Permalink
Commits on Nov 19, 2018
  1. Merge pull request #1153 from bitsofinfo/2.9dev

    drwetter committed Nov 19, 2018
    new links to external/related projects
Commits on Nov 13, 2018
  1. Finalize redoing XMPP handshake

    drwetter committed Nov 13, 2018
    This commit finally fixes #547 and makes XMPP handshakes at least
    as fast as the other STARTTLS handshakes.
    
    It utilizes dd to read from the file descriptor. In all tests
    I ran so far it didn't cause any problems. There's a potential
    problem though that dd might block.
Commits on Nov 12, 2018
  1. Minor updates

    drwetter committed Nov 12, 2018
    added: client simulation, requirements.
    
    Updated number of ciphers.
  2. Redid + bugfix for STARTTLS XMPP

    drwetter committed Nov 12, 2018
    This PR fixes #924 and does some foundation for #547. It's a
    somewhat preliminary push of code and further work for #547 is required.
    
    XMPP is now similar programmed as other STARTTLS handshakes with the exception
    that it is not line based but stream based.  That is still the catch here and
    needs to be addressed: STARTTLS protocols like IMAP + SMTP use
    starttls_full_read() which reads lines until the line is completely received or
    the timeout was encountered.
    
    The new function ``starttls_io()`` however does a wait (fixed value: 1 second)
    as there's no lf or terminator.
    
    The XMPP STARTTLS handshakes are now the same as in OpenSSL.
    
    There are redundant functions in this code which will be removed later.
    
    Also at some places a hint for lmtp was missing which was added.
  3. Check for OpenSSL + use unames

    drwetter committed Nov 12, 2018
  4. Check for OpenSSL + use unames

    drwetter committed Nov 12, 2018
Commits on Nov 9, 2018
  1. Add "No FS" in non-wide mode in client simulation

    drwetter committed Nov 9, 2018
    ... and redo there for the output of curves / no FS
    
    fix #98
Commits on Nov 8, 2018
  1. Attention: Replacing JSON ID "target host" by "targetHost"

    drwetter committed Nov 8, 2018
    see #1150.
  2. RFC --> IANA

    drwetter committed Nov 8, 2018
  3. RFC --> IANA

    drwetter committed Nov 8, 2018
    The cipher suites names in the RFCs stem (mostly) from IANA, see
    https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
    
    This PR corrects that in places visible to the user. For backwards
    compatibility the cmd line switches still work as before, but there's
    a preference to IANA. The RFC naming is labeled as to be retired
    in the future.
  4. TLS 1.3 ciphers forgotten :-(, added

    drwetter committed Nov 8, 2018
Commits on Nov 5, 2018
  1. Updated client simulation

    drwetter committed Nov 5, 2018
    SSLabs API only added one newer version of Chrome (70) and one newer version
    of Firefox (62).
    
    Thus the wishlist gets longer (c15e042).
    Missing is Android 8 and 9, OpenSSL 1.1.1, Safari on OSX 11 and 12. Java 10
    and 11.
    
    Fix #1104
  2. Add SSLv2 ciphers in handshakes, housekeeping

    drwetter committed Nov 5, 2018
    In addition to 7d36ba9 which
    added new SSLv2 ciphers to the ciphers file this commit adds those
    ciphers also to those functions where needed.
    
    Also it does some housekeeping. [[ doesn't require strings on
    the right hand side to be quoted, see bash hackers wiki.
Commits on Nov 3, 2018
  1. Merge pull request #1114 from dcooper16/run_pfs_dh_groups

    drwetter committed Nov 3, 2018
    Checking for DH groups in run_pfs()
Commits on Nov 2, 2018
  1. Correct new openssl cipher name

    drwetter committed Nov 2, 2018
    ... from 7d36ba9
  2. Add more ciphers

    drwetter committed Nov 2, 2018
    There are a couple of old SSLv2 ciphers which haben't been included in
    etc/cipher-mapping.txt . This PR updates the file. Names were derived
    from the (old) OpenSSL / SSLeay source code.
    
    In addition TLS_NULL_WITH_NULL_NULL (>=SSLv3 cipher) was added.
    
    ToDo: Review functions to be updated to use those ciphers.
Commits on Nov 1, 2018
  1. Add scrollable heading to table (z-index)

    drwetter committed Nov 1, 2018
  2. Renamed (typo) openssl-rfc.mappping.html and added entries

    drwetter committed Nov 1, 2018
    Some SSLv2 ciphers were missing (see openssl/ssl/ssl2.h and
    SSLeay (ssl.h + ssl_lib.c).
    
    Also in this list security bit strength None were renamed to '0',
    encryption None to Null.
Commits on Oct 29, 2018
  1. Add +2 to MAX_OSSL_FAIL if running with --openssl-native AND an --ope…

    drwetter committed Oct 29, 2018
    …nssl-timeout
    
    .. otherwise we'll hit too soon the threshold: Logic: by specifying
    a timeout a user indicates that there might be a problem.
    
    Also fatal() now supports a hint which is printed in normal
    text (to stderr)
  2. Detect downgrade to plaintext for STARTTLS, IMAP

    drwetter committed Oct 29, 2018
    Some Cyrus IMAD if configured with SSL_CTX_set_cipher_list(context, "!TLSv1")
    and similar respond with a plaintext 'a002 NO Starttls negotiation failed"
    when a not-supported protocol is detected, see #1082.
    
    This PR fixes this by detecting (also) this downgrade. As a precaution
    It still issues a warning as this is seems a special configuration.
Commits on Oct 24, 2018
  1. Merge pull request #1147 from C0FFEEC0FFEE/dev-fixcsv

    drwetter committed Oct 24, 2018
    Dev fixcsv
Commits on Oct 16, 2018
  1. Simplify run_logjam()

    drwetter committed Oct 16, 2018
    Looking @ pending #1114 two improvements were done:
    
    1) Keep the status of DH group detected (<name> or "Unknown DH group")
       as well as the bit length
    2) move the detection to a separate function get_common_prime()
    
    There's still room for improvements when run_pfs() will take
    over a part.
    
    Also double code (my bad) from run_logjam() was move to a separate function.
  2. Check requirements on missing binaries

    drwetter committed Oct 16, 2018
    As #1146 noted some installations miss hexdump. Better practice
    is to check before what's needed albeit the error message when
    a binary is missing does give the user a hint.
Commits on Oct 15, 2018
  1. Add a LICENSE section

    drwetter committed Oct 15, 2018
    and ask for mentioning that this program is being used
    and where to get it from.
  2. Be more verbose what client is simulated

    drwetter committed Oct 15, 2018
    Currently the client simulation is based on the handshake data
    from SSLlabs which is purely focussed on HTTP -- as SSLlabs does
    HTTP only.
    
    In #540 there was a PR addressing the fact that the data is not
    what is claims to be -- the handshake of Android 7 seems to be
    Chrome for Android and not Android itself.
    
    This PR tries at least to modify the headline for client simulations.
  3. Merge pull request #1044 from dcooper16/only_show_supported_ciphers

    drwetter committed Oct 15, 2018
    Only list supported ciphers
Commits on Oct 11, 2018
  1. Fix fragmentation also under FreeBSD and OS X

    drwetter committed Oct 11, 2018
    This PR addresses the remaining TCP fragmentation by piping the line buffered
    internal print through cat, see also #1130.
    It extends 1b52834 which was the same doing for Linux and
    OpenBSD.
    
    This PR also consolidates the last remaining low level socket calls
    in client_simulation_sockets() into socksend_clienthello().
    
    An negative performance effect is barely measurable.
    
    It also does a check whether the fd 5 is taken by a tty as
    I see this while writing the commit message ;-). We might
    want to make that line better instead of just echoing. :-)
Commits on Oct 9, 2018
  1. Bump version no of rc

    drwetter committed Oct 9, 2018
Commits on Oct 5, 2018
  1. Add jsonID to EC in run_pfs()

    drwetter committed Oct 5, 2018
  2. Merge pull request #1141 from dcooper16/ecdh_quality

    drwetter committed Oct 5, 2018
    Send ECDHE quality to fileout()
  3. House keeping: consolidating socket functions

    drwetter committed Oct 5, 2018
    * Put all low level socket related functions close to each other
    
    * removed socksend2 as it was not used and outdated looking forward
    
    * socksend_sslv2_clienthello() renamed to socksend_clienthello() as
      it wasn't particular SSLv2 related
    
    * removed the low level socket calls from socksend_tls_clienthello()
      and called socksend_clienthello() instead
    
    * renamed socksend_tls_clienthello() to prepare_tls_clienthello()
      as it is not a low level function anymore
Commits on Oct 4, 2018
  1. Fix STARTTLS IMAP

    drwetter committed Oct 4, 2018
    introduce @ b49399e
  2. Merge pull request #1138 from dcooper16/fix_typo

    drwetter committed Oct 4, 2018
    Remove typo
  3. Adding LMTP as a STARTTLS protocol

    drwetter committed Oct 4, 2018
    This commit adds LMTP to the STARTTLS protocols
    supported. It requires an openssl version which
    supports this which is either openssl 1.1.1
    or a backported version 1.0.2 (binary is in
    process).
    
    A check is in place whetrher the binary supports
    this.
    
    Furthermore some framework additions were made for
    further STARTTLS protocols like IRC and NNTP.
  4. Merge pull request #1137 from dcooper16/fix_1097

    drwetter committed Oct 4, 2018
    Name check for XMPP servers