diff --git a/extras/tests/tls/testssl_profiles/baseline.txt b/extras/tests/tls/testssl_profiles/baseline.txt
index a8c9272b2..68f997acb 100644
--- a/extras/tests/tls/testssl_profiles/baseline.txt
+++ b/extras/tests/tls/testssl_profiles/baseline.txt
@@ -1,25 +1,24 @@
-Target: 127.0.0.1:5901
-
-prio ciphersuite protocols pfs curves
-1 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
-2 ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
-3 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
-4 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH,P-521,521bits secp521r1,secp384r1
-
-Certificate: untrusted, 384 bits, ecdsa-with-SHA256 signature
-TLS ticket lifetime hint: None
-NPN protocols: None
-OCSP stapling: not supported
-Cipher ordering: server
-Curves ordering: server - fallback: no
-Server supports secure renegotiation
-Server supported compression methods: NONE
-TLS Tolerance: yes
-
-Intolerance to:
- SSL 3.254 : absent
- TLS 1.0 : PRESENT
- TLS 1.1 : PRESENT
- TLS 1.2 : absent
- TLS 1.3 : absent
- TLS 1.4 : absent
+"id","fqdn/ip","port","severity","finding","cve","cwe"
+"service","127.0.0.1/127.0.0.1","5901","DEBUG","Couldn't determine service, skipping all HTTP checks","",""
+"pre_128cipher","127.0.0.1/127.0.0.1","5901","INFO","No 128 cipher limit bug","",""
+"cipherlist_NULL","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
+"cipherlist_aNULL","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
+"cipherlist_EXPORT","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
+"cipherlist_LOW","127.0.0.1/127.0.0.1","5901","OK","not offered","","CWE-327"
+"cipherlist_3DES_IDEA","127.0.0.1/127.0.0.1","5901","INFO","not offered","","CWE-310"
+"cipherlist_OBSOLETED","127.0.0.1/127.0.0.1","5901","INFO","not offered","","CWE-310"
+"cipherlist_STRONG_NOFS","127.0.0.1/127.0.0.1","5901","INFO","not offered","",""
+"cipherlist_STRONG_FS","127.0.0.1/127.0.0.1","5901","OK","offered","",""
+"FS","127.0.0.1/127.0.0.1","5901","OK","offered","",""
+"FS_ciphers","127.0.0.1/127.0.0.1","5901","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 
ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"FS_ECDHE_curves","127.0.0.1/127.0.0.1","5901","OK","prime256v1 secp384r1 secp521r1 X25519","",""
+"FS_TLS12_sig_algs","127.0.0.1/127.0.0.1","5901","INFO","ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","",""
+"FS_TLS13_sig_algs","127.0.0.1/127.0.0.1","5901","INFO","ECDSA+SHA384","",""
+"cipher-tls1_2_xc02c","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_2_xcca9","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","",""
+"cipher-tls1_2_xc02b","127.0.0.1/127.0.0.1","5901","OK","TLS 1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
+"supportedciphers_TLS 1_2","127.0.0.1/127.0.0.1","5901","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"cipher-tls1_3_x1302","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","",""
+"cipher-tls1_3_x1303","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","",""
+"cipher-tls1_3_x1301","127.0.0.1/127.0.0.1","5901","OK","TLS 1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","",""
+"supportedciphers_TLS 1_3","127.0.0.1/127.0.0.1","5901","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","",""
diff --git a/extras/tests/tls/tls-tests b/extras/tests/tls/tls-tests
index 2da317fae..59483b1ce 100755
--- a/extras/tests/tls/tls-tests
+++ b/extras/tests/tls/tls-tests
@@ -19,7 +19,10 @@ $TESTSSL --help >/dev/null || exit 1
 # This is the actual scan, later on we use the 'testssl.csv' result
-$TESTSSL --nodns none --cipher-per-proto --std --fs --csvfile testssl.csv --logfile testssl.log 127.0.0.1:5901
+$TESTSSL --nodns none --cipher-per-proto --std --fs --csvfile testssl.pre.csv --logfile testssl.log 127.0.0.1:5901
+
+# Filter this useless stuff out
+cat testssl.pre.csv|grep -vF "No engine or GOST support" >testssl.csv
 # Now check if profile matches, if so.. everything is ok.
 FAILED=1
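Review bot: The new testssl invocation on the `+$TESTSSL` line loses the protocol-version assertion the old cipherscan baseline carried: the removed profile recorded `TLS 1.0 : PRESENT` and `TLS 1.1 : PRESENT` under "Intolerance to" (the server refuses those versions), whereas `--std --fs --cipher-per-proto` emits only cipher rows, so the regenerated baseline in the first hunk has no SSLv3/TLS1/TLS1_1 rows and would not catch a change that re-enables a legacy protocol. Adding testssl's protocol check and regenerating the profile restores that coverage in the same CSV: `$TESTSSL --nodns none -p --cipher-per-proto --std --fs --csvfile testssl.pre.csv --logfile testssl.log 127.0.0.1:5901`. The filter line `cat testssl.pre.csv|grep -vF "No engine or GOST support" >testssl.csv` is a useless use of cat and `grep -v` exits 1 when testssl.pre.csv is empty (e.g. the scan never ran), which only aborts the script if a `set -e` outside this hunk is in effect; `grep -vF "No engine or GOST support" testssl.pre.csv >testssl.csv || { echo "testssl produced no output" >&2; exit 1; }` makes that failure explicit. The comment `# Filter this useless stuff out` would be more useful as `# Drop the warning testssl prints when the local OpenSSL lacks GOST support; it varies by build and is not part of the profile`, since the filtered string depends on the test host's OpenSSL rather than on the server under test.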