Pin `testssl` to v3.0.7 (#3736)

2022-04-05 10:03:04 +01:00 · 2022-04-05 10:03:04 +01:00 · 44a1e0644b
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -668,7 +668,7 @@ if(BUILD_TESTS)
      OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/testssl/testssl.sh
      COMMAND
        rm -rf ${CMAKE_CURRENT_BINARY_DIR}/testssl && git clone --depth 1
-        https://github.com/drwetter/testssl.sh
+        --branch v3.0.7 --single-branch https://github.com/drwetter/testssl.sh
        ${CMAKE_CURRENT_BINARY_DIR}/testssl
    )
    add_custom_target(
--- a/tests/tls_report.csv
+++ b/tests/tls_report.csv
@ -1,104 +1,85 @@
-"id","fqdn/ip","port","severity","finding","cve","cwe"
-"service","","INFO","HTTP","",""
-"pre_128cipher","","INFO","No 128 cipher limit bug","",""
+"ALPN","","INFO","http/1.1","",""
+"BEAST","","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20"
+"BREACH","","OK","not vulnerable, no HTTP compression  - only supplied '/' tested","CVE-2013-3587","CWE-310"
+"CCS","","OK","not vulnerable","CVE-2014-0224","CWE-310"
+"CRIME_TLS","","OK","not vulnerable","CVE-2012-4929","CWE-310"
+"DNS_CAArecord","","LOW","--","",""
+"DROWN","","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"DROWN_hint","","INFO","no RSA certificate, can't be used with SSLv2 elsewhere","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"FREAK","","OK","not vulnerable","CVE-2015-0204","CWE-310"
+"HPKP","","INFO","No support for HTTP Public Key Pinning","",""
+"HSTS","","LOW","not offered","",""
+"HTTP_clock_skew","","INFO","Got no HTTP time, maybe try different URL?","",""
+"HTTP_status_code","","INFO","404 Not Found ('/')","",""
+"LOGJAM","","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
+"LOGJAM-common_primes","","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310"
+"LUCKY13","","OK","not vulnerable","CVE-2013-0169","CWE-310"
+"NPN","","INFO","not offered","",""
+"OCSP_stapling","","INFO","not offered","",""
+"PFS","","OK","offered","",""
+"PFS_ECDHE_curves","","OK","secp384r1 secp521r1","",""
+"PFS_ciphers","","INFO","TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"POODLE_SSL","","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310"
+"RC4","","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310"
+"ROBOT","","OK","not vulnerable, no RSA key transport cipher","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
+"SSL_sessionID_support","","INFO","yes","",""
 "SSLv2","","OK","not offered","",""
 "SSLv3","","OK","not offered","",""
+"SWEET32","","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
 "TLS1","","INFO","not offered","",""
 "TLS1_1","","INFO","not offered","",""
 "TLS1_2","","OK","offered","",""
 "TLS1_3","","OK","offered with final","",""
-"NPN","","INFO","not offered","",""
-"ALPN","","INFO","http/1.1","",""
-"cipherlist_NULL","","OK","not offered","","CWE-327"
-"cipherlist_aNULL","","OK","not offered","","CWE-327"
-"cipherlist_EXPORT","","OK","not offered","","CWE-327"
-"cipherlist_LOW","","OK","not offered","","CWE-327"
-"cipherlist_3DES_IDEA","","INFO","not offered","","CWE-310"
-"cipherlist_AVERAGE","","INFO","not offered","","CWE-310"
-"cipherlist_GOOD","","INFO","not offered","",""
-"cipherlist_STRONG","","OK","offered","",""
-"cipher_order","","OK","server","",""
-"protocol_negotiated","","OK","Default protocol TLS1.3","",""
-"cipher_negotiated","","OK","TLS_AES_256_GCM_SHA384, 521 bit ECDH (P-521)","",""
-"cipher-tls1_2_xc02c","","OK","TLSv1.2   xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
-"cipher-tls1_2_xc02b","","OK","TLSv1.2   xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
-"cipherorder_TLSv1_2","","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256","",""
-"cipher-tls1_3_x1302","","OK","TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 521   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
-"cipher-tls1_3_x1301","","OK","TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 521   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
-"cipherorder_TLSv1_3","","INFO","TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256","",""
-"FS","","OK","offered","",""
-"FS_ciphers","","INFO","TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
-"FS_ECDHE_curves","","OK","secp384r1 secp521r1","",""
 "TLS_extensions","","INFO","'renegotiation info/#65281' 'EC point formats/#11' 'session ticket/#35' 'supported versions/#43' 'key share/#51' 'supported_groups/#10' 'max fragment length/#1' 'application layer protocol negotiation/#16' 'extended master secret/#23'","",""
 "TLS_session_ticket","","INFO","valid for 7200 seconds only (<daily)","",""
-"SSL_sessionID_support","","INFO","yes","",""
-"sessionresumption_ticket","","INFO","not supported","",""
-"sessionresumption_ID","","INFO","not supported","",""
 "TLS_timestamp","","INFO","random","",""
-"certificate_compression","","INFO","none","",""
-"clientAuth","","INFO","optional","",""
-"clientAuth_CA_list","","INFO","empty","",""
-"cert_numbers","","INFO","1","",""
-"cert_signatureAlgorithm","","OK","ECDSA with SHA384","",""
-"cert_keySize","","OK","EC 384 bits (curve P-384)","",""
-"cert_keyUsage","","INFO","No server key usage information","",""
-"cert_extKeyUsage","","INFO","No server extended key usage information","",""
-"cert_serialNumber","","INFO","","",""
-"cert_serialNumberLen","","INFO","","",""
-"cert_fingerprintSHA1","","INFO","","",""
-"cert_fingerprintSHA256","","INFO","","",""
+"banner_application","","INFO","No application banner found","",""
+"banner_reverseproxy","","INFO","--","","CWE-200"
+"banner_server","","INFO","No Server banner line in header, interesting!","",""
 "cert","","INFO","----------","",""
+"cert_caIssuers","","INFO","CCF Network","",""
+"cert_certificatePolicies_EV","","INFO","no","",""
+"cert_chain_of_trust","","CRITICAL","failed (chain incomplete).","",""
 "cert_commonName","","OK","CCF Node","",""
 "cert_commonName_wo_SNI","","INFO","CCF Node","",""
-"cert_subjectAltName","","INFO","","",""
-"cert_trust","","OK","Ok via SAN","",""
-"cert_chain_of_trust","","CRITICAL","failed (chain incomplete).","",""
-"cert_certificatePolicies_EV","","INFO","no","",""
-"cert_expirationStatus","","HIGH","expires < 30 days (0)","",""
-"cert_notBefore","","INFO","","",""
-"cert_notAfter","","HIGH","","",""
-"cert_extlifeSpan","","OK","certificate has no extended life time according to browser forum","",""
-"cert_eTLS","","INFO","not present","",""
 "cert_crlDistributionPoints","","INFO","--","",""
+"cert_eTLS","","INFO","not present","",""
+"cert_expirationStatus","","HIGH","expires < 30 days (0)","",""
+"cert_extKeyUsage","","INFO","No server extended key usage information","",""
+"cert_fingerprintSHA1","","INFO","","",""
+"cert_fingerprintSHA256","","INFO","","",""
+"cert_keySize","","OK","EC 384 bits","",""
+"cert_keyUsage","","INFO","No server key usage information","",""
+"cert_mustStapleExtension","","INFO","--","",""
+"cert_notAfter","","HIGH","","",""
+"cert_notBefore","","INFO","","",""
+"cert_numbers","","INFO","1","",""
 "cert_ocspURL","","INFO","--","",""
 "cert_revocation","","HIGH","Neither CRL nor OCSP URI provided","",""
-"OCSP_stapling","","INFO","not offered","",""
-"cert_mustStapleExtension","","INFO","--","",""
-"DNS_CAArecord","","LOW","--","",""
+"cert_serialNumber","","INFO","","",""
+"cert_serialNumberLen","","INFO","","",""
+"cert_signatureAlgorithm","","OK","ECDSA with SHA384","",""
+"cert_subjectAltName","","INFO","","",""
+"cert_trust","","OK","Ok via SAN","",""
+"cert_validityPeriod","","INFO","No finding","",""
 "certificate_transparency","","INFO","--","",""
 "certs_countServer","","INFO","1","",""
 "certs_list_ordering_problem","","INFO","no","",""
-"cert_caIssuers","","INFO","CCF Network","",""
-"intermediate_cert_badOCSP","","OK","intermediate certificate(s) is/are ok","",""
-"HTTP_status_code","","INFO","404 Not Found ('/')","",""
-"HTTP_clock_skew","","INFO","Got no HTTP time, maybe try different URL?","",""
-"HSTS","","LOW","not offered","",""
-"HPKP","","INFO","No support for HTTP Public Key Pinning","",""
-"banner_server","","INFO","No Server banner line in header, interesting!","",""
-"banner_application","","INFO","No application banner found","",""
-"cookie_count","","INFO","0 at '/' (30x detected, better try target URL of 30x)","",""
-"security_headers","","MEDIUM","--","",""
-"banner_reverseproxy","","INFO","--","","CWE-200"
-"heartbleed","","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
-"CCS","","OK","not vulnerable","CVE-2014-0224","CWE-310"
-"ticketbleed","","OK","not vulnerable","CVE-2016-9244","CWE-200"
-"ROBOT","","OK","not vulnerable, no RSA key transport cipher","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
-"secure_renego","","OK","supported","","CWE-310"
-"secure_client_renego","","OK","not vulnerable","CVE-2011-1473","CWE-310"
-"CRIME_TLS","","OK","not vulnerable","CVE-2012-4929","CWE-310"
-"BREACH","","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression  - only supplied '/' tested","CVE-2013-3587","CWE-310"
-"POODLE_SSL","","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310"
-"fallback_SCSV","","OK","no protocol below TLS 1.2 offered","",""
-"SWEET32","","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
-"FREAK","","OK","not vulnerable","CVE-2015-0204","CWE-310"
-"DROWN","","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
-"DROWN_hint","","INFO","no RSA certificate, can't be used with SSLv2 elsewhere","CVE-2016-0800 CVE-2016-0703","CWE-310"
-"LOGJAM","","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
-"LOGJAM-common_primes","","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310"
-"BEAST","","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20"
-"LUCKY13","","OK","not vulnerable","CVE-2013-0169","CWE-310"
-"winshock","","OK","not vulnerable","CVE-2014-6321","CWE-94"
-"RC4","","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310"
+"cipher_negotiated","","OK","TLS_AES_256_GCM_SHA384, 521 bit ECDH (P-521)","",""
+"cipher_order","","OK","server","",""
+"cipher_x1301","","INFO","x1301   TLS_AES_128_GCM_SHA256            ECDH 521   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
+"cipher_x1302","","INFO","x1302   TLS_AES_256_GCM_SHA384            ECDH 521   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
+"cipher_xc02b","","INFO","xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
+"cipher_xc02c","","INFO","xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
+"cipherlist_3DES_IDEA","","INFO","not offered","","CWE-310"
+"cipherlist_AVERAGE","","INFO","not offered","","CWE-310"
+"cipherlist_EXPORT","","OK","not offered","","CWE-327"
+"cipherlist_LOW","","OK","not offered","","CWE-327"
+"cipherlist_NULL","","OK","not offered","","CWE-327"
+"cipherlist_STRONG","","OK","offered","",""
+"cipherlist_aNULL","","OK","not offered","","CWE-327"
+"cipherorder_TLSv1_2","","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"cipherorder_TLSv1_3","","INFO","TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256","",""
 "clientsimulation-android_442","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-android_500","","INFO","TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256","",""
 "clientsimulation-android_60","","INFO","TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256","",""
@ -106,44 +87,45 @@
 "clientsimulation-android_81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-android_90","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-android_X","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-apple_ats_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-chrome_74_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-chrome_79_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-edge_15_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-edge_17_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-firefox_66_win81","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-firefox_71_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-ie_6_xp","","INFO","No connection","",""
-"clientsimulation-ie_8_win7","","INFO","No connection","",""
-"clientsimulation-ie_8_xp","","INFO","No connection","",""
+"clientsimulation-ie_11_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-ie_11_win7","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-ie_11_win81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-ie_11_winphone81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-ie_11_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-edge_15_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-edge_17_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-opera_66_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-safari_9_osx1011","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-safari_10_osx1012","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-safari_121_ios_122","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_130_osx_10146","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-apple_ats_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-ie_6_xp","","INFO","No connection","",""
+"clientsimulation-ie_8_win7","","INFO","No connection","",""
+"clientsimulation-ie_8_xp","","INFO","No connection","",""
+"clientsimulation-java1102","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-java1201","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-java_6u45","","INFO","No connection","",""
 "clientsimulation-java_7u25","","INFO","No connection","",""
 "clientsimulation-java_8u161","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-java1102","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-java1201","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-openssl_102e","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_110l","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_111d","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-opera_66_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_10_osx1012","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-safari_121_ios_122","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_130_osx_10146","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-safari_9_osx1011","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-thunderbird_68_3_1","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"rating_spec","","INFO","SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)","",""
-"rating_doc","","INFO","https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide","",""
-"protocol_support_score","","INFO","0","",""
-"protocol_support_score_weighted","","INFO","0","",""
-"key_exchange_score","","INFO","0","",""
-"key_exchange_score_weighted","","INFO","0","",""
-"cipher_strength_score","","INFO","0","",""
-"cipher_strength_score_weighted","","INFO","0","",""
-"final_score","","INFO","0","",""
-"overall_grade","","CRITICAL","T","",""
-"grade_cap_reason_1","","INFO","Grade capped to T. Issues with the chain of trust (chain incomplete)","",""
-"grade_cap_reason_2","","INFO","Grade capped to A. HSTS is not offered","",""
+"cookie_count","","INFO","0 at '/' (30x detected, better try target URL of 30x)","",""
+"fallback_SCSV","","OK","no protocol below TLS 1.2 offered","",""
+"heartbleed","","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
+"id","fqdn/ip","port","severity","finding","cve","cwe"
+"pre_128cipher","","INFO","No 128 cipher limit bug","",""
+"protocol_negotiated","","OK","Default protocol TLS1.3","",""
+"secure_client_renego","","OK","not vulnerable","CVE-2011-1473","CWE-310"
+"secure_renego","","OK","supported","","CWE-310"
+"security_headers","","MEDIUM","--","",""
+"service","","INFO","HTTP","",""
+"sessionresumption_ID","","INFO","not supported","",""
+"sessionresumption_ticket","","INFO","not supported","",""
+"ticketbleed","","OK","not vulnerable","CVE-2016-9244","CWE-200"
--- a/tests/tlstest.py
+++ b/tests/tlstest.py
@ -76,14 +76,18 @@ def cond_removal(file):
 def test(network, args):
    node = network.nodes[0]
    endpoint = f"https://{node.get_public_rpc_host()}:{node.get_public_rpc_port()}"
-    cond_removal("tls_report.csv")
+    report_basename = "tls_report"
+    report_csv = f"{report_basename}.csv"
+    cond_removal(report_csv)
    cond_removal("tls_report.html")
    cond_removal("tls_report.json")
    cond_removal("tls_report.log")
    r = subprocess.run(
-        ["testssl/testssl.sh", "--outfile", "tls_report", endpoint], check=False
+        ["testssl/testssl.sh", "--outfile", report_basename, endpoint], check=False
    )
    assert r.returncode == 0
+    # Sort csv output lines to simplify comparison
+    subprocess.run(["sort", "--stable", report_csv, "-o", report_csv], check=True)
    assert compare_golden()