mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-04 13:33:12 +02:00

Add new baseline for testssl.sh tests.

Bram Matthys
2025-02-10 13:47:12 +01:00
parent 35bbba2b5b
commit 8537b73253
2 changed files with 28 additions and 26 deletions
+24 -25
@@ -1,25 +1,24 @@
Target: 127.0.0.1:5901
prio ciphersuite protocols pfs curves
1 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
2 ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
3 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
4 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
Certificate: untrusted, 384 bits, ecdsa-with-SHA256 signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Intolerance to:
SSL 3.254 : absent
TLS 1.0 : PRESENT
TLS 1.1 : PRESENT
TLS 1.2 : absent
TLS 1.3 : absent
TLS 1.4 : absent
"id","fqdn/ip","port","severity","finding","cve","cwe"
"service","127.0.0.1/127.0.0.1","5901","DEBUG","Couldn't determine service, skipping all HTTP checks","",""
"pre_128cipher","127.0.0.1/127.0.0.1","5901","INFO","No 128 cipher limit bug","",""
"cipherlist_NULL","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
"cipherlist_aNULL","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
"cipherlist_EXPORT","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
"cipherlist_LOW","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
"cipherlist_3DES_IDEA","127.0.0.1/127.0.0.1","5901","INFO","not offered","","CWE-310"
"cipherlist_OBSOLETED","127.0.0.1/127.0.0.1","5901","INFO","not offered","","CWE-310"
"cipherlist_STRONG_NOFS","127.0.0.1/127.0.0.1","5901","INFO","not offered","",""
"cipherlist_STRONG_FS","127.0.0.1/127.0.0.1","5901","OK","offered","",""
"FS","127.0.0.1/127.0.0.1","5901","OK","offered","",""
"FS_ciphers","127.0.0.1/127.0.0.1","5901","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
"FS_ECDHE_curves","127.0.0.1/127.0.0.1","5901","OK","prime256v1 secp384r1 secp521r1 X25519","",""
"FS_TLS12_sig_algs","127.0.0.1/127.0.0.1","5901","INFO","ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","",""
"FS_TLS13_sig_algs","127.0.0.1/127.0.0.1","5901","INFO","ECDSA+SHA384","",""
"cipher-tls1_2_xc02c","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
"cipher-tls1_2_xcca9","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","",""
"cipher-tls1_2_xc02b","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
"supportedciphers_TLS 1_2","127.0.0.1/127.0.0.1","5901","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256","",""
"cipher-tls1_3_x1302","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","",""
"cipher-tls1_3_x1303","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","",""
"cipher-tls1_3_x1301","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
"supportedciphers_TLS 1_3","127.0.0.1/127.0.0.1","5901","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
+4 -1
@@ -19,7 +19,10 @@ $TESTSSL --help >/dev/null || exit 1
# This is the actual scan, later on we use the 'testssl.csv' result
$TESTSSL --nodns none --cipher-per-proto --std --fs --csvfile testssl.csv --logfile testssl.log 127.0.0.1:5901
$TESTSSL --nodns none --cipher-per-proto --std --fs --csvfile testssl.pre.csv --logfile testssl.log 127.0.0.1:5901
# Filter this useless stuff out
cat testssl.pre.csv|grep -vF "No engine or GOST support" >testssl.csv
# Now check if profile matches, if so.. everything is ok.
FAILED=1
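Review bot: The added `cat testssl.pre.csv|grep -vF ...` line runs whether or not the scan above it produced a report, so a scan that wrote nothing leaves an empty `testssl.csv` and the problem only surfaces later as a baseline mismatch; a guard such as `[ -s testssl.pre.csv ] || exit 1` before the filter would make that case explicit, in the same `|| exit 1` style used after `$TESTSSL --help`. The filter can also read the file directly, `grep -vF "No engine or GOST support" testssl.pre.csv >testssl.csv`, which drops the extra `cat` process. The comment `# Filter this useless stuff out` would help the next maintainer more if it said why the row is removed, for example `# Drop the "No engine or GOST support" row; it presumably reflects the local OpenSSL build, not the server under test`. The comparison logic that starts at `FAILED=1` continues outside the hunk.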