This is a fresh start for #2484 as the PR wasn't ready yet for 3.2
by the time it was released.
The info for the HTTPS RR shows up in the very beginning, i.e. in the
service_detection(). All keys are listed now in bold, values in
a regular font.
`get_https_rrecord()` was introduced by copying and modifying `get_caa_rr_record()`.
There's a similar obstacle as with CAA RRs: older binaries show the
resource records binary encoded. Thus a new set of global vars is introduced
HAS_*_HTTPS which check whether the binaries support decoding the RR
directly.
For CAA there was a minor bug fixed when records were queried also when it was
instructed to minimize/skip or use proxy only.
Todo:
- Add logic in QUIC
- if RR is detected and not QUIC is possible
- add time for QUIC detection when RR is retrieved
- show full HTTPS RR record, at least when having a new DNS client
- shorten the comments in `get_https_rrecord()`
- Man page
- when ASSUME_HTTP is set and no services was detected: this needs to be handled
The site from that billioniare who made nazi gestures delivers a UDP
response without proper TLS handshake. This led to a false positive
as if the site supports QUIC via h3.
This PR makes the detection of QUIC more robust by adding a certificate check
and also take better the return values from `wait_kill()` into account.
It also introduces a function to remove any non printable chars (depending
on the LC_ALL var): `filter_printable()`
Also `sanitze_http_header()` doesn't operate anymore on a global variable
which is kind of not best practise as it is easily to avoid here.
... for t/32_isHTML_valid.t .
Github.com seems to be most reliable from the ones tested so far.
bahn.de has one IP to the outside however Session resumption seems
to come from different hosts behind that IP. Bad choice for this
test.
Seems the patch in #2856 wasn't complete. So that it was forgotten to add also manually specified IPv6 addresses to the IP addresses to show and to scan.
This makes sure it does, so this fixes#2854 finally.
Also statements were added to reset do_ipv4_only and do_ipv6_only correctly so that later the output "Testing all IP** addresses" is correct.
* `code2network()` was improved to just use internal bash functions, except sed
* `socksend()` was renamed to `socksend_x()` to clarify that the string passed contains already a leading x
We might want to try using in `code2network()` only bash internal functions like in `socksend_x()`.
And maybe decide for onee format of hexbytes in the code -- with x or without.
Due to rebasing determine_ip_addresses() in #2852 it was
forgotten to add any manually specified IP address to
the IP addresses to show and to scan.
This fixes#2854 .
This labels the result of a failed test for reaching
port 80 when no direct connection is possible as likely not
vulnerable.
This seems safe to say, as there's another check whether
a proxy is configured, like for corporate environments where
a connection is only allowed though the proxy.
As `wait_kill()` returns with 0 when a TCP reset is encountered
and the process is not killed, we need to open the socket again
in a sub shell. Which is safe in the foreground.
If then the subshell returns with 0 we can safely connect to
port 80.
* IPv6 addresses which won't be scanned will be put in round brackets to feedback th UI
* logic bug fixed which always said "Testing all IPv4 addresses (port $PORT):". Simplyfied the MULTIPLE_CHECKS output
This PR will enable IPv6 fully if available.
It was not enabled before as users were confronted with an error message when
testssl.sh wanted (also) to scan IPv6 before but routing/configuration or
whatsoever issues prevented that. This has been solved by introducing the function
`shouldwedo_ipv6()` which checks whether we can reach the target via IPv6 --
tracked be the global IPv6_OK.
The change is in line with tools like wget or curl in a sense that if IPv6 works
it is just being used. Formally testssl.sh had to be instructed via -6 cmdline
option, like nmap.
* \-6 is now the switch to do IPv6 scans only
* \-4 is now the switch to do IPv4 scans only
The latter is a *breaking change*, as the cmdline option meant before to check
for RC4 ciphers.
Also HAS_IPv6, synonymous to -6 before, does not exist anymore.
As the command line option `--connect-timeout` seemed rather unspecific,
it has been replaced by `--socket-timeout, also all internal variables.
Todo:
* man pages
* dashed lines appear too long
This fixes#2847 .
It was falsely assumed that the http head command blocks when port 80 is not available but
actucally the exec for the socket is the culprit.
This PR changes that so that the exec is put in the background.
Another change is that $node is still used but the port is stripped of which
lead to the problem raised in #2847. We use $node instead of $NODE has we
can recycle the `http_head[er]_printf()` later.
`http_header_printf()`was renamed to `http_head_printf()` as there's also an `http_head()`
and an `http_get()`
This commit adds an improvement so that e.g. under MacOS
/opt/homebrew/bin/openssl is automatically taken as
$OPENSSL so that also QUIC works out of the box for MacOS.
Formally for at least MacOS with silicon CPUs OPENSSL was
equal to OPENSSL2 and LibreSSL in /usr/bin/openssl doesn't
have QUIC support (up to version 15.5 of MacoOS at least).
Fixes#2833
This does a check for the opossum vulnerability, see https://opossum-attack.com/ .
It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.
`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.
Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help
Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS.
Also change the displayed text.
See #2832 (which was for 3.2)
