Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-04 08:44:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove redundant statements

Browse Source
This commit is contained in:
Dirk 2025-03-31 17:54:01 +02:00
parent 2dfd192f27
commit 093e8ddd10
1 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
bin/Readme.md
View File

@ -2,11 +2,10 @@
Binaries
========
The precompiled binaries provided here have extended support for weak crypto which is normally not in OpenSSL or LibreSSL: 40+56 Bit,
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty features needed for testing if you just want to test with
binaries. They also come with extended support for some new / advanced cipher suites and/or features which are not in the official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
However testssl.sh has emerged, and some time back it is using bash sockets for checks if the binary does not support a specific feature. So since then you could also use the OpenSSL / LibreSSL binary from your vendor. Check using binaries instead of bash sockets run a bit faster though. Also the usage of these binaries became more and more of a limited value:They don't support e.g. TLS 1.3 and newer TLS 1.2 ciphers. OTOH servers which only offer SSLv2 and SSLv3 became less common and we use for the majority of checks in testssl.sh sockets and not this binary. As a result the 3.2 release will probably be the last distribution where we will include these binaries.
The precompiled binaries provided in this directory have extended support for weak crypto which is normally not in OpenSSL
or LibreSSL: 40+56 Bit, export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty features needed for
testing if you just ant to test with binaries. They also come with extended support for some advanced cipher suites and/or
features which are not in the offcial branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
# Security notices
@ -16,18 +15,21 @@ The important thing upfront: **DO NOT USE THESE BINARIES FOR PRODUCTION PURPOSES
More
====
In general these binaries are not needed anymore as weak crypto is covered by bash sockets if the binary from the vendor can't handle weak crypto. In a future release they will be retired.
testssl.sh has emerged a longer while back, so in general these binaries are not needed anymore as weak crypto is covered by bash sockets if the binary from the vendor can't handle weak crypto. In a future release they could be be retired.
Checks using binaries instead of bash sockets run a bit faster though. For modern servers the usage of the binaries provided by our project might come with a limited value: They don't support e.g. TLS 1.3 and lack nerwer TLS 1.2 ciphers. OTOH servers which only offer SSLv2 and SSLv3 became less common.
One other thing worth to mention is that any binary can handle protocols on top of SSL/TLS better (or at all) once encrypted connection is established, like retrieving the HTTP header. OTOH as of 2024/2025 distributors/vendors however still support weaker crypto with TLS 1.0 or TLS 1.1, most of them even support SSLv3. That is possible with some tweaks which testssl.sh applies. So using older binaries like the ones in this directory are very often not needed.
Testing with openssl however is at the moment faster as opposed to using bash sockets. And binaries can handle protocols (/better) once the SSL/TLS connection is established, like retrieving the HTTP header. Distributors / vendors however support as of 2024/2025 still protocols like TLS 1.0 and TLS 1.1, most of them even SSLv3, with some tweaks. So using older binaries like the ones in this directory is very often not needed.
General
-------
The (stripped) binaries this directory are all compiled from the [old OpenSSL snapshot](https://github.com/testssl/openssl-1.0.2.bad) which adds a few bits to [Peter
Mosman's openssl fork](https://github.com/PeterMosmans/openssl). The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports. More, see the [README.md](https://github.com/testssl/openssl-1.0.2.bad/README.md). Also, as of now, a few CVEs were fixed.
Compiled Linux and FreeBSD binaries so far came from Dirk, other contributors see ../CREDITS.md . Binaries for more architectures see [contributed builds @ https://testssl.sh/](https://testssl.sh/contributed_binaries/).
Compiled Linux and FreeBSD binaries so far came from Dirk, other contributors see ../CREDITS.md . A few binaries were removed in the latest edition, which are Kerberos binaries and 32 Bit binaries. Those and binaries for more architectures can be retrieved from [contributed builds @ https://testssl.sh/](https://testssl.sh/contributed_binaries/). Those binaries are not stripped.
A few binaries were removed in the latest edition, which are Kerberos binaries and 32 Bit binaries. The diff krb5-ciphers.diff shows the additional ciphers when using the kerberos binary.
The diff krb5-ciphers.diff shows the additional ciphers when using the kerberos binary.
Compilation instructions