Auto-generate docs from testssl.1.md [skip ci]

doc/testssl.1

@@ -50,9 +50,11 @@ of appearance):
 .IP " 0)" 4
 displays a banner (see below), does a DNS lookup also for further IP
 addresses and does for the returned IP address a reverse lookup.
+Also the so called DNS HTTPS record is being queried and displayed (for
+the first IP only).
 Last but not least a service check is being done.
 .IP " 1)" 4
-SSL/TLS protocol check
+SSL/TLS protocol check plus QUIC and ALPN check
 .IP " 2)" 4
 standard cipher categories
 .IP " 3)" 4
@@ -329,10 +331,11 @@ If you don\(cqt want this behavior, you need to supply \f[CR]\-4.\f[R]
 of the target won\(cqt be scanned.
 .PP
 \f[CR]\-\-ssl\-native\f[R] Instead of using a mixture of bash sockets
-and a few openssl s_client connects, testssl.sh uses the latter (almost)
-only.
-This is faster but provides less accurate results, especially for the
-client simulation and for cipher support.
+and a few \f[CR]openssl s_client connect\f[R]s, testssl.sh uses the
+latter (almost) only.
+This is faster but doesn\(cqt provides accurate results, especially for
+the client simulation and for cipher support.
+Thus this is not recommended anymore.
 For all checks you will see a warning if testssl.sh cannot tell if a
 particular check cannot be performed.
 For some checks however you might end up getting false negatives without
@@ -519,6 +522,9 @@ If a TLS\-1.3\-only host is encountered and the openssl\-bad version is
 used testssl.sh will e.g.\ for HTTP header checks switch to
 \f[CR]/usr/bin/openssl\f[R] (or when defined via ENV to OPENSSL2).
 Also this will be tried for the QUIC check.
+You will get an additional message if the DNS HTTPS Resource Record
+matches the QUIC finding.
+Also if there are negative consequences (h3 advertised but not offered).
 .PP
 \f[CR]\-P, \-\-server\-preference, \-\-preference\f[R] displays the
 servers preferences: cipher order, with used openssl client: negotiated
@@ -1422,6 +1428,9 @@ RFC 8701: Applying Generate Random Extensions And Sustain Extensibility
 .IP \(bu 2
 RFC 9000: QUIC: A UDP\-Based Multiplexed and Secure Transport
 .IP \(bu 2
+RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB
+and HTTPS Resource Records)
+.IP \(bu 2
 W3C CSP: Content Security Policy Level 1\-3
 .IP \(bu 2
 TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3

doc/testssl.1.html

@@ -84,9 +84,10 @@
         <ol start="0" type="1">
         <li><p>displays a banner (see below), does a DNS lookup also for
         further IP addresses and does for the returned IP address a
-        reverse lookup. Last but not least a service check is being
-        done.</p></li>
-        <li><p>SSL/TLS protocol check</p></li>
+        reverse lookup. Also the so called DNS HTTPS record is being
+        queried and displayed (for the first IP only). Last but not
+        least a service check is being done.</p></li>
+        <li><p>SSL/TLS protocol check plus QUIC and ALPN check</p></li>
         <li><p>standard cipher categories</p></li>
         <li><p>server’s cipher preferences (server order?)</p></li>
         <li><p>forward secrecy: ciphers and elliptical curves</p></li>
@@ -321,10 +322,11 @@
         <p><code>-4</code> scans only IPv4 addresses of the target, IPv6
         addresses of the target won’t be scanned.</p>
         <p><code>--ssl-native</code> Instead of using a mixture of bash
-        sockets and a few openssl s_client connects, testssl.sh uses the
-        latter (almost) only. This is faster but provides less accurate
-        results, especially for the client simulation and for cipher
-        support. For all checks you will see a warning if testssl.sh
+        sockets and a few <code>openssl s_client connect</code>s,
+        testssl.sh uses the latter (almost) only. This is faster but
+        doesn’t provides accurate results, especially for the client
+        simulation and for cipher support. Thus this is not recommended
+        anymore. For all checks you will see a warning if testssl.sh
         cannot tell if a particular check cannot be performed. For some
         checks however you might end up getting false negatives without
         a warning. Thus it is not recommended to use. It should only be
@@ -483,7 +485,9 @@
         the openssl-bad version is used testssl.sh will e.g. for HTTP
         header checks switch to <code>/usr/bin/openssl</code> (or when
         defined via ENV to OPENSSL2). Also this will be tried for the
-        QUIC check.</p>
+        QUIC check. You will get an additional message if the DNS HTTPS
+        Resource Record matches the QUIC finding. Also if there are
+        negative consequences (h3 advertised but not offered).</p>
         <p><code>-P, --server-preference, --preference</code> displays
         the servers preferences: cipher order, with used openssl client:
         negotiated protocol and cipher. If there’s a cipher order
@@ -1201,6 +1205,8 @@
         Extensibility (GREASE) to TLS Extensibility</li>
         <li>RFC 9000: QUIC: A UDP-Based Multiplexed and Secure
         Transport</li>
+        <li>RFC 9460: Service Binding and Parameter Specification via
+        the DNS (SVCB and HTTPS Resource Records)</li>
         <li>W3C CSP: Content Security Policy Level 1-3</li>
         <li>TLSWG Draft: The Transport Layer Security (TLS) Protocol
         Version 1.3</li>