* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.
This fixes that, including an addtion to the documentation.
Note: the help still lists "-s --std, --standard" as a cmd line
switch.
Sometimes it is needed to overwrite existing output files.
This has been requested in the past (#927). For safety reasons
it was not implemented.
However I realized that it could be useful. It requires some
responsible usage though.
Code added, help() and manpages added -- warnings added too.
This commit adds
* a check for the elliptical curves
* and a check for TLS extensions
which will again reduces false positives.
Background:
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Extensions
Also:
* Docu phrased more precise (we're not checking ciphers and
HTTP Server banner only
* As a last resort we also take 'Microsoft-HTTPAPI/2.0' as a server header on the HTTPS branch
and query the HTTP branch for Microsoft-IIS/8.x.
* $EXPERIMENTAL overrides some banner and service related checks. So that e.g. SMTP servers can also
be checked. Last but bot least ist's a vulnerability of the TLS stack.
For better debugging we'll keep the TLS extensions and offered curves in a file.
Also it adds a debug1() function which may be needed on other occasions.
Also the output is better coded as we put "check patches locally to confirm"
into a variable.
There's still room for improvement:
* More extensions (see https://raw.githubusercontent.com/cisco/joy/master/doc/using-joy-fingerprinting-00.pdf)
* We could need a separate determine_curves() function, see #1730 as otherwise
we can't use the curves in a non-default run.
This PR fixes#1671.
Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.
The documentation was also updated to reflect that.
(Some grammar and other errors which I stumbled over were corrected too)
Moved the sentence ~i "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.
See also #1657
In all instances:
* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
... and reorder manpages also so that --warnings, --connect-timeout
and --openssl-timeout appear in the "input parameter" section.
The HTML manpage looks in the diff view quite different as previously
another computer was used for converting the source format with ronn(1).
The manpage in (g)roff format was manually edited with .RE / .RS
for provide indented bulletpoints.
See also #1419
Dirk
enxio
Emmanuel Bouthenot
David Cooper
Dimitri Papadopoulos
a1346054
tosticated
Klaus Eisentraut
Chad Brigance
Magnus Larsen
Magnus Larsen
Unit 193
manuel
Alexander Naumov