Add ROBOT_TIMEOUT to documentation

Also * remove VULN_THRESHLD from docs Note: pandoc was a different version, so the roff output has different encodings for different special chars.
2025-12-19 21:42:05 +01:00 · 2025-12-19 15:07:40 +01:00
parent 61d0189f8f
commit 3ac39032fa
3 changed files with 273 additions and 295 deletions
--- a/doc/testssl.1
+++ b/doc/testssl.1
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -578,17 +578,7 @@
        GREASE, see RFC 8701. This check doesn’t run per default.</p>
        <h3 id="vulnerabilities">VULNERABILITIES</h3>
        <p><code>-U, --vulnerable, --vulnerabilities</code> Just tests
-        all (of the following) vulnerabilities. The environment variable
-        <code>VULN_THRESHLD</code> determines after which value a
-        separate headline for each vulnerability is being displayed.
-        Default is <code>1</code> which means if you check for two
-        vulnerabilities, only the general headline for vulnerabilities
-        section is displayed – in addition to the vulnerability and the
-        result. Otherwise each vulnerability or vulnerability section
-        gets its own headline in addition to the output of the name of
-        the vulnerability and test result. A vulnerability section is
-        comprised of more than one check, e.g. the renegotiation
-        vulnerability check has two checks, so has Logjam.</p>
+        all (of the following) vulnerabilities.</p>
        <p><code>-H, --heartbleed</code> Checks for Heartbleed, a memory
        leakage in openssl. Unless the server side doesn’t support the
        heartbeat extension it is likely that this check runs into a
@@ -604,8 +594,9 @@
        <p><code>--OP, --opossum</code> Checks for HTTP to HTTPS upgrade
        vulnerability named Opossum.</p>
        <p><code>--BB, --robot</code> Checks for vulnerability to ROBOT
-        / (<em>Return Of Bleichenbacher’s Oracle Threat</em>)
-        attack.</p>
+        / (<em>Return Of Bleichenbacher’s Oracle Threat</em>) attack.
+        The predefined timeout of 5 seconds can be changed with the
+        environment variable <code>ROBOT_TIMEOUT</code>.</p>
        <p><code>--SI, --starttls-injection</code> Checks for STARTTLS
        injection vulnerabilities (SMTP, IMAP, POP3 only).
        <code>socat</code> and OpenSSL &gt;=1.1.0 is needed.</p>
@@ -930,11 +921,11 @@
        and when this is set to true, it generates a separate text file
        with epoch times in <code>/tmp/testssl-&lt;XX&gt;.time</code>.
        They need to be concatenated by
-        <code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code>
-        &lt;!—</li>
-        <li>FAST_SOCKET</li>
-        <li>SHOW_SIGALGO</li>
-        <li>FAST –&gt;</li>
+        <code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code> <!---
+        * FAST_SOCKET
+        * SHOW_SIGALGO
+        * FAST
+        --></li>
        <li>EXPERIMENTAL=true is an option which is sometimes used in
        the development process to make testing easier. In released
        versions this has no effect.</li>
@@ -961,6 +952,8 @@
        applies only to the ServerHello after sending the Heartbleed
        payload. Don’t change this unless you’re absolutely sure what
        you’re doing. Value is in seconds.</li>
+        <li>ROBOT_TIMEOUT is similar to above and applies to the ROBOT
+        check.</li>
        <li>MEASURE_TIME_FILE For seldom cases when you don’t want the
        scan time to be included in the output you can set this to
        false.</li>
@@ -972,9 +965,10 @@
        may be made larger on systems with faster processors.</li>
        <li>MAX_WAIT_TEST is the maximum time (in seconds) to wait for a
        single test in parallel mass testing mode to complete. The
-        default is 1200. &lt;!—</li>
-        <li>USLEEP_SND</li>
-        <li>USLEEP_REC –&gt;</li>
+        default is 1200. <!---
+        * USLEEP_SND
+        * USLEEP_REC
+        --></li>
        <li>HSTS_MIN is preset to 179 (days). If you want warnings
        sooner or later for HTTP Strict Transport Security you can
        change this.</li>
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -233,7 +233,7 @@ Also for multiple server certificates are being checked for as well as for the c

 ### VULNERABILITIES

-`-U, --vulnerable, --vulnerabilities` Just tests all (of the following) vulnerabilities. The environment variable `VULN_THRESHLD` determines after which value a separate headline for each vulnerability is being displayed. Default is `1` which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.
+`-U, --vulnerable, --vulnerabilities` Just tests all (of the following) vulnerabilities.

 `-H, --heartbleed`              Checks for Heartbleed, a memory leakage in openssl. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with `HEARTBLEED_MAX_WAITSOCK`. 8 is the default.

@@ -243,7 +243,7 @@ Also for multiple server certificates are being checked for as well as for the c

 `--OP, --opossum`               Checks for HTTP to HTTPS upgrade vulnerability named Opossum.

-`--BB, --robot`                 Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
+`--BB, --robot`                 Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack. The predefined timeout of 5 seconds can be changed with the environment variable `ROBOT_TIMEOUT`.

 `--SI, --starttls-injection`    Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.

@@ -393,6 +393,7 @@ Except the environment variables mentioned above which can replace command line
 * MAX_WAITSOCK: It instructs testssl.sh to wait until the specified time before declaring a socket connection dead. Don't change this unless you're absolutely sure what you're doing. Value is in seconds.
 * CCS_MAX_WAITSOCK Is the similar to above but applies only to the CCS handshakes, for both of the two the two CCS payload. Don't change this unless you're absolutely sure what you're doing. Value is in seconds.
 * HEARTBLEED_MAX_WAITSOCK  Is the similar to MAX_WAITSOCK but applies only to the ServerHello after sending the Heartbleed payload. Don't change this unless you're absolutely sure what you're doing. Value is in seconds.
+* ROBOT_TIMEOUT  is similar to above and applies to the ROBOT check.
 * MEASURE_TIME_FILE For seldom cases when you don't want the scan time to be included in the output you can set this to false.
 * STARTTLS_SLEEP is per default set to 10 (seconds). That's the value testssl.sh waits for a string in the STARTTLS handshake before giving up.
 * MAX_PARALLEL is the maximum number of tests to run in parallel in parallel mass testing mode. The default value of 20 may be made larger on systems with faster processors.