mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-11-13 13:51:01 +01:00
Merge pull request #2934 from testssl/shorten_badssl
Shorten badssl GHA as they fail too often
This commit is contained in:
Dirk Wetter
GitHub
commit
a0c99d855e
@ -40,7 +40,7 @@ $uri="smtp-relay.gmail.com:587";
|
||||
# unlink "tmp.json";
|
||||
# we will have client simulations later, so we don't need to run everything again:
|
||||
printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run_smtp -t smtp $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run_smtp -t smtp $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -48,7 +48,7 @@ $tests++;
|
||||
#2
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ...";
|
||||
$openssl_out = `./testssl.sh --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
|
||||
$openssl_out = `$prg --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -58,14 +58,14 @@ $uri="pop.gmx.net:110";
|
||||
#3
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||
$tests++;
|
||||
|
||||
#4
|
||||
printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
|
||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
|
||||
$openssl_out = `$prg --ssl-native $check2run -t pop3 $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -75,14 +75,14 @@ $uri="imap.gmx.net:143";
|
||||
#5
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t imap $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t imap $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||
$tests++;
|
||||
|
||||
#6
|
||||
printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ...";
|
||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t imap $uri 2>&1`;
|
||||
$openssl_out = `$prg --ssl-native $check2run -t imap $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -92,7 +92,7 @@ $uri="mail.tigertech.net:4190";
|
||||
#7
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t sieve $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t sieve $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -102,7 +102,7 @@ $uri="jabber.org:5222";
|
||||
#8
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t xmpp $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t xmpp $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -110,14 +110,14 @@ $tests++;
|
||||
# commented out, bc of travis' limits
|
||||
#
|
||||
#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
|
||||
#$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
|
||||
#$openssl_out = `$prg --ssl-native $check2run -t xmpp $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
#$tests++;
|
||||
|
||||
# $uri="jabber.ccc.de:5269";
|
||||
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
|
||||
# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
|
||||
# $openssl_out = `$prg --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
|
||||
# # $openssl_json = json('tmp.json');
|
||||
# unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
# $tests++;
|
||||
@ -128,7 +128,7 @@ $uri="ldap.uni-rostock.de:21";
|
||||
#9
|
||||
# unlink "tmp.json";
|
||||
printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t ftp $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t ftp $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
|
||||
$socket_out =~ s/ error querying OCSP responder .*\n//g;
|
||||
@ -138,7 +138,7 @@ $tests++;
|
||||
# commented out, bc of travis' limits
|
||||
#
|
||||
# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
|
||||
# $openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`;
|
||||
# $openssl_out = `$prg --ssl-native $check2run -t ftp $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
|
||||
# $openssl_out =~ s/ error querying OCSP responder .*\n//g;
|
||||
@ -151,14 +151,14 @@ $uri="db.debian.org:389";
|
||||
|
||||
#10
|
||||
printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
|
||||
$socket_out = `./testssl.sh $check2run -t ldap $uri 2>&1`;
|
||||
$socket_out = `$prg $check2run -t ldap $uri 2>&1`;
|
||||
# $socket_json = json('tmp.json');
|
||||
unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||
$tests++;
|
||||
|
||||
#11
|
||||
printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
|
||||
$openssl_out = `./testssl.sh --ssl-native $check2run -t ldap $uri 2>&1`;
|
||||
$openssl_out = `$prg --ssl-native $check2run -t ldap $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
$tests++;
|
||||
@ -168,14 +168,14 @@ $tests++;
|
||||
#$uri="144.76.182.167:119";
|
||||
|
||||
#printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ...";
|
||||
#$socket_out = `./testssl.sh $check2run -t nntp $uri 2>&1`;
|
||||
#$socket_out = `$prg $check2run -t nntp $uri 2>&1`;
|
||||
#unlike($socket_out, qr/$socket_regex_bl/, "");
|
||||
#$tests++;
|
||||
|
||||
# commented out, bc of travis' limits
|
||||
#
|
||||
#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
|
||||
#$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`;
|
||||
#$openssl_out = `$prg --ssl-native $check2run -t nntp $uri 2>&1`;
|
||||
# $openssl_json = json('tmp.json');
|
||||
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
#$tests++;
|
||||
|
||||
@ -57,7 +57,7 @@ $tests++;
|
||||
#
|
||||
# unlink "tmp.json";
|
||||
#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
|
||||
#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`;
|
||||
#$openssl_out = `$prg --ssl-native $check2run -t smtp $uri 2>&1`;
|
||||
## $openssl_json = json('tmp.json');
|
||||
#unlike($openssl_out, qr/$openssl_regex_bl/, "");
|
||||
#$tests++;
|
||||
|
||||
@ -16,7 +16,7 @@ my (
|
||||
$tests = 0;
|
||||
|
||||
my $prg="./testssl.sh";
|
||||
my $check2run = '-S -e --ids-friendly -U --severity LOW --color 0';
|
||||
my $check2run = '-S --beast --sweet32 --breach --beast --lucky13 --rc4 --severity LOW --color 0';
|
||||
my $uri = 'badssl.com';
|
||||
|
||||
printf "\n%s\n", "Doing severity level checks";
|
||||
|
||||
@ -7,22 +7,33 @@ use JSON;
|
||||
|
||||
my $tests = 0;
|
||||
my $prg="./testssl.sh";
|
||||
my $check2run="-S -q --ip=one --color 0";
|
||||
my $okout;
|
||||
my $okjson;
|
||||
my $uri="badssl.com";
|
||||
|
||||
my (
|
||||
$out,
|
||||
$json,
|
||||
$found,
|
||||
);
|
||||
# OK
|
||||
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
|
||||
my $okout = `$prg -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
|
||||
my $okjson = json('tmp.json');
|
||||
|
||||
die "Unable to open $prg" unless -f $prg;
|
||||
|
||||
# Provide proper start conditions
|
||||
unlink 'tmp.json';
|
||||
|
||||
#1+#2 OK
|
||||
pass("Running testssl.sh against $uri to create a baseline (may take 2-3 minutes)"); $tests++;
|
||||
$okout = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||
$okjson = json('tmp.json');
|
||||
unlink 'tmp.json';
|
||||
cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
|
||||
|
||||
# Expiration
|
||||
pass("Running testssl against expired.badssl.com"); $tests++;
|
||||
$out = `$prg -S --jsonfile tmp.json --color 0 expired.badssl.com`;
|
||||
$uri="expired.badssl.com";
|
||||
pass("Running testssl against $uri"); $tests++;
|
||||
$out = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||
like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;
|
||||
like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
|
||||
$json = json('tmp.json');
|
||||
@ -39,8 +50,9 @@ foreach my $f ( @$json ) {
|
||||
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
|
||||
|
||||
# Self signed and not-expired
|
||||
pass("Running testssl against self-signed.badssl.com"); $tests++;
|
||||
$out = `$prg -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
|
||||
$uri="self-signed.badssl.com";
|
||||
pass("Running testssl against $uri"); $tests++;
|
||||
$out = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||
unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
|
||||
$json = json('tmp.json');
|
||||
unlink 'tmp.json';
|
||||
@ -81,8 +93,9 @@ foreach my $f ( @$okjson ) {
|
||||
is($found,1,"We should have a finding for this in the JSON output"); $tests++;
|
||||
|
||||
# Wrong host
|
||||
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
|
||||
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
|
||||
#$uri="wrong.host.badssl.com";
|
||||
#pass("Running testssl against $uri"); $tests++;
|
||||
#$out = ``$prg $check2run --jsonfile tmp.json $uri`;
|
||||
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
|
||||
#$json = json('tmp.json');
|
||||
#unlink 'tmp.json';
|
||||
@ -98,8 +111,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
|
||||
#is($found,1,"We had a finding for this in the JSON output"); $tests++;
|
||||
|
||||
# Incomplete chain
|
||||
pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
|
||||
$out = `$prg -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
|
||||
$uri='incomplete-chain.badssl.com';
|
||||
pass("Running testssl against $uri"); $tests++;
|
||||
$out = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
|
||||
$json = json('tmp.json');
|
||||
unlink 'tmp.json';
|
||||
@ -117,8 +131,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
|
||||
# TODO: RSA 8192
|
||||
|
||||
# TODO: CBC
|
||||
#pass("Running testssl against cbc.badssl.com"); $tests++;
|
||||
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
|
||||
#$uri='cbc.badssl.com';
|
||||
#pass("Running testssl against $uri"); $tests++;
|
||||
#$out = `$prg $check2run --jsonfile tmp.json $uri`;
|
||||
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
|
||||
#$json = json('tmp.json');
|
||||
#unlink 'tmp.json';
|
||||
@ -144,5 +159,5 @@ sub json($) {
|
||||
}
|
||||
|
||||
|
||||
# vim:ts=5:sw=5:expandtab
|
||||
# vim:ts=5:sw=5:expandtab
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user