mirrors/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-11-15 06:41:10 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2934 from testssl/shorten_badssl

Browse Source 
Shorten badssl GHA as they fail too often
This commit is contained in:
Dirk Wetter 2025-10-30 20:41:46 +01:00 committed by GitHub
commit a0c99d855e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 48 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
t/21_baseline_starttls.t
View File

@ -40,7 +40,7 @@ $uri="smtp-relay.gmail.com:587";
# unlink "tmp.json"; # unlink "tmp.json";
# we will have client simulations later, so we don't need to run everything again: # we will have client simulations later, so we don't need to run everything again:
printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run_smtp -t smtp $uri 2>&1`; $socket_out = `$prg $check2run_smtp -t smtp $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, ""); unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++; $tests++;
@ -48,7 +48,7 @@ $tests++;
#2 #2
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ..."; printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ...";
$openssl_out = `./testssl.sh --ssl-native $check2run_smtp -t smtp $uri 2>&1`; $openssl_out = `$prg --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -58,14 +58,14 @@ $uri="pop.gmx.net:110";
#3 #3
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`; $socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, ""); unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++; $tests++;
#4 #4
printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ..."; printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`; $openssl_out = `$prg --ssl-native $check2run -t pop3 $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -75,14 +75,14 @@ $uri="imap.gmx.net:143";
#5 #5
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t imap $uri 2>&1`; $socket_out = `$prg $check2run -t imap $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, ""); unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++; $tests++;
#6 #6
printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ..."; printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ...";
$openssl_out = `./testssl.sh --ssl-native $check2run -t imap $uri 2>&1`; $openssl_out = `$prg --ssl-native $check2run -t imap $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -92,7 +92,7 @@ $uri="mail.tigertech.net:4190";
#7 #7
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t sieve $uri 2>&1`; $socket_out = `$prg $check2run -t sieve $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -102,7 +102,7 @@ $uri="jabber.org:5222";
#8 #8
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t xmpp $uri 2>&1`; $socket_out = `$prg $check2run -t xmpp $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -110,14 +110,14 @@ $tests++;
# commented out, bc of travis' limits # commented out, bc of travis' limits
# #
#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ..."; #printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
#$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; #$openssl_out = `$prg --ssl-native $check2run -t xmpp $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
#unlike($openssl_out, qr/$openssl_regex_bl/, ""); #unlike($openssl_out, qr/$openssl_regex_bl/, "");
#$tests++; #$tests++;
# $uri="jabber.ccc.de:5269"; # $uri="jabber.ccc.de:5269";
# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; # printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`; # $openssl_out = `$prg --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
# # $openssl_json = json('tmp.json'); # # $openssl_json = json('tmp.json');
# unlike($openssl_out, qr/$openssl_regex_bl/, ""); # unlike($openssl_out, qr/$openssl_regex_bl/, "");
# $tests++; # $tests++;
@ -128,7 +128,7 @@ $uri="ldap.uni-rostock.de:21";
#9 #9
# unlink "tmp.json"; # unlink "tmp.json";
printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t ftp $uri 2>&1`; $socket_out = `$prg $check2run -t ftp $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)' # OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
$socket_out =~ s/ error querying OCSP responder .*\n//g; $socket_out =~ s/ error querying OCSP responder .*\n//g;
@ -138,7 +138,7 @@ $tests++;
# commented out, bc of travis' limits # commented out, bc of travis' limits
# #
# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ..."; # printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
# $openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`; # $openssl_out = `$prg --ssl-native $check2run -t ftp $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)' # OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
# $openssl_out =~ s/ error querying OCSP responder .*\n//g; # $openssl_out =~ s/ error querying OCSP responder .*\n//g;
@ -151,14 +151,14 @@ $uri="db.debian.org:389";
#10 #10
printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ..."; printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t ldap $uri 2>&1`; $socket_out = `$prg $check2run -t ldap $uri 2>&1`;
# $socket_json = json('tmp.json'); # $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, ""); unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++; $tests++;
#11 #11
printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ..."; printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
$openssl_out = `./testssl.sh --ssl-native $check2run -t ldap $uri 2>&1`; $openssl_out = `$prg --ssl-native $check2run -t ldap $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, ""); unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++; $tests++;
@ -168,14 +168,14 @@ $tests++;
#$uri="144.76.182.167:119"; #$uri="144.76.182.167:119";
#printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ..."; #printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ...";
#$socket_out = `./testssl.sh $check2run -t nntp $uri 2>&1`; #$socket_out = `$prg $check2run -t nntp $uri 2>&1`;
#unlike($socket_out, qr/$socket_regex_bl/, ""); #unlike($socket_out, qr/$socket_regex_bl/, "");
#$tests++; #$tests++;
# commented out, bc of travis' limits # commented out, bc of travis' limits
# #
#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ..."; #printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
#$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`; #$openssl_out = `$prg --ssl-native $check2run -t nntp $uri 2>&1`;
# $openssl_json = json('tmp.json'); # $openssl_json = json('tmp.json');
#unlike($openssl_out, qr/$openssl_regex_bl/, ""); #unlike($openssl_out, qr/$openssl_regex_bl/, "");
#$tests++; #$tests++;

2
t/23_client_simulation.t
View File

@ -57,7 +57,7 @@ $tests++;
# #
# unlink "tmp.json"; # unlink "tmp.json";
#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ..."; #printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`; #$openssl_out = `$prg --ssl-native $check2run -t smtp $uri 2>&1`;
## $openssl_json = json('tmp.json'); ## $openssl_json = json('tmp.json');
#unlike($openssl_out, qr/$openssl_regex_bl/, ""); #unlike($openssl_out, qr/$openssl_regex_bl/, "");
#$tests++; #$tests++;

2
t/33_isJSON_severitylevel_valid.t
View File

@ -16,7 +16,7 @@ my (
$tests = 0; $tests = 0;
my $prg="./testssl.sh"; my $prg="./testssl.sh";
my $check2run = '-S -e --ids-friendly -U --severity LOW --color 0'; my $check2run = '-S --beast --sweet32 --breach --beast --lucky13 --rc4 --severity LOW --color 0';
my $uri = 'badssl.com'; my $uri = 'badssl.com';
printf "\n%s\n", "Doing severity level checks"; printf "\n%s\n", "Doing severity level checks";

43
t/51_badssl.com.t
View File

@ -7,22 +7,33 @@ use JSON;
my $tests = 0; my $tests = 0;
my $prg="./testssl.sh"; my $prg="./testssl.sh";
my $check2run="-S -q --ip=one --color 0";
my $okout;
my $okjson;
my $uri="badssl.com";
my ( my (
$out, $out,
$json, $json,
$found, $found,
); );
# OK
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++; die "Unable to open $prg" unless -f $prg;
my $okout = `$prg -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json'); # Provide proper start conditions
unlink 'tmp.json';
#1+#2 OK
pass("Running testssl.sh against $uri to create a baseline (may take 2-3 minutes)"); $tests++;
$okout = `$prg $check2run --jsonfile tmp.json $uri`;
$okjson = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++; cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
# Expiration # Expiration
pass("Running testssl against expired.badssl.com"); $tests++; $uri="expired.badssl.com";
$out = `$prg -S --jsonfile tmp.json --color 0 expired.badssl.com`; pass("Running testssl against $uri"); $tests++;
$out = `$prg $check2run --jsonfile tmp.json $uri`;
like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++; like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;
like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++; like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
$json = json('tmp.json'); $json = json('tmp.json');
@ -39,8 +50,9 @@ foreach my $f ( @$json ) {
is($found,1,"We should have a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Self signed and not-expired # Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++; $uri="self-signed.badssl.com";
$out = `$prg -S --jsonfile tmp.json --color 0 self-signed.badssl.com`; pass("Running testssl against $uri"); $tests++;
$out = `$prg $check2run --jsonfile tmp.json $uri`;
unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++; unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -81,8 +93,9 @@ foreach my $f ( @$okjson ) {
is($found,1,"We should have a finding for this in the JSON output"); $tests++; is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Wrong host # Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++; #$uri="wrong.host.badssl.com";
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`; #pass("Running testssl against $uri"); $tests++;
#$out = ``$prg $check2run --jsonfile tmp.json $uri`;
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++; #unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
#$json = json('tmp.json'); #$json = json('tmp.json');
#unlink 'tmp.json'; #unlink 'tmp.json';
@ -98,8 +111,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
#is($found,1,"We had a finding for this in the JSON output"); $tests++; #is($found,1,"We had a finding for this in the JSON output"); $tests++;
# Incomplete chain # Incomplete chain
pass("Running testssl against incomplete-chain.badssl.com"); $tests++; $uri='incomplete-chain.badssl.com';
$out = `$prg -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`; pass("Running testssl against $uri"); $tests++;
$out = `$prg $check2run --jsonfile tmp.json $uri`;
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++; like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -117,8 +131,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# TODO: RSA 8192 # TODO: RSA 8192
# TODO: CBC # TODO: CBC
#pass("Running testssl against cbc.badssl.com"); $tests++; #$uri='cbc.badssl.com';
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`; #pass("Running testssl against $uri"); $tests++;
#$out = `$prg $check2run --jsonfile tmp.json $uri`;
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++; #like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
#$json = json('tmp.json'); #$json = json('tmp.json');
#unlink 'tmp.json'; #unlink 'tmp.json';