From b2d41330e0f0636eb35ebfc6fc0eb747519514dc Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 25 Jun 2020 13:05:47 +0200 Subject: [PATCH 1/3] port typo fixes to html and roff doc --- doc/testssl.1 | 4 ++-- doc/testssl.1.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 38bbfed..1b7a9f3 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -650,10 +650,10 @@ To implement a new grading cap, simply call the \fBset_grade_cap()\fR function, When implementing a new check (be it vulnerability or not) that sets grade caps, the \fBset_rating_state()\fR has to be updated (i\.e\. the \fB$do_mycheck\fR variable\-name has to be added to the loop, and \fB$nr_enabled\fR if\-statement has to be incremented) . .P -The \fBset_rating_state()\fR automatically disables ratinng, if all the required checks are \fInot\fR enabled\. This is to prevent giving out a misleading or wrong grade\. +The \fBset_rating_state()\fR automatically disables rating, if all the required checks are \fInot\fR enabled\. This is to prevent giving out a misleading or wrong grade\. . .P -When a new revision of the rating specification comes around, the following has to be done: * New grade caps has to be either: 1\. Added to the script wherever relevant, or 2\. Added to the above list of missing checks (if \fIi\.\fR is not possible) * New grade warnings has to be added wherever relevant * The revision output in \fBrun_rating()\fR function has to updated +When a new revision of the rating specification comes around, the following has to be done: * New grade caps has to be either: 1\. Added to the script wherever relevant, or 2\. Added to the above list of missing checks (if above is not possible) * New grade warnings has to be added wherever relevant * The revision output in \fBrun_rating()\fR function has to updated . .SH "EXAMPLES" . diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 8290958..38067d1 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -515,7 +515,7 @@ set_grade_warning "Documentation is always right"

When implementing a new check (be it vulnerability or not) that sets grade caps, the set_rating_state() has to be updated (i.e. the $do_mycheck variable-name has to be added to the loop, and $nr_enabled if-statement has to be incremented)

-

The set_rating_state() automatically disables ratinng, if all the required checks are not enabled. +

The set_rating_state() automatically disables rating, if all the required checks are not enabled. This is to prevent giving out a misleading or wrong grade.

Implementing a new revision

@@ -523,7 +523,7 @@ This is to prevent giving out a misleading or wrong grade.

When a new revision of the rating specification comes around, the following has to be done: * New grade caps has to be either: 1. Added to the script wherever relevant, or - 2. Added to the above list of missing checks (if i. is not possible) + 2. Added to the above list of missing checks (if above is not possible) * New grade warnings has to be added wherever relevant * The revision output in run_rating() function has to updated

From 288223c70760a534712d2cc68a57486f281820fe Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 25 Jun 2020 20:47:51 +0200 Subject: [PATCH 2/3] Polish STARTTLS rating output Moved the sentence ~i "A grade better than T would lead to a false sense of security" to the documentation. No reason for excuses in the output. ;-) Explanation fits better in the doc. See also #1657 --- doc/testssl.1 | 2 +- doc/testssl.1.html | 2 +- doc/testssl.1.md | 3 ++- testssl.sh | 3 ++- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 1b7a9f3..834d339 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -638,7 +638,7 @@ This program has a near\-complete implementation of SSL Labs\'s \'SSL Server Rat This is \fInot\fR a 100% reimplementation of the SSL Lab\'s SSL Server Test \fIhttps://www\.ssllabs\.com/ssltest/analyze\.html\fR, but an implementation of the above rating specification, slight discrepancies may occur\. Please note that for now we stick to the SSL Labs rating as good as possible\. We are not responsible for their rating\. Before filing issues please inspect their Rating Guide\. . .P -Disclaimer: Having a good grade is \fBNOT\fR necessarily equal to having good security! Don\'t start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it\. +Disclaimer: Having a good grade is \fBNOT\fR necessarily equal to having good security! Don\'t start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it\. Please note STARTTLS always results in a grade cap to T\. Anything else would lead to a false sense of security \- at least until we test for DANE or MTA-STS\. . .P As of writing, these checks are missing: * GOLDENDOODLE \- should be graded \fBF\fR if vulnerable * Insecure renegotiation \- should be graded \fBF\fR if vulnerable * Padding oracle in AES\-NI CBC MAC check (CVE\-2016\-2107) \- should be graded \fBF\fR if vulnerable * Sleeping POODLE \- should be graded \fBF\fR if vulnerable * Zero Length Padding Oracle (CVE\-2019\-1559) \- should be graded \fBF\fR if vulnerable * Zombie POODLE \- should be graded \fBF\fR if vulnerable * All remaining old Symantec PKI certificates are distrusted \- should be graded \fBT\fR * Symantec certificates issued before June 2016 are distrusted \- should be graded \fBT\fR * ! A reading of DH params \- should give correct points in \fBset_key_str_score()\fR * Anonymous key exchange \- should give \fB0\fR points in \fBset_key_str_score()\fR * Exportable key exchange \- should give \fB40\fR points in \fBset_key_str_score()\fR * Weak key (Debian OpenSSL Flaw) \- should give \fB0\fR points in \fBset_key_str_score()\fR diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 38067d1..af08013 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -484,7 +484,7 @@ Rating automatically gets disabled, to not give a wrong or misleading grade, whe

This is not a 100% reimplementation of the SSL Lab's SSL Server Test, but an implementation of the above rating specification, slight discrepancies may occur. Please note that for now we stick to the SSL Labs rating as good as possible. We are not responsible for their rating. Before filing issues please inspect their Rating Guide.

-

Disclaimer: Having a good grade is NOT necessarily equal to having good security! Don't start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it.

+

Disclaimer: Having a good grade is NOT necessarily equal to having good security! Don't start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it. Please note STARTTLS always results in a grade cap to T. Anything else would lead to a false sense of security - at least until we test for DANE or MTA-STS.

As of writing, these checks are missing: * GOLDENDOODLE - should be graded F if vulnerable diff --git a/doc/testssl.1.md b/doc/testssl.1.md index a866739..6755235 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -392,7 +392,8 @@ This program has a near-complete implementation of SSL Labs's '[SSL Server Ratin This is *not* a 100% reimplementation of the [SSL Lab's SSL Server Test](https://www.ssllabs.com/ssltest/analyze.html), but an implementation of the above rating specification, slight discrepancies may occur. Please note that for now we stick to the SSL Labs rating as good as possible. We are not responsible for their rating. Before filing issues please inspect their Rating Guide. -Disclaimer: Having a good grade is **NOT** necessarily equal to having good security! Don't start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it. +Disclaimer: Having a good grade is **NOT** necessarily equal to having good security! Don't start a competition for the best grade, at least not without monitoring the client handshakes and not without adding a portion of good sense to it. Please note STARTTLS always results in a grade cap to T. Anything else +would lead to a false sense of security - at least until we test for DANE or MTA-STS. As of writing, these checks are missing: * GOLDENDOODLE - should be graded **F** if vulnerable diff --git a/testssl.sh b/testssl.sh index d5b3c3b..fe021e6 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20797,12 +20797,13 @@ run_rating() { local c1_worst c1_best local c3_worst c3_best c3_worst_cb c3_best_cb local old_ifs=$IFS sorted_reasons sorted_warnings reason_nr=0 warning_nr=0 + local spaces=" " outln "\n"; pr_headlineln " Rating (experimental) " outln - [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "Encryption via STARTTLS is not mandatory (opportunistic). This leads to a false sense of security" + [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "Encryption via STARTTLS is not mandatory (opportunistic)." # Sort the reasons. This is just nicer to read in genereal IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}")) From 7c759937469892e5eaf2621acfbf33c7e5f38fef Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 25 Jun 2020 20:54:43 +0200 Subject: [PATCH 3/3] remove unused spaces var --- testssl.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index fe021e6..716da8f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20797,7 +20797,6 @@ run_rating() { local c1_worst c1_best local c3_worst c3_best c3_worst_cb c3_best_cb local old_ifs=$IFS sorted_reasons sorted_warnings reason_nr=0 warning_nr=0 - local spaces=" " outln "\n"; pr_headlineln " Rating (experimental) "