Commit Graph

78 Commits

Author SHA1 Message Date
David Cooper
b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk
83d4075465 fixes for roff and html 2022-04-01 14:45:48 +02:00
Dirk
28085e5ec9 Implement fixes in documentation from #2074
kudos @k0lter

* numbering
* some ticks / backticks

For now I left the html and roff files like they were. That should be reconsidered
later.
2022-04-01 13:12:02 +02:00
enxio
cdf97f556a Changes reflecting PR #2214. 2022-03-02 15:48:08 +01:00
Dirk Wetter
da3520f8b2 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-01-31 11:05:52 +01:00
Dirk Wetter
1012a28958
again wide screen mode for HTML
see discussion on #2072
2021-12-27 17:09:59 +01:00
Emmanuel Bouthenot
6e050a780d Update doc for (manage)sieve protocol when used with STARTTLS 2021-12-20 17:20:01 +01:00
Dimitri Papadopoulos
fcb282e3c3
Typos found by codespell
Run codespell in CI
2021-09-14 13:33:39 +02:00
Dirk
15cfd849fe Replace --standard by --categories 2021-09-09 22:07:44 +02:00
Dirk
739f45015f Fix minor inconsistency in description of cipher categories
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.

This fixes that, including an addtion to the documentation.

Note: the help still lists "-s --std, --standard" as a cmd line
switch.
2021-09-08 08:46:47 +02:00
a1346054
6782e2a3b9 Fix spelling 2021-09-04 12:39:03 +00:00
Dirk Wetter
e1a43e6e16
Merge branch '3.1dev' into starttls_injection 2020-12-29 13:46:18 +01:00
tosticated
351f36c943 Changed parameter to --reqheader for custom HTTP headers. 2020-12-25 20:10:02 +01:00
tosticated
c1a565fad8 Custom HTTP request headers support added. Addresses #1770 2020-12-22 22:33:25 +01:00
Dirk Wetter
5c5c4dcd58 Merge branch '3.1dev' into starttls_smtp_injection
Resolving conflicts because of do_winshock
2020-11-26 10:45:02 +01:00
Dirk Wetter
9d0744e229 Introducing --overwrite option
Sometimes it is needed to overwrite existing output files.
This has been requested in the past (#927). For safety reasons
it was not implemented.

However I realized that it could be useful. It requires some
responsible usage though.

Code added, help() and manpages added -- warnings added too.
2020-11-13 16:05:53 +01:00
Klaus Eisentraut
d130d70e8b fix #1757: manpage: --c has one dash to much 2020-10-29 20:05:44 +01:00
Chad Brigance
4d6dba79e6 Update man pages and CHANGELOG 2020-10-19 07:32:41 +00:00
Dirk
7d8cf71a94 Further robustness check to winshock (#1719)
This commit adds

* a check for the elliptical curves
* and a check for TLS extensions

which will again reduces false positives.

Background:
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Extensions

Also:

* Docu phrased more precise (we're not checking ciphers and
  HTTP Server banner only
* As a last resort we also take 'Microsoft-HTTPAPI/2.0' as a server header on the HTTPS branch
  and query the HTTP branch for Microsoft-IIS/8.x.
* $EXPERIMENTAL overrides some banner and service related checks. So that e.g. SMTP servers can also
  be checked. Last but bot least ist's a vulnerability of the TLS stack.

For better debugging we'll keep the TLS extensions and offered curves in a file.
Also it adds a debug1() function which may be needed on other occasions.

Also the output is better coded as we put "check patches locally to confirm"
into a variable.

There's still room for improvement:

* More extensions (see https://raw.githubusercontent.com/cisco/joy/master/doc/using-joy-fingerprinting-00.pdf)
* We could need a separate determine_curves() function, see #1730 as otherwise
  we can't use the curves in a non-default run.
2020-09-22 13:04:18 +02:00
Dirk Wetter
1f8e65104c Add winshock to documentation 2020-09-08 22:08:05 +02:00
Dirk Wetter
35b79f65ee Add documentation for STARTTLS injection's cmd line flag
and also the modified one for ROBOT
2020-09-02 18:23:11 +02:00
Dirk Wetter
ecc6cd8160 Allow dir with PEM files for --add-CA
Idea which popped up while following #1700
2020-08-18 21:52:59 +02:00
Dirk Wetter
1d954233bd Document is in utf-8
See #1701
2020-08-13 20:43:54 +02:00
Dirk Wetter
953e1bd0ff Phrase --version & friends as standalone
This PR fixes #1671.

Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.

The documentation was also updated to reflect that.

(Some grammar and other errors which I stumbled over were corrected too)
2020-08-13 20:41:57 +02:00
David Cooper
5b17bbcf87 Add RFC 8701 to list of RFCs
This commit adds RFC 8701 to the list of RFCs in the documentation.
2020-08-03 11:14:10 -04:00
David Cooper
57c4913260 Update GREASE reference
The GEASE Internet Draft is now RFC 8701. This commit updates the references.
2020-08-03 10:43:15 -04:00
a1346054
5b44e43ec4
Fix grammar 2020-08-02 21:47:40 +00:00
Dirk Wetter
288223c707 Polish STARTTLS rating output
Moved the sentence ~i "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.

See also #1657
2020-06-25 20:47:51 +02:00
Dirk Wetter
b2d41330e0 port typo fixes to html and roff doc 2020-06-25 13:05:47 +02:00
Unit 193
871db32fb5 Fix a couple typos.
enviroment → environment
ususally → usually
2020-05-08 22:48:20 -04:00
Dirk
908975380d Amendment to "Relax the possible GPL license contradiction"
fix it also in the man pages. See #1590 / #1593
2020-05-06 09:17:42 +02:00
Dirk
381fdfa985 Fix typo in docs: Strong grade Ciphers / AEAD 2020-05-02 19:49:01 +02:00
Dirk
0e6fb44bd3 add xmpp-server 2020-05-01 18:31:35 +02:00
Dirk
ebe75252fa Merge branch '3.1dev' into magnuslarsen-grading_dev 2020-05-01 17:36:29 +02:00
Dirk Wetter
97ac4c452e Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-28 15:07:33 +02:00
Dirk Wetter
680aff48e4 Update documentation related to extended run_server_preference() 2020-04-27 17:19:30 +02:00
Dirk Wetter
a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
Dirk Wetter
8c466bf2ee Rename PFS/perfect forward secrecy to FS/forward secrecy
In all instances:

* command line (will break things)
* JSON IDs (will break things)
* in the documentation
* in the travis checks where used
* everywhere in the code: variables, functions, comments
2020-04-14 15:53:05 +02:00
Dirk Wetter
4603d924be Last fine tuning for http basic auth
* create roff file and HTML
* add hint to $ENV

Avoid 1x subshell

See #1451.
2020-01-16 14:29:53 +01:00
Dirk Wetter
c228b578dd Remove --warnings=false from documenation
... and reorder manpages also so that --warnings, --connect-timeout
and --openssl-timeout appear in the "input parameter" section.

The HTML manpage looks in the diff view quite different as previously
another computer was used for converting the source format with ronn(1).

The manpage in (g)roff format was manually edited with .RE / .RS
for provide indented bulletpoints.

See also #1419
2020-01-08 14:24:41 +01:00
Dirk
3fdb5617db --connect-timeout 2019-12-10 20:44:55 +01:00
Alexander Naumov
966b464802
--html option looks like all others 2019-11-13 21:23:33 +01:00
Dirk Wetter
15df3316c1 Formatting fixed 2019-05-05 15:07:55 +02:00
Dirk Wetter
19e9137f79 Add --vulnerabilities and LDAP constraints to documentation 2019-05-04 11:57:03 +02:00
Dirk
c9ec73bce8 Add documentation to #1245
it accepts a directory.

This PR adds documenation for it.
2019-04-25 22:40:32 +02:00
Dirk Wetter
e92b7326bc Extra warning for certificates >= 5yrs, italics handling for BSDs
This PR fixes #803 and emit an extra warning if the certificate
has a lifetime longer or equal of five years which happens often
on appliances with self signed certificates. (CAs do not offer
such a long certificate lifetime.) This was tested under Linux,
FreeBSD and OpenBSD. On the latter however we only check the
years as opposed to other OS where we have a finer granularity
(seconds).

On the screen there's only an output if the lifetime is too long,
using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod).

Also this PR changes the ID cert_expiration_status to cert_expirationStatus.

Older FreeBSD and OpenBSD can't deal with italics characters but it output
the escape codes which could result in a different markup. This PR detects
such OS and just doesn't dsiplay the escape sequence.

Also the manpage is reflecting the change and has updates in the server
defaults and standard cipher checks section.
2019-04-09 11:46:53 +02:00
Dirk
e29b1f40e6 Improve HTML-Formatting, minor additions
The HTML manual is now post processed through tidy
which removes the problem of ">" not HTML encoded.

--color 0 is now explicitly mentioned to avoid escaped codes in the
output.

Minor changes wrt certificate stores
2019-01-08 13:56:55 +01:00
Dirk
d10f66a4c5 Minor additions
1) add --add-ca option and remove eother references to ADDITIONAL_CA_FILES
2) add a paragraph 'TUNING OPTIONS'
3) add -iL as a n alternative to --file
2018-12-17 21:04:47 +01:00
Dirk
1416ff620b Major update, review
Review: grammar, spelling.  Errorneous and obsolete description.
        Some items reordered.

Updated: to reflect the current capabilities.

Moreover: (Almost) complete the tuning variables section.
2018-12-13 18:07:20 +01:00
Dirk
ab7ca281c0 Minor polishing 2018-12-07 14:35:49 +01:00