From a6f7121d25337510f6b712803c1c025cec4a11b9 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 20 Sep 2017 11:20:24 -0400 Subject: [PATCH] Correct typos --- CHANGELOG.stable-releases.txt | 24 +++++++++++----------- CREDITS.md | 2 +- Readme.md | 2 +- doc/testssl.1 | 38 +++++++++++++++++------------------ doc/testssl.1.md | 37 +++++++++++++++++----------------- 5 files changed, 51 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.stable-releases.txt b/CHANGELOG.stable-releases.txt index c7b1fa5..09e3d85 100644 --- a/CHANGELOG.stable-releases.txt +++ b/CHANGELOG.stable-releases.txt @@ -12,7 +12,7 @@ * (HTTP) proxy support! Also with sockets -- thx @jnewbigin * Extended validation certificate detection * Run in default mode through all ciphers at the end of a default run - * will test multiple IP adresses of one supplied server name in one shot, --ip= restricts it accordingly + * will test multiple IP addresses of one supplied server name in one shot, --ip= restricts it accordingly * new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696 * TLS time and HTTP time stamps * TLS time displayed also for STARTTLS protocols @@ -69,7 +69,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh * tests ciphers per protocol * HSTS * web and application server banner - * server prefereences + * server preferences * TLS server extensions * server key size * cipher suite mapping from openssl to RFC @@ -83,10 +83,10 @@ Details: - IPv6 display fix 1.111 -- NEW: tested unter FreeBSD (works with exception of xxd in CCS) +- NEW: tested under FreeBSD (works with exception of xxd in CCS) - getent now works under Linux and FreeBSD - sed -i in hsts sacrificed for compatibility -- reomved query for IP for finishing banner, is now called once in parse_hn_port +- removed query for IP for finishing banner, is now called once in parse_hn_port - GOST warning after banner - empty build date is not displayed anymore - long build date strings minimized @@ -176,7 +176,7 @@ Details: 1.91 - replaced most lcyan to brown (=not really bad but somehow) - empty server string better displayed -- prefered CBC TLS 1.2 cipher is now brown (lucky13) +- preferred CBC TLS 1.2 cipher is now brown (lucky13) 1.90 - fix for netweaver banner (server is lowercase) @@ -186,7 +186,7 @@ Details: 1.89 - reordered! : protocols + cipher come first -- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) +- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) - SSLv3 is now light cyan - NEW: -P|--preference now in help menu - light cyan is more appropriate than red for HSTS @@ -221,10 +221,10 @@ Details: - headline of -V / PFS+RC4 ciphers unified 1.82 -- NEW: output for -V now better (bits seperate, spacing improved) +- NEW: output for -V now better (bits separate, spacing improved) 1.81 -- output for RC4+PFS now better (with headline, bits seperate, spacing improved) +- output for RC4+PFS now better (with headline, bits separate, spacing improved) - both also sorted by encr. strength .. umm ..err bits! 1.80 @@ -251,7 +251,7 @@ Details: - removed legacy code (PROD_REL var) 1.76 -- bash was gone!! desaster for Ubuntu, fixed +- bash was gone!! disaster for Ubuntu, fixed - starttls+rc4 check: bottom line was wrong - starttls had too much output (certificate) at first a/v check @@ -259,7 +259,7 @@ Details: - location is now https://testssl.sh - be nice: banner, version, help also works for BSD folks (on dash) - bug in server banner fixed -- sneaky referer and user agent possible +- sneaky referrer and user agent possible 1.74 - Debian 7 fix @@ -356,13 +356,13 @@ Details: * bugfix 1.18 -* Rearragement of arguments: URL comes now always last! +* Rearrangement of arguments: URL comes now always last! * small code cleanups for readability * individual cipher test is now with bold headline, not blue * NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid) 1.17 -* SSL tests now for renegotiation vulnerabilty! +* SSL tests now for renegotiation vulnerability! * version detection of testssl.sh * program has a banner * fixed bug leading to a file named "1" diff --git a/CREDITS.md b/CREDITS.md index d107675..8b75ab0 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -30,7 +30,7 @@ - testssl.sh -e/-E: testing with a mixture of openssl + sockets - finding more TLS extensions via sockets - extensive CN+SAN <--> hostname check - - seperate check for curves + - separate check for curves - RFC 7919, key shares extension - parallel mass testing! - RFC <--> OpenSSL cipher name space switches for the command line diff --git a/Readme.md b/Readme.md index 4ee7e81..3244154 100644 --- a/Readme.md +++ b/Readme.md @@ -67,7 +67,7 @@ Update notification here or @ [twitter](https://twitter.com/drwetter). * File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output) * Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning * Native HTML support instead going through 'aha' -* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc. +* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc. * LUCKY13 and SWEET32 checks * Ticketbleed check * LOGJAM: now checking also for known DH parameters diff --git a/doc/testssl.1 b/doc/testssl.1 index 7698741..74c1346 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -64,7 +64,7 @@ It is out of the box pretty much portable: testssl\.sh runs under any Unix\-like 9) client simulation . .SH "OPTIONS AND PARAMETERS" -Options are either short or long options\. All options requiring a value can be called with or without an equal sign \'=\' e\.g\. \fBtestssl\.sh \-t=smtp \-\-wide \-\-openssl=/usr/bin/openssl \fR is equivalent to \fBtestssl\.sh \-\-starttls smtp \-\-wide \-\-openssl /usr/bin/openssl \fR\. Some command line options can also be preset via ENV variables\. \fBWIDE=true OPENSSL=/usr/bin/openssl testssl\.sh \-\-starttls smtp \fR would be the equivalent to the aforementioned examples\. Preference has the command line over any enviroment variables\. +Options are either short or long options\. All options requiring a value can be called with or without an equal sign \'=\' e\.g\. \fBtestssl\.sh \-t=smtp \-\-wide \-\-openssl=/usr/bin/openssl \fR is equivalent to \fBtestssl\.sh \-\-starttls smtp \-\-wide \-\-openssl /usr/bin/openssl \fR\. Some command line options can also be preset via ENV variables\. \fBWIDE=true OPENSSL=/usr/bin/openssl testssl\.sh \-\-starttls smtp \fR would be the equivalent to the aforementioned examples\. Preference has the command line over any environment variables\. . .P \fB\fR or \fB\-\-file \fR always needs to be the last parameter\. @@ -134,7 +134,7 @@ Please note that \fB\fR has to be in Unix format\. DOS carriage returns w \fB\-\-proxy :\fR does the whole check via the specified HTTP proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible\. The hostname supplied will only be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. . .P -\fB\-6\fR does (also) IPv6 checks\. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity\. testssl\.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fBHAS_IPv6\fR is the respective enviroment variable\. +\fB\-6\fR does (also) IPv6 checks\. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity\. testssl\.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fBHAS_IPv6\fR is the respective environment variable\. . .P \fB\-\-ssl\-native\fR instead of using a mixture of bash sockets and openssl s_client connects testssl\.sh uses the latter only\. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support\. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl\.sh internally can tell if one check cannot be performed or will give you inaccurate results\. For e\.g\. single cipher checks (\fB\-\-each\-cipher\fR and \fB\-\-cipher\-per\-proto\fR) you might end up getting false negatives without a warning\. @@ -201,7 +201,7 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing \fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only) . .P -\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities and several certificate info including revocation info (CRL, OCSP, OCSP stapling/must staple), Certification Authority Authorization (CAA) record and: trust (CN, SAN, Chain of trust, expiration of certificate)\. For trust chain check there are 4 certificate stores provided (see section \fBFILES\fR below)\. If the trust is confirmed or not confirmed and the same in all four vertificate stores there will be only one line of output with the appropriate result\. If there are different results, each store is listed and for the one where there\'s no trust there\'s an indication what the failure is\. Additional certificate stores for e\.g\. an intranet CA an be put into \fBetc/\fR with the extension \fBpem\fR\. In that case there will be a complaint about a missing trust with the other stores, in the opposite case \-\- i\.e\. if trust will be checked against hosts having a certificate issued by a different CA \-\- there will be a complaint by a missing trust in this additional store\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be clearly indicated as this is deprecated\. Possible fingerprinting is possible by the results in TLS clock skew: Only a few servers nowadays still have and TLS/SSL implementation which returns the local clock \fBgmt_unix_time\fR (e\.g\. IIS, openssl < 1\.0\.1f)\. In addition to the HTTP date you could derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. +\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities and several certificate info including revocation info (CRL, OCSP, OCSP stapling/must staple), Certification Authority Authorization (CAA) record and: trust (CN, SAN, Chain of trust, expiration of certificate)\. For trust chain check there are 4 certificate stores provided (see section \fBFILES\fR below)\. If the trust is confirmed or not confirmed and the same in all four certificate stores there will be only one line of output with the appropriate result\. If there are different results, each store is listed and for the one where there\'s no trust there\'s an indication what the failure is\. Additional certificate stores for e\.g\. an intranet CA an be put into \fBetc/\fR with the extension \fBpem\fR\. In that case there will be a complaint about a missing trust with the other stores, in the opposite case \-\- i\.e\. if trust will be checked against hosts having a certificate issued by a different CA \-\- there will be a complaint by a missing trust in this additional store\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be clearly indicated as this is deprecated\. Possible fingerprinting is possible by the results in TLS clock skew: Only a few servers nowadays still have and TLS/SSL implementation which returns the local clock \fBgmt_unix_time\fR (e\.g\. IIS, openssl < 1\.0\.1f)\. In addition to the HTTP date you could derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. . .P \fB\-x , \-\-single\-cipher \fR tests matched \fB\fR of ciphers against a server\. Patterns are similar to \fB\-V , \-\-local \fR @@ -245,13 +245,13 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) .IP "" 0 . .SS "VULNERABILITIES" -\fB\-U, \-\-vulnerable\fR Just tests all (following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\. +\fB\-U, \-\-vulnerable\fR Just tests all (following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\. . .P \fB\-H, \-\-heartbleed\fR Checks for Heartbleed, a memory leakage in openssl\. Unless the server side doesn\'t support the heartbeat extension it is likely that this check runs into a timeout\. The seconds to wait for a reply can be adjusted with \fBHEARTBLEED_MAX_WAITSOCK\fR\. 8 is the default (unit: seconds) . .P -\fB\-I, \-\-ccs, \-\-ccs\-injection\fR Checks for CCS injection which is an openssl vulnerability\. Sometimes also here the check needs to wait for a reply\. The predefined timeout of 5 seconds can be changed with the enviroment variable \fBCCS_MAX_WAITSOCK\fR\. +\fB\-I, \-\-ccs, \-\-ccs\-injection\fR Checks for CCS injection which is an openssl vulnerability\. Sometimes also here the check needs to wait for a reply\. The predefined timeout of 5 seconds can be changed with the environment variable \fBCCS_MAX_WAITSOCK\fR\. . .P \fB\-T, \-\-ticketbleed\fR Checks for Ticketbleed memory leakage in BigIP loadbalancers\. @@ -263,7 +263,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) \fB\-C, \-\-compression, \-\-crime\fR Checks for CRIME ("Compression Ratio Info\-leak Made Easy") vulnerability in TLS\. CRIME in SPDY is not yet being checked for\. . .P -\fB\-B, \-\-breach\fR Checks for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability\. As for this vulnerabilty HTTP level compressoin is a prerequisite it\'ll be not tested if HTTP cannot be detected or the detection is not enforced via \fB`\-\-assume\-http\fR\. Please note that only the URL supplied (normally "/" ) is being tested\. +\fB\-B, \-\-breach\fR Checks for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability\. As for this vulnerability HTTP level compression is a prerequisite it\'ll be not tested if HTTP cannot be detected or the detection is not enforced via \fB`\-\-assume\-http\fR\. Please note that only the URL supplied (normally "/" ) is being tested\. . .P \fB\-O, \-\-poodle\fR Tests for SSL POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability\. It basically checks for the existence of CBC ciphers in SSLv3\. @@ -272,7 +272,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) \fB\-Z, \-\-tls\-fallback\fR Checks TLS_FALLBACK_SCSV mitigation\. TLS_FALLBACK_SCSV is basically a ciphersuite appended to the Client Hello trying to prevent protocol downgrade attacks by a Man in the Middle\. . .P -\fB\-W, \-\-sweet32\fR Checks for vulnerabilty to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA)\. +\fB\-W, \-\-sweet32\fR Checks for vulnerability to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA)\. . .P \fB\-A, \-\-beast\fR Checks BEAST vulnerabilities in SSL 3 and TLS 1\.0 by testing the usage of CBC ciphers\. @@ -284,7 +284,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) \fB\-F, \-\-freak\fR Checks for FREAK vulnerability by testing for EXPORT RSA ciphers . .P -\fB\-J, \-\-logjam\fR Checks for LOGJAM vulnerability by checking for DH EXPORT ciphrs\. It also checks for "common primes" which are preconfigured DH keys\. DH keys =< 1024 Bit will be penalized +\fB\-J, \-\-logjam\fR Checks for LOGJAM vulnerability by checking for DH EXPORT ciphers\. It also checks for "common primes" which are preconfigured DH keys\. DH keys =< 1024 Bit will be penalized . .P \fB\-D, \-\-drown\fR Checks for DROWN vulnerability by checking whether the SSL 2 protocol is available at the target\. Please note that if you use the same RSA certificate elsewhere you might be vulnerable too\. testssl\.sh doesn\'t check for this but provides a helpful link @ censys\.io which provides this service\. @@ -296,13 +296,13 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) \fB\-4, \-\-rc4, \-\-appelbaum\fR Checks which RC4 stream ciphers are being offered\. . .SS "OUTPUT OPTIONS" -\fB\-\-warnings \fR The warnings parameter determines how testssl\.sh will deal with situations where user input will normally be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation\. Those are ones which would have a drastic impact on the results\. The same can be achived by setting the environment variable \fBWARNINGS\fR\. +\fB\-\-warnings \fR The warnings parameter determines how testssl\.sh will deal with situations where user input will normally be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation\. Those are ones which would have a drastic impact on the results\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\. . .P \fB\-\-openssl\-timeout \fR This is especially useful for all connects using openssl and practically useful for mass testing\. It avoids the openssl connect to hang for ~2 minutes\. The expected parameter \fB\fR instructs testssl\.sh to wait before the openssl connect will be terminated\. The option is only available if your OS has a timeout binary installed\. As there are different implementations of \fBtimeout\fR: It automatically calls the binary with the right parameters\. . .P -\fB\-q, \-\-quiet\fR Normally testssl\.sh displays a banner on stdout with several version information, usage rights and a warning\. This option suppresses it\. Pleas not that by chosing this option you acknowledge usage terms and the warning normally appearing in the banner\. +\fB\-q, \-\-quiet\fR Normally testssl\.sh displays a banner on stdout with several version information, usage rights and a warning\. This option suppresses it\. Please note that by choosing this option you acknowledge usage terms and the warning normally appearing in the banner\. . .P \fB\-\-wide\fR Except the "each cipher output" all tests displays the single cipher name (scheme see below)\. This option enables testssl\.sh to display also for the following sections the same output as for testing each ciphers: BEAST, PFS, RC4\. The client simulation has also a wide mode\. The difference here is restricted to a column aligned output and a proper headline\. The environment variable \fBWIDE\fR can be used instead\. @@ -328,13 +328,13 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers) \fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\. . .P -\fB\-\-color <0|1|2>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. Setting the environment varable \fBCOLOR\fR achives the same result\. +\fB\-\-color <0|1|2>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. Setting the environment variable \fBCOLOR\fR achieves the same result\. . .P -\fB\-\-colorblind\fR Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en\.wikipedia\.org/wiki/Color_blindness) can distuingish those findings better\. \fBCOLORBLIND\fR is the according variable if you want to set this in the environment\. +\fB\-\-colorblind\fR Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en\.wikipedia\.org/wiki/Color_blindness) can distinguish those findings better\. \fBCOLORBLIND\fR is the according variable if you want to set this in the environment\. . .P -\fB\-\-debug <0\-6>\fR This gives you additional output on the screen (2\-6), only useful for debugging\. \fBDEBUG\fR is the according enviroment variable which you can use\. There are six levels (0 is the default, thus it has no effect): +\fB\-\-debug <0\-6>\fR This gives you additional output on the screen (2\-6), only useful for debugging\. \fBDEBUG\fR is the according environment variable which you can use\. There are six levels (0 is the default, thus it has no effect): . .IP "1." 4 screen output normal but leaves useful debug output in \fB/tmp/testssl\.XXXXXX/\fR \. The info about the exact directory is included in the screen output\. @@ -357,10 +357,10 @@ whole 9 yards .IP "" 0 . .SS "FILE OUTPUT OPTIONS" -\fB\-\-log, \-\-logging\fR Logs stdout also to \fB\-p\.log\fR in current working directory of the shell\. Depending on the color output option (see above) the output file will contain color and other markup escape codes\. \fBcat\fR and \-\- if properly configured \fBless\fR \-\- will show the output properly formatted on your terminal\. The output shows a banner with the almost the same information as on the screen\. In addition it shows the command line of the testssl\.sh instance\. Please note that the resulting log file is formatted according to the width of your screen while runing testssl\.sh\. +\fB\-\-log, \-\-logging\fR Logs stdout also to \fB\-p\.log\fR in current working directory of the shell\. Depending on the color output option (see above) the output file will contain color and other markup escape codes\. \fBcat\fR and \-\- if properly configured \fBless\fR \-\- will show the output properly formatted on your terminal\. The output shows a banner with the almost the same information as on the screen\. In addition it shows the command line of the testssl\.sh instance\. Please note that the resulting log file is formatted according to the width of your screen while running testssl\.sh\. . .P -\fB\-\-logfile \fR Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself\. If \fB\fR is a directory the output will put into \fB/\-p\.log\fR\. If \fB\fRis a file it will use that file name, an absolute path is also permitted here\. LOGFILE is the variable you need to set if you prefer to work environment variables instead\. Please note that the resulting log file is formatted according to the width of your screen while run ing testssl\.sh\. +\fB\-\-logfile \fR Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself\. If \fB\fR is a directory the output will put into \fB/\-p\.log\fR\. If \fB\fRis a file it will use that file name, an absolute path is also permitted here\. LOGFILE is the variable you need to set if you prefer to work environment variables instead\. Please note that the resulting log file is formatted according to the width of your screen while running testssl\.sh\. . .P \fB\-\-json\fR Logs additionally to JSON file \fB\-p\.json\fR in the current working directory of the shell\. The resulting JSON file is opposed to \fB\-\-json\-pretty\fR flat \-\- which means each section is self contained and has an identifier for each single check, the hostname/IP address, the port, severity and the finding\. For vulnerabilities it may contain a cve and cwe entry too\. The output doesn\'t contain a banner or a footer\. @@ -369,7 +369,7 @@ whole 9 yards \fB\-\-jsonfile \fR Instead of the previous option you may want to use this one if you want to log the JSON out put into a directory or if you rather want to specify the log file name yourself\. If \fB\fR is a directory the output will put into \fB/\-p\.json\fR\. If \fB\fRis a file it will use that file name, an absolute path is also permitted here\. JSONFILE is the variable you need to set if you prefer to work environment variables instead\. . .P -\fB\-\-json\-pretty\fR Logs additionally to JSON file \fB\-p\.json\fR in the current working directory of the shell\. The resulting JSON file is opposed to \fB\-\-json\fR non\-flat \-\- which means it is structured\. The structure contains a header similar to the banner on the screen (with the epoch of the start time) and then for every test section of testssl\.sh it contains a seperate JSON object/section\. Each finding has a key/value pair identifier with the identifier for each single check, the severity and the finding\. For vulnerabilities it may contain a cve and cwe entry too\. The footer lists the scan time in seconds\. +\fB\-\-json\-pretty\fR Logs additionally to JSON file \fB\-p\.json\fR in the current working directory of the shell\. The resulting JSON file is opposed to \fB\-\-json\fR non\-flat \-\- which means it is structured\. The structure contains a header similar to the banner on the screen (with the epoch of the start time) and then for every test section of testssl\.sh it contains a separate JSON object/section\. Each finding has a key/value pair identifier with the identifier for each single check, the severity and the finding\. For vulnerabilities it may contain a cve and cwe entry too\. The footer lists the scan time in seconds\. . .P \fB\-\-jsonfile\-pretty \fR Similar to the aforementioned \fB\-\-jsonfile\fR or \fB\-\-logfile\fR it logs the output in pretty JSON format (see \fB\-\-json\-pretty\fR) additionally into a file or a directory\. For further explanation see \fB\-\-jsonfile\fR or \fB`\-\-logfile\fR\. \fBJSONFILE\fR is the variable you need to set if you prefer to work environment with variables instead\. @@ -381,13 +381,13 @@ whole 9 yards \fB\-\-csvfile \fR Similar to the aforementioned \fB\-\-jsonfile\fR or \fB\-\-logfile\fR it logs the output in CSV format (see \fB\-\-cvs\fR) additionally into a file or a directory\. For further explanation see \fB\-\-jsonfile\fR or \fB`\-\-logfile\fR\. \fBCSVFILE\fR is the variable you need to set if you prefer to work environment with variables instead\. . .P -\-\-html Logs additionally to an HTML file \fB\-p\.html\fR in the current working directory of the shell\. It contains a 1:1 output of the konsole\. In former versions there was a non\-native option to use "aha" (Ansi HTML Adapter: github\.com/theZiz/aha) like \fBtestssl\.sh | aha >output\.html\fR \. This is not neccessary anymore\. +\-\-html Logs additionally to an HTML file \fB\-p\.html\fR in the current working directory of the shell\. It contains a 1:1 output of the console\. In former versions there was a non\-native option to use "aha" (Ansi HTML Adapter: github\.com/theZiz/aha) like \fBtestssl\.sh | aha >output\.html\fR \. This is not necessary anymore\. . .P \fB\-\-htmlfile \fR Similar to the aforementioned \fB\-\-jsonfile\fR or \fB\-\-logfile\fR it logs the output in HTML format (see \fB\-\-html\fR) additionally into a file or a directory\. For further explanation see \fB\-\-jsonfile\fR or \fB\-\-logfile\fR\. \fBHTMLFILE\fR is the variable you need to set if you prefer to work with environment variables instead\. . .P -\fB\-\-hints\fR Thios option is not in use yet\. This option is meant to give hints how to fix a finding or at least a help to improve something\. GIVE_HINTS is the environment variable for this\. +\fB\-\-hints\fR This option is not in use yet\. This option is meant to give hints how to fix a finding or at least a help to improve something\. GIVE_HINTS is the environment variable for this\. . .P \fB\-\-severity \fR For JSON and CSV output this will only add findings to the output file if a severity is equal or higher than the \fB\fR value specified\. Allowed are \fB\fR @@ -524,7 +524,7 @@ does the same checks as above, with the difference that one IP address is being .IP "" 0 . .P -implicilty does a STARTTLS handshake on the plain text port, then check the IPs @ smtp\.gmail\.com\. +implicitly does a STARTTLS handshake on the plain text port, then check the IPs @ smtp\.gmail\.com\. . .IP "" 4 . diff --git a/doc/testssl.1.md b/doc/testssl.1.md index f9684ba..87228a4 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -48,7 +48,7 @@ It is out of the box pretty much portable: testssl.sh runs under any Unix-like s ## OPTIONS AND PARAMETERS -Options are either short or long options. All options requiring a value can be called with or without an equal sign '=' e.g. `testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl ` is equivalent to `testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl `. Some command line options can also be preset via ENV variables. `WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp ` would be the equivalent to the aforementioned examples. Preference has the command line over any enviroment variables. +Options are either short or long options. All options requiring a value can be called with or without an equal sign '=' e.g. `testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl ` is equivalent to `testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl `. Some command line options can also be preset via ENV variables. `WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp ` would be the equivalent to the aforementioned examples. Preference has the command line over any environment variables. `` or `--file ` always needs to be the last parameter. @@ -103,7 +103,7 @@ Please note that `` has to be in Unix format. DOS carriage returns won't `--proxy :` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. -`-6` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `HAS_IPv6` is the respective enviroment variable. +`-6` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `HAS_IPv6` is the respective environment variable. `--ssl-native` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (`--each-cipher` and `--cipher-per-proto`) you might end up getting false negatives without a warning. @@ -145,7 +145,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a `-P, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only) -`-S, --server_defaults` displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities and several certificate info including revocation info (CRL, OCSP, OCSP stapling/must staple), Certification Authority Authorization (CAA) record and: trust (CN, SAN, Chain of trust, expiration of certificate). For trust chain check there are 4 certificate stores provided (see section `FILES` below). If the trust is confirmed or not confirmed and the same in all four vertificate stores there will be only one line of output with the appropriate result. If there are different results, each store is listed and for the one where there's no trust there's an indication what the failure is. Additional certificate stores for e.g. an intranet CA an be put into __etc/__ with the extension __pem__. In that case there will be a complaint about a missing trust with the other stores, in the opposite case -- i.e. if trust will be checked against hosts having a certificate issued by a different CA -- there will be a complaint by a missing trust in this additional store. +`-S, --server_defaults` displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities and several certificate info including revocation info (CRL, OCSP, OCSP stapling/must staple), Certification Authority Authorization (CAA) record and: trust (CN, SAN, Chain of trust, expiration of certificate). For trust chain check there are 4 certificate stores provided (see section `FILES` below). If the trust is confirmed or not confirmed and the same in all four certificate stores there will be only one line of output with the appropriate result. If there are different results, each store is listed and for the one where there's no trust there's an indication what the failure is. Additional certificate stores for e.g. an intranet CA an be put into __etc/__ with the extension __pem__. In that case there will be a complaint about a missing trust with the other stores, in the opposite case -- i.e. if trust will be checked against hosts having a certificate issued by a different CA -- there will be a complaint by a missing trust in this additional store. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be clearly indicated as this is deprecated. Possible fingerprinting is possible by the results in TLS clock skew: Only a few servers nowadays still have and TLS/SSL implementation which returns the local clock `gmt_unix_time` (e.g. IIS, openssl < 1.0.1f). In addition to the HTTP date you could derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly. Also multiple server certificates are being checked for as well as the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. `-x , --single-cipher ` tests matched `` of ciphers against a server. Patterns are similar to `-V , --local ` @@ -171,7 +171,7 @@ If the server provides no matching record in Subject Alternative Name (SAN) but `-H, --heartbleed` Checks for Heartbleed, a memory leakage in openssl. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with `HEARTBLEED_MAX_WAITSOCK`. 8 is the default (unit: seconds) -`-I, --ccs, --ccs-injection` Checks for CCS injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the enviroment variable `CCS_MAX_WAITSOCK`. +`-I, --ccs, --ccs-injection` Checks for CCS injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the environment variable `CCS_MAX_WAITSOCK`. `-T, --ticketbleed` Checks for Ticketbleed memory leakage in BigIP loadbalancers. @@ -179,13 +179,13 @@ If the server provides no matching record in Subject Alternative Name (SAN) but `-C, --compression, --crime` Checks for CRIME ("Compression Ratio Info-leak Made Easy") vulnerability in TLS. CRIME in SPDY is not yet being checked for. -`-B, --breach` Checks for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability. As for this vulnerabilty HTTP level compressoin is a prerequisite it'll be not tested if HTTP cannot be detected or the detection is not enforced via ``--assume-http`. Please note that only the URL supplied (normally "/" ) is being tested. +`-B, --breach` Checks for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability. As for this vulnerability HTTP level compression is a prerequisite it'll be not tested if HTTP cannot be detected or the detection is not enforced via ``--assume-http`. Please note that only the URL supplied (normally "/" ) is being tested. `-O, --poodle` Tests for SSL POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability. It basically checks for the existence of CBC ciphers in SSLv3. `-Z, --tls-fallback` Checks TLS_FALLBACK_SCSV mitigation. TLS_FALLBACK_SCSV is basically a ciphersuite appended to the Client Hello trying to prevent protocol downgrade attacks by a Man in the Middle. -`-W, --sweet32` Checks for vulnerabilty to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA). +`-W, --sweet32` Checks for vulnerability to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA). `-A, --beast` Checks BEAST vulnerabilities in SSL 3 and TLS 1.0 by testing the usage of CBC ciphers. @@ -193,7 +193,7 @@ If the server provides no matching record in Subject Alternative Name (SAN) but `-F, --freak` Checks for FREAK vulnerability by testing for EXPORT RSA ciphers -`-J, --logjam` Checks for LOGJAM vulnerability by checking for DH EXPORT ciphrs. It also checks for "common primes" which are preconfigured DH keys. DH keys =< 1024 Bit will be penalized +`-J, --logjam` Checks for LOGJAM vulnerability by checking for DH EXPORT ciphers. It also checks for "common primes" which are preconfigured DH keys. DH keys =< 1024 Bit will be penalized `-D, --drown` Checks for DROWN vulnerability by checking whether the SSL 2 protocol is available at the target. Please note that if you use the same RSA certificate elsewhere you might be vulnerable too. testssl.sh doesn't check for this but provides a helpful link @ censys.io which provides this service. @@ -205,11 +205,11 @@ If the server provides no matching record in Subject Alternative Name (SAN) but ### OUTPUT OPTIONS `--warnings ` The warnings parameter determines how testssl.sh will deal with situations where user input will normally be necessary. There are a couple of options here. `batch` doesn't wait for a confirming keypress. This is automatically being chosen for mass testing (`--file`). `-false` just skips the warning AND the confirmation. Please note that there are conflicts where testssl.sh will still ask for confirmation. Those are ones which would have a drastic impact on the results. -The same can be achived by setting the environment variable `WARNINGS`. +The same can be achieved by setting the environment variable `WARNINGS`. `--openssl-timeout ` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. -`-q, --quiet` Normally testssl.sh displays a banner on stdout with several version information, usage rights and a warning. This option suppresses it. Pleas not that by chosing this option you acknowledge usage terms and the warning normally appearing in the banner. +`-q, --quiet` Normally testssl.sh displays a banner on stdout with several version information, usage rights and a warning. This option suppresses it. Please note that by choosing this option you acknowledge usage terms and the warning normally appearing in the banner. `--wide` Except the "each cipher output" all tests displays the single cipher name (scheme see below). This option enables testssl.sh to display also for the following sections the same output as for testing each ciphers: BEAST, PFS, RC4. The client simulation has also a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable `WIDE` can be used instead. @@ -225,12 +225,12 @@ The same can be achived by setting the environment variable `WARNINGS`. `--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment. -`--color <0|1|2>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. Setting the environment varable `COLOR` achives the same result. +`--color <0|1|2>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. Setting the environment variable `COLOR` achieves the same result. -`--colorblind` Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distuingish those findings better. `COLORBLIND` is the according variable if you want to set this in the environment. +`--colorblind` Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. `COLORBLIND` is the according variable if you want to set this in the environment. -`--debug <0-6>` This gives you additional output on the screen (2-6), only useful for debugging. `DEBUG` is the according enviroment variable which you can use. There are six levels (0 is the default, thus it has no effect): +`--debug <0-6>` This gives you additional output on the screen (2-6), only useful for debugging. `DEBUG` is the according environment variable which you can use. There are six levels (0 is the default, thus it has no effect): 1. screen output normal but leaves useful debug output in __/tmp/testssl.XXXXXX/__ . The info about the exact directory is included in the screen output. 2. list more what's going on, status (high level) and connection errors, a few general debug output @@ -243,16 +243,15 @@ The same can be achived by setting the environment variable `WARNINGS`. ### FILE OUTPUT OPTIONS -`--log, --logging` Logs stdout also to `-p.log` in current working directory of the shell. Depending on the color output option (see above) the output file will contain color and other markup escape codes. `cat` and -- if properly configured `less` -- will show the output properly formatted on your terminal. The output shows a banner with the almost the same information as on the screen. In addition it shows the command line of the testssl.sh instance. Please note that the resulting log file is formatted according to the width of your screen while runing testssl.sh. +`--log, --logging` Logs stdout also to `-p.log` in current working directory of the shell. Depending on the color output option (see above) the output file will contain color and other markup escape codes. `cat` and -- if properly configured `less` -- will show the output properly formatted on your terminal. The output shows a banner with the almost the same information as on the screen. In addition it shows the command line of the testssl.sh instance. Please note that the resulting log file is formatted according to the width of your screen while running testssl.sh. -`--logfile ` Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself. If `` is a directory the output will put into `/-p.log`. If ``is a file it will use that file name, an absolute path is also permitted here. LOGFILE is the variable you need to set if you prefer to work environment variables instead. Please note that the resulting log file is formatted according to the width of your screen while run -ing testssl.sh. +`--logfile ` Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself. If `` is a directory the output will put into `/-p.log`. If ``is a file it will use that file name, an absolute path is also permitted here. LOGFILE is the variable you need to set if you prefer to work environment variables instead. Please note that the resulting log file is formatted according to the width of your screen while running testssl.sh. `--json` Logs additionally to JSON file `-p.json` in the current working directory of the shell. The resulting JSON file is opposed to `--json-pretty` flat -- which means each section is self contained and has an identifier for each single check, the hostname/IP address, the port, severity and the finding. For vulnerabilities it may contain a cve and cwe entry too. The output doesn't contain a banner or a footer. `--jsonfile ` Instead of the previous option you may want to use this one if you want to log the JSON out put into a directory or if you rather want to specify the log file name yourself. If `` is a directory the output will put into `/-p.json`. If ``is a file it will use that file name, an absolute path is also permitted here. JSONFILE is the variable you need to set if you prefer to work environment variables instead. -`--json-pretty` Logs additionally to JSON file `-p.json` in the current working directory of the shell. The resulting JSON file is opposed to `--json` non-flat -- which means it is structured. The structure contains a header similar to the banner on the screen (with the epoch of the start time) and then for every test section of testssl.sh it contains a seperate JSON object/section. Each finding has a key/value pair identifier with the identifier for each single check, the severity and the finding. For vulnerabilities it may contain a cve and cwe entry too. The footer lists the scan time in seconds. +`--json-pretty` Logs additionally to JSON file `-p.json` in the current working directory of the shell. The resulting JSON file is opposed to `--json` non-flat -- which means it is structured. The structure contains a header similar to the banner on the screen (with the epoch of the start time) and then for every test section of testssl.sh it contains a separate JSON object/section. Each finding has a key/value pair identifier with the identifier for each single check, the severity and the finding. For vulnerabilities it may contain a cve and cwe entry too. The footer lists the scan time in seconds. `--jsonfile-pretty ` Similar to the aforementioned `--jsonfile` or `--logfile` it logs the output in pretty JSON format (see `--json-pretty`) additionally into a file or a directory. For further explanation see `--jsonfile` or ``--logfile`. `JSONFILE` is the variable you need to set if you prefer to work environment with variables instead. @@ -260,11 +259,11 @@ ing testssl.sh. `--csvfile ` Similar to the aforementioned `--jsonfile` or `--logfile` it logs the output in CSV format (see `--cvs`) additionally into a file or a directory. For further explanation see `--jsonfile` or ``--logfile`. `CSVFILE` is the variable you need to set if you prefer to work environment with variables instead. ---html Logs additionally to an HTML file `-p.html` in the current working directory of the shell. It contains a 1:1 output of the konsole. In former versions there was a non-native option to use "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like `testssl.sh | aha >output.html` . This is not neccessary anymore. +--html Logs additionally to an HTML file `-p.html` in the current working directory of the shell. It contains a 1:1 output of the console. In former versions there was a non-native option to use "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like `testssl.sh | aha >output.html` . This is not necessary anymore. `--htmlfile ` Similar to the aforementioned `--jsonfile` or `--logfile` it logs the output in HTML format (see `--html`) additionally into a file or a directory. For further explanation see `--jsonfile` or `--logfile`. `HTMLFILE` is the variable you need to set if you prefer to work with environment variables instead. -`--hints` Thios option is not in use yet. This option is meant to give hints how to fix a finding or at least a help to improve something. GIVE_HINTS is the environment variable for this. +`--hints` This option is not in use yet. This option is meant to give hints how to fix a finding or at least a help to improve something. GIVE_HINTS is the environment variable for this. `--severity ` For JSON and CSV output this will only add findings to the output file if a severity is equal or higher than the `` value specified. Allowed are `` @@ -343,7 +342,7 @@ does the same checks as above, with the difference that one IP address is being testssl.sh -t smtp smtp.gmail.com:25 -implicilty does a STARTTLS handshake on the plain text port, then check the IPs @ smtp.gmail.com. +implicitly does a STARTTLS handshake on the plain text port, then check the IPs @ smtp.gmail.com. testssl.sh --starttls=imap imap.gmx.net:143