diff --git a/Man-page.md b/Man-page.md index a405664..aa03263 100644 --- a/Man-page.md +++ b/Man-page.md @@ -51,7 +51,7 @@ Options are either short or long options. All options requiring a value can be c `` or `--file ` always needs to be the last parameter. -##### BANNER OPTIONS +### BANNER OPTIONS `--help` (or no arg) display command line help @@ -61,7 +61,7 @@ Options are either short or long options. All options requiring a value can be c `-V , --local ` pretty print all local ciphers supported by openssl version. If a pattern is supplied it performs a match (ignore case) on any of the strings supplied in the wide output, see below. The pattern will be searched in the any of the columns: hexcode, cipher suite name (OpenSSL or RFC), key exchange, encryption, bits. It does a word pattern match for non-numbers, for number just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as non-word, but AES as word. -##### INPUT PARAMETERS +### INPUT PARAMETERS `` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is `https`. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an `/etc/hosts` entry for the hostname. 
@@ -102,7 +102,7 @@ Please note that `` has to be in Unix format. DOS carriage returns won't `--proxy :` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. -`-6` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. +`-6` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `HAS_IPv6` is the respective enviroment variable. `--ssl-native` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (`--each-cipher` and `--cipher-per-proto`) you might end up getting false negatives without a warning. 
@@ -123,7 +123,7 @@ Please note that `` has to be in Unix format. DOS carriage returns won't Any single option supplied prevents testssl.sh from doing a default run. It just takes this and if supplied other options and runs them - in the order they would also appear in the default run. -`-e, --each-cipher` checks each of the local 359 cipher (openssl + sockets) remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add `--show-each` +`-e, --each-cipher` checks each of the local 359 cipher (openssl + sockets) remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add `--show-each`. The default is here to list the following parameter: `hexcode`,`OpenSSL cipher suite name`,`key exchange`, `encryption bits`, `RFC cipher suite name (RFC)`. Please note the `--mapping` parameter changes what cipher suite names you will see here and at which position. Also please note that the __bit__ length for the encryption is shown and not the __security__ length. For 3DES due to the Meet-in-the-Middle problem the bit size of 168 bits is equivalent to the security size of 112 bits. `-E, --cipher-per-proto` checks each of the possible ciphers per protocol. If you want to display each cipher tested you need to add `--show-each` 
@@ -203,7 +203,6 @@ If the server provides no matching record in Subject Alternative Name (SAN) but ### OUTPUT OPTIONS -All output options can also be preset via environment variables. `--warnings ` The warnings parameter determines how testssl.sh will deal with situations where user input will normally be necessary. There are a couple of options here. `batch` doesn\'t wait for a confirming keypress. This is automatically being chosen for mass testing (`--file`). `-false` just skips the warning AND the confirimation. Please note that there are conflicts where testssl.sh will still asking for confirmation. Those are ones which would have a drastic impact on the results. The same can be achived by setting the environment variable `WARNINGS`. @@ -242,9 +241,9 @@ Setting the environment varable `COLOR` achives the same result. `--debug <0-6>` This gives you additional output on the screen (2-6), only useful for debugging: 0. none (default) -1. screen output normal but debug leaves output in /tmp/testssl.XXXXXX/ . The info about the excat directory is included in the screen output. +1. screen output normal but leaves useful debug output in __/tmp/testssl.XXXXXX/__ . The info about the exact directory is included in the screen output. 2. list more what\'s going on, e.g. lists some errors of connections and general debug statements -3. slightly more info: hexdumps + other info +3. even slightly more info: hexdumps + other info 4. display bytes sent via sockets 5. display bytes received via sockets 6. whole 9 yards 
@@ -274,13 +273,48 @@ A few file output options can also be preset via environment variables. ### COLOR RATINGS -### TUNING via ENV variables +Testssl.sh makes use of standard terminal colors (currently: 8). The color scheme is as follows: + +* light red: a critical finding +* red: a high finding +* brown: a medium finding +* yellow: a low finding +* green (blue if COLORBLIND is set): something which is either in general a good thing or a negative result of a check which otherwise results in a high finding +* light green (light blue if COLORBLIND) : something which is either in general a very good thing or a negative result of a check which otherwise results in a critical finding +* no color at places where also a finding can be expected: a finding on an info level +* cyan: currently used for `--show-each` or an additional hint +* magenta: signals a warning condition, e.g. either a local lack of capabilities on the client side or another problem +* light magenta: a fatal error which either requires strict consent from the user to continue or a condition which leaves no other choice for testssl.sh to quit + +What is labeled as "light" above appears as such on the screen but is in technically "bold". Markup (without any color) is used in the following manner: + +* bold: for the name of the test +* underline + bold: for the headline of each test section +* underline: for a sub-headline +* italics: for strings just reflecting a value + + +### TUNING via ENV variables and more options + +Except the environment variables which replace command line options here a some VARIABLES which cannot be set otherwise. Variables used for tuning are preset with reasonable values. There should be no reason to change them unless you use testssl.sh under special conditions. 
* DEBUGTIME * DEBUG_ALLINONE +* FAST_SOCKET +* SHOW_SIGALGO +* FAST +* EXPERIMENTAL +* UNBRACKTD_IPV6 some versions of OpenSSL (like from Gentoo) don\'t support [bracketed] IPv6 addresses +* HEADER_MAXSLEEP: To wait how long before killing the process to retrieve a service banner / HTTP header +* readonly MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply +* readonly CCS_MAX_WAITSOCK=5 # for the two CCS payload (each) +* readonly HEARTBLEED_MAX_WAITSOCK=8 # for the heartbleed payload + + ### EXAMPLES + testssl.sh testssl.sh does a default run on https://testssl.sh (protocols, standard cipher lists, PFS, server preferences, server defaults, vulnerabilities, testing all (359 possible) ciphers, client simulation. @@ -303,13 +337,13 @@ does the same on the plain text IMAP port. Please note that for plain TLS-encryp ### Exit status -**0** testssl.sh finished successfully -**245** no bash used or called with sh -**249** temp file generation problem -**251** feature not yet supported -**252** no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old -**253** no SSL/TLS enabled server / OPENSSL too old / couldn\'t connect to proxy / couldn't connect via STARTTLS -**254** no OPENSSL found or not exexutable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable +* 0 testssl.sh finished successfully +* 245 no bash used +* 249 temp file creation problem +* 251 feature not yet supported +* 252 no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old +* 253 no SSL/TLS enabled server / OPENSSL too old / couldn\'t connect to proxy / couldn't connect via STARTTLS +* 254 no OPENSSL found or not exexutable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable ### RFCs and other standards
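Review bot: the sentence added to `-6` has a typo ("enviroment" should be "environment") and does not say what `HAS_IPv6` does, what value to set, or what the default is; since the same paragraph says testssl.sh cannot reliably tell whether the OpenSSL binary supports IPv6, state explicitly whether setting this variable is the way for the user to supply that answer, and name the expected value, e.g. "If you know your openssl binary supports IPv6, set `HAS_IPv6` to <value>."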
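Review bot: "The default is here to list the following parameter:" is garbled, and the items that follow are output columns rather than parameters; suggest "By default the following columns are shown: `hexcode`, `OpenSSL cipher suite name`, `key exchange`, `encryption bits`, `RFC cipher suite name`." (the trailing "(RFC)" repeats the column name). The 3DES remark is a worthwhile clarification but reads as an afterthought; attaching it to the `encryption bits` column ("the bit length of the key, not its security strength: 3DES shows 168 although Meet-in-the-Middle reduces it to 112") keeps it next to what it explains. While here, the unchanged "local 359 cipher" should read "ciphers", and hard-coding the count (it also appears in EXAMPLES) will go stale.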
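Review bot: deleting "All output options can also be preset via environment variables." leaves no statement of which output options can be preset at all, yet the surviving `--warnings` paragraph still ends with "The same can be achived by setting the environment variable `WARNINGS`", the next hunk's context says the same for `COLOR`, and the file-output section keeps "A few file output options can also be preset via environment variables." If the blanket claim was wrong, replace it with a sentence saying that the environment variable, where one exists, is named under each option, rather than dropping it silently. The `--warnings` text also still has "confirimation" and "achived" ("confirmation", "achieved") and a `\'` escape in "doesn\'t" that should be a plain apostrophe.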
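Review bot: level 1 now has a stray space before the closing period ("__/tmp/testssl.XXXXXX/__ .") and puts a file path in bold, whereas the rest of the page puts paths and values in backticks (`/etc/hosts`, `--show-each`); `/tmp/testssl.XXXXXX/` is the consistent form. "even slightly more info" in level 3 is awkward; "slightly more than 2: hexdumps + other info" reads better. The `\'` in the unchanged level-2 line ("what\'s") is a markdown escape artefact and should be a plain apostrophe.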
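Review bot: the tuning list mixes bare variable names with shell declarations copied from the script (`readonly MAX_WAITSOCK=10 # ...`, `readonly CCS_MAX_WAITSOCK=5`, `readonly HEARTBLEED_MAX_WAITSOCK=8`); a variable the script declares `readonly` cannot be overridden from the environment, so either these are fixed timeouts and should be described as such outside the tuning list, or the `readonly` text should go and each entry should give its meaning and default in prose, as the `HEADER_MAXSLEEP` entry does. `FAST_SOCKET`, `SHOW_SIGALGO`, `FAST` and `EXPERIMENTAL` are added with no description at all; every entry should say what it does and its default. Grammar in the added prose: "here a some VARIABLES" should be "here are some variables", "is in technically "bold"" should be "is technically bold", "Testssl.sh" is capitalised while the rest of the page writes testssl.sh, and "don\'t" in the `UNBRACKTD_IPV6` entry carries another `\'` escape. The heading now says "and more options" but the section adds no options.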
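Review bot: the rewritten exit status list drops information and keeps old typos. "245 no bash used" loses "or called with sh", which is the more likely way to hit that code, so keep it; "exexutable" in 254 is still misspelled ("executable"); and 253 mixes `couldn\'t` with `couldn't` on the same line, where the backslash is a markdown escape artefact. The old `**0**` form set the code apart from its description; if bullets are preferred, `* 0: testssl.sh finished successfully` or a backticked code keeps that readability.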