From de14ec9f8111fa905467b965b7026e8817ffabb3 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Fri, 19 Jun 2020 21:21:43 +0200
Subject: [PATCH 1/4] STARTTLS rating styling

---
 testssl.sh | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 926e282..9c64829 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -20802,14 +20802,7 @@ run_rating() {
 pr_headlineln " Rating (experimental) "
 outln
- if [[ -n "$STARTTLS_PROTOCOL" ]]; then
- pr_bold " Grade "; pr_svrty_critical "T"
- outln " - STARTTLS encryption is opportunistic"
- outln " (Further details would lead to a false sense of security)"
- fileout "grade" "CRITICAL" "T"
- fileout "grade_cap_reasons" "INFO" "No more details shown as it would lead to a false sense of security"
- return 0
- fi
+ [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_warning "STARTTLS encryption is opportunistic. The grade is very insignificant"
 # Sort the reasons. This is just nicer to read in genereal
 IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}"))
@@ -20912,7 +20905,7 @@ run_rating() {
 pr_bold " Final Score "; outln $final_score
- # get score, and somehow do something about the GRADE_CAP
+ # Calculate the pre-cap grade
 if [[ $final_score -ge 80 ]]; then
 pre_cap_grade="A"
 elif [[ $final_score -ge 65 ]]; then
From 2bff63b7db8a289acca2d88e1669ed3e85b9ef17 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Mon, 22 Jun 2020 19:14:25 +0200
Subject: [PATCH 2/4] Add a comment about STARTTLS connections in the docs

---
 doc/testssl.1.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 5198def..227ffbd 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
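Review bot: The one-line replacement drops the explanation the removed branch gave the reader, so the new code shows only that a warning is set and not why opportunistic STARTTLS is treated differently from a direct TLS connection; a comment above the line would carry that, e.g. `# STARTTLS is opportunistic: the session may never have been upgraded to TLS, so the TLS grade alone overstates the protection`. The same applies to the hunk in patch 4/4 that rewrites this line to call set_grade_cap. The removed branch also wrote explicit fileout records for "grade" and "grade_cap_reasons"; whether set_grade_warning emits equivalent machine-readable output is not visible in this hunk and is worth confirming before the early return is given up. run_rating continues outside the hunk.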
@@ -407,6 +407,10 @@ As of writing, these checks are missing:
 * Exportable key exchange - should give **40** points in `set_key_str_score()`
 * Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()`
+#### STARTTLS
+This program rates STARTTLS connections, exactly according to the specification. However, this program adds a grade warning about STARTTLS is being used. This is not apart of the rating specification, and limits the grade a STARTTLS connection can have, to a maximum of `A-`.
+
+
 #### Implementing new grades caps or -warnings
 To implement a new grading cap, simply call the `set_grade_cap()` function, with the grade and a reason:
 ```bash
From 069c5ae917709f2fd1540cc4ce6bd4334e0db47b Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Mon, 22 Jun 2020 19:16:20 +0200
Subject: [PATCH 3/4] Spelling

---
 doc/testssl.1.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 227ffbd..c15f3ee 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -410,7 +410,6 @@ As of writing, these checks are missing:
 #### STARTTLS
 This program rates STARTTLS connections, exactly according to the specification. However, this program adds a grade warning about STARTTLS is being used. This is not apart of the rating specification, and limits the grade a STARTTLS connection can have, to a maximum of `A-`.
-
 #### Implementing new grades caps or -warnings
 To implement a new grading cap, simply call the `set_grade_cap()` function, with the grade and a reason:
 ```bash
@@ -423,14 +422,14 @@ set_grade_warning "Documentation is always right"
 #### Implementing a new check which contains grade caps
 When implementing a new check (be it vulnerability or not) that sets grade caps, the `set_rating_state()` has to be updated (i.e. the `$do_mycheck` variable-name has to be added to the loop, and `$nr_enabled` if-statement has to be incremented)
-The `set_rating_state()` automatically disables ratinng, if all the required checks are *not* enabled.
+The `set_rating_state()` automatically disables rating, if all the required checks are *not* enabled.
 This is to prevent giving out a misleading or wrong grade.
 #### Implementing a new revision
 When a new revision of the rating specification comes around, the following has to be done:
 * New grade caps has to be either:
 1. Added to the script wherever relevant, or
- 2. Added to the above list of missing checks (if *i.* is not possible)
+ 2. Added to the above list of missing checks (if above is not possible)
 * New grade warnings has to be added wherever relevant
 * The revision output in `run_rating()` function has to updated
From f647ae8264d274067706b2b3272e7b930cbf16c0 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Tue, 23 Jun 2020 19:24:24 +0200
Subject: [PATCH 4/4] Change to grade cap

---
 doc/testssl.1.md | 3 ---
 testssl.sh | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index c15f3ee..a866739 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -407,9 +407,6 @@ As of writing, these checks are missing:
 * Exportable key exchange - should give **40** points in `set_key_str_score()`
 * Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()`
-#### STARTTLS
-This program rates STARTTLS connections, exactly according to the specification. However, this program adds a grade warning about STARTTLS is being used. This is not apart of the rating specification, and limits the grade a STARTTLS connection can have, to a maximum of `A-`.
-
 #### Implementing new grades caps or -warnings
 To implement a new grading cap, simply call the `set_grade_cap()` function, with the grade and a reason:
 ```bash
diff --git a/testssl.sh b/testssl.sh
index 9c64829..d5b3c3b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -20802,7 +20802,7 @@ run_rating() {
 pr_headlineln " Rating (experimental) "
 outln
- [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_warning "STARTTLS encryption is opportunistic. The grade is very insignificant"
+ [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "Encryption via STARTTLS is not mandatory (opportunistic). This leads to a false sense of security"
 # Sort the reasons. This is just nicer to read in genereal
 IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}"))
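Review bot: The cap to grade T for every STARTTLS target is now undocumented, because this patch removes the `#### STARTTLS` section from doc/testssl.1.md instead of updating it to the new behaviour (the removed text still describes a grade warning and an `A-` maximum). The section should come back with the new semantics, along the lines of "STARTTLS connections are capped at grade `T` because the encryption is opportunistic; this cap is not part of the rating specification." The cap reason also says the details lead to a false sense of security, while run_rating now goes on to print those details; a reason that states what the cap means reads better, e.g. `set_grade_cap "T" "Encryption via STARTTLS is opportunistic, so the connection cannot be trusted regardless of the other scores"`. Whether set_grade_cap ranks "T" below the letter grades when several caps are recorded is not visible here and is worth confirming. run_rating continues outside the hunk.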