Rev up testssl (microsoft#6801)

Co-authored-by: Amaury Chamayou <[email protected]>

Author: maxtropets

CMakeLists.txt

@@ -1124,7 +1124,7 @@ if(BUILD_TESTS)
         OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/testssl/testssl.sh
         COMMAND
           rm -rf ${CMAKE_CURRENT_BINARY_DIR}/testssl && git clone --depth 1
-          --branch v3.0.7 --single-branch
+          --branch v3.2rc4 --single-branch -c advice.detachedHead=false
           https://github.com/drwetter/testssl.sh
           ${CMAKE_CURRENT_BINARY_DIR}/testssl
       )

tests/tls_report.csv

@@ -1,12 +1,17 @@
 "ALPN","","INFO","http/1.1","",""
 "BEAST","","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20"
-"BREACH","","OK","not vulnerable, no HTTP compression  - only supplied '/' tested","CVE-2013-3587","CWE-310"
+"BREACH","","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression  - only supplied '/' tested","CVE-2013-3587","CWE-310"
 "CCS","","OK","not vulnerable","CVE-2014-0224","CWE-310"
 "CRIME_TLS","","OK","not vulnerable","CVE-2012-4929","CWE-310"
 "DNS_CAArecord","","LOW","--","",""
 "DROWN","","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
 "DROWN_hint","","INFO","no RSA certificate, can't be used with SSLv2 elsewhere","CVE-2016-0800 CVE-2016-0703","CWE-310"
 "FREAK","","OK","not vulnerable","CVE-2015-0204","CWE-310"
+"FS","","OK","offered","",""
+"FS_ECDHE_curves","","OK","prime256v1 secp384r1 secp521r1","",""
+"FS_TLS12_sig_algs","","INFO","ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA-BRAINPOOL+SHA256 ECDSA-BRAINPOOL+SHA384 ECDSA-BRAINPOOL+SHA512 ECDSA+SHA224","",""
+"FS_TLS13_sig_algs","","INFO","ECDSA+SHA384","",""
+"FS_ciphers","","INFO","TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
 "HPKP","","INFO","No support for HTTP Public Key Pinning","",""
 "HSTS","","LOW","not offered","",""
 "HTTP_clock_skew","","INFO","Got no HTTP time, maybe try different URL?","",""
@@ -16,9 +21,6 @@
 "LUCKY13","","OK","not vulnerable","CVE-2013-0169","CWE-310"
 "NPN","","INFO","not offered","",""
 "OCSP_stapling","","INFO","not offered","",""
-"PFS","","OK","offered","",""
-"PFS_ECDHE_curves","","OK","prime256v1 secp384r1 secp521r1","",""
-"PFS_ciphers","","INFO","TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
 "POODLE_SSL","","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310"
 "RC4","","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310"
 "ROBOT","","OK","not vulnerable, no RSA key transport cipher","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
@@ -46,9 +48,10 @@
 "cert_eTLS","","INFO","not present","",""
 "cert_expirationStatus","","HIGH","expires < 30 days (0)","",""
 "cert_extKeyUsage","","INFO","No server extended key usage information","",""
+"cert_extlifeSpan","","OK","certificate has no extended life time according to browser forum","",""
 "cert_fingerprintSHA1","","INFO","","",""
 "cert_fingerprintSHA256","","INFO","","",""
-"cert_keySize","","OK","EC 384 bits","",""
+"cert_keySize","","OK","EC 384 bits (curve P-384)","",""
 "cert_keyUsage","","INFO","No server key usage information","",""
 "cert_mustStapleExtension","","INFO","--","",""
 "cert_notAfter","","HIGH","","",""
@@ -61,39 +64,46 @@
 "cert_signatureAlgorithm","","OK","ECDSA with SHA384","",""
 "cert_subjectAltName","","INFO","","",""
 "cert_trust","","OK","Ok via SAN","",""
-"cert_validityPeriod","","INFO","No finding","",""
+"certificate_compression","","INFO","none","",""
 "certificate_transparency","","INFO","--","",""
 "certs_countServer","","INFO","1","",""
 "certs_list_ordering_problem","","INFO","no","",""
-"cipher_negotiated","","OK","TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)","",""
+"cipher-tls1_2_xc02b","","OK","TLSv1.2   xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
+"cipher-tls1_2_xc02c","","OK","TLSv1.2   xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_3_x1301","","OK","TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 256   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
+"cipher-tls1_3_x1302","","OK","TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 256   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
 "cipher_order","","OK","server","",""
-"cipher_x1301","","INFO","x1301   TLS_AES_128_GCM_SHA256            ECDH 256   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
-"cipher_x1302","","INFO","x1302   TLS_AES_256_GCM_SHA384            ECDH 256   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
-"cipher_xc02b","","INFO","xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
-"cipher_xc02c","","INFO","xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
+"cipher_order-tls1_2","","OK","server","",""
+"cipher_order-tls1_3","","OK","server","",""
+"cipher_strength_score","","INFO","0","",""
+"cipher_strength_score_weighted","","INFO","0","",""
 "cipherlist_3DES_IDEA","","INFO","not offered","","CWE-310"
-"cipherlist_AVERAGE","","INFO","not offered","","CWE-310"
 "cipherlist_EXPORT","","OK","not offered","","CWE-327"
 "cipherlist_LOW","","OK","not offered","","CWE-327"
 "cipherlist_NULL","","OK","not offered","","CWE-327"
-"cipherlist_STRONG","","OK","offered","",""
+"cipherlist_OBSOLETED","","INFO","not offered","","CWE-310"
+"cipherlist_STRONG_FS","","OK","offered","",""
+"cipherlist_STRONG_NOFS","","INFO","not offered","",""
 "cipherlist_aNULL","","OK","not offered","","CWE-327"
 "cipherorder_TLSv1_2","","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256","",""
 "cipherorder_TLSv1_3","","INFO","TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256","",""
-"clientsimulation-android_442","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-android_500","","INFO","TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"clientAuth","","INFO","optional","",""
+"clientAuth_CA_list","","INFO","empty","",""
+"clientsimulation-android_11","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-android_12","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-android_60","","INFO","TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256","",""
 "clientsimulation-android_70","","INFO","No connection","",""
 "clientsimulation-android_81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-android_90","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-android_X","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-apple_ats_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-chrome_74_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-apple_mail_16_0","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-chrome_101_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-chrome_79_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-edge_101_win10_21h2","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-edge_15_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-edge_17_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-firefox_100_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-firefox_66_win81","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-firefox_71_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-go_1178","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-ie_11_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-ie_11_win7","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-ie_11_win81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
@@ -102,30 +112,39 @@
 "clientsimulation-ie_8_win7","","INFO","No connection","",""
 "clientsimulation-ie_8_xp","","INFO","No connection","",""
 "clientsimulation-java1102","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-java1201","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-java_6u45","","INFO","No connection","",""
+"clientsimulation-java1703","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-java_7u25","","INFO","No connection","",""
 "clientsimulation-java_8u161","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-libressl_283","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_102e","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_110l","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_111d","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-opera_66_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_10_osx1012","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-openssl_303","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-safari_121_ios_122","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-safari_130_osx_10146","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_9_ios9","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-safari_9_osx1011","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
-"clientsimulation-thunderbird_68_3_1","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_154_osx_1231","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-thunderbird_91_9","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "cookie_count","","INFO","0 at '/' (30x detected, better try target URL of 30x)","",""
 "fallback_SCSV","","OK","no protocol below TLS 1.2 offered","",""
+"final_score","","INFO","0","",""
+"grade_cap_reason_1","","INFO","Grade capped to T. Issues with the chain of trust (chain incomplete)","",""
+"grade_cap_reason_2","","INFO","Grade capped to A. HSTS is not offered","",""
 "heartbleed","","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
 "id","fqdn/ip","port","severity","finding","cve","cwe"
+"intermediate_cert_badOCSP","","OK","intermediate certificate(s) is/are ok","",""
+"key_exchange_score","","INFO","0","",""
+"key_exchange_score_weighted","","INFO","0","",""
+"overall_grade","","CRITICAL","T","",""
 "pre_128cipher","","INFO","No 128 cipher limit bug","",""
-"protocol_negotiated","","OK","Default protocol TLS1.3","",""
+"protocol_support_score","","INFO","0","",""
+"protocol_support_score_weighted","","INFO","0","",""
+"rating_doc","","INFO","https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide","",""
+"rating_spec","","INFO","SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)","",""
 "secure_client_renego","","OK","not vulnerable","CVE-2011-1473","CWE-310"
 "secure_renego","","OK","supported","","CWE-310"
 "security_headers","","MEDIUM","--","",""
 "service","","INFO","HTTP","",""
 "sessionresumption_ID","","INFO","not supported","",""
 "sessionresumption_ticket","","INFO","not supported","",""
 "ticketbleed","","OK","not vulnerable","CVE-2016-9244","CWE-200"
+"winshock","","OK","not vulnerable","CVE-2014-6321","CWE-94"