mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
Documenting exit error codes improvements
See previous commit b2be380b54
and
issue #985 / #752.
This commit is contained in:
parent
b2be380b54
commit
e7619fa8d9
@ -148,14 +148,12 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
|
|||||||
.P
|
.P
|
||||||
\fB\-\-assuming\-http\fR testssl\.sh does upfront an application protocol detection\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
\fB\-\-assuming\-http\fR testssl\.sh does upfront an application protocol detection\. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option\. It tells testssl\.sh not to skip HTTP specific tests and to run the client simulation with browsers\. Sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.P
|
||||||
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the enviroment variable for this\.
|
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the enviroment variable for this\.
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.P
|
||||||
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
||||||
.
|
.
|
||||||
.IP "" 0
|
|
||||||
.
|
|
||||||
.SS "SINGLE CHECK OPTIONS"
|
.SS "SINGLE CHECK OPTIONS"
|
||||||
Any single check switch supplied as an argument prevents testssl\.sh from doing a default run\. It just takes this and if supplied other options and runs them \- in the order they would also appear in the default run\.
|
Any single check switch supplied as an argument prevents testssl\.sh from doing a default run\. It just takes this and if supplied other options and runs them \- in the order they would also appear in the default run\.
|
||||||
.
|
.
|
||||||
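Review bot: the `.IP "\(bu" 4` markers in front of the `--nodns` and `--sneaky` entries become `.P`, and the closing `.IP "" 0` is dropped with them, so the section now ends with a plain paragraph running straight into `.SS "SINGLE CHECK OPTIONS"`; that is valid roff (`.SS` resets the indent), and it makes these two entries match the `--assuming-http` entry above them, which was already a `.P`, but please check the rendered page to confirm all three now sit at the same indent level. Since the same change appears in the `.md` and `.html` hunks on this page, this file looks generated from the markdown; if so, regenerate it rather than hand-edit so the three stay identical. Two typos in the unchanged `--nodns` text would be worth fixing in the same pass: "some pentestsi" should be "some pentests" and "enviroment variable" should be "environment variable".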
@ -684,22 +682,43 @@ TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1\.3
|
|||||||
50\-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools
|
50\-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
245 no bash used
|
242 (ERR_CHILD) Child received a signal from master
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
249 temp file creation problem
|
244 (ERR_RESOURCE) Resources testssl\.sh needs couldn\'t be read
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
251 feature not yet supported
|
245 (ERR_CLUELESS) Weird state, either though user options or testssl\.sh
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
252 no DNS resolver found or not executable / proxy couldn\'t be determined from given values / \-xmpphost supplied but OPENSSL too old
|
246 (ERR_CONNECT) Connectivity problem
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
253 no SSL/TLS enabled server / OPENSSL too old / couldn\'t connect to proxy / couldn\'t connect via STARTTLS
|
247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names
|
||||||
.
|
.
|
||||||
.IP "\(bu" 4
|
.IP "\(bu" 4
|
||||||
254 no OPENSSL found or not executable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable
|
248 (ERR_OTHERCLIENT) Other client problem
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
249 (ERR_DNSBIN) Problem with DNS lookup binaries
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
250 (ERR_OSSLBIN) Problem with OpenSSL binary
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
251 (ERR_NOSUPPORT) Feature requested is not supported
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
252 (ERR_FNAMEPARSE) Input file couldn\'t be parsed
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
253 (ERR_FCREATE) Output file couldn\'t be created
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
254 (ERR_CMDLINE) Cmd line couldn\'t be parsed
|
||||||
|
.
|
||||||
|
.IP "\(bu" 4
|
||||||
|
255 (ERR_BASH ) Bash version incorrect
|
||||||
.
|
.
|
||||||
.IP "" 0
|
.IP "" 0
|
||||||
.
|
.
|
||||||
|
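Review bot: two wording defects in the new entries: `245 (ERR_CLUELESS) Weird state, either though user options or testssl\.sh` should read "either through user options or testssl.sh", and `255 (ERR_BASH ) Bash version incorrect` has a stray space before the closing parenthesis. The list also jumps from 242 to 244 with no entry for 243; if that code is unassigned or reserved, say so, since monitoring and CI wrappers compare `$?` against this table and an undocumented value is ambiguous to them. The unchanged line `50\-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools` would read better as "for system monitoring or CI tools".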
@ -196,13 +196,11 @@ host.example.com:631
|
|||||||
|
|
||||||
<p><code>--assuming-http</code> testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
<p><code>--assuming-http</code> testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
||||||
|
|
||||||
<ul>
|
<p><code>-n, --nodns <min|none></code> tells testssl.sh which DNS lookups should be performed. <code>min</code> uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. <code>none</code> performs no
|
||||||
<li><p><code>-n, --nodns <min|none></code> tells testssl.sh which DNS lookups should be performed. <code>min</code> uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. <code>none</code> performs no
|
|
||||||
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
|
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
|
||||||
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the enviroment variable for this.</p></li>
|
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the enviroment variable for this.</p>
|
||||||
<li><p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p></li>
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
|
<p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
|
||||||
|
|
||||||
<h3 id="SINGLE-CHECK-OPTIONS">SINGLE CHECK OPTIONS</h3>
|
<h3 id="SINGLE-CHECK-OPTIONS">SINGLE CHECK OPTIONS</h3>
|
||||||
|
|
||||||
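Review bot: the removed `<ul>` and `</ul>` both lie inside this hunk, so the markup stays balanced after the `<li><p>…</p></li>` wrappers around `--nodns` and `--sneaky` are replaced by bare `<p>` elements, which matches how `--assuming-http` was already marked up. The `--sneaky` paragraph moves from before `</ul>` to after the blank lines that follow it, which keeps the order of the three options unchanged. The same unchanged typos as in the roff hunk ("pentestsi", "enviroment") are carried over here and should be fixed at the markdown source and regenerated.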
@ -516,12 +514,19 @@ to create the hashes for HPKP.</li>
|
|||||||
<li>1 testssl.sh has encountered exactly one ambiguous situation or an error during run</li>
|
<li>1 testssl.sh has encountered exactly one ambiguous situation or an error during run</li>
|
||||||
<li>1+n same as previous. The errors or ambiguous results are added, also per IP.</li>
|
<li>1+n same as previous. The errors or ambiguous results are added, also per IP.</li>
|
||||||
<li>50-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools</li>
|
<li>50-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools</li>
|
||||||
<li>245 no bash used</li>
|
<li>242 (ERR_CHILD) Child received a signal from master</li>
|
||||||
<li>249 temp file creation problem</li>
|
<li>244 (ERR_RESOURCE) Resources testssl.sh needs couldn't be read</li>
|
||||||
<li>251 feature not yet supported</li>
|
<li>245 (ERR_CLUELESS) Weird state, either though user options or testssl.sh</li>
|
||||||
<li>252 no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old</li>
|
<li>246 (ERR_CONNECT) Connectivity problem</li>
|
||||||
<li>253 no SSL/TLS enabled server / OPENSSL too old / couldn't connect to proxy / couldn't connect via STARTTLS</li>
|
<li>247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names</li>
|
||||||
<li>254 no OPENSSL found or not executable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable</li>
|
<li>248 (ERR_OTHERCLIENT) Other client problem</li>
|
||||||
|
<li>249 (ERR_DNSBIN) Problem with DNS lookup binaries</li>
|
||||||
|
<li>250 (ERR_OSSLBIN) Problem with OpenSSL binary</li>
|
||||||
|
<li>251 (ERR_NOSUPPORT) Feature requested is not supported</li>
|
||||||
|
<li>252 (ERR_FNAMEPARSE) Input file couldn't be parsed</li>
|
||||||
|
<li>253 (ERR_FCREATE) Output file couldn't be created</li>
|
||||||
|
<li>254 (ERR_CMDLINE) Cmd line couldn't be parsed</li>
|
||||||
|
<li>255 (ERR_BASH ) Bash version incorrect</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
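Review bot: the new `<li>` entries carry the same two defects as the roff list on this page: "either though user options" in the 245 entry should be "either through user options", and `(ERR_BASH )` in the 255 entry has a stray space. 243 is likewise missing between 242 and 244; document it or mark it as unused so consumers of the exit status know what to expect. Fix these in the markdown source and regenerate rather than patching the HTML directly.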
@ -119,11 +119,11 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
|
|||||||
|
|
||||||
`--assuming-http` testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
`--assuming-http` testssl.sh does upfront an application protocol detection. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It tells testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
||||||
|
|
||||||
* `-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no
|
`-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no
|
||||||
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
|
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
|
||||||
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this.
|
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this.
|
||||||
|
|
||||||
* `--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
`--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
||||||
|
|
||||||
|
|
||||||
### SINGLE CHECK OPTIONS
|
### SINGLE CHECK OPTIONS
|
||||||
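Review bot: dropping the leading `* ` from the `-n, --nodns` and `--sneaky` entries makes them plain paragraphs like `--assuming-http`; the two hard-wrapped continuation lines of the `--nodns` paragraph ("DNS lookups at all…" and "in /etc/hosts…") still join into one paragraph in markdown, so no further change is needed there. Please confirm that the `--file`/`fname` entry in this hunk's context uses the same non-bulleted style, so the whole option section is uniform. This file is the source for the roff and HTML versions, so the typos "pentestsi", "enviroment" and "a HTTP user agent" (should be "an HTTP user agent") should be fixed here first.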
@ -441,13 +441,19 @@ does the same on the plain text IMAP port. Please note that for plain TLS-encryp
|
|||||||
* 1 testssl.sh has encountered exactly one ambiguous situation or an error during run
|
* 1 testssl.sh has encountered exactly one ambiguous situation or an error during run
|
||||||
* 1+n same as previous. The errors or ambiguous results are added, also per IP.
|
* 1+n same as previous. The errors or ambiguous results are added, also per IP.
|
||||||
* 50-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools
|
* 50-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools
|
||||||
* 245 no bash used
|
* 242 (ERR_CHILD) Child received a signal from master
|
||||||
* 249 temp file creation problem
|
* 244 (ERR_RESOURCE) Resources testssl.sh needs couldn't be read
|
||||||
* 251 feature not yet supported
|
* 245 (ERR_CLUELESS) Weird state, either though user options or testssl.sh
|
||||||
* 252 no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old
|
* 246 (ERR_CONNECT) Connectivity problem
|
||||||
* 253 no SSL/TLS enabled server / OPENSSL too old / couldn't connect to proxy / couldn't connect via STARTTLS
|
* 247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names
|
||||||
* 254 no OPENSSL found or not executable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable
|
* 248 (ERR_OTHERCLIENT) Other client problem
|
||||||
|
* 249 (ERR_DNSBIN) Problem with DNS lookup binaries
|
||||||
|
* 250 (ERR_OSSLBIN) Problem with OpenSSL binary
|
||||||
|
* 251 (ERR_NOSUPPORT) Feature requested is not supported
|
||||||
|
* 252 (ERR_FNAMEPARSE) Input file couldn't be parsed
|
||||||
|
* 253 (ERR_FCREATE) Output file couldn't be created
|
||||||
|
* 254 (ERR_CMDLINE) Cmd line couldn't be parsed
|
||||||
|
* 255 (ERR_BASH ) Bash version incorrect
|
||||||
|
|
||||||
## FILES
|
## FILES
|
||||||
|
|
||||||
|
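Review bot: this is the source list for the roff and HTML exit-code tables, so fix "either though user options" to "either through user options" in the 245 entry and `(ERR_BASH )` to `(ERR_BASH)` in the 255 entry here and regenerate the other two. Consider adding an entry for 243, or stating that it is unassigned, since the list goes 242, 244, 245 and scripts that branch on the exit status have no way to tell whether 243 is reserved. The unchanged line "50-200 reserved for returning a vulnerability scoring for system monitoring or a CI tools" should drop the "a" before "CI tools".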