Mirror of https://github.com/drwetter/testssl.sh.git, synced 2024-12-28 04:19:44 +01:00
Add docu for #2497
parent 0d5bb1cd17
commit ed087197fe
@ -60,7 +60,7 @@ Options are either short or long options\. Any long or short option requiring a
.SS "INPUT PARAMETERS"
\fBURI\fR can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL\. IPv6 addresses need to be in square brackets\. For any given parameter port 443 is assumed unless specified by appending a colon and a port number\. The only preceding protocol specifier allowed is \fBhttps\fR\. You need to be aware that checks for an IP address might not hit the vhost you want\. DNS resolution (A/AAAA record) is being performed unless you have an \fB/etc/hosts\fR entry for the hostname\.
.P
\fB\-\-file <fname>\fR or the equivalent \fB\-iL <fname>\fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file <fname>\fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\.
\fB\-\-file <fname>\fR or the equivalent \fB\-iL <fname>\fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file <fname>\fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\.
.P
Alternatively \fBfname\fR can be in \fBnmap\fR's grep(p)able output format (\fB\-oG\fR)\. Only open ports will be considered\. Multiple ports per line are allowed\. The ports can be different and will be tested by testssl\.sh according to common practice in the internet, i\.e\. if nmap shows in its output an open port 25, automatically \fB\-t smtp\fR will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront\. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl\.sh\.
.P
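Review bot: The comma in the added roff line is written as `\,` (`\fB\-\-warnings batch\fR\, unless ...`), and in groff `\,` is the left-italic-correction escape, not a literal comma, so the rendered man page will swallow the comma. The rest of this file escapes only periods (`\.`), so use a plain `,` here and, for consistency with every other sentence on the line, escape the final period as `before\.`. While fixing that, name the option instead of paraphrasing it: `unless \fB\-\-warnings off\fR was given before`.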
@ -160,7 +160,7 @@ linked OpenSSL binaries for major operating systems are supplied in <code>./bin/
<p><code>URI</code> can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is <code>https</code>. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an <code>/etc/hosts</code> entry for the hostname.</p>
<p><code>--file <fname></code> or the equivalent <code>-iL <fname></code> are mass testing options. Per default it implicitly turns on <code>--warnings batch</code>. In its first incarnation the mass testing option reads command lines from <code>fname</code>. <code>fname</code> consists of command lines of testssl, one line per instance. Comments after <code>#</code> are ignored, <code>EOF</code> signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking <code>testssl.sh --wide --log --file <fname></code> . Each single line in <code>fname</code> is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.</p>
<p><code>--file <fname></code> or the equivalent <code>-iL <fname></code> are mass testing options. Per default it implicitly turns on <code>--warnings batch</code>, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from <code>fname</code>. <code>fname</code> consists of command lines of testssl, one line per instance. Comments after <code>#</code> are ignored, <code>EOF</code> signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking <code>testssl.sh --wide --log --file <fname></code> . Each single line in <code>fname</code> is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.</p>
<p>Alternatively <code>fname</code> can be in <code>nmap</code>'s grep(p)able output format (<code>-oG</code>). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically <code>-t smtp</code> will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.</p>
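Review bot: "unless warnings has been set to off before" in the added paragraph leaves the reader guessing what "before" and "warnings" refer to. Say which option and in which position: `--warnings off` given earlier on the command line, and, since the hunk below documents the `WARNINGS` environment variable as equivalent, whether `WARNINGS=off` in the environment also prevents `--file` from switching to batch mode. Suggested text: `By default it implicitly turns on <code>--warnings batch</code>, unless <code>--warnings off</code> (or <code>WARNINGS=off</code>) was set before.` If `--warnings off` placed after `--file` behaves differently, that ordering rule belongs here too rather than being left implicit.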
@ -193,7 +193,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<p><code>--reqheader <header></code> This can be used to add additional HTTP request headers in the correct format <code>Headername: headercontent</code>. This parameter can be called multiple times if required. For example: <code>--reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'</code>. REQHEADER is the corresponding environment variable.</p>
<p><code>--mtls <path_to_client_cert></code> This can be set to provide a file containing a client certificatete and a private key (not encrypted) in PEM format, which is used when a mutual TLS authentication is required by the remote server. MTLS is the is the equivalent environment variable.</p>
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
<p><code>-t <protocol>, --starttls <protocol></code> does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>, <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>sieve</code>, <code>xmpp-server</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with <code>--ssl-native</code>. <code>irc</code> is WIP.</p>
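Review bot: The `--mtls` paragraph in this hunk carries two typos that should be fixed while the file is being touched: "client certificatete" should read "client certificate", and "MTLS is the is the equivalent environment variable" has a duplicated "is the". "a mutual TLS authentication" also reads better without the article ("when mutual TLS authentication is required by the remote server"). Since this paragraph exists in the man page and markdown as well, apply the same fix in all three copies so they stay identical.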
@ -80,7 +80,7 @@ Options are either short or long options. Any long or short option requiring a v
`URI` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is `https`. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an `/etc/hosts` entry for the hostname.
`--file <fname>` or the equivalent `-iL <fname>` are mass testing options. Per default it implicitly turns on `--warnings batch`. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file <fname>` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.
`--file <fname>` or the equivalent `-iL <fname>` are mass testing options. Per default it implicitly turns on `--warnings batch`, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file <fname>` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.
Alternatively `fname` can be in `nmap`'s grep(p)able output format (`-oG`). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically `-t smtp` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.
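Review bot: The modified markdown line keeps several pre-existing defects that are cheap to fix now that it is being rewritten: "EOF signals the end of fname any subsequent lines will be ignored too" needs punctuation between the two clauses ("`EOF` signals the end of fname; any subsequent lines will be ignored too"), "e.g. When invoking" has a stray capital mid-sentence, and "Per default" should be "By default". The same paragraph appears word-for-word in the roff and HTML hunks of this commit, so whichever wording is chosen here should be propagated to both, ideally by regenerating them from this markdown rather than editing each copy by hand.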