Merge branch '3.2' into changelog_3.2

.dockerignore

@@ -1,2 +1,11 @@
+# Exclude everything from the Docker build context:
+*
+
+# Except for this content:
+!bin/
+!etc/
+!testssl.sh
+
+# But additionally exclude this nested content:
 bin/openssl.Darwin.*
 bin/openssl.FreeBSD.*

.gitattributes

@@ -0,0 +1,11 @@
+*.sh    eol=lf
+*.bash  eol=lf
+*.md    eol=lf
+*.html  eol=lf
+*.txt   eol=lf
+*.txt   eol=lf
+*.1     eol=lf
+*.t     eol=lf
+*.yml   eol=lf
+Dockerfile*  eol=lf
+*.csvfile    eol=lf

.github/ISSUE_TEMPLATE/feature_request.md

@@ -11,7 +11,7 @@ Feel free to remove this line but please stick to the template. Not filling out
 -->
 
 **Which version are you referring to**
-3.0.x or 3.1dev? We might close this right away otherwise.
+3.0.x or 3.2?
 
 
 **Please check this repo whether this is a known feature request**

.github/ISSUE_TEMPLATE/other-issues---question.md

@@ -8,4 +8,4 @@ assignees: ''
 ---
 
 **Which version are you referring to**
-3.0.x or 3.1dev? (please check also how old your version is compare to the ones here)
+3.0.x or 3.2? (please check also how old your version is compare to the ones here)

.github/workflows/codespell.yml

@@ -9,8 +9,8 @@ jobs:
     name: Check for spelling errors
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@master
         with:
-          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
-          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle
+          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf
+          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull

.github/workflows/docker-3.1dev.yml → .github/workflows/docker-3.2.yml

@@ -1,37 +1,37 @@
-name: docker-3.1dev
+name: docker-3.2
 
 on:
   push:
     branches:
-      - 3.1dev
+      - 3.2
   workflow_dispatch:
   schedule:
     - cron: "0 8 * * 1"
 
 env:
-  BUILD_VERSION: "3.1dev"
+  BUILD_VERSION: "3.2"
   DOCKER_CLI_EXPERIMENTAL: enabled
 
 jobs:
 
   deploy:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Source checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v3.0.0
 
       - name: Setup Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Set Docker metadata
         id: docker_meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}
           labels: |
@@ -41,14 +41,14 @@ jobs:
 
       - name: GitHub login
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v3.3.0
+        uses: docker/build-push-action@v5.0.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .

.github/workflows/test.yml

@@ -1,17 +1,6 @@
 name: testssl.sh CI
 
 on:
-  push:
-    paths-ignore:
-      - 'utils/**'
-      - 'doc/**'
-      - 'bin/**'
-      - '**.md'
-      - '**.pem'
-      - '**.pdf'
-      - '**.html'
-      - 'LICENSE'
-      - 'Dockerfile'
   pull_request:
     paths-ignore:
       - 'utils/**'
@@ -32,11 +21,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: ['ubuntu-20.04']
+        os: ['ubuntu-22.04']
         perl: ['5.26']
     name: Perl ${{ matrix.perl }} on ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up perl
         uses: shogo82148/actions-setup-perl@v1
         with:

.gitignore

@@ -9,6 +9,7 @@ tmp.html
 *.log
 *.xml
 *.iml
+*.script
 *.swp
 *.swo
 *~

CHANGELOG.md

@@ -1,24 +1,27 @@
 
 ## Change Log
 
-### Features implemented / improvements in 3.2rcX
+### Features implemented / improvements in 3.2
 
 * Rating (SSL Labs, not complete)
 * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
+* Remove "negotiated cipher / protocol"
+* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
+* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
 * Improved compatibility with OpenSSL 3.0
-* Improved compatibility with Open/LibreSSL versions not suppoting TLS 1.0-1.1 anymore
+* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
 * Improved mass testing
-* switched to multi-stage image with opensuse base to avoid musl libc issues
-* Btter align colors of ciphers with standard cipherlists
+* Better align colors of ciphers with standard cipherlists
+* Save a few cycles for ROBOT
 * Several ciphers more colorized
 * Percent output char problem fixed
 * Several display/output fixes
 * BREACH check: list all compression methods and add brotli
 * Test for old winshock vulnerability
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
-* STARTTLS: XMPP server support
+* STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
@@ -39,14 +42,10 @@
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
 * Test for support for RFC 8879 certificate compression
-* New set of OpenSSL-bad binaries with STARTTLS xmpp-server
-* Save a few cycles for ROBOT
-* Provide a better verdict wrt to server order: Now per protocol and ciphers are
-  weighted for each protocol
-* Remove "negotiated cipher / protocol"
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8
 * Don't use external pwd command anymore
+* Doesn't hang anymore when there's no local resolver
 
 
 ### Features implemented / improvements in 3.0

CREDITS.md

@@ -9,7 +9,7 @@ Full contribution, see git log.
 * David Cooper (main contributor)
   - Major extensions to socket support for all protocols
   - extended parsing of TLS ServerHello messages
-  - TLS 1.3 support (final and pre-final) with needed encrption/decryptions
+  - TLS 1.3 support (final and pre-final) with needed en/decryption
   - add several TLS extensions
   - Detection + output of multiple certificates
   - several cleanups of server certificate related stuff
@@ -94,7 +94,7 @@ Full contribution, see git log.
   - helped with avoiding accidental TCP fragmentation
 
 * Brennan Kinney
-  - refactor dockerfile: Change base Alpine (3.17) => openSUSE Leap (15.4)
+  - refactored multistage Dockerfiles: performance gain+address bugs/inconsistencies
 
 * Magnus Larsen
   - SSL Labs Rating
@@ -185,6 +185,9 @@ Full contribution, see git log.
 * @nvsofts (NV)
   - LibreSSL patch for GOST
 
+* @w4ntun
+  - fixed DNS via proxy
+
 Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another.
 
 

Dockerfile

@@ -1,21 +1,40 @@
-FROM alpine:3.16
+# syntax=docker.io/docker/dockerfile:1
 
-RUN apk update && \
-    apk upgrade && \
-    apk add bash procps drill git coreutils libidn curl socat openssl xxd && \
-    rm -rf /var/cache/apk/* && \
-    addgroup testssl && \
-    adduser -G testssl -g "testssl user" -s /bin/bash -D testssl && \
-    ln -s /home/testssl/testssl.sh /usr/local/bin/ && \
-    mkdir -m 755 -p /home/testssl/etc /home/testssl/bin
+ARG LEAP_VERSION=15.4
+ARG INSTALL_ROOT=/rootfs
 
-USER testssl
-WORKDIR /home/testssl/
+FROM opensuse/leap:${LEAP_VERSION} as builder
+ARG CACHE_ZYPPER=/tmp/cache/zypper
+ARG INSTALL_ROOT
+# /etc/os-release provides $VERSION_ID
+RUN source /etc/os-release \
+  && export ZYPPER_OPTIONS=( --releasever "${VERSION_ID}" --installroot "${INSTALL_ROOT}" --cache-dir "${CACHE_ZYPPER}" ) \
+  && zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
+  && zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
+       bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl \
+  && zypper "${ZYPPER_OPTIONS[@]}" clean --all
+## Cleanup (reclaim approx 13 MiB):
+# None of this content should be relevant to the container:
+RUN  rm -r "${INSTALL_ROOT}/usr/share/"{licenses,man,locale,doc,help,info}
+# Functionality that the container doesn't need:
+RUN  rm    "${INSTALL_ROOT}/usr/share/misc/termcap" \
+  && rm -r "${INSTALL_ROOT}/usr/lib/sysimage/rpm"
 
-COPY --chown=testssl:testssl etc/. /home/testssl/etc/
-COPY --chown=testssl:testssl bin/. /home/testssl/bin/
-COPY --chown=testssl:testssl testssl.sh /home/testssl/
 
-ENTRYPOINT ["testssl.sh"]
+# Create a new image with the contents of $INSTALL_ROOT
+FROM scratch
+ARG INSTALL_ROOT
+COPY --link --from=builder ${INSTALL_ROOT} /
+# Link busybox to tar, see #2403. Create user + (home with SGID set):
+RUN  ln -s /usr/bin/busybox /usr/bin/tar \
+  && echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
+  && echo 'testssl:x:1000:' >> /etc/group \
+  && echo 'testssl:!::0:::::' >> /etc/shadow \
+  && install --mode 2755 --owner testssl --group testssl --directory /home/testssl \
+  && ln -s /home/testssl/testssl.sh /usr/local/bin/
 
+# Copy over build context (after filtered by .dockerignore): bin/ etc/ testssl.sh
+COPY --chown=testssl:testssl . /home/testssl/
+USER testssl
+ENTRYPOINT ["testssl.sh"]
 CMD ["--help"]

Dockerfile.git

@@ -1,6 +1,6 @@
 # Build using git repo
 
-FROM alpine:3.16
+FROM alpine:3.17
 
 WORKDIR /home/testssl
 

Dockerfile.md

@@ -36,7 +36,7 @@ You can pull the image from dockerhub and run:
 docker run --rm -t drwetter/testssl.sh --fs example.com
 ```
 
-Supported tags are: ``3.1dev`` and ``latest`, which are the same, i.e. the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements (see git log) over the released version 3.0.X.
+Supported tags are: ``3.2`` and ``latest`, which are the same, i.e. the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements (see git log) over the released version 3.0.X.
 
 ``docker run --rm -t drwetter/testssl.sh:stable example.com``.
 

Readme.md

@@ -5,7 +5,7 @@
 [![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml)
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 [![License](https://img.shields.io/github/license/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/LICENSE)
-[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.1dev/Dockerfile.md)
+[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md)
 
 `testssl.sh` is a free command line tool which checks a server's service on
 any port for the support of TLS/SSL ciphers, protocols as well as some
@@ -49,11 +49,12 @@ Update notification here or @ [mastodon](https://infosec.exchange/@testssl) (old
 
 ### Installation
 
-You can download testssl.sh branch 3.1dev just by cloning this git repository:
+You can download testssl.sh branch 3.2 just by cloning this git repository:
 
     git clone --depth 1 https://github.com/drwetter/testssl.sh.git
 
-Think of 3.1dev like a rolling release, see below. For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.4) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/3.0.4) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
+3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase.
+For the former stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/v3.0.8) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/v3.0.8) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
 
 #### Docker
 
@@ -68,12 +69,12 @@ Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and r
 docker build . -t imagefoo && docker run --rm -t imagefoo example.com
 ```
 
-For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/Dockerfile.md).
+For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md).
 
 
 ### Status
 
-We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you.
+We're currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
 
 Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
 
@@ -87,7 +88,7 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
 
 ### Contributing
 
-Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.1dev/Coding_Convention.md).
+Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.2/Coding_Convention.md).
 
 ### Bug reports
 
@@ -114,9 +115,6 @@ Please address questions not specifically to the code of testssl.sh to the respe
 #### Mass scanner w parallel scans and elastic searching the results
 * https://github.com/TKCERT/testssl.sh-masscan
 
-#### Another ready-to-go docker image is at:
-* https://quay.io/repository/jumanjiman/testssl
-
 #### Privacy checker using testssl.sh
 * https://privacyscore.org