From 826adbd6d7fee01a437066a9bb4ee0d99d3c6ef7 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Thu, 10 Jul 2025 08:20:01 +0200
Subject: [PATCH] feat: bump ssllabs rating guide to 2009r
---
 testssl.sh | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 8d63dad..54fa24f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -2817,6 +2817,7 @@ run_hsts() {
 if ! is_number "$hsts_age_sec"; then
 pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
 fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
+ set_grade_warning "HSTS max-age is misconfigured"
 else
 if [[ -n $hsts_age_sec ]]; then
 hsts_age_days=$(( hsts_age_sec / 86400))
@@ -2826,18 +2827,18 @@ run_hsts() {
 if [[ $hsts_age_days -eq -1 ]]; then
 pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing"
 fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing"
- set_grade_cap "A" "HSTS max-age is misconfigured"
+ set_grade_warning "HSTS max-age is misconfigured"
 elif [[ $hsts_age_sec -eq 0 ]]; then
 pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
 fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
- set_grade_cap "A" "HSTS is disabled"
+ set_grade_warning "HSTS is disabled"
 elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
 pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
 fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
 else
 pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
 fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
- set_grade_cap "A" "HSTS max-age is too short"
+ set_grade_warning "HSTS max-age is too short"
 fi
 fi
 if includeSubDomains "$TMPFILE"; then
@@ -2856,7 +2857,6 @@ run_hsts() {
 else
 pr_svrty_low "not offered"
 fileout "$jsonID" "LOW" "not offered"
- set_grade_cap "A" "HSTS is not offered"
 fi
 outln
@@ -6068,6 +6068,7 @@ run_protocols() {
 fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
 fi
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 ;;
 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
 detected_version_string="SSLv3"
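Review bot: The removed `set_grade_cap "A" "HSTS is not offered"` in the not-offered branch of run_hsts has no replacement, so a server that sends no HSTS header at all leaves nothing in the rating explanation, while the neighbouring branches (max-age missing, 0, or too short) each now record a `set_grade_warning`. If the 2009r guide indeed stopped penalising missing HSTS that is defensible, but the visible inconsistency is that disabling HSTS via `max-age=0` is flagged and omitting the header entirely is not. Consider `set_grade_warning "HSTS is not offered"` here so the rating output stays coherent across the HSTS branches. The same observation applies to the `set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"` removal in the run_tls_fallback_scsv hunk, which also leaves no warning behind. run_hsts continues outside this hunk.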
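Review bot: The added `set_grade_warning "TLS 1.3 is not supported"` is attached to an `add_proto_offered tls1_3 no` call site, and the identical pair is repeated in the next run_protocols hunk (three more times), in determine_cert_compression and in determine_optimal_sockets_params, six copies in total. If set_grade_warning appends to a list rather than deduplicating, one scan can emit this warning several times, since the pre-check helpers and run_protocols may all observe the same "no" state. Recording the warning once where the tls1_3 result is consumed for the rating (or inside add_proto_offered for that protocol) would avoid the duplication and keep the message in one place. The enclosing case statement starts and ends outside the hunk.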
@@ -6091,16 +6092,19 @@ run_protocols() {
 fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fi
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 ;;
 3) out "not offered "
 fileout "$jsonID" "INFO" "not offered"
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 pr_warning "TLS downgraded to STARTTLS plaintext"; outln
 fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
 ;;
 4) out "likely not offered, " # STARTTLS problem
 fileout "$jsonID" "INFO" "likely not offered"
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
 fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
 ;;
@@ -8070,6 +8074,7 @@ determine_cert_compression() {
 tls_sockets "04" "$TLS13_CIPHER" "all+" "00,1b, 00,$len2, $len1$methods_to_test"
 if [[ $? -ne 0 ]]; then
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 return 1
 fi
 add_proto_offered tls1_3 yes
@@ -18500,8 +18505,6 @@ run_tls_fallback_scsv() {
 pr_svrty_medium "Downgrade attack prevention NOT supported"
 fileout "$jsonID" "MEDIUM" "NOT supported"
 fi
- set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
-
 elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
 pr_svrty_good "Downgrade attack prevention supported (OK)"
 fileout "$jsonID" "OK" "supported"
@@ -22506,6 +22509,7 @@ determine_optimal_sockets_params() {
 all_failed=false
 else
 add_proto_offered tls1_3 no
+ set_grade_warning "TLS 1.3 is not supported"
 KEY_SHARE_EXTN_NR="33"
 fi
 fi
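Review bot: In the `4)` arm the result is printed as `likely not offered` and recorded as INFO, yet the added `set_grade_warning "TLS 1.3 is not supported"` promotes that uncertain outcome into a definite rating warning; the `3)` arm does the same after a STARTTLS plaintext downgrade, where TLS 1.3 support was not actually established. Limiting the warning to the arms where the absence was observed, or using a distinct message such as `set_grade_warning "TLS 1.3 support could not be determined"` in the STARTTLS arms, would keep the grade explanation accurate. The `tls_sockets` failure branch in the determine_cert_compression hunk has the same weakness, since a non-zero return there can, as far as this hunk shows, have causes other than missing TLS 1.3. The surrounding case statement begins and ends outside the hunk.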
@@ -23673,10 +23677,10 @@ run_rating() {
 # For other than SMTP on port 25 and port 587 and SIEVE (there's no implicit TLS port) you should use implicit TLS as per RFC 8314.
 # Instead of port 587 (STARTTLS) implicit TLS on port 465 should be considered.
- pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
+ pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
 pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide" outln
- fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
+ fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
 fileout "rating_doc" "INFO" "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
 # No point in calculating a score, if a cap of "F", "T", or "M" has been set