Merge pull request #2842 from testssl/opossum

drwetter · web-flow · commit e2f08a019a69 · 2025-07-12T22:41:20.000+02:00
Redo PR for Opossum , see #2838
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 
 * QUIC protocol check
 * bump SSLlabs rating guide to 2009r
+* Check for Opossum vulnerability
 
 ### Features implemented / improvements in 3.2
 
diff --git a/doc/testssl.1 b/doc/testssl.1
@@ -659,6 +659,9 @@ variable \f[CR]CCS_MAX_WAITSOCK\f[R].
 \f[CR]\-T, \-\-ticketbleed\f[R] Checks for Ticketbleed memory leakage in
 BigIP loadbalancers.
 .PP
+\f[CR]\-\-OP, \-\-opossum\f[R] Checks for HTTP to HTTPS upgrade
+vulnerability named Opossum.
+.PP
 \f[CR]\-\-BB, \-\-robot\f[R] Checks for vulnerability to ROBOT /
 (\f[I]Return Of Bleichenbacher\[cq]s Oracle Threat\f[R]) attack.
 .PP
@@ -1312,6 +1315,8 @@ RFC 2246: The TLS Protocol Version 1.0
 .IP \[bu] 2
 RFC 2595: Using TLS with IMAP, POP3 and ACAP
 .IP \[bu] 2
+RFC 2817: Upgrading to TLS Within HTTP/1.1
+.IP \[bu] 2
 RFC 2818: HTTP Over TLS
 .IP \[bu] 2
 RFC 2830: Lightweight Directory Access Protocol (v3): Extension for
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
@@ -590,6 +590,8 @@ <h3 id="vulnerabilities">VULNERABILITIES</h3>
         <code>CCS_MAX_WAITSOCK</code>.</p>
         <p><code>-T, --ticketbleed</code> Checks for Ticketbleed memory
         leakage in BigIP loadbalancers.</p>
+        <p><code>--OP, --opossum</code> Checks for HTTP to HTTPS upgrade
+        vulnerability named Opossum.</p>
         <p><code>--BB, --robot</code> Checks for vulnerability to ROBOT
         / (<em>Return Of Bleichenbacher’s Oracle Threat</em>)
         attack.</p>
@@ -1131,6 +1133,7 @@ <h2 id="rfcs-and-other-standards">RFCs and other standards</h2>
         <ul>
         <li>RFC 2246: The TLS Protocol Version 1.0</li>
         <li>RFC 2595: Using TLS with IMAP, POP3 and ACAP</li>
+        <li>RFC 2817: Upgrading to TLS Within HTTP/1.1</li>
         <li>RFC 2818: HTTP Over TLS</li>
         <li>RFC 2830: Lightweight Directory Access Protocol (v3):
         Extension for Transport Layer Security</li>
diff --git a/doc/testssl.1.md b/doc/testssl.1.md
@@ -236,9 +236,11 @@ Also for multiple server certificates are being checked for as well as for the c
 
 `-T, --ticketbleed`             Checks for Ticketbleed memory leakage in BigIP loadbalancers.
 
-`--BB, --robot`          Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
+`--OP, --opossum`               Checks for HTTP to HTTPS upgrade vulnerability named Opossum.
 
-`--SI, --starttls-injection`          Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
+`--BB, --robot`                 Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
+
+`--SI, --starttls-injection`    Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
 
 `-R, --renegotiation`           Tests renegotiation vulnerabilities. Currently there's a check for *Secure Renegotiation* and for *Secure Client-Initiated Renegotiation*. Please be aware that vulnerable servers to the latter can likely be DoSed very easily (HTTP). A check for *Insecure Client-Initiated Renegotiation* is not yet implemented.
 
@@ -490,6 +492,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
 
 * RFC 2246: The TLS Protocol Version 1.0
 * RFC 2595: Using TLS with IMAP, POP3 and ACAP
+* RFC 2817: Upgrading to TLS Within HTTP/1.1
 * RFC 2818: HTTP Over TLS
 * RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
 * RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
@@ -551,7 +554,6 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
 
 **etc/client-simulation.txt**  contains client simulation data.
 
-
 **etc/cipher-mapping.txt**  provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
 
 **etc/tls_data.txt**        provides a mandatory file for ciphers (bash sockets) and key material.
diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t
@@ -48,7 +48,7 @@ $edited_html =~ s/&apos;/'/g;
 
 $diff = diff \$edited_html, \$out;
 
-cmp_ok($edited_html, "eq", $out, "Checking if HTML file matches terminal output") or
+ok($edited_html eq $out, "Checking if HTML file matches terminal output") or
      diag ("\n%s\n", "$diff");
 
 $tests++;
@@ -82,7 +82,7 @@ $debughtml =~ s/.*Using bash .*\n//g;
 
 $diff = diff \$debughtml, \$html;
 
-cmp_ok($debughtml, "eq", $html, "Checking if HTML file created with --debug 4 matches HTML file created without --debug") or
+ok($debughtml eq $html, "Checking if HTML file created with --debug 4 matches HTML file created without --debug") or
      diag ("\n%s\n", "$diff");
 $tests++;
 
diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
@@ -90,6 +90,7 @@
 "heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
 "CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
 "ticketbleed","testssl.sh/81.169.166.184","443","OK","no session ticket extension","CVE-2016-9244","CWE-200"
+"opossum","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2025-49812","CWE-287"
 "ROBOT","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
 "secure_renego","testssl.sh/81.169.166.184","443","OK","supported","","CWE-310"
 "secure_client_renego","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2011-1473","CWE-310"
diff --git a/testssl.sh b/testssl.sh
