mirror of https://github.com/drwetter/testssl.sh.git synced 2025-02-25 09:01:16 +01:00
Commit Graph

77 Commits

Author SHA1 Message Date
Dirk
6ce0ad80e6 fit HTML man page to page width 2018-11-23 23:47:21 +01:00
Dirk
f591126a1b Minor updates
added: client simulation, requirements.

Updated number of ciphers.
2018-11-12 21:36:43 +01:00
Dirk
da233c939e RFC --> IANA
The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
2018-11-08 20:26:52 +01:00
Dirk
44570541c0 Tell which OpenSSL versions support IPv6 out of the box 2018-09-10 09:52:59 +02:00
Dirk
8d7dd663f9 Finalizing proxy support for OCSP checks
As mentioned in  proxying ocsp protocol doesn't work (yet)
This commit notifies the user that it is not possible. One
can ignore that and try by supplying IGN_OCSP_PROXY=true.

It also fixes a typo I probably introduced (pVULN_THRESHLD).
2018-08-24 15:43:25 +02:00
Dirk
3fdcd034f3 Fine tuning of --outprefix
The standard separator after $FNAME_PREFIX is now '-'.
You can as well supply a different <fname_prefix> ending in '.', '_' or ',', then
no additional '-' will be appended.

Also a small bash function get_last_char() has been introduced which returns
the last char from a supplied string.
2018-08-23 11:40:50 +02:00
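The separator rule from the commit message above, as an added example in bash; this is not testssl.sh's own code. The function names get_last_char() and build_outfile_name() and the sample prefixes are assumptions made for the illustration; the rule itself (append '-' after <fname_prefix> unless it already ends in '.', '_' or ',') is the one the commit describes.

```shell
#!/bin/sh
# Added example, not code from testssl.sh. Function names and sample
# prefixes are assumptions; the separator rule is the one described above.

# Return the last character of the supplied string (empty string -> empty).
# POSIX parameter expansion: strip everything but the last char.
get_last_char() {
    s="$1"
    printf '%s' "${s#"${s%?}"}"
}

# Build an output file name from <fname_prefix> and the host-specific part.
# The standard separator is '-'; it is omitted when the prefix already
# ends in '.', '_' or ','.
build_outfile_name() {
    prefix="$1"
    rest="$2"
    sep="-"
    case "$(get_last_char "$prefix")" in
        .|_|,) sep="" ;;
    esac
    printf '%s%s%s' "$prefix" "$sep" "$rest"
}

# Demo with constructed prefixes and a constructed host-specific suffix.
for p in myscan myscan_ myscan. myscan,; do
    build_outfile_name "$p" "example.com_p443-20180823-1140.json"
    printf '\n'
done
```

Running the block prints four names; only the first one gets the extra '-', the other three keep the trailing character of the prefix as the separator.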
Dirk
5837e82c85 Supplying of both -6 and --ip=one results in picking an IPv6 address
... previously it depended on the order of DNS replies otherwise. This was
one outcome of discussion in  where it seemed more logical
to pick an IPv6 address as opposed to an arbitrary (v4/v6) address.
2018-08-16 12:03:56 +02:00
Dirk
33cf1d524c Fine tuning of Jac2NL's commit of IDS evasion
Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This may be
subject to reconsideration at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
2018-06-26 13:04:30 +02:00
Dirk
87f0cda234 Fix : typos and link in docu 2018-06-25 18:31:55 +02:00
Dirk
aa0f33e984 Update RFC section in ~/doc with soon to be TLS 1.3 RFC
See PR , title taken from
https://github.com/ietf/draft-ietf-tls-tls13/blob/master/rfc8446.xml
(maybe subject to change).

Todo: Handle the obsoleted ones, maybe by adding "obsolete"
2018-06-20 09:41:51 +02:00
Dirk
c3927d00c8 Document --phone-out 2018-04-27 21:37:44 +02:00
Dirk
ddf5ff6bc9 Minor additions wrt --color=3 and fname prefix 2018-04-26 09:39:30 +02:00
Dirk
e7619fa8d9 Documenting exit error codes improvements
See previous commit b2be380b54 and
issue  / .
2018-04-12 18:14:14 +02:00
Dirk
36247fecf2 fix no-DNS related error in documentation 2018-04-12 01:19:02 +02:00
Dirk
2a4de68c59 Merge branch 'nodns-935' into 2.9dev 2018-04-12 01:06:33 +02:00
Dirk
557942cb0a Change logic and add conservative value for -n/--nodns ()
This PR changes the logic the no-DNS switch works. The switch
now expects a value. "min" does minimum lookups, "none" does
no lookups at all (details see testssl.sh(1) ). "none" is
equivalent to the paranoid (boolean) value "true" before.
2018-04-12 00:19:52 +02:00
Karsten Weiss
eead9f62d9 Fix typos found by codespell 2018-04-10 17:37:04 +02:00
Dirk
eb3b3a1988 be more verbose what --warnings=batch means (see ) 2018-04-05 22:02:35 +02:00
Dirk
1924c9a0a6 Connectivity problems, man page update
See previous commit

This commit finally fixes  so that either a --ssl-native scan
terminates on the next (defined) occasion if there are network connectivity
problems. It introduces another set of variables (MAX_OSSL_FAIL vs. NR_OSSL_FAIL).
As "openssl s_client connect" is sometimes still being used without --ssl-native
it also shortens the wait for regular scans if an outage is encountered.
To make things easier both sets (incl. *_SOCKET_FAIL) of variables are independent.

For the seldom case that somebody uses --ssl-native with client checks an exception
had to be made as otherwise only MAX_OSSL_FAIL client check would be performed.
This hasn't been understood yet...

As sometimes HTTP header requests (over OpenSSL) fail repeatedly in a way that an empty
reply is returned, the same strategy of detecting problems is applied here,
using MAX_HEADER_FAIL and NR_HEADER_FAIL.

All three detection mechanisms share a new function connectivity_problem().
2018-03-28 17:48:04 +02:00
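A sketch of the fail-counter approach the commit message describes, as an added example in POSIX shell; it is not testssl.sh's own implementation. The variable names MAX_OSSL_FAIL, NR_OSSL_FAIL, MAX_HEADER_FAIL and NR_HEADER_FAIL and the function name connectivity_problem() are taken from the commit message; the limits chosen, the helper scan_step(), reset_fail_counters() and the simulated sequence of connection outcomes are assumptions.

```shell
#!/bin/sh
# Added example, not code from testssl.sh. Variable and function names
# follow the commit message; limits, helpers and the simulated outcomes
# are assumptions made for the illustration.

MAX_OSSL_FAIL=2      # assumed limit for "openssl s_client -connect" failures
MAX_HEADER_FAIL=3    # assumed limit for empty HTTP header replies
NR_OSSL_FAIL=0
NR_HEADER_FAIL=0

reset_fail_counters() {
    NR_OSSL_FAIL=0
    NR_HEADER_FAIL=0
}

# Record one failure of the given kind ("ossl" or "header") and return 1
# once that kind's limit is reached. The two counters are independent:
# OpenSSL connect failures never count against header fetches and vice versa.
connectivity_problem() {
    case "$1" in
        ossl)
            NR_OSSL_FAIL=$((NR_OSSL_FAIL + 1))
            [ "$NR_OSSL_FAIL" -lt "$MAX_OSSL_FAIL" ] || return 1
            ;;
        header)
            NR_HEADER_FAIL=$((NR_HEADER_FAIL + 1))
            [ "$NR_HEADER_FAIL" -lt "$MAX_HEADER_FAIL" ] || return 1
            ;;
        *)
            printf 'unknown failure kind: %s\n' "$1" >&2
            return 2
            ;;
    esac
    return 0
}

# One simulated scan step: $1 is the kind of attempt, $2 its outcome
# ("ok" or "fail"). Returns 0 to keep scanning, 1 to stop the scan because
# the connectivity problem threshold for that kind has been reached.
scan_step() {
    if [ "$2" = "fail" ]; then
        connectivity_problem "$1" || return 1
    fi
    return 0
}

# Demo over a constructed sequence: the scan keeps going through the first
# OpenSSL failure and the header failure, and stops at the second OpenSSL
# failure because MAX_OSSL_FAIL is reached.
reset_fail_counters
for step in "ossl ok" "ossl fail" "header fail" "ossl fail" "ossl ok"; do
    set -- $step
    if scan_step "$1" "$2"; then
        printf 'continue after %s/%s (ossl=%s header=%s)\n' \
            "$1" "$2" "$NR_OSSL_FAIL" "$NR_HEADER_FAIL"
    else
        printf 'connectivity problem after %s/%s, stopping scan\n' "$1" "$2"
        break
    fi
done
```

The point of the separate counters is visible in the demo: the header failure in the middle does not bring the OpenSSL counter closer to its limit, so the scan only stops when the OpenSSL attempts alone have failed MAX_OSSL_FAIL times.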
Dirk
2e5dd0439a document variable for previous commit 080840f 2018-03-02 20:57:06 +01:00
Dirk
b5fcc00031 reflect previous commit of changed treatment of --severity
... and some minor polishing
2018-03-01 15:13:55 +01:00
Dirk
ba8d613aa5 Add documentation about the current and corrected exit codes 2018-02-14 23:40:08 +01:00
Dirk
01f7612bd0 add keys to server defaults, cert start/end time in GMT 2018-01-29 23:43:25 +01:00
Dirk
659a6176b6 Add TLS 1.3, better explanation for -6 2018-01-28 12:47:05 +01:00
Dirk
0bc1f6f708 make MAX_PARALLEL and MAX_WAIT_TEST configurable + documentation 2017-12-27 09:50:34 +01:00
Dirk
1488baeac5 Documentation of CA_BUNDLES_PATH
See also 
2017-12-20 09:00:00 +01:00
Dirk
1984d7fc90 html version of man page added 2017-12-14 10:25:59 +01:00