Commit Graph

105 Commits

Author SHA1 Message Date
Dirk Wetter
c5b07e7d99 Make the client side security clearer for STARTTLS
... also in the man pages. See also #2564.
2024-09-08 12:22:52 +02:00
Dirk
52213d3072 Supply documentation for TLS 1.3 only hosts
and the automagic wrt /usr/bin/openssl OPENSSL2 and OSSL_SHORTCUT
2024-09-06 17:32:53 +02:00
Dirk
ed087197fe Add docu for #2497 2024-05-24 14:00:59 +02:00
Maurizio S
55ef4c09fe Update testssl.1.md 2024-01-20 11:49:50 +01:00
Dirk Wetter
d46301e9f7 Deprecate --ssl-native 2023-10-03 15:51:58 +02:00
Jeroen Dekkers
d5e3bc2e7a Add --server-preference alias to documentation 2023-09-20 15:05:14 +02:00
Dirk
d001bba86b Finalize DNS via Proxy
See #2328, original PR #2295 from @w4ntun .

Formerly testssl.sh returned an error when it wasn't possible to determine IP
addresses through DNS resolution, even if --proxy and --ip=proxy flags are set.
The main function always tried to determine IP addresses via DNS and exits with
a fatal error if it cannot do it. Although the client cannot get the IP, the
proxy could, so the SSL/TLS analysis is still possible.

This PR allows the analysis for an HTTP service via a proxy server and the DNS
traffic can be sent directly or through the proxy using the flag --ip=proxy.

ATTENTION: This may be a breaking change for those who don't have a local resolver.
They now have to add --ip=proxy.

In addition:
* help() was amended to add --ip=proxy (was only in the ~/doc dir before)
* amending ~/doc dir to document it's better to add --nodns=min when there's
  no local resolver
2023-03-21 19:40:40 +01:00
David Cooper
b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk
28085e5ec9 Implement fixes in documentation from #2074
kudos @k0lter

* numbering
* some ticks / backticks

For now I left the html and roff files like they were. That should be reconsidered
later.
2022-04-01 13:12:02 +02:00
enxio
58ce18bf32 Update documentation related to PR #2114 2022-03-02 14:43:33 +01:00
Dirk Wetter
da3520f8b2 Update documentation
* remove hint that LDAP only works with STARTTLS
* Add the relevant LDAP RFC for STARTTLS
* Amend with sieve RFC
* Correct numbering order of RFC section
2022-01-31 11:05:52 +01:00
Emmanuel Bouthenot
6e050a780d Update doc for (manage)sieve protocol when used with STARTTLS 2021-12-20 17:20:01 +01:00
David Cooper
8b129577a7 Update testssl.1.md
testssl.1.md included '.SS "SINGLE CHECK OPTIONS"', which belongs in testssl.1, but not in testssl.1.md. This commit removes this extra line.
2021-09-30 14:09:17 -04:00
Dimitri Papadopoulos
fcb282e3c3 Typos found by codespell
Run codespell in CI
2021-09-14 13:33:39 +02:00
Dirk
15cfd849fe Replace --standard by --categories 2021-09-09 22:07:44 +02:00
Dirk
739f45015f Fix minor inconsistency in description of cipher categories
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.

This fixes that, including an addition to the documentation.

Note: the help still lists "-s --std, --standard" as a cmd line
switch.
2021-09-08 08:46:47 +02:00
a1346054
6782e2a3b9 Fix spelling 2021-09-04 12:39:03 +00:00
Dirk Wetter
e1a43e6e16 Merge branch '3.1dev' into starttls_injection 2020-12-29 13:46:18 +01:00
tosticated
351f36c943 Changed parameter to --reqheader for custom HTTP headers. 2020-12-25 20:10:02 +01:00
tosticated
c1a565fad8 Custom HTTP request headers support added. Addresses #1770 2020-12-22 22:33:25 +01:00
Dirk Wetter
5c5c4dcd58 Merge branch '3.1dev' into starttls_smtp_injection
Resolving conflicts because of do_winshock
2020-11-26 10:45:02 +01:00
Dirk Wetter
9d0744e229 Introducing --overwrite option
Sometimes it is needed to overwrite existing output files.
This has been requested in the past (#927). For safety reasons
it was not implemented.

However I realized that it could be useful. It requires some
responsible usage though.

Code added, help() and manpages added -- warnings added too.
2020-11-13 16:05:53 +01:00
Klaus Eisentraut
d130d70e8b fix #1757: manpage: --c has one dash too much 2020-10-29 20:05:44 +01:00
Chad Brigance
4d6dba79e6 Update man pages and CHANGELOG 2020-10-19 07:32:41 +00:00
Dirk
7d8cf71a94 Further robustness check to winshock (#1719)
This commit adds

* a check for the elliptical curves
* and a check for TLS extensions

which will again reduce false positives.

Background:
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
* https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Extensions

Also:

* Docu phrased more precisely (we're not checking ciphers and
  HTTP Server banner only)
* As a last resort we also take 'Microsoft-HTTPAPI/2.0' as a server header on the HTTPS branch
  and query the HTTP branch for Microsoft-IIS/8.x.
* $EXPERIMENTAL overrides some banner and service related checks. So that e.g. SMTP servers can also
  be checked. Last but not least it's a vulnerability of the TLS stack.

For better debugging we'll keep the TLS extensions and offered curves in a file.
Also it adds a debug1() function which may be needed on other occasions.

Also the output is better coded as we put "check patches locally to confirm"
into a variable.

There's still room for improvement:

* More extensions (see https://raw.githubusercontent.com/cisco/joy/master/doc/using-joy-fingerprinting-00.pdf)
* We could need a separate determine_curves() function, see #1730 as otherwise
  we can't use the curves in a non-default run.
2020-09-22 13:04:18 +02:00
Dirk Wetter
1f8e65104c Add winshock to documentation 2020-09-08 22:08:05 +02:00
Dirk Wetter
35b79f65ee Add documentation for STARTTLS injection's cmd line flag
and also the modified one for ROBOT
2020-09-02 18:23:11 +02:00
Dirk Wetter
ecc6cd8160 Allow dir with PEM files for --add-CA
Idea which popped up while following #1700
2020-08-18 21:52:59 +02:00
Dirk Wetter
953e1bd0ff Phrase --version & friends as standalone
This PR fixes #1671.

Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.

The documentation was also updated to reflect that.

(Some grammar and other errors which I stumbled over were corrected too)
2020-08-13 20:41:57 +02:00
David Cooper
5b17bbcf87 Add RFC 8701 to list of RFCs
This commit adds RFC 8701 to the list of RFCs in the documentation.
2020-08-03 11:14:10 -04:00
David Cooper
57c4913260 Update GREASE reference
The GREASE Internet Draft is now RFC 8701. This commit updates the references.
2020-08-03 10:43:15 -04:00
a1346054
e8d2992add Fix grammar 2020-08-02 21:48:15 +00:00
Dirk Wetter
288223c707 Polish STARTTLS rating output
Moved the sentence ~ "A grade better than T would lead to a false sense of security"
to the documentation. No reason for excuses in the output. ;-) Explanation fits
better in the doc.

See also #1657
2020-06-25 20:47:51 +02:00
Magnus Larsen
f647ae8264 Change to grade cap 2020-06-23 19:24:24 +02:00
Magnus Larsen
069c5ae917 Spelling 2020-06-22 19:16:20 +02:00
Magnus Larsen
2bff63b7db Add a comment about STARTTLS connections in the docs 2020-06-22 19:14:25 +02:00
Magnus Larsen
8b74d41487 unintended linebreak 2020-05-11 15:22:51 +02:00
Magnus Larsen
6119d8538e proper rating of dh group length 2020-05-11 15:20:16 +02:00
Unit 193
871db32fb5 Fix a couple typos.
enviroment → environment
ususally → usually
2020-05-08 22:48:20 -04:00
Dirk
908975380d Amendment to "Relax the possible GPL license contradiction"
fix it also in the man pages. See #1590 / #1593
2020-05-06 09:17:42 +02:00
Dirk
381fdfa985 Fix typo in docs: Strong grade Ciphers / AEAD 2020-05-02 19:49:01 +02:00
Dirk
0e6fb44bd3 add xmpp-server 2020-05-01 18:31:35 +02:00
Dirk
ebe75252fa Merge branch '3.1dev' into magnuslarsen-grading_dev 2020-05-01 17:36:29 +02:00
Dirk
a9d28949fe Clarify responsibility for rating 2020-04-28 21:13:36 +02:00
Dirk Wetter
97ac4c452e Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-28 15:07:33 +02:00
Dirk
13a76bc719 (try to) resolve merge conflict 2020-04-28 13:35:24 +02:00
Dirk Wetter
680aff48e4 Update documentation related to extended run_server_preference() 2020-04-27 17:19:30 +02:00
Dirk Wetter
a9ab2bcd91 Update documentation (ADDITIONAL_CA_FILES -> ADDTL_CA_FILES)
which happened in d44a643fab in
testssl.sh .

This fixes it in the related files. See also #1581
2020-04-23 11:20:46 +02:00
Dirk Wetter
c3f09f56f7 Grading --> Rating
but we still hand out grades
2020-04-20 22:41:14 +02:00
Dirk Wetter
64735d0241 Remove env variable DISABLE_GRADING
as for run_* functions we currently don't have that.

Also AEAD as WIP we can remove that from the doc
2020-04-17 13:22:30 +02:00