Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-09 12:12:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 0-RTT

Browse Source 
also:
* fine tuning protocol section
* reference RFC 8470 (well..) and FIPS 203
* add a general linkto TLS related  RFCs
This commit is contained in:
Dirk Wetter
2025-10-08 10:31:48 +02:00
parent d637daefeb
commit da7c713b08
3 changed files with 727 additions and 738 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
doc/testssl.1.html
View File

@ -470,11 +470,11 @@
encryption sucks. Also this section lists the available
elliptical curves and Diffie Hellman groups, as well as FFDHE
groups (TLS 1.2 and TLS 1.3).</p>
<p><code>-p, --protocols</code> checks TLS/SSL protocols SSLv2,
SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC (HTTP/3),
SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final version and
several drafts (from 18 on) are tested. QUIC needs OpenSSL &gt;=
3.2 which can be automatically picked up when in
<p><code>-p, --protocols</code> checks every SSL/TLS protocols:
SSLv2, SSLv3, TLS 1.0 through TLS 1.3. And for HTTP also QUIC
(HTTP/3), SPDY (NPN) and ALPN (HTTP/2). For TLS 1.3 the final
version and several drafts (from 18 on) are tested. QUIC needs
OpenSSL &gt;= 3.2 which can be automatically picked up when in
<code>/usr/bin/openssl</code> (or when defined environment
variable OPENSSL2). If a TLS-1.3-only host is encountered and
the openssl-bad version is used testssl.sh will e.g. for HTTP
@ -493,6 +493,7 @@
<li>Available TLS extensions,</li>
<li>TLS ticket + session ID information/capabilities,</li>
<li>session resumption capabilities,</li>
<li>TLS 1.3 early data, a.k.a 0-RTT</li>
<li>Time skew relative to localhost (most server implementations
return random values).</li>
<li>Several certificate information
@ -927,11 +928,11 @@
and when this is set to true, it generates a separate text file
with epoch times in <code>/tmp/testssl-&lt;XX&gt;.time</code>.
They need to be concatenated by
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code> <!---
* FAST_SOCKET
* SHOW_SIGALGO
* FAST
--></li>
<code>paste /tmp/testssl-&lt;XX&gt;.{time,log}</code>
&lt;!—</li>
<li>FAST_SOCKET</li>
<li>SHOW_SIGALGO</li>
<li>FAST &gt;</li>
<li>EXPERIMENTAL=true is an option which is sometimes used in
the development process to make testing easier. In released
versions this has no effect.</li>
@ -969,10 +970,9 @@
may be made larger on systems with faster processors.</li>
<li>MAX_WAIT_TEST is the maximum time (in seconds) to wait for a
single test in parallel mass testing mode to complete. The
default is 1200. <!---
* USLEEP_SND
* USLEEP_REC
--></li>
default is 1200. &lt;!—</li>
<li>USLEEP_SND</li>
<li>USLEEP_REC &gt;</li>
<li>HSTS_MIN is preset to 179 (days). If you want warnings
sooner or later for HTTP Strict Transport Security you can
change this.</li>
@ -1194,6 +1194,7 @@
News Transfer Protocol (NNTP)</li>
<li>RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3</li>
<li>RFC 8470: Using Early Data in HTTP</li>
<li>RFC 8701: Applying Generate Random Extensions And Sustain
Extensibility (GREASE) to TLS Extensibility</li>
<li>RFC 9000: QUIC: A UDP-Based Multiplexed and Secure
@ -1201,7 +1202,12 @@
<li>W3C CSP: Content Security Policy Level 1-3</li>
<li>TLSWG Draft: The Transport Layer Security (TLS) Protocol
Version 1.3</li>
<li>FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism
Standard</li>
</ul>
<p><a
href="ihttps://www.rfc-editor.org/search/rfc_search_detail.php?title=TLS&amp;page=All">More
RFCs</a> might be applicable.</p>
<h2 id="exit-status">EXIT STATUS</h2>
<ul>
<li>0 testssl.sh finished successfully without errors and