Implement DNS HTTPS RR (RFC 9460)

.github/workflows/codespell.yml

@@ -13,4 +13,4 @@ jobs:
       - uses: codespell-project/actions-codespell@master
         with:
           skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,fedora-dirk-ipv6.diff
-          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull
+          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull,experim

t/10_baseline_ipv4_http.t

@@ -15,48 +15,51 @@ use JSON;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0";
+my $tmp_json="tmp.json";
+my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0 --jsonfile $tmp_json";
 my $uri="google.com";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
-my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
-my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
-my $json_regex_bl='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
-
 my $socket_json="";
 my $openssl_json="";
-$check2run="--jsonfile tmp.json $check2run";
+#FIXME: Blacklists we use to trigger an error, but likely we can skip that and instead we should?/could use
+#       @args="$prg $check2run $uri >/dev/null";
+#       system("@args") == 0
+#           or die ("FAILED: \"@args\" ");
+my $socket_errors='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
+my $openssl_errors='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
+my $json_errors='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
+
 
 die "Unable to open $prg" unless -f $prg;
 
 # Provide proper start conditions
-unlink "tmp.json";
+unlink $tmp_json;
 
 # Title
 printf "\n%s\n", "Baseline unit test IPv4 against \"$uri\"";
 
 #1
 $socket_out = `$prg $check2run $uri 2>&1`;
-$socket_json = json('tmp.json');
-unlink "tmp.json";
-unlike($socket_out, qr/$socket_regex_bl/, "via sockets, terminal output");
+$socket_json = json($tmp_json);
+unlike($socket_out, qr/$socket_errors≈/, "via sockets, checking terminal output");
 $tests++;
-unlike($socket_json, qr/$json_regex_bl/, "via sockets JSON output");
+unlike($socket_json, qr/$json_errors/, "via sockets checking JSON output");
 $tests++;
 
+unlink $tmp_json;
+
+
 #2
 $openssl_out = `$prg --ssl-native $check2run $uri 2>&1`;
-$openssl_json = json('tmp.json');
-unlink "tmp.json";
-# With Google only we sometimes encounter an error as they return a 0 char with openssl, so we white list this pattern here:
-# It should be fixed in the code though so we comment this out
-# $openssl_out =~ s/testssl.*warning: command substitution: ignored null byte in input\n//g;
-unlike($openssl_out, qr/$openssl_regex_bl/, "via OpenSSL");
+$openssl_json = json($tmp_json);
+unlike($openssl_out, qr/$openssl_errors/, "via (builtin) OpenSSL, checking terminal output");
 $tests++;
-unlike($openssl_json, qr/$json_regex_bl/, "via OpenSSL JSON output");
+unlike($openssl_json, qr/$json_errors/, "via OpenSSL (builtin) checking JSON output");
 $tests++;
 
+unlink $tmp_json;
+
 done_testing($tests);
 printf "\n";
 
@@ -69,5 +72,5 @@ sub json($) {
 }
 
 
-#  vim:ts=5:sw=5:expandtab
+# vim:ts=5:sw=5:expandtab
 

t/12_diff_opensslversions.t

@@ -25,18 +25,18 @@ die "Unable to open $prg" unless -f $prg;
 die "Unable to open $distro_openssl" unless -f $distro_openssl;
 
 # Provide proper start conditions
-unlink "tmp.csv";
-unlink "tmp2.csv";
+unlink $csvfile;
+unlink $csvfile2;
 
 #1 run
 printf "\n%s\n", "Diff test IPv4 with supplied openssl against \"$uri\"";
-@args="$prg $check2run $csvfile $uri 2>&1";
+@args="$prg $check2run $csvfile $uri >/dev/null";
 system("@args") == 0
      or die ("FAILED: \"@args\"");
 
 # 2
 printf "\n%s\n", "Diff test IPv4 with $distro_openssl against \"$uri\"";
-@args="$prg $check2run $csvfile2 --openssl=$distro_openssl $uri 2>&1";
+@args="$prg $check2run $csvfile2 --openssl=$distro_openssl $uri >/dev/null";
 system("@args") == 0
      or die ("FAILED: \"@args\" ");
 
@@ -63,6 +63,10 @@ $cat_csvfile  =~  s/ECDH\/MLKEM/ECDH 253  /g;
 $cat_csvfile  =~ s/.nonce-.* //g;
 $cat_csvfile2 =~ s/.nonce-.* //g;
 
+# Fix IP addresses. Needed when we don't hit the same IP address. We just remove them
+$cat_csvfile  =~ s/","google.com\/.*","443/","google.com","443/g;
+$cat_csvfile2 =~ s/","google.com\/.*","443/","google.com","443/g;
+
 $diff = diff \$cat_csvfile, \$cat_csvfile2;
 
 # Compare the differences -- and print them if there were any

t/61_diff_testsslsh.t

@@ -15,23 +15,23 @@ use Text::Diff;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $baseline_csv="./t/baseline_data/default_testssl.csvfile";
+my $baseline_csv="./t/baseline_data/testssl.csv";
 my $cat_csv="tmp.csv";
 my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $cat_csv";
 my $uri="testssl.sh";
 my $diff="";
+my @args="";
 
 die "Unable to open $prg" unless -f $prg;
 die "Unable to open $baseline_csv" unless -f $baseline_csv;
 
 # Provide proper start conditions
 unlink $cat_csv;
 
-my @args=("$prg", "$check2run", "$uri", "2>&1");
 
 #1 run
 printf "\n%s\n", "Diff unit test (IPv4) against \"$uri\"";
-printf "@args\n";
+@args="$prg $check2run $uri >/dev/null";
 system("@args") == 0
      or die ("FAILED: \"@args\" ");
 

t/Readme.md

@@ -5,6 +5,6 @@
 * 30-39:  Does reporting work?
 * 50-69:  Are the results what I expect (server side)?
 
-Please help to write Travis/CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
-You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `23_client_simulation.t` as a
-template.
+Please help to write CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
+You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `12_diff_opensslversions.t` as a
+template. The latter is newer and code is cleaner.

t/baseline_data/default_testssl.csvfile

@@ -1,4 +1,6 @@
 "id","fqdn/ip","port","severity","finding","cve","cwe"
+"engine_problem","/","443","WARN","No engine or GOST support via engine with your /opt/homebrew/bin/openssl","",""
+"DNS_HTTPS_rrecord","testssl.sh/81.169.166.184","443","OK","\# 10 00010000010003026832","",""
 "service","testssl.sh/81.169.166.184","443","INFO","HTTP","",""
 "pre_128cipher","testssl.sh/81.169.166.184","443","INFO","No 128 cipher limit bug","",""
 "SSLv2","testssl.sh/81.169.166.184","443","OK","not offered","",""
@@ -19,31 +21,31 @@
 "cipherlist_STRONG_NOFS","testssl.sh/81.169.166.184","443","OK","offered","",""
 "cipherlist_STRONG_FS","testssl.sh/81.169.166.184","443","OK","offered","",""
 "cipher_order-tls1","testssl.sh/81.169.166.184","443","OK","server","",""
-"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
-"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1   xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
 "cipher-tls1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1   x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
 "cipher-tls1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1   x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
 "cipher_order-tls1_1","testssl.sh/81.169.166.184","443","OK","server","",""
-"cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
-"cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
 "cipher-tls1_1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
 "cipher-tls1_1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
 "cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
 "cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","",""
 "cipher_order-tls1_2","testssl.sh/81.169.166.184","443","OK","server","",""
-"cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
-"cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
+"cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","",""
 "cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2   x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
 "cipher-tls1_2_x9e","testssl.sh/81.169.166.184","443","OK","TLSv1.2   x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","",""
-"cipher-tls1_2_xc028","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","",""
-"cipher-tls1_2_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
-"cipher-tls1_2_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_2_xc028","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","",""
+"cipher-tls1_2_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_2_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
 "cipher-tls1_2_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","",""
 "cipher-tls1_2_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","",""
 "cipher-tls1_2_x6b","testssl.sh/81.169.166.184","443","LOW","TLSv1.2   x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","",""
@@ -70,7 +72,7 @@
 "FS_TLS13_sig_algs","testssl.sh/81.169.166.184","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","",""
 "HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
 "HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
-"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1737570310","",""
+"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1737993118","",""
 "HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
 "HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
 "HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""