diff --git a/doc/testssl.1 b/doc/testssl.1 index f0a0a58..1a7c5f2 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -50,9 +50,11 @@ of appearance): .IP " 0)" 4 displays a banner (see below), does a DNS lookup also for further IP addresses and does for the returned IP address a reverse lookup. +Also the so called DNS HTTPS record is being queried and displayed (for +the first IP only). Last but not least a service check is being done. .IP " 1)" 4 -SSL/TLS protocol check +SSL/TLS protocol check plus QUIC and ALPN check .IP " 2)" 4 standard cipher categories .IP " 3)" 4 @@ -329,10 +331,11 @@ If you don\(cqt want this behavior, you need to supply \f[CR]\-4.\f[R] of the target won\(cqt be scanned. .PP \f[CR]\-\-ssl\-native\f[R] Instead of using a mixture of bash sockets -and a few openssl s_client connects, testssl.sh uses the latter (almost) -only. -This is faster but provides less accurate results, especially for the -client simulation and for cipher support. +and a few \f[CR]openssl s_client connect\f[R]s, testssl.sh uses the +latter (almost) only. +This is faster but doesn\(cqt provides accurate results, especially for +the client simulation and for cipher support. +Thus this is not recommended anymore. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without @@ -519,6 +522,9 @@ If a TLS\-1.3\-only host is encountered and the openssl\-bad version is used testssl.sh will e.g.\ for HTTP header checks switch to \f[CR]/usr/bin/openssl\f[R] (or when defined via ENV to OPENSSL2). Also this will be tried for the QUIC check. +You will get an additional message if the DNS HTTPS Resource Record +matches the QUIC finding. +Also if there are negative consequences (h3 advertised but not offered). .PP \f[CR]\-P, \-\-server\-preference, \-\-preference\f[R] displays the servers preferences: cipher order, with used openssl client: negotiated 
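Review bot: in the @@ -50,9 +50,11 @@ hunk the added sentence "Also the so called DNS HTTPS record is being queried and displayed (for the first IP only)." should read "so-called" and "is queried"; and since an HTTPS resource record is looked up by the target's host name, not per address, "(for the first IP only)" reads as if each IP had its own record. Saying that the record is shown once, together with the first IP, would be clearer. Naming it "the DNS HTTPS resource record (RFC 9460)" here would also match the reference this patch adds to the RFC list further down.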
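Review bot: in the @@ -329,10 +331,11 @@ hunk, "This is faster but doesn't provides accurate results" is ungrammatical; either "doesn't provide accurate results" or the previous "provides less accurate results" (the more defensible claim, since the mode still produces results, just less reliable ones for the client simulation and cipher checks). The new sentence "Thus this is not recommended anymore." also duplicates "Thus it is not recommended to use.", which the corresponding hunk in testssl.1.html shows is still present a few lines later in unchanged text; keep one of the two. Finally, \f[CR]openssl s_client connect\f[R]s leaves the plural "s" outside the code span, so it renders as a code word with a stray letter attached; \f[CR]openssl s_client\f[R] connects avoids that.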
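Review bot: in the @@ -519,6 +522,9 @@ hunk, "Also if there are negative consequences (h3 advertised but not offered)." is a sentence fragment and does not say what the user will see. Spell out the condition and the kind of message, for example: "A warning is shown when the DNS HTTPS record advertises h3 but the host does not offer QUIC." Likewise "if the DNS HTTPS Resource Record matches the QUIC finding" should state what is compared (presumably the record's alpn parameter against the QUIC/h3 result of the check), so the reader knows which mismatch triggers the message.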
@@ -1422,6 +1428,9 @@ RFC 8701: Applying Generate Random Extensions And Sustain Extensibility .IP \(bu 2 RFC 9000: QUIC: A UDP\-Based Multiplexed and Secure Transport .IP \(bu 2 +RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB +and HTTPS Resource Records) +.IP \(bu 2 W3C CSP: Content Security Policy Level 1\-3 .IP \(bu 2 TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3 diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 347a120..06a0010 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -84,9 +84,10 @@
displays a banner (see below), does a DNS lookup also for further IP addresses and does for the returned IP address a - reverse lookup. Last but not least a service check is being - done.
SSL/TLS protocol check
SSL/TLS protocol check plus QUIC and ALPN check
standard cipher categories
server’s cipher preferences (server order?)
forward secrecy: ciphers and elliptical curves
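Review bot: this hunk of testssl.1.html shows the removed lines for the section 0) entry ("- reverse lookup. Last but not least a service check is being / - done.") but no added line carrying the DNS HTTPS record sentence that the testssl.1 hunk introduces, so the generated HTML may be out of sync with the man page source. Please regenerate it from the same source and confirm the new sentence appears here too, with "so-called" and "is queried" rather than "so called" and "is being queried".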
-4 scans only IPv4 addresses of the target, IPv6
addresses of the target won’t be scanned.
--ssl-native Instead of using a mixture of bash
- sockets and a few openssl s_client connects, testssl.sh uses the
- latter (almost) only. This is faster but provides less accurate
- results, especially for the client simulation and for cipher
- support. For all checks you will see a warning if testssl.sh
+ sockets and a few openssl s_client connects,
+ testssl.sh uses the latter (almost) only. This is faster but
+ doesn’t provides accurate results, especially for the client
+ simulation and for cipher support. Thus this is not recommended
+ anymore. For all checks you will see a warning if testssl.sh
cannot tell if a particular check cannot be performed. For some
checks however you might end up getting false negatives without
a warning. Thus it is not recommended to use. It should only be
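Review bot: the --ssl-native hunk in testssl.1.html repeats the man page's grammar slip, "This is faster but doesn't provides accurate results"; use "doesn't provide" (or keep the previous "provides less accurate results"). The newly added "Thus this is not recommended anymore." also sits three lines above the unchanged "Thus it is not recommended to use.", so the paragraph now says the same thing twice; drop one of them in both testssl.1 and testssl.1.html.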
@@ -483,7 +485,9 @@
the openssl-bad version is used testssl.sh will e.g. for HTTP
header checks switch to /usr/bin/openssl (or when
defined via ENV to OPENSSL2). Also this will be tried for the
- QUIC check.
-P, --server-preference, --preference displays
the servers preferences: cipher order, with used openssl client:
negotiated protocol and cipher. If there’s a cipher order
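Review bot: the @@ -483,7 +485,9 @@ hunk shows only the removed line "- QUIC check." while the line counts imply three added lines that are not visible here, so the HTML cannot be checked against the man page. When regenerating, make sure the fragment "Also if there are negative consequences (h3 advertised but not offered)." from the testssl.1 hunk is turned into a full sentence that names the condition and the message, e.g. "A warning is shown when the DNS HTTPS record advertises h3 but the host does not offer QUIC.", in both files.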
@@ -1201,6 +1205,8 @@
Extensibility (GREASE) to TLS Extensibility