Merge pull request #2934 from testssl/shorten_badssl

drwetter · web-flow · commit a0c99d855ed2 · 2025-10-30T20:41:46.000+01:00
Shorten badssl GHA as they fail too often
diff --git a/t/21_baseline_starttls.t b/t/21_baseline_starttls.t
@@ -40,15 +40,15 @@ $uri="smtp-relay.gmail.com:587";
 # unlink "tmp.json";
 # we will have client simulations later, so we don't need to run everything again:
 printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run_smtp -t smtp $uri 2>&1`;
+$socket_out = `$prg $check2run_smtp -t smtp $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #2
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `./testssl.sh --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
+$openssl_out = `$prg --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
@@ -58,14 +58,14 @@ $uri="pop.gmx.net:110";
 #3
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`;
+$socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #4
 printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
-$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`;
+$openssl_out = `$prg --ssl-native $check2run -t pop3 $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
@@ -75,14 +75,14 @@ $uri="imap.gmx.net:143";
 #5
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t imap $uri 2>&1`;
+$socket_out = `$prg $check2run -t imap $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #6
 printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `./testssl.sh --ssl-native $check2run -t imap $uri 2>&1`;
+$openssl_out = `$prg --ssl-native $check2run -t imap $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
@@ -92,7 +92,7 @@ $uri="mail.tigertech.net:4190";
 #7
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t sieve $uri 2>&1`;
+$socket_out = `$prg $check2run -t sieve $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
@@ -102,22 +102,22 @@ $uri="jabber.org:5222";
 #8
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t xmpp $uri 2>&1`;
+$socket_out = `$prg $check2run -t xmpp $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
 
 # commented out, bc of travis' limits
 #
 #printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
+#$openssl_out = `$prg --ssl-native $check2run -t xmpp $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 #unlike($openssl_out, qr/$openssl_regex_bl/, "");
 #$tests++;
 
 # $uri="jabber.ccc.de:5269";
 # printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
-# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
+# $openssl_out = `$prg --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
 # # $openssl_json = json('tmp.json');
 # unlike($openssl_out, qr/$openssl_regex_bl/, "");
 # $tests++;
@@ -128,7 +128,7 @@ $uri="ldap.uni-rostock.de:21";
 #9
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t ftp $uri 2>&1`;
+$socket_out = `$prg $check2run -t ftp $uri 2>&1`;
 # $socket_json = json('tmp.json');
 # OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
 $socket_out =~ s/ error querying OCSP responder .*\n//g;
@@ -138,7 +138,7 @@ $tests++;
 # commented out, bc of travis' limits
 #
 # printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
-# $openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`;
+# $openssl_out = `$prg --ssl-native $check2run -t ftp $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 # OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
 # $openssl_out =~ s/ error querying OCSP responder .*\n//g;
@@ -151,14 +151,14 @@ $uri="db.debian.org:389";
 
 #10
 printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
-$socket_out = `./testssl.sh $check2run -t ldap $uri 2>&1`;
+$socket_out = `$prg $check2run -t ldap $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #11
 printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `./testssl.sh --ssl-native $check2run -t ldap $uri 2>&1`;
+$openssl_out = `$prg --ssl-native $check2run -t ldap $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
@@ -168,14 +168,14 @@ $tests++;
 #$uri="144.76.182.167:119";
 
 #printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ...";
-#$socket_out = `./testssl.sh $check2run -t nntp $uri 2>&1`;
+#$socket_out = `$prg $check2run -t nntp $uri 2>&1`;
 #unlike($socket_out, qr/$socket_regex_bl/, "");
 #$tests++;
 
 # commented out, bc of travis' limits
 #
 #printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`;
+#$openssl_out = `$prg --ssl-native $check2run -t nntp $uri 2>&1`;
 # $openssl_json = json('tmp.json');
 #unlike($openssl_out, qr/$openssl_regex_bl/, "");
 #$tests++;
diff --git a/t/23_client_simulation.t b/t/23_client_simulation.t
@@ -57,7 +57,7 @@ $tests++;
 #
 # unlink "tmp.json";
 #printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";
-#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`;
+#$openssl_out = `$prg --ssl-native $check2run -t smtp $uri 2>&1`;
 ## $openssl_json = json('tmp.json');
 #unlike($openssl_out, qr/$openssl_regex_bl/, "");
 #$tests++;
diff --git a/t/33_isJSON_severitylevel_valid.t b/t/33_isJSON_severitylevel_valid.t
@@ -16,7 +16,7 @@ my (
 $tests = 0;
 
 my $prg="./testssl.sh";
-my $check2run = '-S -e --ids-friendly -U --severity LOW --color 0';
+my $check2run = '-S --beast --sweet32 --breach --beast --lucky13 --rc4 --severity LOW --color 0';
 my $uri = 'badssl.com';
 
 printf "\n%s\n", "Doing severity level checks";
diff --git a/t/51_badssl.com.t b/t/51_badssl.com.t
@@ -7,22 +7,33 @@ use JSON;
 
 my $tests = 0;
 my $prg="./testssl.sh";
+my $check2run="-S -q --ip=one --color 0";
+my $okout;
+my $okjson;
+my $uri="badssl.com";
 
 my (
 	$out,
 	$json,
 	$found,
 );
-# OK
-pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
-my $okout = `$prg -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
-my $okjson = json('tmp.json');
+
+die "Unable to open $prg" unless -f $prg;
+
+# Provide proper start conditions
+unlink 'tmp.json';
+
+#1+#2 OK
+pass("Running testssl.sh against $uri to create a baseline (may take 2-3 minutes)"); $tests++;
+$okout = `$prg $check2run --jsonfile tmp.json $uri`;
+$okjson = json('tmp.json');
 unlink 'tmp.json';
 cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
 
 # Expiration
-pass("Running testssl against expired.badssl.com"); $tests++;
-$out = `$prg -S --jsonfile tmp.json --color 0 expired.badssl.com`;
+$uri="expired.badssl.com";
+pass("Running testssl against $uri"); $tests++;
+$out = `$prg $check2run --jsonfile tmp.json $uri`;
 like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;
 like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
 $json = json('tmp.json');
@@ -39,8 +50,9 @@ foreach my $f ( @$json ) {
 is($found,1,"We should have a finding for this in the JSON output"); $tests++;
 
 # Self signed and not-expired
-pass("Running testssl against self-signed.badssl.com"); $tests++;
-$out = `$prg -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
+$uri="self-signed.badssl.com";
+pass("Running testssl against $uri"); $tests++;
+$out = `$prg $check2run --jsonfile tmp.json $uri`;
 unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
 $json = json('tmp.json');
 unlink 'tmp.json';
@@ -81,8 +93,9 @@ foreach my $f ( @$okjson ) {
 is($found,1,"We should have a finding for this in the JSON output"); $tests++;
 
 # Wrong host
-#pass("Running testssl against wrong.host.badssl.com"); $tests++;
-#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
+#$uri="wrong.host.badssl.com";
+#pass("Running testssl against $uri"); $tests++;
+#$out = ``$prg $check2run --jsonfile tmp.json $uri`;
 #unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
 #$json = json('tmp.json');
 #unlink 'tmp.json';
@@ -98,8 +111,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
 #is($found,1,"We had a finding for this in the JSON output"); $tests++;
 
 # Incomplete chain
-pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
-$out = `$prg -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
+$uri='incomplete-chain.badssl.com';
+pass("Running testssl against $uri"); $tests++;
+$out = `$prg $check2run --jsonfile tmp.json $uri`;
 like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
 $json = json('tmp.json');
 unlink 'tmp.json';
@@ -117,8 +131,9 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
 # TODO: RSA 8192
 
 # TODO: CBC
-#pass("Running testssl against cbc.badssl.com"); $tests++;
-#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
+#$uri='cbc.badssl.com';
+#pass("Running testssl against $uri"); $tests++;
+#$out = `$prg $check2run --jsonfile tmp.json $uri`;
 #like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
 #$json = json('tmp.json');
 #unlink 'tmp.json';
@@ -144,5 +159,5 @@ sub json($) {
 }
 
 
-#  vim:ts=5:sw=5:expandtab
+# vim:ts=5:sw=5:expandtab
 

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ $tests++;`
`57`	`57`	`#`
`58`	`58`	`# unlink "tmp.json";`
`59`	`59`	`#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ...";`
`60`		-#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`;
	`60`	+#$openssl_out = `$prg --ssl-native $check2run -t smtp $uri 2>&1`;
`61`	`61`	`## $openssl_json = json('tmp.json');`
`62`	`62`	`#unlike($openssl_out, qr/$openssl_regex_bl/, "");`
`63`	`63`	`#$tests++;`