Add ROBOT_TIMEOUT to documentation

Also * remove VULN_THRESHLD from docs Note: pandoc was a different version, so the roff output has different encodings for different special chars.
2025-12-20 05:52:06 +01:00 · 2025-12-19 15:07:40 +01:00
parent 61d0189f8f
commit 3ac39032fa
3 changed files with 273 additions and 295 deletions
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -578,17 +578,7 @@
        GREASE, see RFC 8701. This check doesn’t run per default.</p>
        <h3 id="vulnerabilities">VULNERABILITIES</h3>
        <p><code>-U, --vulnerable, --vulnerabilities</code> Just tests
-        all (of the following) vulnerabilities. The environment variable
-        <code>VULN_THRESHLD</code> determines after which value a
-        separate headline for each vulnerability is being displayed.
-        Default is <code>1</code> which means if you check for two
-        vulnerabilities, only the general headline for vulnerabilities
-        section is displayed – in addition to the vulnerability and the
-        result. Otherwise each vulnerability or vulnerability section
-        gets its own headline in addition to the output of the name of
-        the vulnerability and test result. A vulnerability section is
-        comprised of more than one check, e.g. the renegotiation
-        vulnerability check has two checks, so has Logjam.</p>
+        all (of the following) vulnerabilities.</p>
        <p><code>-H, --heartbleed</code> Checks for Heartbleed, a memory
        leakage in openssl. Unless the server side doesn’t support the
        heartbeat extension it is likely that this check runs into a
@@ -604,8 +594,9 @@
        <p><code>--OP, --opossum</code> Checks for HTTP to HTTPS upgrade
        vulnerability named Opossum.</p>
        <p><code>--BB, --robot</code> Checks for vulnerability to ROBOT
-        / (<em>Return Of Bleichenbacher’s Oracle Threat</em>)
-        attack.</p>
+        / (<em>Return Of Bleichenbacher’s Oracle Threat</em>) attack.
+        The predefined timeout of 5 seconds can be changed with the
+        environment variable <code>ROBOT_TIMEOUT</code>.</p>
        <p><code>--SI, --starttls-injection</code> Checks for STARTTLS
        injection vulnerabilities (SMTP, IMAP, POP3 only).
        <code>socat</code> and OpenSSL &gt;=1.1.0 is needed.</p>
@@ -930,11 +921,11 @@
        and when this is set to true, it generates a separate text file
        with epoch times in <code>/tmp/testssl-&lt;XX&gt;.time</code>.
        They need to be concatenated by
-        <code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code>
-        &lt;!—</li>
-        <li>FAST_SOCKET</li>
-        <li>SHOW_SIGALGO</li>
-        <li>FAST –&gt;</li>
+        <code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code> <!---
+        * FAST_SOCKET
+        * SHOW_SIGALGO
+        * FAST
+        --></li>
        <li>EXPERIMENTAL=true is an option which is sometimes used in
        the development process to make testing easier. In released
        versions this has no effect.</li>
@@ -961,6 +952,8 @@
        applies only to the ServerHello after sending the Heartbleed
        payload. Don’t change this unless you’re absolutely sure what
        you’re doing. Value is in seconds.</li>
+        <li>ROBOT_TIMEOUT is similar to above and applies to the ROBOT
+        check.</li>
        <li>MEASURE_TIME_FILE For seldom cases when you don’t want the
        scan time to be included in the output you can set this to
        false.</li>
@@ -972,9 +965,10 @@
        may be made larger on systems with faster processors.</li>
        <li>MAX_WAIT_TEST is the maximum time (in seconds) to wait for a
        single test in parallel mass testing mode to complete. The
-        default is 1200. &lt;!—</li>
-        <li>USLEEP_SND</li>
-        <li>USLEEP_REC –&gt;</li>
+        default is 1200. <!---
+        * USLEEP_SND
+        * USLEEP_REC
+        --></li>
        <li>HSTS_MIN is preset to 179 (days). If you want warnings
        sooner or later for HTTP Strict Transport Security you can
        change this.</li>