mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 04:49:44 +01:00
Merge branch '3.1dev' into ssl_renego_mod
This commit is contained in:
commit
45059ed769
@ -24,6 +24,7 @@
|
||||
* --add-ca can also now be a directory with \*.pem files
|
||||
* Warning of 398 day limit for certificates issued after 2020/9/1
|
||||
* Added environment variable for amount of attempts for ssl renegotiation check
|
||||
* Added --user-agent argument to support using a custom User Agent
|
||||
|
||||
### Features implemented / improvements in 3.0
|
||||
|
||||
|
@ -171,6 +171,8 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won
|
||||
.
|
||||
.P
|
||||
\fB\-\-sneaky\fR For HTTP header checks testssl\.sh uses normally the server friendly HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
||||
.P
|
||||
\fB\-\-user\-agent\fR tells testssl.sh to use the supplied HTTP user agent instead of the standard user agent \fBTLS tester from ${URL}\fR\.
|
||||
.
|
||||
.P
|
||||
\fB\-\-ids\-friendly\fR is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS\. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT\. The environment variable OFFENSIVE set to false will achieve the same result\. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK\.
|
||||
|
@ -216,6 +216,8 @@ in <code>/etc/hosts</code>. The use of the switch is only useful if you either
|
||||
|
||||
<p><code>--sneaky</code> For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
|
||||
|
||||
<p><code>--user-agent <user agent></code> tells testssl.sh to use the supplied HTTP user agent instead of the standard user agent <code>TLS tester from ${URL}</code>.</p>
|
||||
|
||||
<p><code>--ids-friendly</code> is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.</p>
|
||||
|
||||
<p><code>--phone-out</code> Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl.sh to query external -- in a sense of the current run -- URIs. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>
|
||||
|
@ -141,6 +141,8 @@ in `/etc/hosts`. The use of the switch is only useful if you either can't or ar
|
||||
|
||||
`--sneaky` For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
||||
|
||||
`--user-agent <user agent>` tells testssl.sh to use the supplied HTTP user agent instead of the standard user agent `TLS tester from ${URL}`.
|
||||
|
||||
`--ids-friendly` is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.
|
||||
|
||||
`--phone-out` Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl.sh to query external -- in a sense of the current run -- URIs. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
|
||||
|
Loading…
Reference in New Issue
Block a user