From a2470b01af9c136c201beb2e1a06ed6d7e8e662e Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 20 Apr 2026 18:56:51 +0200 Subject: [PATCH] Fix doc error regarding MAX_SOCKET_FAIL + MAX_OSSL_FAIL (3.2) The trailing error messages were swapped in the paragraphs / description for MAX_SOCKET_FAIL + MAX_OSSL_FAIL . This fixes the confusion for 3.2 , see #3028 . --- doc/testssl.1 | 4 ++-- doc/testssl.1.html | 4 ++-- doc/testssl.1.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 47e0c06..bfccf1e 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -415,9 +415,9 @@ TESTSSL_INSTALL_DIR is the derived installation directory of testssl\.sh\. Relat .IP "\[ci]" 4 CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl\.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl\.sh will use\. Please note that it overrides completely the builtin path of testssl\.sh which means that you will only test against the bundles you point to\. Also you might want to use \fB~/utils/create_ca_hashes\.sh\fR to create the hashes for HPKP\. .IP "\[ci]" 4 -MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated openssl s_client connect problem, doesn't make sense to continue\fR\. +MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connection may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated \TCP connect problems, giving up\fR\. .IP "\[ci]" 4 -MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\. +MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated openssl s_client connect problem, doesn't make sense to continue\fR\. 
.IP "\[ci]" 4 MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can increase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn't make sense to continue\fR\. .IP "\[ci]" 4 diff --git a/doc/testssl.1.html b/doc/testssl.1.html index cf4d029..60e47c7 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -499,8 +499,8 @@ Rating automatically gets disabled, to not give a wrong or misleading grade, whe
  • DAYS2WARN2 is the second threshold when you'll be warning of a certificate expiration of a host, preset to 30 (days). For Let's Encrypt this value will be divided internally by 2.
  • TESTSSL_INSTALL_DIR is the derived installation directory of testssl.sh. Relatively to that the bin and mandatory etc directory will be looked for.
  • CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use ~/utils/create_ca_hashes.sh to create the hashes for HPKP.
  • -
  • MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue.
  • -
  • MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated TCP connect problems, giving up.
  • +
  • MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated repeated TCP connect problems, giving up.
  • +
  • MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue.
  • MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like Fatal error: repeated HTTP header connect problems, doesn't make sense to continue.
  • OPENSSL2 can be used to supply an alternative openssl version. This only makes sense if you want to amend the supplied version in bin/ which lacks TLS 1.3 support with a version which does not and is not in /usr/bin/openssl.
  • OSSL_SHORTCUT should be set to false when you run interactively and don't want to switch automatically to /usr/bin/openssl (OPENSSL2) if you encounter a TLS 1.3-only host.
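Review bot: the added MAX_SOCKET_FAIL entry in doc/testssl.1.html doubles a word: it reads "Fatal error: repeated repeated TCP connect problems, giving up". The removed MAX_OSSL_FAIL entry carried the same message with a single "repeated", and the doc/testssl.1.md hunk of this patch has it once as well. Drop the duplicate so that the HTML page quotes the same text as the Markdown source.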
  • diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 9c40cfb..4a7ed63 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md 
@@ -401,8 +401,8 @@ Except the environment variables mentioned above which can replace command line * DAYS2WARN2 is the second threshold when you'll be warning of a certificate expiration of a host, preset to 30 (days). For Let's Encrypt this value will be divided internally by 2. * TESTSSL_INSTALL_DIR is the derived installation directory of testssl.sh. Relatively to that the `bin` and mandatory `etc` directory will be looked for. * CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use `~/utils/create_ca_hashes.sh` to create the hashes for HPKP. -* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*. -* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*. +* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*. +* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. 
You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*. * MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*. * OPENSSL2 can be used to supply an alternative openssl version. This only makes sense if you want to amend the supplied version in `bin/` which lacks TLS 1.3 support with a version which doesn not and is not in `/usr/bin/openssl`. * OSSL_SHORTCUT should be set to false when you run interactively and don't want to switch automatically to `/usr/bin/openssl` (`OPENSSL2`) if you encounter a TLS 1.3-only host.
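Review bot: the unchanged OPENSSL2 entry just below the two swapped lines in doc/testssl.1.md reads "with a version which doesn not and is not in", while the same entry in the doc/testssl.1.html hunk has "does not". Since this commit already touches the neighbouring lines, fix the typo here too. The two added lines themselves look right, and they are the wording the other two files should match.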
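Review bot: in the doc/testssl.1 hunk, the added MAX_SOCKET_FAIL line has a stray backslash before "TCP": `\fIFatal error: repeated \TCP connect problems, giving up\fR`. The removed MAX_OSSL_FAIL line carried the same message with plain "TCP", and `\T` matches none of the escapes used in the surrounding lines (`\.`, `\fI`, `\fR`, `\fB`, `\[ci]`). Remove the backslash so that the man page shows the message exactly as it appears in doc/testssl.1.md.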