diff --git a/Usage-Documentation.md b/Usage-Documentation.md index 1fb5467..19cd36b 100644 --- a/Usage-Documentation.md +++ b/Usage-Documentation.md @@ -24,15 +24,22 @@ All options requiring a value can be called with or without '=' e.g. ``testssl.s (if pattern not a number: word match) ##### INPUT PARAMETERS - URI host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified) + URI {host,ip,URL}: (port 443 is assumed unless otherwise specified) + Please be careful: if checks for the IP address might not hit the vhost you want. + pattern an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits protocol is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl) --file Mass testing option: Reads command lines from in plaintext format, one line per instance. Comments via # allowed, EOF signals end of . Implicitly turns on "--warnings batch". Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. - Besides having individual command line options per line in the supplied file you can additionally specify options on the command line. The command line options in the file and on the command line must not conflict. + Besides having individual command line options per line in the supplied file you can additionally specify options on the command line. + The command line options in the file and on the command line must not conflict. - Alternatively can be in nmap's greppable output format (-oG). Currently only 1x port per line is allowed. The ports can be different per line, however per mass testing run they can be either STARTTLS enabled ports OR plain TLS/SSL ports. + Alternatively can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Currently only 1x port per line is allowed. + The ports can be different per line, however per mass testing run they can be either STARTTLS enabled ports OR plain TLS/SSL ports, not both. + nmap returns in that putput always IP addresses and -- only if there's a PTR DNS record available -- a hostname. + Unfortunately this hostname from nmap is not checked whether it matches the IP (A or AAAA record). testssl.sh does this for you: + if the A record of the hostname matches the IP address, the hostname is used and not the IP address. Please be careful: checks for the IP address might not hit the vhost you want. --mode Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)