Merge branch '3.2' into diffing_openssls

Author: drwetter

CHANGELOG.md

@@ -12,6 +12,7 @@
 * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
+* Support RFC 9150 cipher suites
 * Improved mass testing
 * Better align colors of ciphers with standard cipherlists
 * Save a few cycles for ROBOT
@@ -23,13 +24,16 @@
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
 * STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
+* Renegotiation checks more reliable against different servers
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
+* Wildcard certificates: detection and warning
 * TLS 1.2 and TLS 1.3 sig algs added
 * Check for ffdhe groups
+* Check for three KEMs in draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
 * Show server supported signature algorithms
 * --add-ca can also now be a directory with \*.pem files
 * Warning of 398 day limit for certificates issued after 2020/9/1
@@ -41,6 +45,7 @@
 * DNS via proxy improvements
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
+* Search for more HTTP security headers on the server
 * Test for support for RFC 8879 certificate compression
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8

CONTRIBUTING.md

@@ -1,21 +1,25 @@
 
-### Contributions / participation
+### Contributing / participating
 
-is always welcome, here @ github or via e-mail.
+Contributing / participating is always welcome!
 
-Note please the following
+Please note the following:
 
-* Please read at least the [coding convention](https://github.com/testssl/testssl.sh/Coding_Convention.md).
-* One PR per feature or bug fix or improvement. Please do not mix issues.
-* Document your PR, both in the PR and/or commit message and in the code.
+* Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md).
+* If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
+* Please one pull request per feature or bug fix or improvement. Please do not mix issues.
+* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
 * Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
-* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
-* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
-* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
+* GitHub actions are running automatically when anything is committed. You should see any complains. Beforehand you can check with `prove -v` from the "root dir" of this project.
+* If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
+* If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
 
-For questions just open an issue or feel free to send me an e-mail.
+If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
+* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
+* [good first issue](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+* [help wanted](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22help%20wanted%22)
+* [for grabs](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+
+For questions just open an issue.  Thanks for reading this!
 
-#### Patches via e-mail
 
-Of course it is fine when you want to send in patches to use e-mail. For the address please grep for SWCONTACT in testssl.sh .
-Let me know how you like them to be attributed.

bin/Readme.md

@@ -10,7 +10,7 @@ for some new / advanced cipher suites and/or features which are not in the
 official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
 
 The (stripped) binaries this directory are all compiled from my openssl snapshot
-(https://github.com/drwetter/openssl-1.0.2.bad) which adds a few bits to Peter
+(https://github.com/testssl/openssl-1.0.2.bad) which adds a few bits to Peter
 Mosman's openssl fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
 The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports.
 
@@ -71,11 +71,11 @@ Compilation instructions
 If you want to compile OpenSSL yourself, here are the instructions:
 
 1.)
-    git git clone https://github.com/drwetter/openssl-1.0.2-bad
+    git git clone https://github.com/testssl/openssl-1.0.2-bad
     cd openssl
 
 
-2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
+2.) configure the damned thing. Options I used (see https://github.com/testssl/testssl.sh/blob/master/utils/make-openssl.sh)
 
 **for 64Bit including Kerberos ciphers:**
 

doc/testssl.1

@@ -607,4 +607,4 @@ All native Windows platforms emulating Linux are known to be slow\.
 .SH "BUGS"
 Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
 .SH "SEE ALSO"
-\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/drwetter/testssl\.sh/ \.
+\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/testssl/testssl\.sh/ \.

doc/testssl.1.html

@@ -587,4 +587,4 @@ Probably. Current known ones and interface for filing new ones: https://testssl.
 
 ## SEE ALSO
 
-`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .
+`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/testssl/testssl.sh/ .

doc/testssl.1.md

@@ -1,7 +1,7 @@
 
 # data we need for socket based handshakes
 # see #807 and #806 (especially
-# https://github.com/drwetter/testssl.sh/issues/806#issuecomment-318686374)
+# https://github.com/testssl/testssl.sh/issues/806#issuecomment-318686374)
 
 # 7 ciphers defined for TLS 1.3 in RFCs 8446 and 9150
 readonly TLS13_CIPHER="

etc/tls_data.txt

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 
-# disabled as IPv6 is not supported by Travis, see https://github.com/drwetter/testssl.sh/issues/1177
+# disabled as IPv6 wasn't supported by Travis CI and isn't by GH action, see https://github.com/testssl/testssl.sh/issues/1177
 
 # Just a functional test, whether there are any problems on the client side
 # Probably we could also inspect the JSON for any problems for

t/11_baseline_ipv6_http.t.DISABLED

@@ -3,11 +3,10 @@
 # Baseline diff test against testssl.sh (csv output)
 #
 # We don't use a full run yet and only the certificate section.
-# There we would need to blacklist at least:
+# There we would need to blacklist more, like:
 # cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
 # cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
 #
-# help is appreciated here
 
 use strict;
 use Test::More;
@@ -16,55 +15,54 @@ use Text::Diff;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $master_socket_csv="./t/baseline_data/default_testssl.csvfile";
-my $socket_csv="tmp.csv";
-my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv";
-#my $check2run="-p --color 0 --csvfile $socket_csv";
+my $baseline_csv="./t/baseline_data/default_testssl.csvfile";
+my $cat_csv="tmp.csv";
+my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $cat_csv";
 my $uri="testssl.sh";
 my $diff="";
 
 die "Unable to open $prg" unless -f $prg;
-die "Unable to open $master_socket_csv" unless -f $master_socket_csv;
-
+die "Unable to open $baseline_csv" unless -f $baseline_csv;
 
 # Provide proper start conditions
-unlink "tmp.csv";
+unlink $cat_csv;
 
-# Title
-printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
+my @args=("$prg", "$check2run", "$uri", "2>&1");
 
 #1 run
-`$prg $check2run $uri 2>&1`;
-
-$diff = diff $socket_csv, $master_socket_csv;
+printf "\n%s\n", "Diff unit test (IPv4) against \"$uri\"";
+printf "@args\n";
+system("@args") == 0
+     or die ("FAILED: \"@args\" ");
 
-$socket_csv=`cat tmp.csv`;
-$master_socket_csv=`cat $master_socket_csv`;
+$cat_csv=`cat $cat_csv`;
+$baseline_csv=`cat $baseline_csv`;
 
 # Filter for changes that are allowed to occur
-$socket_csv=~ s/HTTP_clock_skew.*\n//g;
-$master_socket_csv=~ s/HTTP_clock_skew.*\n//g;
+$cat_csv      =~ s/HTTP_clock_skew.*\n//g;
+$baseline_csv =~ s/HTTP_clock_skew.*\n//g;
+
+# HTTP time
+$cat_csv      =~ s/HTTP_headerTime.*\n//g;
+$baseline_csv =~ s/HTTP_headerTime.*\n//g;
 
 # DROWN
-$socket_csv=~ s/censys.io.*\n//g;
-$master_socket_csv=~ s/censys.io.*\n//g;
+$cat_csv      =~ s/censys.io.*\n//g;
+$baseline_csv =~ s/censys.io.*\n//g;
 
-# HTTP time
-$socket_csv=~ s/HTTP_headerTime.*\n//g;
-$master_socket_csv=~ s/HTTP_headerTime.*\n//g;
+$diff = diff \$cat_csv, \$baseline_csv;
 
-# Compare the differences to the master file -- and print differences if there were detected.
+# Compare the differences to the baseline file -- and print differences if there were detected.
 #
-cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or
+ok($cat_csv eq $baseline_csv, "Check whether CSV output matches baseline file from $uri") or
      diag ("\n%s\n", "$diff");
 
-$tests++;
-
 unlink "tmp.csv";
 
+$tests++;
 done_testing($tests);
 printf "\n";
 
 
-#  vim:ts=5:sw=5:expandtab
+# vim:ts=5:sw=5:expandtab
 

t/61_diff_testsslsh.t

@@ -70,7 +70,7 @@
 "FS_TLS13_sig_algs","testssl.sh/81.169.166.184","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","",""
 "HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
 "HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
-"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1654006271","",""
+"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1737570310","",""
 "HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
 "HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
 "HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
@@ -81,6 +81,8 @@
 "X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
 "X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
 "Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","",""
+"Cross-Origin-Opener-Policy","testssl.sh/81.169.166.184","443","INFO","same-origin-allow-popups","",""
+"Cross-Origin-Resource-Policy","testssl.sh/81.169.166.184","443","INFO","same-site","",""
 "banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
 "heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
 "CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
@@ -95,7 +97,7 @@
 "SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
 "FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
 "DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
-"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=31B44391529821C6A77F3C78B02D716A07F99B8FDB342BF5A78F263C25375968","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5B4BC205947AED96ECB1879F2668F7F69D696C143BA8D1C69DBB4DC873C92AE9","CVE-2016-0800 CVE-2016-0703","CWE-310"
 "LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
 "LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
 "BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"