14 @@ to get bugfixes, other feedback and more contributions.
 
 ### Compatibility
 
-Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev
+Testssl.sh is working on every Linux/BSD distribution and MacOS out of the box. Latest by 2.9dev
 most of the limitations of disabled features from the openssl client are gone
 due to bash-socket-based checks. An old OpenSSL-bad version is supplied but
 but you can also use any LibreSSL or OpenSSL version.
    testssl.sh also works on other unixoid systems out of the box, supposed they have
 `/bin/bash` >= version 3.2 and standard tools like sed and awk installed. An implicit
 (silent) check for binaries is done when you start testssl.sh . System V needs probably
-to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
+to have GNU grep installed. Windows (using MSYS2, Cygwin or WSL) work too.
 
 Update notification here or @ [mastodon](https://infosec.exchange/@testssl) or [bluesky](https://bsky.app/profile/testssl.bsky.social). [twitter](https://twitter.com/drwetter) is not being used anymore.
 
@@ -74,7 +80,7 @@ docker run --rm -it ghcr.io/testssl/testssl.sh <your_cmd_line>
 Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run
 
 ```
-docker build . -t imagefoo && docker run --rm -t imagefoo example.com
+docker build . -t imagefoo && docker run --rm -t imagefoo testssl.net
 ```
 
 For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
@@ -83,32 +89,33 @@ For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/bl
 
 Usage of the program is without any warranty. Use it at your own risk.
 
-Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
+Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures and sanitize external input, we can't guarantee that the program is without any vulnerabilities. Running as a web service may pose security risks and you're advised to apply additional security measures. Validate input from the user and from all services which are queried.
 
 ### Status
 
-This is the stable release version 3.2. Please use it **now**, as 3.0.x will not get any updates after 3.0.10, with the current manpower we only support n-1 versions. There will be soon a separate 3.3.dev branch where further development takes place before 3.4 becomes the stable version and 3.2 becomes old-stable.
+This is the stable version 3.2. Please use it **now**, as 3.0.x will not get any updates after 3.0.10, with the current manpower we only support n-1 versions. There will be soon a separate 3.3.dev branch where further development takes place before 3.4 becomes the stable version and 3.2 becomes old-stable.
 
 ### Documentation
 
 * .. it is there for reading. Please do so :-) -- at least before asking questions. See man page in groff, html and markdown format in `~/doc/`.
 * [https://testssl.sh/](https://testssl.sh/) will help to get you started.
-* For the (older) version 2.8, Will Hunt provides a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/), including useful background information.
+* There's also a [https://deepwiki.com/testssl/testssl.sh](AI generated doc), see also below.
+* Will Hunt provides a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/) for an older version (2.8), including useful background information.
 
 ### Contributing
 
-A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). Your contributions would be also welcome! There's a [large to-do list](https://github.com/testssl/testssl.sh/issues). To get started look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced, you can also lookout for documentation issues.
+A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). Your contribution would be also welcome! There's an [issue list](https://github.com/testssl/testssl.sh/issues). To get started look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced. You can also lookout for [documentation issues](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue%20state%3Aopen%20label%3Adocumentation), or you can help with [unit testing](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22unit%20test%22) or improving github actions.
 
-It is recommended to read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) and please also have a look at he [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). Before you start writing patches with hundreds of lines, better create an issue first.
+It is recommended to read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) and please also have a look at he [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). Before you start writing PRs with hundreds of lines, better create an issue first.
 
-In general there's also some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute and be responsible to one of those maintenance task, please speak up. That would free resources that we could use for development.
+In general there's also some maintenance burden, like maintaining handshakes and CA stores etc. . If you believe you can contribute and be responsible to one of those maintenance task, please speak up. That would free resources that we could use for development.
 
 
 ### Bug reports
 
 Bug reports are important. It makes this project more robust.
 
-Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
+Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see the template for issues, and further details @
 https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
 
 You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).