From ed087197fe9357eb84e884fe720c35dd394c292c Mon Sep 17 00:00:00 2001
From: Dirk
Date: Fri, 24 May 2024 14:00:59 +0200
Subject: [PATCH] Add docu for #2497

---
 doc/testssl.1      | 2 +-
 doc/testssl.1.html | 4 ++--
 doc/testssl.1.md   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/testssl.1 b/doc/testssl.1
index 7d01acb..c192cb3 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -60,7 +60,7 @@ Options are either short or long options\. Any long or short option requiring a .SS "INPUT PARAMETERS" \fBURI\fR can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL\. IPv6 addresses need to be in square brackets\. For any given parameter port 443 is assumed unless specified by appending a colon and a port number\. The only preceding protocol specifier allowed is \fBhttps\fR\. You need to be aware that checks for an IP address might not hit the vhost you want\. DNS resolution (A/AAAA record) is being performed unless you have an \fB/etc/hosts\fR entry for the hostname\. .P -\fB\-\-file \fR or the equivalent \fB\-iL \fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file \fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\. +\fB\-\-file \fR or the equivalent \fB\-iL \fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. 
You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file \fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\. .P Alternatively \fBfname\fR can be in \fBnmap\fR's grep(p)able output format (\fB\-oG\fR)\. Only open ports will be considered\. Multiple ports per line are allowed\. The ports can be different and will be tested by testssl\.sh according to common practice in the internet, i\.e\. if nmap shows in its output an open port 25, automatically \fB\-t smtp\fR will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront\. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl\.sh\. .P diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 05dc144..17a8ddf 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -160,7 +160,7 @@ linked OpenSSL binaries for major operating systems are supplied in ./bin/

URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an /etc/hosts entry for the hostname.

-

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking testssl.sh --wide --log --file <fname> . Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.

+

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking testssl.sh --wide --log --file <fname> . Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.

Alternatively fname can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.

@@ -193,7 +193,7 @@ The same can be achieved by setting the environment variable WARNINGS--reqheader <header> This can be used to add additional HTTP request headers in the correct format Headername: headercontent. This parameter can be called multiple times if required. For example: --reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'. REQHEADER is the corresponding environment variable.

--mtls <path_to_client_cert> This can be set to provide a file containing a client certificatete and a private key (not encrypted) in PEM format, which is used when a mutual TLS authentication is required by the remote server. MTLS is the is the equivalent environment variable.

- +

SPECIAL INVOCATIONS

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, sieve, xmpp-server, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, IRC currently only works with --ssl-native. irc is WIP.
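Review bot: the second hunk in doc/testssl.1.html (@@ -193,7 +193,7) has no visible connection to #2497: the only changed lines show up as an empty removed/added pair between the `--mtls` paragraph and SPECIAL INVOCATIONS, with no textual difference in the surrounding context, which points to a whitespace or markup-only change. Either mention it in the commit message or drop it from this patch. Since the file is being touched anyway, the context lines of this hunk also show two pre-existing typos worth fixing at the source in doc/testssl.1.md: "client certificatete" and "MTLS is the is the equivalent environment variable".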

diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 2459d48..65c1df9 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -80,7 +80,7 @@ Options are either short or long options. Any long or short option requiring a v `URI` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is `https`. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an `/etc/hosts` entry for the hostname. -`--file ` or the equivalent `-iL ` are mass testing options. Per default it implicitly turns on `--warnings batch`. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file ` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned. +`--file ` or the equivalent `-iL ` are mass testing options. Per default it implicitly turns on `--warnings batch`, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file ` . 
Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned. Alternatively `fname` can be in `nmap`'s grep(p)able output format (`-oG`). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically `-t smtp` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.
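Review bot: in the doc/testssl.1 hunk (@@ -60,7 +60,7) the added text `\fB\-\-warnings batch\fR\, unless warnings has been set to off before.` has two troff problems. `\,` is the groff left-italic-correction escape, a zero-width construct, so the comma will not be rendered at all; it should read `\fR, unless`. And the sentence ends in a bare `.` while every other period in this file is escaped as `\.` (the file is ronn output of doc/testssl.1.md, see the surrounding `\.` and `.P` lines). Rather than hand-editing the generated man page, regenerate it from the markdown so the escaping stays consistent.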
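Review bot: in the doc/testssl.1.md hunk (@@ -80,7 +80,7), "unless warnings has been set to off before" should name the option it refers to, formatted the same way as the `--warnings batch` immediately before it: e.g. "unless `--warnings off` was given earlier on the command line". Since this markdown is the source the man page and the HTML are generated from, the wording and formatting fix should land here and the other two files be regenerated rather than edited in parallel.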