From da3520f8b25d05b835dd64fa59ca09160345fc43 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 31 Jan 2022 11:05:52 +0100 Subject: [PATCH] Update documentation * remove hint that LDAP only works with STARTTLS * Add the relevant LDAP RFC for STARTTLS * Amend with sieve RFC * Correct numbering order of RFC section --- doc/testssl.1 | 8 ++++++-- doc/testssl.1.html | 6 ++++-- doc/testssl.1.md | 6 ++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 34f8d3a..0b505f8 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -82,7 +82,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able .P \fB\-\-reqheader
\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-reqheader 'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==' \-\-reqheader 'ClientID: 0xDEADBEAF'\fR\. REQHEADER is the corresponding environment variable\. .SS "SPECIAL INVOCATIONS" -\fB\-t , \-\-starttls \fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBsieve\fR, \fBxmpp\-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\. +\fB\-t , \-\-starttls \fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBsieve\fR, \fBxmpp\-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR are WIP\. .P \fB\-\-xmpphost \fR is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter\. This is only needed if the domain is different from the URI supplied\. .P 
@@ -478,9 +478,11 @@ Please note that for plain TLS\-encrypted ports you must not specify the protoco .IP "\[ci]" 4 RFC 2246: The TLS Protocol Version 1\.0 .IP "\[ci]" 4 +RFC 2595: Using TLS with IMAP, POP3 and ACAP +.IP "\[ci]" 4 RFC 2818: HTTP Over TLS .IP "\[ci]" 4 -RFC 2595: Using TLS with IMAP, POP3 and ACAP +RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security .IP "\[ci]" 4 RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security .IP "\[ci]" 4 @@ -502,6 +504,8 @@ RFC 5321: Simple Mail Transfer Protocol .IP "\[ci]" 4 RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension .IP "\[ci]" 4 +RFC 5804: A Protocol for Remotely Managing Sieve Scripts +.IP "\[ci]" 4 RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions .IP "\[ci]" 4 RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3\.0 diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 23ce568..f6bc2da 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -194,7 +194,7 @@ The same can be achieved by setting the environment variable WARNINGSSPECIAL INVOCATIONS -

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, sieve, xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

+

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, sieve, xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with --ssl-native. telnet and irc are WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

@@ -580,8 +580,9 @@ This is to prevent giving out a misleading or wrong grade.

  • RFC 2246: The TLS Protocol Version 1.0
  • -
  • RFC 2818: HTTP Over TLS
  • RFC 2595: Using TLS with IMAP, POP3 and ACAP
  • +
  • RFC 2818: HTTP Over TLS
  • +
  • RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
  • RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
  • RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
  • RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
  • @@ -592,6 +593,7 @@ This is to prevent giving out a misleading or wrong grade.

  • RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • RFC 5321: Simple Mail Transfer Protocol
  • RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
  • +
  • RFC 5804: A Protocol for Remotely Managing Sieve Scripts
  • RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
  • RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
  • RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
  • diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 54cff9b..b7f2c39 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -115,7 +115,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. ### SPECIAL INVOCATIONS -`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `sieve`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP. +`-t , --starttls ` does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`, `pop3`, `imap`, `xmpp`, `sieve`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with `--ssl-native`. `telnet` and `irc` are WIP. `--xmpphost ` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied. @@ -473,8 +473,9 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol ## RFCs and other standards * RFC 2246: The TLS Protocol Version 1.0 -* RFC 2818: HTTP Over TLS * RFC 2595: Using TLS with IMAP, POP3 and ACAP +* RFC 2818: HTTP Over TLS +* RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security * RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security * RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1 * RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1 
@@ -485,6 +486,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol * RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile * RFC 5321: Simple Mail Transfer Protocol * RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension +* RFC 5804: A Protocol for Remotely Managing Sieve Scripts * RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions * RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0 * RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
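
Review bot: In the `-t, --starttls` paragraph (changed the same way in doc/testssl.1, doc/testssl.1.html and doc/testssl.1.md), the new text describes IRC twice with two different caveats: "IRC currently only works with `--ssl-native`", immediately followed by "`telnet` and `irc` are WIP". Suggest stating the IRC status once, for example "`telnet` and `irc` are WIP; `irc` currently only works with `--ssl-native`". The commit message also needs amending: it only mentions removing the LDAP hint, and words it as "only works with STARTTLS" although the removed text said `--ssl-native`, and it does not say that the `--ssl-native` restriction is now documented for IRC.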
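
Review bot: The "RFCs and other standards" hunks combine the reorder of RFC 2595 with the two additions (RFC 2830, RFC 5804), and the same edit is repeated in three files with different diff shapes: the diffstat shows 8 changed lines for doc/testssl.1 against 6 each for doc/testssl.1.html and doc/testssl.1.md. That makes it hard to confirm from the patch that the three lists end up identical. Suggest saying in the commit message whether doc/testssl.1 and doc/testssl.1.html were regenerated from doc/testssl.1.md or edited by hand, and, if by hand, splitting the reorder from the additions so each can be checked on its own.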