Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3.1dev' of https://github.com/magnuslarsen/testssl.sh into magnuslarsen-3.1dev

Browse Source
This commit is contained in:
Dirk 2024-10-14 13:03:46 +02:00
commit 6c771f7902
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
testssl.sh
View File

@ -22933,15 +22933,20 @@ run_rating() {
pr_headlineln " Rating (experimental) "
outln
[[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured client-side"
# TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up.
if [[ -n "$STARTTLS_PROTOCOL" ]]; then
read -r -d '' grade_cap_reason <<'EOF'
TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up.
# Explanation: For other than SMTP you should use TLS as per RFC 8314 . For SMTP however there's this thing named reality: A mail server cannot
# just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186).
# For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks
# the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too.
# But as said, it's useless unless the client MTA checks all that which no tool can check.
Explanation: For other than SMTP you should use TLS as per RFC 8314. For SMTP however there's this thing named reality: A mail server cannot
just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186).
For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks
the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too.
But as said, it's useless unless the client MTA checks all that which no tool can check.
EOF
# We can't use newlines in the message, as the grade-sorting function will mess up the reason
set_grade_cap "T" "$(tr '\n' ' ' <<<$grade_cap_reason)"
fi
pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
@ -23127,9 +23132,9 @@ run_rating() {
# Pretty print - again, it's just nicer to read
for reason in "${sorted_reasons[@]}"; do
if [[ $reason_nr -eq 0 ]]; then
pr_bold " Grade cap reasons "; outln "$reason"
pr_bold " Grade cap reasons "; out_row_aligned_max_width "$reason\n" ' ' $TERM_WIDTH
else
outln " $reason"
out_row_aligned_max_width " $reason\n" ' ' $TERM_WIDTH
fi
((reason_nr++))
fileout "grade_cap_reason_${reason_nr}" "INFO" "$reason"