From 9121c7a3c9b5951745c7eaf851356db432d78204 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Sat, 8 May 2021 14:45:38 +0200
Subject: [PATCH] Fix "off by one" error in HSTS

There was by mistake a 179 days threshold and also the error message was wrong when HSTS was exactly set to 179 days. This commit sets it to 180 days and corrects the error messages on both screen and JSON.
---
 testssl.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index e180e42..025abd6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -208,7 +208,7 @@ STARTTLS_SLEEP=${STARTTLS_SLEEP:-10} # max time wait on a socket for STARTTLS
 FAST_STARTTLS=${FAST_STARTTLS:-true} # at the cost of reliability decrease the handshakes for STARTTLS
 USLEEP_SND=${USLEEP_SND:-0.1} # sleep time for general socket send
 USLEEP_REC=${USLEEP_REC:-0.2} # sleep time for general socket receive
-HSTS_MIN=${HSTS_MIN:-179} # >179 days is ok for HSTS
+HSTS_MIN=${HSTS_MIN:-180} # >=180 days is ok for HSTS
 HSTS_MIN=$((HSTS_MIN * 86400)) # correct to seconds
 HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, practical hints?
 HPKP_MIN=$((HPKP_MIN * 86400)) # correct to seconds
@@ -2619,12 +2619,12 @@ run_hsts() {
 pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
 fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
 set_grade_cap "A" "HSTS is disabled"
-elif [[ $hsts_age_sec -gt $HSTS_MIN ]]; then
+elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
 pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
 fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
 else
-pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( > $HSTS_MIN seconds recommended)"
-fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) <= $HSTS_MIN seconds"
+pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
+fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
 set_grade_cap "A" "HSTS max-age is too short"
 fi
 if includeSubDomains "$TMPFILE"; then
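Review bot: The OK-branch fileout line, which is unchanged context right after the new `-ge` test, still reports `> $HSTS_MIN seconds`, so a max-age of exactly HSTS_MIN (the case this commit is meant to fix) now passes but is logged to JSON as being greater than the threshold. It should read `fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) >= $HSTS_MIN seconds"` to match the corrected MEDIUM messages. The on-screen pr_svrty_good output prints no comparison, so only the JSON/log record is inconsistent. run_hsts continues outside the hunk.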