Document --phone-out

This commit is contained in:
Dirk 2018-04-27 21:37:44 +02:00
parent da49603c46
commit c3927d00c8
3 changed files with 17 additions and 6 deletions

View File

@ -154,6 +154,9 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
.P
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
.
.P
\fB\-\-phone\-out\fR instructs testssl\.sh to query external \-\- in a sense of the current run \-\- URLs or URIs\. This is needed for checking revoked certificates via CRL and OCSP\. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl\.sh doesn\'t handle\. PHONE_OUT is the environment variable for this which needs to be set to true if you want this\.
.
.SS "SINGLE CHECK OPTIONS"
Any single check switch supplied as an argument prevents testssl\.sh from doing a default run\. It just takes this and if supplied other options and runs them \- in the order they would also appear in the default run\.
.
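Review bot: "the check might could have privacy issues" in the new \fB\-\-phone\-out\fR paragraph stacks two modals; drop one ("the check might have privacy issues"). In the same sentence "while contacting CA" should read "while contacting the CA", and "query external \-\- in a sense of the current run \-\- URLs or URIs" is clearer as "query URLs outside the host under test". Since this paragraph is the only place a user is told what leaves their network when the switch is set, it would help to name the destinations here: for CRL and OCSP checks these are the CRL distribution point and the AIA/OCSP responder URIs taken from the server certificate, not arbitrary "URLs or URIs". The \fB\-S\fR description later in this file points back to this paragraph for that information.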
@ -196,7 +199,7 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
\fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol (by using openssl only)
.
.P
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities, session resumption capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP stapling/must staple), certificate transparency info (if provided by server)\. It also displays certificate start and expiration time in GMT\. In addition testssl\.sh checks the trust (CN, SAN, Chain of trust)\. For the trust chain check there are 4 certificate stores provided (see section \fBFILES\fR below)\. If the trust is confirmed or not confirmed and the same in all four certificate stores there will be only one line of output with the appropriate result\. If there are different results, each store is listed and for the one where there\'s no trust there\'s an indication what the failure is\. Additional certificate stores for e\.g\. an intranet CA an be put into \fBetc/\fR with the extension \fBpem\fR\. In that case there will be a complaint about a missing trust with the other stores, in the opposite case \-\- i\.e\. if trust will be checked against hosts having a certificate issued by a different CA \-\- there will be a complaint by a missing trust in this additional store\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be clearly indicated as this is deprecated\. Possible fingerprinting is possible by the results in TLS clock skew: Only a few servers nowadays still have and TLS/SSL implementation which returns the local clock \fBgmt_unix_time\fR (e\.g\. IIS, openssl < 1\.0\.1f)\. 
In addition to the HTTP date you could derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Also the Certification Authority Authorization (CAA) record is displayed\.
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities, session resumption capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP stapling/must staple), certificate transparency info (if provided by server)\. When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer whether the host certificate has been revoked (only URI scheme supported currently is HTTP)\. \fB\-S, \-\-server_defaults\fR also displays certificate start and expiration time in GMT\. In addition testssl\.sh checks the trust (CN, SAN, Chain of trust)\. For the trust chain check there are 4 certificate stores provided (see section \fBFILES\fR below)\. If the trust is confirmed or not confirmed and the same in all four certificate stores there will be only one line of output with the appropriate result\. If there are different results, each store is listed and for the one where there\'s no trust there\'s an indication what the failure is\. Additional certificate stores for e\.g\. an intranet CA an be put into \fBetc/\fR with the extension \fBpem\fR\. In that case there will be a complaint about a missing trust with the other stores, in the opposite case \-\- i\.e\. if trust will be checked against hosts having a certificate issued by a different CA \-\- there will be a complaint by a missing trust in this additional store\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be clearly indicated as this is deprecated\. 
Possible fingerprinting is possible by the results in TLS clock skew: Only a few servers nowadays still have and TLS/SSL implementation which returns the local clock \fBgmt_unix_time\fR (e\.g\. IIS, openssl < 1\.0\.1f)\. In addition to the HTTP date you could derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Also the Certification Authority Authorization (CAA) record is displayed\.
.
.P
\fB\-x <pattern>, \-\-single\-cipher <pattern>\fR tests matched \fBpattern\fR of ciphers against a server\. Patterns are similar to \fB\-V pattern , \-\-local pattern\fR
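Review bot: "When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer" is missing "is" and is imprecise about where the request goes: a CRL download or OCSP query is sent to the URI embedded in the certificate, which need not be a host run by the issuer, so "queries the CRL distribution point and OCSP responder listed in the certificate" describes the behaviour and matches the \fB\-\-phone\-out\fR paragraph earlier in this file. "(only URI scheme supported currently is HTTP)" reads better as "(currently HTTP is the only URI scheme supported)". As the whole paragraph is replaced anyway, this is the moment to fix the typos carried over unchanged from the old line: "an be put into \fBetc/\fR" (can), "still have and TLS/SSL implementation" (an), and the redundant "Possible fingerprinting is possible by the results in TLS clock skew" (e.g. "Fingerprinting is possible via the TLS clock skew").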
@ -447,7 +450,7 @@ light magenta: a fatal error which either requires strict consent from the user
.IP "" 0
.
.P
Besides that \fB\-\-color=3\fR will color ciphers and EC acording to an internal and rough rating\.
Besides \fB\-\-color=3\fR will color ciphers and EC according to an internal and rough rating\.
.
.P
What is labeled as "light" above appears as such on the screen but is technically speaking "bold"\. Markup (without any color) is used in the following manner:
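Review bot: the spelling fix "acording" to "according" is right, but dropping "that" leaves "Besides \fB\-\-color=3\fR will color ciphers" without an object for "Besides", so the sentence now reads as if \fB\-\-color=3\fR were the thing being set aside. Keep "Besides that" (or use "In addition,") and change only the spelling.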

View File

@ -202,6 +202,8 @@ in /etc/hosts. The use of the switch is only useful if you either can't or are
<p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
<p><code>--phone-out</code> instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>
<h3 id="SINGLE-CHECK-OPTIONS">SINGLE CHECK OPTIONS</h3>
<p>Any single check switch supplied as an argument prevents testssl.sh from doing a default run. It just takes this and if supplied other options and runs them - in the order they would also appear in the default run.</p>
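Review bot: the HTML copy of the <code>--phone-out</code> paragraph carries the same "might could have privacy issues" and "contacting CA" slips as the roff version. The three files in this commit hold word-for-word identical text, so whichever of them is the source for the other two should be corrected and the rest regenerated; fixing the rendered files by hand means the typo returns at the next build.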
@ -234,7 +236,9 @@ return random values) and several certificate info: certificate signature algori
certificate key size, X509v3 key usage and extended key usage, certificate
fingerprints and serial, revocation info (CRL, OCSP, OCSP
stapling/must staple), certificate transparency info (if provided by
server). It also displays certificate start and expiration time in GMT.
server). When <code>--phone-out</code> supplied it checks against the certificate issuer
whether the host certificate has been revoked (only URI scheme supported
currently is HTTP). <code>-S, --server_defaults</code> also displays certificate start and expiration time in GMT.
In addition testssl.sh checks the trust (CN, SAN, Chain of trust). For the trust chain
check there are 4 certificate stores provided (see section <code>FILES</code> below). If
the trust is confirmed or not confirmed and the same in all four certificate
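Review bot: "When <code>--phone-out</code> supplied it checks against the certificate issuer" needs "is" after the option name, and "against the certificate issuer" has the same imprecision as in the roff file: the CRL and OCSP URIs come from the certificate and are not necessarily hosted by the issuer, so "queries the CRL distribution point and OCSP responder listed in the certificate" is the accurate wording. A smaller style point: the removed line said "It also displays certificate start and expiration time in GMT"; repeating "<code>-S, --server_defaults</code> also displays" mid-paragraph, where the option is already the subject, reads heavier than the original "It also displays".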
@ -410,7 +414,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
</ul>
<p>Besides that <code>--color=3</code> will color ciphers and EC acording to an internal and rough rating.</p>
<p>Besides <code>--color=3</code> will color ciphers and EC according to an internal and rough rating.</p>
<p>What is labeled as "light" above appears as such on the screen but is technically speaking "bold". Markup (without any color) is used in the following manner:</p>
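Review bot: same problem as in the roff file: removing "that" turns "Besides <code>--color=3</code> will color ciphers" into a sentence whose "Besides" has nothing to refer to. Keep "Besides that" and correct only "acording".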

View File

@ -125,6 +125,8 @@ in /etc/hosts. The use of the switch is only useful if you either can't or are
`--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
### SINGLE CHECK OPTIONS
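Review bot: "the check might could have privacy issues" and "while contacting CA" in the new `--phone-out` paragraph need the same fix as the other two files ("might have", "contacting the CA"). If this Markdown file is the source the man page and HTML are built from, this is the copy to correct; the paragraph would also benefit from stating which URLs are fetched, i.e. the CRL distribution point and OCSP responder from the server certificate, since "external URLs or URIs" gives the user no way to judge the privacy impact they are being asked to acknowledge.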
@ -157,7 +159,9 @@ return random values) and several certificate info: certificate signature algori
certificate key size, X509v3 key usage and extended key usage, certificate
fingerprints and serial, revocation info (CRL, OCSP, OCSP
stapling/must staple), certificate transparency info (if provided by
server). It also displays certificate start and expiration time in GMT.
server). When `--phone-out` supplied it checks against the certificate issuer
whether the host certificate has been revoked (only URI scheme supported
currently is HTTP). `-S, --server_defaults` also displays certificate start and expiration time in GMT.
In addition testssl.sh checks the trust (CN, SAN, Chain of trust). For the trust chain
check there are 4 certificate stores provided (see section `FILES` below). If
the trust is confirmed or not confirmed and the same in all four certificate
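Review bot: "When `--phone-out` supplied" is missing "is", and "checks against the certificate issuer whether the host certificate has been revoked" should say where the request actually goes (the CRL distribution point and OCSP responder URIs in the certificate), consistent with the `--phone-out` paragraph added above in this file. "(only URI scheme supported currently is HTTP)" reads better as "(currently HTTP is the only URI scheme supported)". The unchanged surrounding context still contains "an be put into `etc/`" and "still have and TLS/SSL implementation" (can, an) plus the redundant "Possible fingerprinting is possible"; worth fixing while the paragraph is being edited.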
@ -329,7 +333,7 @@ Testssl.sh makes use of (the eight) standard terminal colors. The color scheme i
* magenta: signals a warning condition, e.g. either a local lack of capabilities on the client side or another problem
* light magenta: a fatal error which either requires strict consent from the user to continue or a condition which leaves no other choice for testssl.sh to quit
Besides that `--color=3` will color ciphers and EC acording to an internal and rough rating.
Besides `--color=3` will color ciphers and EC according to an internal and rough rating.
What is labeled as "light" above appears as such on the screen but is technically speaking "bold". Markup (without any color) is used in the following manner:
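Review bot: as in the roff and HTML copies, "Besides `--color=3` will color ciphers" loses its antecedent once "that" is removed; keep "Besides that `--color=3` will color ..." and change only "acording" to "according".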