Merge branch '3.2' into mac_runner

Author: drwetter

.github/workflows/docker-3.2.yml

@@ -5,25 +5,30 @@ on:
     branches:
       - 3.2
   workflow_dispatch:
+  # Every week at 8am on Mondays, publish the 3.2 branch:
+  # NOTE: `schedule` event is only triggered for the default branch:
+  # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
   schedule:
     - cron: "0 8 * * 1"
 
 env:
-  BUILD_VERSION: "3.2"
-  DOCKER_CLI_EXPERIMENTAL: enabled
+  GIT_BRANCH: "3.2"
 
 jobs:
 
   deploy:
     runs-on: ubuntu-24.04
 
     steps:
+      - name: lowercase the repository name
+        run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
+
       - name: Source checkout
         uses: actions/checkout@v4
 
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3
 
       - name: Setup Buildx
         id: buildx
@@ -33,31 +38,31 @@ jobs:
         id: docker_meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ github.repository }}
+          images: ${{ env.REPO }}
           labels: |
-            org.opencontainers.image.version=${{ env.BUILD_VERSION }}
+            org.opencontainers.image.version=${{ env.GIT_BRANCH }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.title=${{ github.repository }}
+            org.opencontainers.image.title=${{ env.REPO }}
 
       - name: GitHub login
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/login-action@v3.4.0
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v6.16.0
+        uses: docker/build-push-action@v6
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .
           file: Dockerfile.alpine
           platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
-          build-args: BUILD_VERSION
+          build-args: GIT_BRANCH
           cache-from: type=gha, scope=${{ github.workflow }}
           cache-to: type=gha, scope=${{ github.workflow }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           tags: |
-            ghcr.io/${{ github.repository }}:${{ env.BUILD_VERSION }}
-            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ env.REPO }}:${{ env.GIT_BRANCH }}
+            ghcr.io/${{ env.REPO }}:latest

.github/workflows/unit_tests_ubuntu.yml

@@ -0,0 +1,60 @@
+---
+name: testssl.sh CI with Ubuntu
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'utils/**'
+      - 'doc/**'
+      - 'bin/**'
+      - '**.md'
+      - '**.pem'
+      - '**.pdf'
+      - '**.html'
+      - 'LICENSE'
+      - 'Dockerfile'
+      - 'Dockerfile.alpine'
+
+permissions:
+  contents: read
+
+# see https://github.com/shogo82148/actions-setup-perl
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: ['ubuntu-24.04']
+        perl: ['5.38']
+    name: Unit test on ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up perl
+        uses: shogo82148/actions-setup-perl@v1
+        with:
+          perl-version: ${{ matrix.perl }}
+
+      - name: Install OS dependencies
+        run: |
+          sudo apt install dnsutils jsonlint
+          printf "%s\n" "----------"
+          perl -V
+          printf "%s\n" "----------"
+          curl --version
+          printf "%s\n" "----------"
+          openssl version -a
+          printf "%s\n" "----------"
+          bash --version
+          printf "%s\n" "----------"
+
+      - name: Install perl modules
+        run: |
+        cpanm --notest Test::More
+        cpanm --notest Data::Dumper
+        cpanm --notest JSON
+        cpanm --notest Text::Diff
+
+      - name: run it
+        run: |
+          prove -v t

Dockerfile-alpine Dockerfile.alpineDockerfile-alpine renamed to Dockerfile.alpine

@@ -17,11 +17,13 @@ Use a volume bind mount to a local host directory to access the files outside of
 docker run --rm -it -v /tmp:/data --workdir /data ghcr.io/testssl/testssl.sh:3.2 --htmlfile ./ example.com
 ```
 
-**NOTE:**
-- The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`.
-- Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/).
+> [!NOTE]
+> - The UID/GID ownership of the file will be created by the container user `testssl` (`1000:1000`), with permissions `644`.
+> - Your host directory must permit the `testssl` container user or group to write to that host volume. You could alternatively use [`docker cp`](https://docs.docker.com/reference/cli/docker/container/cp/).
 
-### From DockerHub or GHCR
+## Images
+
+### Available at DockerHub and GHCR
 
 You can pull the image from either of these registries:
 - DockerHub: [`drwetter/testssl.sh`](https://hub.docker.com/r/drwetter/testssl.sh)
@@ -31,7 +33,7 @@ Supported tags:
 - `3.2` / `latest`
 - `3.0` is the old stable version ([soon to become EOL](https://github.com/testssl/testssl.sh/tree/3.0#status))
 
-### Building
+### Building the `testssl.sh` container image
 
 You can build with a standard `git clone` + `docker build`. Tagging the image will make it easier to reference.
 
@@ -41,26 +43,30 @@ git clone --branch 3.2 --depth 1 https://github.com/testssl/testssl.sh .
 docker build --tag localhost/testssl.sh:3.2 .
 ```
 
-There are two base images available:
-- `Dockerfile` (openSUSE Leap), glibc-based + faster.
-- `Dockerfile-alpine` (Alpine), musl-based + half the size.
+There are two base images supported:
+- openSUSE Leap ([`Dockerfile`](./Dockerfile)), glibc-based + faster.
+- Alpine ([`Dockerfile`](./Dockerfile.alpine)), musl-based + half the size.
+
+The Alpine variant is made available if you need broarder platform support, or an image about 30MB smaller at the expense of slightly slower performance.
 
-Alpine is made available if you need broarder platform support or an image about 30MB smaller at the expense of speed.
+#### Tip - Remote build context + `Dockerfile`
 
-#### Remote build context + `Dockerfile`
 You can build with a single command instead via:
 
 ```bash
 docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.sh.git#3.2
 ```
 
-This will produce a slightly larger image however as `.dockerignore` is not supported with remote build contexts.
+> [!NOTE]
+> This will produce a slightly larger image as [`.dockerignore` is not supported with remote build contexts](https://github.com/docker/buildx/issues/3169).
+
+---
 
-If you would like to build the Alpine image instead this way, just provide the alternative `Dockerfile` via `--file`:
+To build the Alpine image instead, additionally provide the ([alternative `Dockerfile`](./Dockerfile.alpine)) via the `--file` option:
 
 ```bash
 docker build \
   --tag localhost/testssl.sh:3.2-alpine \
-  --file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile-alpine \
+  --file https://raw.githubusercontent.com/testssl/testssl.sh/3.2/Dockerfile.alpine \
   https://github.com/testssl/testssl.sh.git#3.2
 ```

Dockerfile.md

@@ -1,7 +1,7 @@
 
 ## Intro
 
-[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml)
+[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_ubuntu.yml)
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 [![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
 [![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
@@ -119,6 +119,9 @@ You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wi
 
 Please address questions not specifically to the code of testssl.sh to the respective projects below.
 
+#### AI powered docs @ DeepWiki
+* https://deepwiki.com/testssl/testssl.sh
+
 #### Web frontend
 * https://github.com/johannesschaefer/webnettools
 * https://github.com/TKCERT/testssl.sh-webfrontend

Readme.md

@@ -310,7 +310,31 @@
      ja4+=("t13d1713h1_5b57614c22b0_352634941f3a")
      current+=(true)
 
-     names+=("Chrome 27 Win 7")
+     names+=("Android 15 (native)")
+     short+=("android_15")
+     ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030108ad010008a9030391072cb3571b43dc4a8cc1ad1c53edf47f89a855e5e52a701befa485fdcc847d201e6800efce12bdb7a96cdb1d7b6c3d451f1e7275ef468a873b746fe29fa89e2200201a1a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010008409a9a0000000500050100000000000b0002010044cd0005000302683200170000002b000706eaea03040303002d000201010000001b0019000016706c61792d66652e676f6f676c65617069732e636f6d001b0003020002002300000010000e000c02683208687474702f312e3100120000000a000c000a3a3a11ec001d00170018fe0d00da00000100017b002072f7b873fdab02ad8a7e3ef3dd54613a0051821d29bfcde7f71af8ac49860c0500b0eb42e5082e1426108b1f5d6f67b5c35e26d985cdd337873c1ab77f3fcedc1cbf68cc86b20d82e5764fbadf86df30d44696184d7f73c5d2b67c3bc1955f7ce21900b7448b8ad575ce3533d8bfd9c6b6415a8c523454145c4c6306531fbe2bf0979002fd79fa707dea23d8bcd180662617c0a8b7a1dec7c63eeaf3156571c1e0f97f418b6d278dedf0d07fe027aea8f370d020503cdf7225ba8d0d1c1374c0580382f2880aaf82b7bab3a93f0bb40c91c6000d0012001004030804040105030805050108060601003304ef04ed3a3a00010011ec04c0fba42d89e82e616023e892af4a115a4bc5272dd77199ea670f927605acbd8607741e878836d92b9b35b9c3183b02621c5b6bca8ea93433dc4ad8abaabfc6a69e639d4ac391e9862609bc4ef0c1ba8b674f981cabe3f13007858a029b4d0ba12d170074ffb1468106cc91f9a394a947dbe32312b6936c26b0ad114d54c496e3233c5c53c9f86c35043ab012f9b658040df4614db746075e708657784eb22b1d5e63247b7820e4431ace5a82a85c83bcd686ed3a64ee2b4c55159da00744e0103c74b351a2956d6ba54c54696ad3d742f7d389c257143402254e0c7e7f292d08a7ad896c485fc362a33c73958836c32675d97c4e79c9a92ee00bfd3939ecd09be3fc58e1247ae468848455391cd7291a140103a34f4b054a7e148c9b672cc2f29c4c0482dba0cc3239b32dc6973da04b499c820159a2ec9bba37c6661794cdbbb5bf98d30c4d627ece6a883139a287799591059b5ca949f82234c1960cdd51278152bd39f2b734c187a70c478bcc8908d335a2848ff4b0aeddb4491860a269a74e6b5875c201004a51b72ae79096ec7b5c508a25fc04e2f3a1f3b15bfdc2673ce48a172b4faf175b9ae2750102a50b9893f93b06c2104b6ee73eed379713738d4090c80b30c3afc242a2e0022d8a9559d776069337c314c3ae346da1420465e3b8039635813185ae57ba77e6bc57f9c8afe0388ed228772caa7aaa5037a5234d7c4e7fe0372202add9e471248a87215c6c9a2838fdd0088e039405e62225580e326357c3a2a76f0b775ba07ad451934a916e79c537f0c0ad56e0c939d142809b2b44d0c446f554e52770f3e8cba997a59aa86429304c33161d9806a42c4c4777d7cab66290d26381953276e42a7990214b45989b9a979da1674861da4cea454412ba980842b4e8852f26db1d94416d388826b66a727bb26a51a55ac5dca267cb765a8c0999794e2a1b21048527a4366c5e670f5c36b769b030673b6dee187250f637aeebae1f01260293124bf289246813a345011e04a3e107a27a2b4ab9f4bced961fc7f570116322dab98986185ebce85f674c1bf0e4774d87055d1c2a239758eb20ae45588a294937a4a39361001863931e5d350ee0bc2950228631d49755d26988198cb6592a36e65710e1614f4608c5432138a3a7edca8520b9328aa3a3904028f7803a365194cbba86aeec8dec9711c7574baf0a8061b93762120b94923293c8cda3316f79509bdfe2328106714578130879c63270391508b29e984789067a1c59af71a807e6cb474e888773abb53ea87cced11a6ab6498c301630a65e9d37cd8e44abb18b9f97d2391eb22acc74c2f02633ae3649faf19efbe7b56ac6265b46354bba7197ecb8651c1dbeec4031a9cc3da48d8c6993905a8f0cf131a90a23af5b5b6bd2571dc15c3233a7f74ca3da76cc889a0eba3161790471da3542b4da57d9a1b2fc7c9a2693110828c405d19b8d6a0cec2a911c375c1d100671471401435cfc050b3039730de5ad30b78fd1fcb4ffa604d78ba6f72979db56008d903950e43385184b344b4ea2c0a331d8afb1954f567bb20ceb957bc72bb0c685a0f4176875107e47b59f2b4616901d0c9612e529204ea524222b39dad558deb07bda9919ae25635ff6b791e354b19f92175ed1635841072717a2e7bf8ea666d4ef0087ffe8ef74c50317c30c1406bb15e3a02606e2be51eea33beed8a3a6aef44a001d0020e3b270223362eb0f688b920f024370f2bcdc58f22ef5e7a32cbf318805e67113ff010001006a6a000100002901ca01a5019f02e416892a2f1f90b8c577cb046e05e5df038964982ae7b5b00f2450f97b2820b6a503d15f01fd0e8abe4ab5bfe3383af1fed6b5efd49450f1b773050ed43c8d4623b7d61b9ba793ed8ac81530bf3630efc169e883047220d8b7cc3290375cf03a69217648b952c2c3635f8c1f713d175e0032846f1e8887e75485561dcf7cff2555ed833a4fa236df7cdf971eb6e186213d0779c6eeae1777582a0300a2668cfc948881278534c2e3c102667c8c84325e3d5e31efbae0fdcf31347540e03d8f3c3cbb94a113df6dbf9ae2bc54d14e27dd92cf0eb708e7c5ce73aec09c0f1e006110af1c9ffe2f41cca0982db2d0e329fe6296f65b1d3d9c9bf55d88cd97fb1361c5c86a71f704b56819a5d0266d4214379df7ce093297ab2eddb69c3275c4cb98f25e4ba1849e81d7eccc52294c6aba5f750e5c5c1d41be5f42008870780b86d340108e6ef3c29362a678896d376245418ac27de83e8de2ea309bd294d510a032ff47b5651bf2a8f53fd0bdf5b569576ef6b1ea249e3f2f4a88fdd99d54ce5b53d6935f1dcb4bb6ffeac2ad08f1d8882d54240048414d6a2b7a3e8a0e04cc81ca531600212096370dc60f1571e843667259d4e4eccda96828a23587ecde81ad55262c4c5968")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
+     requiresSha2+=(true)
+     ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5")
+     ja4+=("t13d1517h2_8daaf6152771_b6f405a00624")
+     current+=(true)
+
+names+=("Chrome 27 Win 7")
      short+=("chrome_27_win7")
      ch_ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
      ciphersuites+=("")

etc/client-simulation.txt

@@ -6,7 +6,7 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl
 
 * Start wireshark / tcpdump at a client or router. If it's too noisy better filter for the target of your choice.
 * Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI).
-* Make sure the client traffic is specific: For just "Android" do not use an Android browser! Be also careful with factory installed Google Apps, especially on older devices as they might come with a different TLS stack.
+* Make sure the client traffic is specific: For just "Android" do not use an Android browser! Be also careful with factory installed Google Apps, especially on older devices as they might come with a different TLS stack. The play store or e.g. f-droid works.
 * Stop recording.
 * If needed sort for ClientHello.
 * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic.