Commit Graph

77 Commits

Author SHA1 Message Date
Dirk 6ce0ad80e6 fit HTML man page to page width 2018-11-23 23:47:21 +01:00
Dirk f591126a1b Minor updates
added: client simulation, requirements.

Updated number of ciphers.
2018-11-12 21:36:43 +01:00
Dirk da233c939e RFC --> IANA
The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
2018-11-08 20:26:52 +01:00
Dirk 44570541c0 Tell which OpenSSL versions support IPv6 out of the box 2018-09-10 09:52:59 +02:00
Dirk 8d7dd663f9 Finalizing proxy support for OCSP checks
As mentioned in #1106 proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
2018-08-24 15:43:25 +02:00
Dirk 3fdcd034f3 Fine tuning of --outprefix
The standard separator after $FNAME_PREFIX is now '-'.
You can as well supply a different <fname_prefix> ending in '.', '_' or ',', then
no additional '-' will be appended.

Also a small bash function get_last_char() has been introduced which returns
the last char from a supplied string.
2018-08-23 11:40:50 +02:00
Dirk 5837e82c85 Supplying of both -6 and --ip=one results in picking an IPv6 address
... previously it depended on the order of DNS replies otherwise. This was
one outcome of discussion in #1026 where it seemed more logical
to pick an IPv6 address as opposed to an arbitrary (v4/v6) address.
2018-08-16 12:03:56 +02:00
Dirk 33cf1d524c Fine tuning of Jac2NL's commit of IDS evasion
Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This maybe
subject to reconsider at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
2018-06-26 13:04:30 +02:00
Dirk 87f0cda234 Fix #1071 : typos and link in docu 2018-06-25 18:31:55 +02:00
Dirk aa0f33e984 Update RFC section in ~/doc with soon to be TLS 1.3 RFC
See PR #1072, title taken from
https://github.com/ietf/draft-ietf-tls-tls13/blob/master/rfc8446.xml
(maybe subject to change).

Todo: Handle the obsoleted ones, maybe by adding "obsolete"
2018-06-20 09:41:51 +02:00
Dirk c3927d00c8 Document --phone-out 2018-04-27 21:37:44 +02:00
Dirk ddf5ff6bc9 Minor additions wrt --color=3 and fname prefix 2018-04-26 09:39:30 +02:00
Dirk e7619fa8d9 Documenting exit error codes improvements
See previous commit b2be380b54 and
issue #985 / #752.
2018-04-12 18:14:14 +02:00
Dirk 36247fecf2 fix no-DNS related error in documentation 2018-04-12 01:19:02 +02:00
Dirk 2a4de68c59 Merge branch 'nodns-935' into 2.9dev 2018-04-12 01:06:33 +02:00
Dirk 557942cb0a Change logic and add conservative value for -n/--nodns (#935)
This PR changes the logic the no-DNS switch works. The switch
now expects a value. "min" does minimum lookups, "none" does
no lookups at all (details see testssl.sh(1) ). "none" is
equivalent to the paranoid (boolean) value "true" before.
2018-04-12 00:19:52 +02:00
Karsten Weiss eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk eb3b3a1988 be more verbose what --warnings=batch means (see #1027) 2018-04-05 22:02:35 +02:00
Dirk 1924c9a0a6 Connectivity problems, man page update
See previous commit

This commit finally fixes #1005 so that either a --ssl-native scan
terminates on the next (defined) occasion if there are network connectivity
problems. It introduces another set of variables (MAX_OSSL_FAIL vs. NR_OSSL_FAIL).
As "openssl s_client connect" is sometimes still being used without --ssl-native
it also shortens the wait for regular scans if an outage is encountered.
To make things easier both sets (incl. *_SOCKET_FAIL) of variables are independent.

For the seldom case that somebody uses --ssl-native with client checks an exception
had to be made as otherwise only MAX_OSSL_FAIL client check would be performed.
This hasn't been understood yet...

As sometimes HTTP header requests (over OpenSSL) fail repeatedly in a way that an empty
reply is returned, the same strategy of detecting problems is applied here,
using MAX_HEADER_FAIL and NR_HEADER_FAIL.

All three detection mechanisms share a new function connectivity_problem().
2018-03-28 17:48:04 +02:00
Dirk 2e5dd0439a document variable for previous commit 080840f 2018-03-02 20:57:06 +01:00
Dirk b5fcc00031 reflect previous commit of changed treatment of --severity
... and some minor polishing
2018-03-01 15:13:55 +01:00
Dirk ba8d613aa5 Add documentation about the current and corrected exit codes 2018-02-14 23:40:08 +01:00
Dirk 01f7612bd0 add keys to server defaults, cert start/end time in GMT 2018-01-29 23:43:25 +01:00
Dirk 659a6176b6 Add TLS 1.3, better explanation for -6 2018-01-28 12:47:05 +01:00
Dirk 0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
Dirk 1488baeac5 Documentation of CA_BUNDLES_PATH
See also #941
2017-12-20 09:00:00 +01:00
Dirk 1984d7fc90 html version of man page added 2017-12-14 10:25:59 +01:00