Add '--full' / '-9' ...

.. to check during the default run for server implementation bugs
and run cipher per protocol check instead of cipher check.

Please note that this option could disappear later.
Dirk 2017-12-20 19:21:33 +01:00
parent 6d53a1e9f4
commit 5c005ac139


@ -14210,7 +14210,7 @@ help() {
Alternatively: nmap output in greppable format (-oG) (1x port per line allowed)
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
-e, --each-cipher checks each local cipher remotely
-E, --cipher-per-proto checks those per protocol
-s, --std, --standard tests certain lists of cipher suites by strength
@ -14241,10 +14241,11 @@ single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
-f, --pfs, --fs, --nsa checks (perfect) forward secrecy settings
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
-g, --grease tests several server implementation bugs like GREASE and size limitations
-9, --full includes tests for implementation bugs and cipher per protocol (could disappear)
tuning / connect options (most also can be preset via environment variables):
--fast omits some checks: using openssl for all ciphers (-e), show only first
preferred cipher
preferred cipher.
--bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
--assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used
@ -16074,6 +16075,12 @@ parse_cmd_line() {
-g|--grease)
do_grease=true
;;
-9|--full)
set_scanning_defaults
do_allciphers=false
do_cipher_per_proto=true
do_grease=true
;;
--devel) ### this development feature will soon disappear
HEX_CIPHER="$TLS12_CIPHER"
# DEBUG=3 ./testssl.sh --devel 03 "cc, 13, c0, 13" google.de --> TLS 1.2, old CHACHA/POLY
@ -16383,6 +16390,8 @@ lets_roll() {
run_spdy; ret=$(($? + ret)); time_right_align run_spdy;
run_http2; ret=$(($? + ret)); time_right_align run_http2;
}
fileout_section_header $section_number true && ((section_number++))
"$do_grease" && { run_grease; ret=$(($? + ret)); time_right_align run_grease; }
fileout_section_header $section_number true && ((section_number++))
$do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); time_right_align run_std_cipherlists; }
@ -16446,8 +16455,6 @@ lets_roll() {
fileout_section_header $section_number true && ((section_number++))
$do_client_simulation && { run_client_simulation; ret=$(($? + ret)); time_right_align run_client_simulation; }
fileout_section_header $section_number true && ((section_number++))
"$do_grease" && { run_grease; ret=$(($? + ret)); time_right_align run_grease; }
fileout_section_footer true
outln
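Review bot: In the `-9|--full)` case of parse_cmd_line, calling `set_scanning_defaults` while options are still being parsed makes the result depend on argument order: a check selected before `-9` is presumably overwritten by the defaults, and `do_allciphers=false` cancels an earlier `-e`, while options given after `-9` still apply. A scan that silently drops a requested check reports less than the operator asked for, so either document this on the case, e.g. `# resets all do_* flags; options given before --full are overridden`, or only record `do_full=true` here and apply the defaults after the option loop. The help line for `-9, --full` could also state that it replaces `-e` with `-E`. parse_cmd_line's body starts and ends outside the hunk, so the flag handling after the loop is not visible here.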