From 0c20b21fc2635716a4018f823c17cfb37cca9253 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 26 Nov 2020 13:02:10 +0100 Subject: [PATCH 01/22] Better order, "command not found added" --- t/{20_baseline_ipv4_http.t => 10_baseline_ipv4_http.t} | 0 ...line_ipv6_http.t.DISABLED => 11_baseline_ipv6_http.t.DISABLED} | 0 t/{25_baseline_starttls.t => 21_baseline_starttls.t} | 0 t/{07_isJSON_valid.t => 31_isJSON_valid.t} | 0 t/{08_isHTML_valid.t => 32_isHTML_valid.t} | 0 ...JSON_severitylevel_valid.t => 33_isJSON_severitylevel_valid.t} | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename t/{20_baseline_ipv4_http.t => 10_baseline_ipv4_http.t} (100%) rename t/{21_baseline_ipv6_http.t.DISABLED => 11_baseline_ipv6_http.t.DISABLED} (100%) rename t/{25_baseline_starttls.t => 21_baseline_starttls.t} (100%) rename t/{07_isJSON_valid.t => 31_isJSON_valid.t} (100%) rename t/{08_isHTML_valid.t => 32_isHTML_valid.t} (100%) rename t/{09_isJSON_severitylevel_valid.t => 33_isJSON_severitylevel_valid.t} (100%) diff --git a/t/20_baseline_ipv4_http.t b/t/10_baseline_ipv4_http.t similarity index 100% rename from t/20_baseline_ipv4_http.t rename to t/10_baseline_ipv4_http.t diff --git a/t/21_baseline_ipv6_http.t.DISABLED b/t/11_baseline_ipv6_http.t.DISABLED similarity index 100% rename from t/21_baseline_ipv6_http.t.DISABLED rename to t/11_baseline_ipv6_http.t.DISABLED diff --git a/t/25_baseline_starttls.t b/t/21_baseline_starttls.t similarity index 100% rename from t/25_baseline_starttls.t rename to t/21_baseline_starttls.t diff --git a/t/07_isJSON_valid.t b/t/31_isJSON_valid.t similarity index 100% rename from t/07_isJSON_valid.t rename to t/31_isJSON_valid.t diff --git a/t/08_isHTML_valid.t b/t/32_isHTML_valid.t similarity index 100% rename from t/08_isHTML_valid.t rename to t/32_isHTML_valid.t 
diff --git a/t/09_isJSON_severitylevel_valid.t b/t/33_isJSON_severitylevel_valid.t similarity index 100% rename from t/09_isJSON_severitylevel_valid.t rename to t/33_isJSON_severitylevel_valid.t From 191efddaeef7c191c795360879e3e572268ce4a5 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 26 Nov 2020 13:07:49 +0100 Subject: [PATCH 02/22] document changes from previous commits --- t/Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/Readme.md b/t/Readme.md index 56ba9c5..234c313 100644 --- a/t/Readme.md +++ b/t/Readme.md @@ -1,8 +1,8 @@ ### Naming scheme * 00-05: Does the bare testssl.sh work at all? -* 06-09: Does the reporting work at all? -* 20-39: Do scans work fine (client side)? +* 10-29: Do scans work fine (client side)? +* 30-39: Does reporting work? * 50-69: Are the results what I expect (server side)? Please help to write Travis/CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html). From 49d321cfbbcc94ce4adf870d56be8946d29cd35c Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 26 Nov 2020 13:41:44 +0100 Subject: [PATCH 03/22] Add "command not found" --- t/10_baseline_ipv4_http.t | 4 ++-- t/11_baseline_ipv6_http.t.DISABLED | 4 ++-- t/21_baseline_starttls.t | 4 ++-- t/23_client_simulation.t | 4 ++-- t/31_isJSON_valid.t | 4 ++-- t/Readme.md | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/t/10_baseline_ipv4_http.t b/t/10_baseline_ipv4_http.t index 575a262..06d61ad 100755 --- a/t/10_baseline_ipv4_http.t +++ b/t/10_baseline_ipv4_http.t 
@@ -20,8 +20,8 @@ my $uri="google.com"; my $socket_out=""; my $openssl_out=""; # Blacklists we use to trigger an error: -my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal'; -my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem'; +my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; my $json_regex_bl='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")'; my $socket_json=""; diff --git a/t/11_baseline_ipv6_http.t.DISABLED b/t/11_baseline_ipv6_http.t.DISABLED index 2043f50..e8253f8 100755 --- a/t/11_baseline_ipv6_http.t.DISABLED +++ b/t/11_baseline_ipv6_http.t.DISABLED @@ -20,8 +20,8 @@ my $uri=""; my $socket_out=""; my $openssl_out=""; # Blacklists we use to trigger an error: -my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal'; -my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem'; +my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; # my $socket_json=""; # my $openssl_json=""; diff --git a/t/21_baseline_starttls.t b/t/21_baseline_starttls.t index efb795e..3182df8 100755 --- a/t/21_baseline_starttls.t +++ b/t/21_baseline_starttls.t 
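Review bot: The two blacklist strings `$socket_regex_bl` and `$openssl_regex_bl` are extended by hand in five separate test files (this hunk, the 11_baseline_ipv6 hunk on the same line, and the 21_baseline_starttls, 23_client_simulation and 31_isJSON_valid hunks on the next line), so the next message added has to be pasted five times again; a shared definition, e.g. a small helper module under `t/` that exports both patterns, would keep them from drifting. The patterns are compiled with `qr/$socket_regex_bl/` in the starttls test, so the helper could export ready-made `qr//` objects. `command not found` is the wording of bash's error for a missing binary; if the tests are ever run under another shell the match will presumably miss, which a comment next to the pattern could record, e.g. `# "command not found": bash's message when a required binary (e.g. openssl) is missing`.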
@@ -23,8 +23,8 @@ my $uri=""; my $socket_out=""; my $openssl_out=""; # Blacklists we use to trigger an error: -my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal'; -my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem'; +my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; # my $socket_json=""; # my $openssl_json=""; diff --git a/t/23_client_simulation.t b/t/23_client_simulation.t index 60ab990..897df5d 100755 --- a/t/23_client_simulation.t +++ b/t/23_client_simulation.t @@ -18,8 +18,8 @@ my $uri=""; my $socket_out=""; my $openssl_out=""; # Blacklists we use to trigger an error: -my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal'; -my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem'; +my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; # my $socket_json=""; # my $openssl_json=""; diff --git a/t/31_isJSON_valid.t b/t/31_isJSON_valid.t index 26814b8..695da0c 100755 --- a/t/31_isJSON_valid.t +++ b/t/31_isJSON_valid.t @@ -14,8 +14,8 @@ my $uri=""; my $json=""; my $out=""; # Blacklists we use to trigger an error: -my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal'; -my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem'; +my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; die "Unable to open $prg" unless -f $prg; diff --git a/t/Readme.md b/t/Readme.md index 234c313..272372b 100644 --- a/t/Readme.md +++ b/t/Readme.md 
@@ -6,5 +6,5 @@ * 50-69: Are the results what I expect (server side)? Please help to write Travis/CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html). -You can consult the existing code here. Feel free to use `20_baseline_ipv4_http.t` or `23_client_simulation.t` as a +You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `23_client_simulation.t` as a template. From a98ede0720d14f782299f889d5994fe8d12a095f Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 26 Nov 2020 15:58:13 +0100 Subject: [PATCH 04/22] Finalize first diff check for travis --- t/61_diff_testsslsh.t | 66 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100755 t/61_diff_testsslsh.t diff --git a/t/61_diff_testsslsh.t b/t/61_diff_testsslsh.t new file mode 100755 index 0000000..6a13c96 --- /dev/null +++ b/t/61_diff_testsslsh.t 
@@ -0,0 +1,66 @@
+#!/usr/bin/env perl
+
+# Baseline diff test against testssl, (csv output)
+#
+# We don't use a full run yet and omiy the certificate section.
+# There we would need to blacklist at least:
+# cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert
+# cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert
+#
+# help is apreciated here
+
+use strict;
+use Test::More;
+use Data::Dumper;
+use File::Compare;
+use Text::Diff;
+
+my $tests = 0;
+my $prg="./testssl.sh";
+my $master_socket_csv="./t/baseline_data/default_testssl.csvfile";
+my $socket_csv="tmp.csv";
+ my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv";
+#my $check2run="-p --color 0 --csvfile $socket_csv";
+my $uri="testssl.sh";
+my $diff="";
+
+die "Unable to open $prg" unless -f $prg;
+die "Unable to open $master_socket_csv" unless -f $master_socket_csv;
+
+
+# Provide proper start conditions
+unlink "tmp.csv";
+
+# Title
+printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
+
+#1 run
+`$prg $check2run $uri 2>&1`;
+
+
+$diff = diff $socket_csv, $master_socket_csv;
+
+$socket_csv=`cat tmp.csv`;
+$master_socket_csv=`cat $master_socket_csv`;
+
+# Filter, for now only HTTP_clock_skew
+$socket_csv=~ s/HTTP_clock_skew.*\n//g;
+$master_socket_csv=~ s/HTTP_clock_skew.*\n//g;
+
+# Compare and print the differences if there are some
+# Filtering takes place later, so if ther will be a difference detected
+# it'll also show HTTP_clock_skew
+#
+cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") and
+ printf "\n%s\n", "$diff";
+
+$tests++;
+
+unlink "tmp.csv";
+
+done_testing($tests);
+printf "\n";
+
+
+# vim:tw=95:ts=5:sw=5:et
+
From 1b63760bc34cd198c1d576c8535e73223e6e9c51 Mon Sep 17 00:00:00 2001
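Review bot: `$diff` is computed on new line 41 before the `HTTP_clock_skew` filter on lines 47-48 runs, so the filtered strings are never the ones diffed and every report carries that volatile line; slurping both files into fresh scalars, filtering, and then calling `diff \$got, \$expected` (Text::Diff accepts scalar refs) reports only real differences. The run on line 38 is unchecked: if `testssl.sh` writes no `tmp.csv`, the `cat` backtick on line 43 returns an empty string and the assertion fails for an unrelated reason, so a `-f $socket_csv` check after the run is warranted, and the two `unlink "tmp.csv"` calls should use `$socket_csv` so the name cannot drift. Reading files through `cat` in backticks and reusing `$socket_csv`/`$master_socket_csv` as both path and contents is better done with a 3-arg `open` slurp into separate variables, and `use warnings;` is missing after `use strict;`. `cmp_ok(...) and printf` prints the diff when the outputs match rather than when they differ, and `cmp_ok` on two whole CSV bodies dumps both in its failure diagnostics; a later patch in this series already switches to `or diag`, which the rewrite below assumes. Note also that the master file's `fqdn/ip` column embeds the resolved address of the target, so a DNS change on the target's side would show up as a diff of every line.
```perl
use strict;
use warnings;
# … unchanged: remaining use lines, variable declarations, die checks, title …

# Make sure no stale output from a previous run is compared.
unlink $socket_csv;

#1 run
`$prg $check2run $uri 2>&1`;
die "$prg did not write $socket_csv (exit status $?)" unless -f $socket_csv;

my $got      = slurp($socket_csv);
my $expected = slurp($master_socket_csv);

# Filter volatile lines (for now only HTTP_clock_skew) *before* diffing,
# so the report shows real differences only.
s/HTTP_clock_skew.*\n//g for $got, $expected;
$diff = diff \$got, \$expected;

# ok() instead of cmp_ok() so a mismatch prints the diff, not both CSV bodies.
ok($got eq $expected, "Check whether CSV output matches master file from $uri")
    or diag $diff;
$tests++;

unlink $socket_csv;
# … unchanged: done_testing …

# Read a whole file into one string; dies with the OS error if it cannot be opened.
sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}
```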
From: Dirk Date: Thu, 26 Nov 2020 16:05:08 +0100 Subject: [PATCH 05/22] Add baseline master file for testssl.sh --- t/baseline_data/default_testssl.csvfile | 137 ++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 t/baseline_data/default_testssl.csvfile diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile new file mode 100644 index 0000000..9c89f61 --- /dev/null +++ b/t/baseline_data/default_testssl.csvfile 
@@ -0,0 +1,137 @@ +"id","fqdn/ip","port","severity","finding","cve","cwe" +"service","testssl.sh/81.169.166.184","443","INFO","HTTP","","" +"pre_128cipher","testssl.sh/81.169.166.184","443","INFO","No 128 cipher limit bug","","" +"SSLv2","testssl.sh/81.169.166.184","443","OK","not offered","","" +"SSLv3","testssl.sh/81.169.166.184","443","OK","not offered","","" +"TLS1","testssl.sh/81.169.166.184","443","LOW","offered (deprecated)","","" +"TLS1_1","testssl.sh/81.169.166.184","443","LOW","offered (deprecated)","","" +"TLS1_2","testssl.sh/81.169.166.184","443","OK","offered","","" +"TLS1_3","testssl.sh/81.169.166.184","443","OK","offered with final","","" +"NPN","testssl.sh/81.169.166.184","443","INFO","offered with h2, http/1.1 (advertised)","","" +"ALPN_HTTP2","testssl.sh/81.169.166.184","443","OK","h2","","" +"ALPN","testssl.sh/81.169.166.184","443","INFO","http/1.1","","" +"cipherlist_NULL","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327" +"cipherlist_aNULL","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327" +"cipherlist_EXPORT","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327" +"cipherlist_LOW","testssl.sh/81.169.166.184","443","OK","not offered","","CWE-327" +"cipherlist_3DES_IDEA","testssl.sh/81.169.166.184","443","INFO","not offered","","CWE-310" +"cipherlist_AVERAGE","testssl.sh/81.169.166.184","443","LOW","offered","","CWE-310" +"cipherlist_GOOD","testssl.sh/81.169.166.184","443","OK","offered","","" +"cipherlist_STRONG","testssl.sh/81.169.166.184","443","OK","offered","","" +"cipher_order","testssl.sh/81.169.166.184","443","OK","server","","" +"protocol_negotiated","testssl.sh/81.169.166.184","443","OK","Default protocol TLS1.3","","" +"cipher_negotiated","testssl.sh/81.169.166.184","443","OK","TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)","","" +"cipher-tls1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" 
+"cipher-tls1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","","" +"cipher-tls1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","","" +"cipher-tls1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipherorder_TLSv1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","","" +"cipher-tls1_1_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_1_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_1_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","","" +"cipher-tls1_1_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","","" +"cipher-tls1_1_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_1_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x33 DHE-RSA-AES128-SHA DH 2048 AES 
128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_1_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.1 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipherorder_TLSv1_1","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","","" +"cipher-tls1_2_xc030","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xc02f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x9f","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9e","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc028","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc014","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc013","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x88","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","","" +"cipher-tls1_2_x45","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","","" +"cipher-tls1_2_x6b","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x39","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_x67","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_x33","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x9d","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9c","testssl.sh/81.169.166.184","443","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x3d","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x35","testssl.sh/81.169.166.184","443","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipherorder_TLSv1_2","testssl.sh/81.169.166.184","443","INFO","ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA","","" +"cipher-tls1_3_x1302","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","","" +"cipher-tls1_3_x1303","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_3_x1301","testssl.sh/81.169.166.184","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","","" 
+"cipherorder_TLSv1_3","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" +"FS","testssl.sh/81.169.166.184","443","OK","offered","","" +"FS_ciphers","testssl.sh/81.169.166.184","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA","","" +"FS_ECDHE_curves","testssl.sh/81.169.166.184","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" +"DH_groups","testssl.sh/81.169.166.184","443","OK","Unknown DH group (2048 bits)","","" +"HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","","" +"HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","","" +"HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15465600 seconds","","" +"HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","","" +"HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","","" +"HPKP","testssl.sh/81.169.166.184","443","INFO","No support for HTTP Public Key Pinning","","" +"banner_server","testssl.sh/81.169.166.184","443","INFO","Never trust a banner","","" +"banner_application","testssl.sh/81.169.166.184","443","INFO","X-Powered-By: A portion of humor","","" +"cookie_count","testssl.sh/81.169.166.184","443","INFO","0 at '/'","","" +"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","","" +"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","","" +"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; default-src 'self' ; child-src 
'none'; object-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests","","" +"Expect-CT","testssl.sh/81.169.166.184","443","OK","max-age=86400, enforce","","" +"X-XSS-Protection","testssl.sh/81.169.166.184","443","INFO","1; mode=block","","" +"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200" +"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" +"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310" +"ticketbleed","testssl.sh/81.169.166.184","443","OK","no session ticket extension","CVE-2016-9244","CWE-200" +"ROBOT","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203" +"secure_renego","testssl.sh/81.169.166.184","443","OK","supported","","CWE-310" +"secure_client_renego","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2011-1473","CWE-310" +"CRIME_TLS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2012-4929","CWE-310" +"BREACH","testssl.sh/81.169.166.184","443","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression - only supplied '/' tested","CVE-2013-3587","CWE-310" +"POODLE_SSL","testssl.sh/81.169.166.184","443","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310" +"fallback_SCSV","testssl.sh/81.169.166.184","443","OK","supported","","" +"SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" +"FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310" +"DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" +"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see 
https://censys.io/ipv4?q=B95B85E87BA020CD25A95DF53CDD16C7DCEA96EFE7FEF9411529D511B39015B3","CVE-2016-0800 CVE-2016-0703","CWE-310" +"LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" +"LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310" +"BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20" +"BEAST","testssl.sh/81.169.166.184","443","LOW","VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)","CVE-2011-3389","CWE-20" +"LUCKY13","testssl.sh/81.169.166.184","443","LOW","potentially vulnerable, uses TLS CBC ciphers","CVE-2013-0169","CWE-310" +"winshock","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-6321","CWE-94" +"RC4","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" +"clientsimulation-android_442","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-android_500","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256","","" +"clientsimulation-android_60","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256","","" +"clientsimulation-android_70","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-android_81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-android_90","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_X","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chrome_74_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-chrome_79_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_66_win81","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_71_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_6_xp","testssl.sh/81.169.166.184","443","INFO","No connection","","" +"clientsimulation-ie_8_win7","testssl.sh/81.169.166.184","443","INFO","TLSv1.0 ECDHE-RSA-AES256-SHA","","" +"clientsimulation-ie_8_xp","testssl.sh/81.169.166.184","443","INFO","No connection","","" +"clientsimulation-ie_11_win7","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 DHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 DHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_winphone81","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-SHA","","" +"clientsimulation-ie_11_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_15_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_17_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-opera_66_win10","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_9_ios9","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-safari_9_osx1011","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-safari_10_osx1012","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-safari_121_ios_122","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-safari_130_osx_10146","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-apple_ats_9_ios9","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-java_6u45","testssl.sh/81.169.166.184","443","INFO","No connection","","" +"clientsimulation-java_7u25","testssl.sh/81.169.166.184","443","INFO","TLSv1.0 ECDHE-RSA-AES128-SHA","","" +"clientsimulation-java_8u161","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-java1102","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java1201","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_102e","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_110l","testssl.sh/81.169.166.184","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_111d","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-thunderbird_68_3_1","testssl.sh/81.169.166.184","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" From 665209bf60cea9837378073459dccb39697ab5d5 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 26 Nov 2020 16:27:40 +0100 Subject: [PATCH 06/22] typos --- t/61_diff_testsslsh.t | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/t/61_diff_testsslsh.t b/t/61_diff_testsslsh.t index 6a13c96..65b584e 100755 --- a/t/61_diff_testsslsh.t +++ b/t/61_diff_testsslsh.t 
@@ -1,8 +1,8 @@ #!/usr/bin/env perl -# Baseline diff test against testssl, (csv output) +# Baseline diff test against testssl.sh (csv output) # -# We don't use a full run yet and omiy the certificate section. +# We don't use a full run yet and only the certificate section. # There we would need to blacklist at least: # cert_serialNumber, cert_fingerprintSHA1, cert_fingerprintSHA256, cert # cert_expirationStatus, cert_notBefore, cert_notAfter, cert_caIssuers, intermediate_cert @@ -12,7 +12,6 @@ use strict; use Test::More; use Data::Dumper; -use File::Compare; use Text::Diff; my $tests = 0; @@ -47,9 +46,8 @@ $master_socket_csv=`cat $master_socket_csv`; $socket_csv=~ s/HTTP_clock_skew.*\n//g; $master_socket_csv=~ s/HTTP_clock_skew.*\n//g; -# Compare and print the differences if there are some -# Filtering takes place later, so if ther will be a difference detected -# it'll also show HTTP_clock_skew +# Compare the differences to the master file -- and print differences if there were detected. +# Filtering takes place later, so if there will be a difference detected it'll also show HTTP_clock_skew :-( # cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") and printf "\n%s\n", "$diff"; From 96d4b4f08b68511a797f613597159bfa5955217e Mon Sep 17 00:00:00 2001 
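Review bot: The typo fix in the header comment replaces `omiy` with `only`, but `We don't use a full run yet and only the certificate section.` does not parse; the lines right below list the certificate fields that would need blacklisting, so the intended word is evidently `omit`: `# We don't use a full run yet and omit the certificate section.`. `apreciated` on line 10 of the same file remains misspelled (`appreciated`). The reworded comment in the third hunk of this file (`Filtering takes place later ...`) documents that the diff is taken before the HTTP_clock_skew filter; moving the `diff` call after the filter would remove the caveat instead of explaining it.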
From: Dirk Wetter Date: Fri, 27 Nov 2020 13:19:52 +0100 Subject: [PATCH 07/22] Trying to reduced the runtime of travis Often in the past travis was hitting a limit (50min?). This is a try to make reasonable cuts to the unit tests: - For STARTTLS some checks with OPenSSL are skipped - For JSON and HTML outputs --ids-friendly was added assumming we don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more. - There's also not point to run those checks against badssl - for the diff check we switch to 'or diag' to display a dfifference --- t/21_baseline_starttls.t | 44 ++++++++++++++++++------------- t/23_client_simulation.t | 12 +++++---- t/31_isJSON_valid.t | 4 +-- t/32_isHTML_valid.t | 2 +- t/33_isJSON_severitylevel_valid.t | 4 +-- t/51_badssl.com.t | 2 +- t/61_diff_testsslsh.t | 6 ++--- 7 files changed, 42 insertions(+), 32 deletions(-) diff --git a/t/21_baseline_starttls.t b/t/21_baseline_starttls.t index 3182df8..57c3663 100755 --- a/t/21_baseline_starttls.t +++ b/t/21_baseline_starttls.t @@ -17,7 +17,7 @@ use Data::Dumper; my $tests = 0; my $prg="./testssl.sh"; -my $check2run_smtp="--protocols --standard --fs --server-preference --headers --vulnerable --each-cipher -q --ip=one --color 0"; +my $check2run_smtp="--protocols --standard --fs --server-preference --headers --vulnerable -q --ip=one --color 0"; my $check2run="-q --ip=one --color 0"; my $uri=""; my $socket_out=""; 
@@ -60,12 +60,14 @@ $socket_out = `./testssl.sh $check2run -t pop3 $uri 2>&1`; unlike($socket_out, qr/$socket_regex_bl/, ""); $tests++; +# commented out, bc of travis' limits +# +#printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ..."; # unlink "tmp.json"; -printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ..."; -$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`; +#$openssl_out = `./testssl.sh --ssl-native $check2run -t pop3 $uri 2>&1`; # $openssl_json = json('tmp.json'); -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; +#unlike($openssl_out, qr/$openssl_regex_bl/, ""); +#$tests++; $uri="imap.gmx.net:143"; @@ -93,11 +95,13 @@ $socket_out = `./testssl.sh $check2run -t xmpp $uri 2>&1`; unlike($openssl_out, qr/$openssl_regex_bl/, ""); $tests++; -printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ..."; -$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; +# commented out, bc of travis' limits +# +#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ..."; +#$openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`; # $openssl_json = json('tmp.json'); -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; +#unlike($openssl_out, qr/$openssl_regex_bl/, ""); +#$tests++; # $uri="jabber.ccc.de:5269"; # printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ..."; 
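Review bot: The OpenSSL STARTTLS runs are disabled by commenting the code out (this hunk and the XMPP hunk on the same line, the FTP and NNTP hunks on the next line, and the SMTP hunk in 23_client_simulation.t); commented-out tests are invisible to the harness and rot silently, whereas a `SKIP` block keeps them runnable locally while still counting correctly under `done_testing($tests)`. Gating on an environment variable keeps the CI cut the commit wants: `SKIP: { skip "OpenSSL STARTTLS checks skipped on CI (runtime limit)", 1 unless $ENV{RUN_SLOW_TESTS};` (variable name constructed, pick your own) followed by the original `printf`/backtick/`unlike` lines and `}`. `$tests++` then stays outside the block, since a skipped test still counts towards the plan. The `# commented out, bc of travis' limits` marker at least records the reason, which is good.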
@@ -118,13 +122,15 @@ $socket_out =~ s/ error querying OCSP responder .*\n//g; unlike($socket_out, qr/$socket_regex_bl/, ""); $tests++; -printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ..."; -$openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`; +# commented out, bc of travis' limits +# +# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ..."; +# $openssl_out = `./testssl.sh --ssl-native $check2run -t ftp $uri 2>&1`; # $openssl_json = json('tmp.json'); # OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)' -$openssl_out =~ s/ error querying OCSP responder .*\n//g; -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; +# $openssl_out =~ s/ error querying OCSP responder .*\n//g; +# unlike($openssl_out, qr/$openssl_regex_bl/, ""); +# $tests++; # https://ldapwiki.com/wiki/Public%20LDAP%20Servers @@ -146,11 +152,13 @@ $socket_out = `./testssl.sh $check2run -t nntp $uri 2>&1`; unlike($socket_out, qr/$socket_regex_bl/, ""); $tests++; -printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ..."; -$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`; +# commented out, bc of travis' limits +# +#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ..."; +#$openssl_out = `./testssl.sh --ssl-native $check2run -t nntp $uri 2>&1`; # $openssl_json = json('tmp.json'); -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; +#unlike($openssl_out, qr/$openssl_regex_bl/, ""); +#$tests++; # IRC: missing diff --git a/t/23_client_simulation.t b/t/23_client_simulation.t index 897df5d..c241132 100755 --- a/t/23_client_simulation.t +++ b/t/23_client_simulation.t 
@@ -53,12 +53,14 @@ $socket_out = `./testssl.sh $check2run -t smtp $uri 2>&1`; unlike($socket_out, qr/$socket_regex_bl/, ""); $tests++; +# commented out, bc of travis' limits +# # unlink "tmp.json"; -printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ..."; -$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`; -# $openssl_json = json('tmp.json'); -unlike($openssl_out, qr/$openssl_regex_bl/, ""); -$tests++; +#printf "\n%s\n", "STARTTLS: Client simulations unit test via OpenSSL --> $uri ..."; +#$openssl_out = `./testssl.sh --ssl-native $check2run -t smtp $uri 2>&1`; +## $openssl_json = json('tmp.json'); +#unlike($openssl_out, qr/$openssl_regex_bl/, ""); +#$tests++; done_testing($tests); unlink "tmp.json"; diff --git a/t/31_isJSON_valid.t b/t/31_isJSON_valid.t index 695da0c..5a84bed 100755 --- a/t/31_isJSON_valid.t +++ b/t/31_isJSON_valid.t @@ -9,7 +9,7 @@ use JSON; my $tests = 0; my $prg="./testssl.sh"; -my $check2run ="--ip=one -q --color 0"; +my $check2run ="--ip=one --ids-friendly -q --color 0"; my $uri=""; my $json=""; my $out=""; @@ -44,7 +44,7 @@ $tests++; #3 -# This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. +# This testssl.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. # but the output should be fine. The idea is to have a unit test for a failed connection. printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ..."; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`; diff --git a/t/32_isHTML_valid.t b/t/32_isHTML_valid.t index 294661a..a1aa819 100755 --- a/t/32_isHTML_valid.t +++ b/t/32_isHTML_valid.t @@ -15,7 +15,7 @@ my $out=""; my $html=""; my $debughtml=""; my $edited_html=""; -my $check2run="--ip=one --color 0 --htmlfile tmp.html"; +my $check2run="--ip=one --ids-friendly --color 0 --htmlfile tmp.html"; my $diff=""; die "Unable to open $prg" unless -f $prg; 
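Review bot: Adding `--ids-friendly` to `$check2run` in 31_isJSON_valid.t silently narrows what this JSON-validity test covers: according to testssl.sh's own help text the switch skips the vulnerability checks most likely to make an IDS block the scanning IP (at least Heartbleed, CCS injection and ticketbleed; confirm against the current `--help`), so the JSON those sections emit is no longer validated by this test. That trade-off belongs on the changed line so nobody later "repairs" the option list, e.g. `my $check2run ="--ip=one --ids-friendly -q --color 0";  # --ids-friendly: skip IDS-triggering checks so CI scans aren't blocked -- their JSON output is NOT covered here`. The identical change to `$check2run` in 32_isHTML_valid.t further down this line deserves the same comment.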
diff --git a/t/33_isJSON_severitylevel_valid.t b/t/33_isJSON_severitylevel_valid.t index e39d6ab..234efc0 100755 --- a/t/33_isJSON_severitylevel_valid.t +++ b/t/33_isJSON_severitylevel_valid.t @@ -21,7 +21,7 @@ unlink 'tmp.json'; #1 pass(" .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; -$out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`; +$out = `./testssl.sh -S -e -U --ids-friendly --jsonfile tmp.json --severity LOW --color 0 badssl.com`; $json = json('tmp.json'); unlink 'tmp.json'; $found = 0; @@ -36,7 +36,7 @@ is($found,0,"We should not have any finding with INFO level"); $tests++; #2 pass(" .. running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; -$out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`; +$out = `./testssl.sh -S -e -U --ids-friendly --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`; $json_pretty = json('tmp.json'); unlink 'tmp.json'; $found = 0; diff --git a/t/51_badssl.com.t b/t/51_badssl.com.t index 16c5aed..b66f756 100755 --- a/t/51_badssl.com.t +++ b/t/51_badssl.com.t @@ -14,7 +14,7 @@ my ( ); # OK pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++; -my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --crime --jsonfile tmp.json --color 0 badssl.com`; +my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); unlink 'tmp.json'; cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; diff --git a/t/61_diff_testsslsh.t b/t/61_diff_testsslsh.t index 65b584e..f7afe79 100755 --- a/t/61_diff_testsslsh.t +++ b/t/61_diff_testsslsh.t 
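Review bot: In 33_isJSON_severitylevel_valid.t the new `--ids-friendly` is pasted into two separate backtick command strings, whereas the sibling tests 31_isJSON_valid.t and 32_isHTML_valid.t keep their common options in a single `my $check2run` variable; hoisting `-S -e -U --ids-friendly --severity LOW --color 0` into one such variable here would keep the two runs from drifting apart on the next option change. Since `-U` asks for all vulnerability checks while `--ids-friendly` drops the IDS-sensitive ones again, a short comment on that variable stating that Heartbleed/CCS/ticketbleed findings are deliberately absent from the severity-level comparison would spare the next reader the surprise.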
@@ -18,7 +18,7 @@ my $tests = 0; my $prg="./testssl.sh"; my $master_socket_csv="./t/baseline_data/default_testssl.csvfile"; my $socket_csv="tmp.csv"; - my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv"; +my $check2run="-p -s -P --fs -h -U -c -q --ip=one --color 0 --csvfile $socket_csv"; #my $check2run="-p --color 0 --csvfile $socket_csv"; my $uri="testssl.sh"; my $diff=""; @@ -49,8 +49,8 @@ $master_socket_csv=~ s/HTTP_clock_skew.*\n//g; # Compare the differences to the master file -- and print differences if there were detected. # Filtering takes place later, so if there will be a difference detected it'll also show HTTP_clock_skew :-( # -cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") and - printf "\n%s\n", "$diff"; +cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or + diag ("\n%s\n", "$diff"); $tests++; From 1a7e4f1e925da8ba196afe155ce87ee6a585fa34 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Fri, 27 Nov 2020 16:33:23 +0100 Subject: [PATCH 08/22] consolidate docker sections in Readme.md and Dockerfile.md see #1791 --- Dockerfile.md | 29 ++++++++++++++++++++++------- Readme.md | 16 ++++++---------- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/Dockerfile.md b/Dockerfile.md index bbdf371..ff79277 100644 --- a/Dockerfile.md +++ b/Dockerfile.md @@ -1,6 +1,21 @@ -## Usage: +## Usage + +### From git directory + +``` +docker build . +``` + +Catch is when you run without image tags you need to catch the ID when building + +``` +[..] +---> 889fa2f99933 +Successfully built 889fa2f99933 +``` + +More comfortable is -(in git directory): ``` docker build -t mytestssl . docker run --rm -t mytestssl example.com 
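Review bot: In the second hunk of 61_diff_testsslsh.t the new `diag ("\n%s\n", "$diff")` treats `diag` like `printf`, but Test::More's `diag` simply joins its arguments, so on a mismatch the output is the literal text `\n%s\n` followed by the diff rather than a formatted message; the call should be `diag("\n$diff\n");` (or plainly `diag($diff);`). Switching from `and printf` to `or diag` is otherwise the right fix, since the old form printed the diff only on success. Where `$diff` is actually computed lies outside this hunk, so whether it is populated before the `cmp_ok` could not be checked from here.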
@@ -13,18 +28,18 @@ docker run -t mytestssl --help docker run --rm -t mytestssl -p --header example.com ``` -or pull the image from dockerhub and run: +### From dockerhub + +You can pull the image from dockerhub and run: ``` -docker run --rm -t drwetter/testssl.sh --pfs example.com +docker run --rm -t drwetter/testssl.sh --fs example.com ``` -Tags supported are: ``latest``, ``stable`` which _for now_ are all the same and point to ``3.0``. +Tags supported are: ``3.1dev`` and ``latest`` are the same, i.e. is the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements over the released 3.0.X. ``docker run --rm -t drwetter/testssl.sh:stable example.com``. -And for the indomitable users who prefer to run old stuff you can use the tag ``2.9.5``. Please note ``2.9dev`` should not be used anymore. - Keep in mind that any output file (--log, --html, --json etc.) will be created in the container. If you wish to have this created in a local directory you can mount a volume into the container and change the output prefix where the container user has write access to, e.g.: ``` diff --git a/Readme.md b/Readme.md index b9833c7..3c128b3 100644 --- a/Readme.md +++ b/Readme.md @@ -40,7 +40,7 @@ to get bugfixes, other feedback and more contributions. Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev most of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or OpenSSL >= -1.1.1 . testssl.sh also works on other unixoid system out of the box, supposed they have +1.1.1 . testssl.sh also works on other unixoid systems out of the box, supposed they have `/bin/bash` >= version 3.2 and standard tools like sed and awk installed. An implicit (silent) check for binaries is done when you start testssl.sh . System V needs probably to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too. 
@@ -53,11 +53,11 @@ You can download testssl.sh branch 3.1dev just by cloning this git repository: git clone --depth 1 https://github.com/drwetter/testssl.sh.git -Think of 3.1dev like a rolling release, see below. For the stable version help yourself by downloading the [ZIP](https://github.com/drwetter/testssl.sh/archive/3.0.2.zip) or [tar.gz](https://github.com/drwetter/testssl.sh/archive/3.0.2.zip) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there. +Think of 3.1dev like a rolling release, see below. For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.4) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/3.0.4) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there. #### Docker -Testssl.sh has minimal requirements. As stated you don't have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don't want to pull the github repo to your directory of choice you can pull a container from dockerhub and run it: +Testssl.sh has minimal requirements. As stated you don't have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don't want to pull the github repo to your directory of choice you can pull a container from dockerhub and run it: ``` docker run --rm -ti drwetter/testssl.sh:3.1dev 
@@ -65,21 +65,17 @@ docker run --rm -ti drwetter/testssl.sh:3.1dev Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run ``` -docker build . +docker build . -t imagefoo && docker run --rm -t imagefoo example.com ``` -followed by ``docker run -ti `` where ``ID`` is the identifier in the last line from the build command like +For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/Dockerfile.md). -``` - ---> 889fa2f99933 -Successfully built 889fa2f99933 -``` ### Status We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. So if you need stability the 3.0 branch is better for you. Think of the 3.1dev branch like a rolling release. -Support for 2.9.5 has been dropped. Supported is 3.0.x only. +Support for 2.9.5 has been dropped. Supported is >= 3.0.x only. ### Documentation From 2655e91255ab9d14e3375dff0c23caab45b8a14e Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Fri, 27 Nov 2020 17:00:34 +0100 Subject: [PATCH 09/22] Update Readme.md --- Readme.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Readme.md b/Readme.md index 3c128b3..c8fbbf7 100644 --- a/Readme.md +++ b/Readme.md @@ -60,7 +60,7 @@ Think of 3.1dev like a rolling release, see below. For the stable version help y Testssl.sh has minimal requirements. As stated you don't have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don't want to pull the github repo to your directory of choice you can pull a container from dockerhub and run it: ``` -docker run --rm -ti drwetter/testssl.sh:3.1dev +docker run --rm -ti drwetter/testssl.sh ``` Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and run 
@@ -73,7 +73,9 @@ For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/b ### Status -We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. So if you need stability the 3.0 branch is better for you. Think of the 3.1dev branch like a rolling release. +We're currently in the development phase, version 3.1dev. 3.1dev will eventually become 3.2. Bigger features are developed in a separate branch before merged into 3.1dev to avoid hiccups or inconsistencies. Albeit we try to keep 3.1dev as solid as possible things will certainly change in 3.1dev. Think of the 3.1dev branch like a rolling release. So if you need stability the 3.0 branch is better for you. + +Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released. Support for 2.9.5 has been dropped. Supported is >= 3.0.x only. @@ -86,7 +88,7 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only. ### Contributing -Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.0/CONTRIBUTING.md) for details. +Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.1dev/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.1dev/Coding_Convention.md}. ### Bug reports From c88d22a0f06cbfdcc5a7237dba32d23ee1e5c5a4 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Fri, 27 Nov 2020 17:05:03 +0100 Subject: [PATCH 10/22] Update Dockerfile.md --- Dockerfile.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.md b/Dockerfile.md index ff79277..1eed4e3 100644 --- a/Dockerfile.md +++ b/Dockerfile.md 
@@ -36,14 +36,14 @@ You can pull the image from dockerhub and run: docker run --rm -t drwetter/testssl.sh --fs example.com ``` -Tags supported are: ``3.1dev`` and ``latest`` are the same, i.e. is the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements over the released 3.0.X. +Supported tages are: ``3.1dev`` and ``latest`, which are the same, i.e. the rolling release. ``3.0`` is the latest stable version from git which might have a few improvements (see git log) over the released version 3.0.X. ``docker run --rm -t drwetter/testssl.sh:stable example.com``. -Keep in mind that any output file (--log, --html, --json etc.) will be created in the container. If you wish to have this created in a local directory you can mount a volume into the container and change the output prefix where the container user has write access to, e.g.: +Keep in mind that any output file (--log, --html, --json etc.) will be created within the container. If you wish to have this created in a local directory on your host you can mount a volume into the container and change the output prefix where the container user has write access to, e.g.: ``` docker run --rm -t -v /tmp:/data drwetter/testssl.sh --htmlfile /data/ example.com ``` -which writes the output to ``/tmp/example.com_p443--