NO_ENGINE (#834) and GREASE (#814)

This commit is contained in:
Dirk 2017-09-23 11:55:09 +02:00
parent 4523eea398
commit 68509694d4
2 changed files with 11 additions and 2 deletions

View File

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3 .\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3
. .
.TH "TESTSSL" "1" "August 2017" "" "" .TH "TESTSSL" "1" "September 2017" "" ""
. .
.SH "NAME" .SH "NAME"
\fBtestssl\fR \fBtestssl\fR
@ -245,7 +245,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
.IP "" 0 .IP "" 0
. .
.SS "VULNERABILITIES" .SS "VULNERABILITIES"
\fB\-U, \-\-vulnerable\fR Just tests all (following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\. \fB\-U, \-\-vulnerable\fR Just tests all (following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\.
. .
.P .P
\fB\-H, \-\-heartbleed\fR Checks for Heartbleed, a memory leakage in openssl\. Unless the server side doesn\'t support the heartbeat extension it is likely that this check runs into a timeout\. The seconds to wait for a reply can be adjusted with \fBHEARTBLEED_MAX_WAITSOCK\fR\. 8 is the default (unit: seconds) \fB\-H, \-\-heartbleed\fR Checks for Heartbleed, a memory leakage in openssl\. Unless the server side doesn\'t support the heartbeat extension it is likely that this check runs into a timeout\. The seconds to wait for a reply can be adjusted with \fBHEARTBLEED_MAX_WAITSOCK\fR\. 8 is the default (unit: seconds)
@ -295,6 +295,9 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
.P .P
\fB\-4, \-\-rc4, \-\-appelbaum\fR Checks which RC4 stream ciphers are being offered\. \fB\-4, \-\-rc4, \-\-appelbaum\fR Checks which RC4 stream ciphers are being offered\.
. .
.P
\fB\-g, \-\-grease\fR test for server implementation bugs, see https://datatracker\.ietf\.org/doc/draft\-ietf\-tls\-grease
.
.SS "OUTPUT OPTIONS" .SS "OUTPUT OPTIONS"
\fB\-\-warnings <batch|off>\fR The warnings parameter determines how testssl\.sh will deal with situations where user input will normally be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation\. Those are ones which would have a drastic impact on the results\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\. \fB\-\-warnings <batch|off>\fR The warnings parameter determines how testssl\.sh will deal with situations where user input will normally be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation\. Those are ones which would have a drastic impact on the results\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\.
. .
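Review bot: the new `\fB\-g, \-\-grease\fR` entry does not follow the style of the neighbouring option descriptions (`Checks which RC4 stream ciphers are being offered\.`): it starts lowercase, does not name what GREASE is, and has no terminating `\.`. Suggested wording: `\fB\-g, \-\-grease\fR Checks for server implementation bugs with respect to GREASE (Generate Random Extensions And Sustain Extensibility), see https://datatracker\.ietf\.org/doc/draft\-ietf\-tls\-grease\.` Since the header says this roff file is generated by Ronn from the markdown source, the wording belongs in the .md file with the man page regenerated from it, so the two stay in sync.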
@ -460,6 +463,9 @@ ALL_CLIENTS runs a client simulation with all (currently) 117 clients
UNBRACKTD_IPV6: needs to be set to true for some versions of OpenSSL (like from Gentoo) which don\'t support [bracketed] IPv6 addresses UNBRACKTD_IPV6: needs to be set to true for some versions of OpenSSL (like from Gentoo) which don\'t support [bracketed] IPv6 addresses
. .
.IP "\(bu" 4 .IP "\(bu" 4
NO_ENGINE: if you have problems with garbled output containing the word \'engine\' you might want to set this to true\. It forces testssl\.sh not try to configure openssl\'s engine or a non existing one from libressl
.
.IP "\(bu" 4
HEADER_MAXSLEEP: To wait how long before killing the process to retrieve a service banner / HTTP header HEADER_MAXSLEEP: To wait how long before killing the process to retrieve a service banner / HTTP header
. .
.IP "\(bu" 4 .IP "\(bu" 4
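Review bot: the added NO_ENGINE paragraph has a grammar slip and a missing full stop: `It forces testssl\.sh not try to configure openssl\'s engine or a non existing one from libressl` should read `It forces testssl\.sh not to try to configure openssl\'s engine, or a non\-existing one from libressl\.` (the other `.IP` entries in this list end with `\.`). As with the GREASE hunk, this text is generated from the markdown source, so fix it there and regenerate rather than editing the roff by hand.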

View File

@ -201,6 +201,8 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
`-4, --rc4, --appelbaum` Checks which RC4 stream ciphers are being offered. `-4, --rc4, --appelbaum` Checks which RC4 stream ciphers are being offered.
`-g, --grease` test for server implementation bugs, see https://datatracker.ietf.org/doc/draft-ietf-tls-grease
### OUTPUT OPTIONS ### OUTPUT OPTIONS
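Review bot: the new `-g, --grease` line should match the surrounding option entries, which are capitalized and end with a period (`Checks which RC4 stream ciphers are being offered.`); suggest `` `-g, --grease` Checks for server implementation bugs with respect to GREASE (Generate Random Extensions And Sustain Extensibility), see https://datatracker.ietf.org/doc/draft-ietf-tls-grease. `` The hunk header (`-201,6 +201,8`) shows two lines added while only one is visible here, so the separating blank line is presumably present; keep it, since ronn needs the entry to be its own paragraph to emit the separate `.P` block the generated man page shows for the other options.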
@ -307,6 +309,7 @@ Except the environment variables mentioned above which replace command line opti
[comment]: # * EXPERIMENTAL [comment]: # * EXPERIMENTAL
* ALL_CLIENTS runs a client simulation with all (currently) 117 clients * ALL_CLIENTS runs a client simulation with all (currently) 117 clients
* UNBRACKTD_IPV6: needs to be set to true for some versions of OpenSSL (like from Gentoo) which don't support [bracketed] IPv6 addresses * UNBRACKTD_IPV6: needs to be set to true for some versions of OpenSSL (like from Gentoo) which don't support [bracketed] IPv6 addresses
* NO_ENGINE: if you have problems with garbled output containing the word 'engine' you might want to set this to true. It forces testssl.sh not try to configure openssl's engine or a non existing one from libressl
* HEADER_MAXSLEEP: To wait how long before killing the process to retrieve a service banner / HTTP header * HEADER_MAXSLEEP: To wait how long before killing the process to retrieve a service banner / HTTP header
* MAX_WAITSOCK: It instructs testssl.sh to wait until the specified time before declaring a socket connection dead. Don't change this unless you're absolutely sure what you're doing. Value is in seconds. * MAX_WAITSOCK: It instructs testssl.sh to wait until the specified time before declaring a socket connection dead. Don't change this unless you're absolutely sure what you're doing. Value is in seconds.
* CCS_MAX_WAITSOCK Is the similar to above but applies only to the CCS handshakes, for both of the two the two CCS payload. Don't change this unless you're absolutely sure what you're doing. Value is in seconds. * CCS_MAX_WAITSOCK Is the similar to above but applies only to the CCS handshakes, for both of the two the two CCS payload. Don't change this unless you're absolutely sure what you're doing. Value is in seconds.
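Review bot: the added NO_ENGINE bullet is missing a word and a hyphen: `It forces testssl.sh not try to configure openssl's engine or a non existing one from libressl` should read `It forces testssl.sh not to try to configure openssl's engine, or a non-existing one from libressl.` This markdown file is the source the man page is generated from, so correcting it here and regenerating the roff fixes both copies. While touching this list, the unchanged context line `* CCS_MAX_WAITSOCK Is the similar to above but applies only to the CCS handshakes, for both of the two the two CCS payload.` carries a duplicated `the two` and could be cleaned up in the same pass.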