Auto-generate docs from testssl.1.md [skip ci]

github-actions[bot]
2026-06-22 14:38:35 +00:00
parent 859d24df20
commit f284366aee
2 changed files with 28 additions and 13 deletions
+14 -5
@@ -50,9 +50,11 @@ of appearance):
.IP " 0)" 4 .IP " 0)" 4
displays a banner (see below), does a DNS lookup also for further IP displays a banner (see below), does a DNS lookup also for further IP
addresses and does for the returned IP address a reverse lookup. addresses and does for the returned IP address a reverse lookup.
Also the so called DNS HTTPS record is being queried and displayed (for
the first IP only).
Last but not least a service check is being done. Last but not least a service check is being done.
.IP " 1)" 4 .IP " 1)" 4
SSL/TLS protocol check SSL/TLS protocol check plus QUIC and ALPN check
.IP " 2)" 4 .IP " 2)" 4
standard cipher categories standard cipher categories
.IP " 3)" 4 .IP " 3)" 4
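Review bot: "(for the first IP only)" in the sentence added to item 0 is unclear, since an HTTPS record is looked up for a host name rather than for an IP address. State what is actually limited to the first IP (the query itself, or only the display when the target resolves to several addresses). As this file is generated, the wording has to change in testssl.1.md.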
@@ -329,10 +331,11 @@ If you don\(cqt want this behavior, you need to supply \f[CR]\-4.\f[R]
of the target won\(cqt be scanned. of the target won\(cqt be scanned.
.PP .PP
\f[CR]\-\-ssl\-native\f[R] Instead of using a mixture of bash sockets \f[CR]\-\-ssl\-native\f[R] Instead of using a mixture of bash sockets
and a few openssl s_client connects, testssl.sh uses the latter (almost) and a few \f[CR]openssl s_client connect\f[R]s, testssl.sh uses the
only. latter (almost) only.
This is faster but provides less accurate results, especially for the This is faster but doesn\(cqt provides accurate results, especially for
client simulation and for cipher support. the client simulation and for cipher support.
Thus this is not recommended anymore.
For all checks you will see a warning if testssl.sh cannot tell if a For all checks you will see a warning if testssl.sh cannot tell if a
particular check cannot be performed. particular check cannot be performed.
For some checks however you might end up getting false negatives without For some checks however you might end up getting false negatives without
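Review bot: The rewritten sentence "This is faster but doesn\(cqt provides accurate results" is ungrammatical; it should read "doesn't provide". It also turns the earlier "less accurate results" into a claim of no accurate results at all, so confirm that the stronger statement is intended.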
@@ -519,6 +522,9 @@ If a TLS\-1.3\-only host is encountered and the openssl\-bad version is
used testssl.sh will e.g.\ for HTTP header checks switch to used testssl.sh will e.g.\ for HTTP header checks switch to
\f[CR]/usr/bin/openssl\f[R] (or when defined via ENV to OPENSSL2). \f[CR]/usr/bin/openssl\f[R] (or when defined via ENV to OPENSSL2).
Also this will be tried for the QUIC check. Also this will be tried for the QUIC check.
You will get an additional message if the DNS HTTPS Resource Record
matches the QUIC finding.
Also if there are negative consequences (h3 advertised but not offered).
.PP .PP
\f[CR]\-P, \-\-server\-preference, \-\-preference\f[R] displays the \f[CR]\-P, \-\-server\-preference, \-\-preference\f[R] displays the
servers preferences: cipher order, with used openssl client: negotiated servers preferences: cipher order, with used openssl client: negotiated
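Review bot: "Also if there are negative consequences (h3 advertised but not offered)." is a sentence fragment and does not say who advertises h3 or what the user will see. Write it as a full sentence that names both sides, for example that a message is also shown when the DNS HTTPS record advertises h3 but the server does not offer QUIC, if that is the case meant.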
@@ -1422,6 +1428,9 @@ RFC 8701: Applying Generate Random Extensions And Sustain Extensibility
.IP \(bu 2 .IP \(bu 2
RFC 9000: QUIC: A UDP\-Based Multiplexed and Secure Transport RFC 9000: QUIC: A UDP\-Based Multiplexed and Secure Transport
.IP \(bu 2 .IP \(bu 2
RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB
and HTTPS Resource Records)
.IP \(bu 2
W3C CSP: Content Security Policy Level 1\-3 W3C CSP: Content Security Policy Level 1\-3
.IP \(bu 2 .IP \(bu 2
TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3 TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3
+14 -8
@@ -84,9 +84,10 @@
<ol start="0" type="1"> <ol start="0" type="1">
<li><p>displays a banner (see below), does a DNS lookup also for <li><p>displays a banner (see below), does a DNS lookup also for
further IP addresses and does for the returned IP address a further IP addresses and does for the returned IP address a
reverse lookup. Last but not least a service check is being reverse lookup. Also the so called DNS HTTPS record is being
done.</p></li> queried and displayed (for the first IP only). Last but not
<li><p>SSL/TLS protocol check</p></li> least a service check is being done.</p></li>
<li><p>SSL/TLS protocol check plus QUIC and ALPN check</p></li>
<li><p>standard cipher categories</p></li> <li><p>standard cipher categories</p></li>
<li><p>servers cipher preferences (server order?)</p></li> <li><p>servers cipher preferences (server order?)</p></li>
<li><p>forward secrecy: ciphers and elliptical curves</p></li> <li><p>forward secrecy: ciphers and elliptical curves</p></li>
@@ -321,10 +322,11 @@
<p><code>-4</code> scans only IPv4 addresses of the target, IPv6 <p><code>-4</code> scans only IPv4 addresses of the target, IPv6
addresses of the target wont be scanned.</p> addresses of the target wont be scanned.</p>
<p><code>--ssl-native</code> Instead of using a mixture of bash <p><code>--ssl-native</code> Instead of using a mixture of bash
sockets and a few openssl s_client connects, testssl.sh uses the sockets and a few <code>openssl s_client connect</code>s,
latter (almost) only. This is faster but provides less accurate testssl.sh uses the latter (almost) only. This is faster but
results, especially for the client simulation and for cipher doesnt provides accurate results, especially for the client
support. For all checks you will see a warning if testssl.sh simulation and for cipher support. Thus this is not recommended
anymore. For all checks you will see a warning if testssl.sh
cannot tell if a particular check cannot be performed. For some cannot tell if a particular check cannot be performed. For some
checks however you might end up getting false negatives without checks however you might end up getting false negatives without
a warning. Thus it is not recommended to use. It should only be a warning. Thus it is not recommended to use. It should only be
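Review bot: The added "Thus this is not recommended anymore." duplicates "Thus it is not recommended to use." a few lines further down in the same paragraph; keep one of them. Also, "<code>openssl s_client connect</code>s" leaves a plural s outside a code span that reads as a literal command; the previous plain text "openssl s_client connects", or "<code>openssl s_client</code> connects", would be clearer.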
@@ -483,7 +485,9 @@
the openssl-bad version is used testssl.sh will e.g. for HTTP the openssl-bad version is used testssl.sh will e.g. for HTTP
header checks switch to <code>/usr/bin/openssl</code> (or when header checks switch to <code>/usr/bin/openssl</code> (or when
defined via ENV to OPENSSL2). Also this will be tried for the defined via ENV to OPENSSL2). Also this will be tried for the
QUIC check.</p> QUIC check. You will get an additional message if the DNS HTTPS
Resource Record matches the QUIC finding. Also if there are
negative consequences (h3 advertised but not offered).</p>
<p><code>-P, --server-preference, --preference</code> displays <p><code>-P, --server-preference, --preference</code> displays
the servers preferences: cipher order, with used openssl client: the servers preferences: cipher order, with used openssl client:
negotiated protocol and cipher. If theres a cipher order negotiated protocol and cipher. If theres a cipher order
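Review bot: The record is called "DNS HTTPS Resource Record" in this added sentence but "so called DNS HTTPS record" in the list item changed earlier in this file. Use one term throughout, ideally matching the "HTTPS Resource Records" wording of the RFC 9460 entry this commit adds to the references.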
@@ -1201,6 +1205,8 @@
Extensibility (GREASE) to TLS Extensibility</li> Extensibility (GREASE) to TLS Extensibility</li>
<li>RFC 9000: QUIC: A UDP-Based Multiplexed and Secure <li>RFC 9000: QUIC: A UDP-Based Multiplexed and Secure
Transport</li> Transport</li>
<li>RFC 9460: Service Binding and Parameter Specification via
the DNS (SVCB and HTTPS Resource Records)</li>
<li>W3C CSP: Content Security Policy Level 1-3</li> <li>W3C CSP: Content Security Policy Level 1-3</li>
<li>TLSWG Draft: The Transport Layer Security (TLS) Protocol <li>TLSWG Draft: The Transport Layer Security (TLS) Protocol
Version 1.3</li> Version 1.3</li>