From f9edaa7fe1465d0fd099d28f7fe17bdeb82c37e0 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 7 Sep 2024 15:51:12 +0200 Subject: [PATCH 1/3] Phrasing of STARTTLS grading improved ... a a comment added in the desciption. Unfortunately I couldn't get the line wrapping working. --- testssl.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index cc824a8..35a45de 100755 --- a/testssl.sh +++ b/testssl.sh @@ -22912,7 +22912,15 @@ run_rating() { pr_headlineln " Rating (experimental) " outln - [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "Encryption via STARTTLS is not mandatory (opportunistic)." + [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured clientside" + + # TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up. + + # Explanation: For other than SMTP you should use TLS as per RFC 8314 . For SMTP however there's this thing named reality: A mail server cannot + # just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186). + # For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks + # the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too. + # But as said, it's useless unless the client MTA checks all that which no tool can check. pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)" pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide" @@ -22965,7 +22973,7 @@ run_rating() { c1_worst=80 elif [[ $(has_server_protocol "tls1") -eq 0 ]]; then c1_worst=90 - elif [[ $(has_server_protocol "tls1_1") -eq 0 ]]; then + elif [[ $(as_server_protocol "tls1_1") -eq 0 ]]; then c1_worst=95 else # TLS1.2 and TLS1.3 both give 100 points c1_worst=100 From a1c67c0794d74d6891b08e54c955658c06679f08 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 7 Sep 2024 16:03:53 +0200 Subject: [PATCH 2/3] proper English --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 35a45de..c9c66b4 100755 --- a/testssl.sh +++ b/testssl.sh @@ -22912,7 +22912,7 @@ run_rating() { pr_headlineln " Rating (experimental) " outln - [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured clientside" + [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured client-side" # TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up. From 3b85f53d52e4fbd7aa12d438cdf850cb34117298 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 7 Sep 2024 16:15:03 +0200 Subject: [PATCH 3/3] added an accidently erased char --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index c9c66b4..f35949d 100755 --- a/testssl.sh +++ b/testssl.sh @@ -22973,7 +22973,7 @@ run_rating() { c1_worst=80 elif [[ $(has_server_protocol "tls1") -eq 0 ]]; then c1_worst=90 - elif [[ $(as_server_protocol "tls1_1") -eq 0 ]]; then + elif [[ $(has_server_protocol "tls1_1") -eq 0 ]]; then c1_worst=95 else # TLS1.2 and TLS1.3 both give 100 points c1_worst=100