Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: bump ssllabs rating guide to 2009r

Browse Source
This commit is contained in:
Magnus Larsen
2025-07-10 08:20:01 +02:00
parent b783fbc660
commit 826adbd6d7
1 changed files with 12 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
testssl.sh
View File

@@ -2817,6 +2817,7 @@ run_hsts() {
if ! is_number "$hsts_age_sec"; then if ! is_number "$hsts_age_sec"; then
pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification" pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age" fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
set_grade_warning "HSTS max-age is misconfigured"
else else
if [[ -n $hsts_age_sec ]]; then if [[ -n $hsts_age_sec ]]; then
hsts_age_days=$(( hsts_age_sec / 86400)) hsts_age_days=$(( hsts_age_sec / 86400))
@@ -2826,18 +2827,18 @@ run_hsts() {
if [[ $hsts_age_days -eq -1 ]]; then if [[ $hsts_age_days -eq -1 ]]; then
pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing" pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing" fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing"
set_grade_cap "A" "HSTS max-age is misconfigured" set_grade_warning "HSTS max-age is misconfigured"
elif [[ $hsts_age_sec -eq 0 ]]; then elif [[ $hsts_age_sec -eq 0 ]]; then
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled" pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled" fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
set_grade_cap "A" "HSTS is disabled" set_grade_warning "HSTS is disabled"
elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s" pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds" fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
else else
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)" pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds" fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
set_grade_cap "A" "HSTS max-age is too short" set_grade_warning "HSTS max-age is too short"
fi fi
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
@@ -2856,7 +2857,6 @@ run_hsts() {
else else
pr_svrty_low "not offered" pr_svrty_low "not offered"
fileout "$jsonID" "LOW" "not offered" fileout "$jsonID" "LOW" "not offered"
set_grade_cap "A" "HSTS is not offered"
fi fi
outln outln
@@ -6068,6 +6068,7 @@ run_protocols() {
fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string" fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
fi fi
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
;; ;;
2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
@@ -6091,16 +6092,19 @@ run_protocols() {
fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi fi
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
;; ;;
3) out "not offered " 3) out "not offered "
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered"
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
pr_warning "TLS downgraded to STARTTLS plaintext"; outln pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext" fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;; ;;
4) out "likely not offered, " # STARTTLS problem 4) out "likely not offered, " # STARTTLS problem
fileout "$jsonID" "INFO" "likely not offered" fileout "$jsonID" "INFO" "likely not offered"
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm" pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}" fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;; ;;
@@ -8070,6 +8074,7 @@ determine_cert_compression() {
tls_sockets "04" "$TLS13_CIPHER" "all+" "00,1b, 00,$len2, $len1$methods_to_test" tls_sockets "04" "$TLS13_CIPHER" "all+" "00,1b, 00,$len2, $len1$methods_to_test"
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
return 1 return 1
fi fi
add_proto_offered tls1_3 yes add_proto_offered tls1_3 yes
@@ -18500,8 +18505,6 @@ run_tls_fallback_scsv() {
pr_svrty_medium "Downgrade attack prevention NOT supported" pr_svrty_medium "Downgrade attack prevention NOT supported"
fileout "$jsonID" "MEDIUM" "NOT supported" fileout "$jsonID" "MEDIUM" "NOT supported"
fi fi
set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
pr_svrty_good "Downgrade attack prevention supported (OK)" pr_svrty_good "Downgrade attack prevention supported (OK)"
fileout "$jsonID" "OK" "supported" fileout "$jsonID" "OK" "supported"
@@ -22506,6 +22509,7 @@ determine_optimal_sockets_params() {
all_failed=false all_failed=false
else else
add_proto_offered tls1_3 no add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"
fi fi
fi fi
@@ -23673,10 +23677,10 @@ run_rating() {
# For other than SMTP on port 25 and port 587 and SIEVE (there's no implicit TLS port) you should use implicit TLS as per RFC 8314. # For other than SMTP on port 25 and port 587 and SIEVE (there's no implicit TLS port) you should use implicit TLS as per RFC 8314.
# Instead of port 587 (STARTTLS) implicit TLS on port 465 should be considered. # Instead of port 587 (STARTTLS) implicit TLS on port 465 should be considered.
pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)" pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide" pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
outln outln
fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)" fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
fileout "rating_doc" "INFO" "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide" fileout "rating_doc" "INFO" "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
# No point in calculating a score, if a cap of "F", "T", or "M" has been set # No point in calculating a score, if a cap of "F", "T", or "M" has been set