minor

Dirk Wetter 2017-06-18 16:48:41 +02:00
parent f038836385
commit 03dd78b43e

@ -55,11 +55,11 @@ The nmap output always returns IP addresses and -- only if there's a PTR DNS rec
``--ssl-native`` Instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (``--each-cipher`` and ``--cipher-per-proto``) you might end up getting false negatives without a warning.
``--openssl <PATH>`` testssl.sh tries very hard to find the binary supplied (from he directory where testssl.sh has been started from, where the tree of testssl.sh resides) and falls back to the one from the OS (``$PATH```) if that fails. With this option you can point testssl.sh to your binary of choice and override any interal magic to find the openssl binary. ``OPENSSL=<path_to_openssl>`` is equivalent.
``--openssl <PATH>`` testssl.sh tries very hard to find the binary supplied (from he directory where testssl.sh has been started from, where the tree of testssl.sh resides) and falls back to the one from the OS (``$PATH``) if that fails. With this option you can point testssl.sh to your binary of choice and override any interal magic to find the openssl binary. ``OPENSSL=<path_to_openssl>`` is equivalent.
``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed. For the socket part testssl.sh tries its best without that option to cope with broken server implementations.
``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed, see ``s_client(1)``. For the socket part testssl.sh tries its best without that option to cope with broken server implementations.
``--assuming-http`` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers.
``--assuming-http`` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
##### DEFAULT CHECKS
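Review bot: The rewritten ``--openssl`` line still carries two typos while it is being touched to drop the stray backtick after ``$PATH``: "from he directory" should read "from the directory" and "interal magic" should read "internal magic". In the ``--assuming-http`` line, the added sentence starting "Sometimes also the severity depends on the application protocol" is hard to parse. Something like "The severity of some findings also depends on the application protocol: SHA1 signed certificates, a missing SAN match and some vulnerabilities are rated more severely for a web server than for a mail server" says the same thing more directly.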
@ -125,6 +125,10 @@ A few file output options can also be preset via environment variables.
`testssl.sh <options> <URI> | aha >output.html` -->
--append if <csvfile> or <jsonfile> exists rather append then overwrite
### COLOR RATINGS
### TUNING via ENV variables
### EXAMPLES
testssl.sh testssl.sh
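Review bot: The headings ``### COLOR RATINGS`` and ``### TUNING via ENV variables`` sit directly above ``### EXAMPLES`` with no body text visible between them in this hunk, so the rendered documentation would show two empty sections. Either add at least a one-line placeholder under each or hold the headings back until the content exists. The casing of "TUNING via ENV variables" also differs from the all-caps headings around it, so pick one convention.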