    Jeroen Wiert Pluimers
    @jpluimers
    @drwetter / @franklinyu thanks.
    Jeroen Wiert Pluimers
    @jpluimers
    @drwetter you can also ping me here on the 24th.
    (I'll try to remember myself, but life has not been less busy lately)
    Franklin Yu
    @FranklinYu
    Latest release 2.9.5-6 suggests switching to 3.0rcX. What is that? A branch or a tag?
    Dirk Wetter
    @drwetter
    3.0rc1 is now a tag in the 2.9dev branch
    Franklin Yu
    @FranklinYu
    2.9.5-6 is on 2.9-dev branch, not on 2.9.5 branch?
    Dirk Wetter
    @drwetter
    My bad, thx. I shouldn't do things when I am in a hurry. 2.9.5-7 corrects this
    Franklin Yu
    @FranklinYu
    Good. I'm thinking about renaming 2.9dev branch to master?
    Dirk Wetter
    @drwetter
    I should write an FAQ for this. See above (11th July 2017)
    Franklin Yu
    @FranklinYu
    You mean :point_up: July 11, 2017 11:32 AM ? I don't quite get it, to be frank... I understand that current development has been placed on 2.9dev, and even number stands for stable release (GTK team does something similar), but how is that different from calling it master?
    Dirk Wetter
    @drwetter
    because IMO master is an unfortunate naming if I also have dev. The best thing is if I could use master and dev as pointers but that's not what github offers
    Franklin Yu
    @FranklinYu
    So master in your mind is "end user should check out this branch and expect it to work"? I thought "master branch is under development and end user should download releases" is widely accepted.
    Dirk Wetter
    @drwetter
    It led to confusion here
    Franklin Yu
    @FranklinYu
    Currently if I do ./testssl.sh www.example.com, it resolves the IP and then makes a TCP connection with the IP, as expected. However, if I do ./testssl.sh --proxy proxy.example.com:8080 www.example.com, it still seems to be resolving the domain name locally. Is that the case? Why?
    Dirk Wetter
    @drwetter
    shouldn't be the case. There's an ENV variable DNS_VIA_PROXY which is set to true per default
    Franklin Yu
    @FranklinYu
    I tested with version 3.0rc3, I think the latest pre-release
    Franklin Yu
    @FranklinYu

    Is it DNS via the HTTP tunnel? What does that mean? I thought that after

    CONNECT example.host.com:22 HTTP/1.1

    I should be directly talking with example.host.com?

    Dirk Wetter
    @drwetter
    Certainly not "directly" from a network perspective. That's the point of a proxy. It relays everything with the CONNECT method
    Christian Moore
    @shamelesscookie

    Trying to use drwetter/testssl.sh Docker image ID 0447630f7b8a from 30 hrs ago results in error:

    Fatal error: hexdump is from busybox. Please install a regular binary

    Christian Moore
    @shamelesscookie
    I was able to build a working Docker image by adding four packages to the Dockerfile: util-linux, grep, gawk, and sed
    Dirk Wetter
    @drwetter
    hmm, let me look into it
    Dirk Wetter
    @drwetter
    I actually enforced the usage of non-busybox binaries after drwetter/testssl.sh#1225 in testssl.sh itself -- as a user had a problem with the busybox ps. But it sounds to me like I could relax that a bit
    Christian Moore
    @shamelesscookie
    Up to you. It seems to work just as well if you install the packages above using apt
    Dirk Wetter
    @drwetter
    https://docs.docker.com/develop/develop-images/dockerfile_best-practices/: Don’t install unnecessary packages ;-)
    Dirk Wetter
    @drwetter
    done
    Christian Moore
    @shamelesscookie
    :thumbsup: working again! Thanks
    Thomas Ward
    @teward
    @drwetter so, digging into what you poked me about, regarding IDN, emoji domains aren't valid against IDNA2008
    so the issue with IDN support generally here is if we support IDN we can't support Emojis which are outside the IDNA2008 allowed set
    which is the git issues and host issues you were running into, punycode or not
    closest we could do is use idn2 and enforce IDNA2008 and error whenever the specified URI contains things not permitted by IDNA2008
    therefore actual international scripts, i.e. Russian, will work, but emojis won't
    to quote Namecheap:
    To be successfully registered, an IDN domain name must be valid according to IDNA2008. Emojis cannot be used as IDNs as these code points are disallowed under the IDNA2008 protocol.
    so if we exclude Emoji domains as invalid because they are against IDNA2008, then the solution I detailed in my response to the issue ticket and your inquiry would 'solve' the issue.
    but we'd be forced to exclude Emoji domains because IDNA2008
    Rubens Ten
    @RubensTen

    Hello All! I'm trying to test my application with testssl but we are getting an error, please could you take a look?
    Windows 8.1
    Terminal Gitbash
    command:
    ./testssl.sh --ip 23.209.230.254 fiu.mx

    No engine or GOST support via engine with your /mingw64/bin/openssl

    #
    testssl.sh       3.0 from https://testssl.sh/
    
      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
       Please file bugs @ https://testssl.sh/bugs/
    #

    Using "" [~0 ciphers]
    on LPC:/mingw64/bin/openssl
    (built: "reproducible build, date unspecified", platform: "mingw64")

    Start 2020-03-18 11:17:31 -->> 23.209.230.254:443 (fiu.mx) <<--

    A record via: supplied IP "23.209.230.254"
    rDNS (23.209.230.254): a23-209-230-254.deploy.static.akamaitechnologies.com
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.
    Invalid option -v
    Try 'hexdump -h' for more information.

    Dirk Wetter
    @drwetter
    There's something wrong with your binaries, specifically openssl and hexdump. What does "openssl version -a" and "hexdump --version" say?
    Other than that: a docker container might be easier. Can't tell how to / whether that works under win 8.1. Anybody?
    Rubens Ten
    @RubensTen

    hi @drwetter the version is

    $ openssl version -a
    OpenSSL 1.0.2l 25 May 2017
    built on: reproducible build, date unspecified
    platform: mingw64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,2,long) idea(int) blowfish(idx)
    compiler: gcc -I. -I.. -I../include -I/mingw64/include -D_WINDLL -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_MT -DDSO_WIN32 -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/mingw64/ssl"

    hexdump --version
    hexdump from util-linux 2.33.1
    I can't use docker :/
    Dirk Wetter
    @drwetter
    That looks ok and doesn't give a hint about the errors you mentioned. What is "gitbash"?
    Dirk Wetter
    @drwetter
    Run "testssl.sh --debug=1 -p testssl.sh" and have a look at "/tmp/testssl.XXXXXX/environment.txt". What does PATH say? The OpenSSL sections should have an output too like ...

    OpenSSL 1.0.2-chacha (1.0.2k-dev)
    built on: Fri Jan 18 17:12:17 2019
    platform: linux-x86_64
    options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_USE_BUILD_DATE -DOPENSSL_USE_IPV6 -static -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/etc/ssl"
    OSSL_VER_MAJOR: 1
    OSSL_VER_MINOR: 0.2
    OSSL_VER_APPENDIX: -chacha
    OSSL_BUILD_DATE: Jan 18 17:12:17 2019
    OSSL_VER_PLATFORM: linux-x86_64

    OPENSSL_NR_CIPHERS: 183
    OPENSSL_CONF: /tmp/testssl.e5uJDk/gost.conf
    OSSL_SUPPORTED_CURVES: sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1

    skyfermom
    @skyfermom

    Hi all
    I'm testing the TLS configuration of a load balancer and found different responses between testssl.sh and openssl with a forced TLS version.
    testssl tells me my balancer accepts whatever TLS release:

    c:\> docker run --rm -t test_ssl:20210111 my_FQDN_hostname
    ...
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered (deprecated)
     TLS 1.1    offered (deprecated)
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final
     NPN/SPDY   grpc-exp, h2, http/1.1 (advertised)
     ALPN/HTTP2 h2, http/1.1, grpc-exp (offered)
    ...
    
    c:\>  docker run --rm -t test_ssl:20210111  --version
    
    ###########################################################
        testssl.sh       3.1dev from https://testssl.sh/dev/
        (477bd13 2021-01-07 10:25:02 -- )
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
     Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
     on 52ab2c050ab0:/home/testssl/bin/openssl.Linux.x86_64
     (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

    while openssl cannot negotiate TLS <= 1.2 (my aim):

    $ openssl s_client -servername my_FQDN_hostname -connect my_FQDN_hostname:443 -tls1 < /dev/null
    CONNECTED(00000003)
    140596531499648:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 7 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    $ openssl s_client -servername my_FQDN_hostname -connect my_FQDN_hostname:443 -tls1_1 < /dev/null
    CONNECTED(00000003)
    140541489844864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 7 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    
    $ openssl s_client -servername my_FQDN_hostname -connect my_FQDN_hostname:443 -tls1_2 < /dev/null
    CONNECTED(00000003)
    (_certificate_chain)
    ...
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    ...
    What's wrong with my comparison? Why does testssl report that TLS < 1.2 is allowed, while openssl denies this?
    Dirk Wetter
    @drwetter
    Sounds weird. I am sure it works normally. Mind passing the hostname to me (grep SWCONTACT testssl.sh)?
    skyfermom
    @skyfermom
    I cannot share the hostname, reserved and available only from within VPN.
    I rebuilt balancer from scratch and this time both tools are coherent. Don't ask me why ;-)
    Thank you Dirk!