mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
save work of the past days
parent
04bee8d18c
commit
f02c4595a0
78
Man-page.md
@ -167,29 +167,35 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
|
||||
|
||||
`-U, --vulnerable` Just tests all (following) vulnerabilities. The environment variable `VULN_THRESHLD` determines after which value a separate headline for each vulnerability is being displayed. Default is `1` which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the ersult.
|
||||
|
||||
`-H, --heartbleed` tests for Heartbleed vulnerability
|
||||
`-H, --heartbleed` tests for Heartbleed which is an openssl vulnerability. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with `HEARTBLEED_MAX_WAITSOCK`. 8 is the default (unit: seconds)
|
||||
|
||||
`-I, --ccs, --ccs-injection` tests for CCS injection vulnerability
|
||||
`-I, --ccs, --ccs-injection` tests for CCS injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the enviroment variable `CCS_MAX_WAITSOCK`
|
||||
|
||||
`-T, --ticketbleed` tests for Ticketbleed vulnerability in BigIP loadbalancers
|
||||
|
||||
`-R, --renegotiation` tests for renegotiation vulnerabilities
|
||||
`-R, --renegotiation` tests for renegotiation vulnerabilities. Currently there's a check for "Secure Renegotiation" and for "Secure Client-Initiated Renegotiation". Please be aware that vulnerable servers to the latter can likely be DoSed very easily (HTTP). A check for "Insecure Client-Initiated Renegotiation" is not yet implemented
|
||||
|
||||
`-C, --compression, --crime` tests for CRIME vulnerability
|
||||
`-C, --compression, --crime` tests for CRIME ("Compression Ratio Info-leak Made Easy") vulnerability in TLS. CRIME in SPDY if offered is not yet being checked for.
|
||||
|
||||
`-B, --breach` tests for BREACH vulnerability
|
||||
`-B, --breach` tests for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability. As for this vulnerabilty HTTP level compressoin is a prerequisite it'll be not tested if HTTP cannot be detected or the detection is not enforced via ``--assume-http`. Please note that only the URL supplied (normally "/" ) is being tested.
|
||||
|
||||
`-O, --poodle` tests for POODLE (SSL) vulnerability
|
||||
`-O, --poodle` tests for SSL POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability. It basically checks for the existence of CBC ciphers in SSLv3.
|
||||
|
||||
`-Z, --tls-fallback` checks TLS_FALLBACK_SCSV mitigation
|
||||
`-Z, --tls-fallback` checks TLS_FALLBACK_SCSV mitigation. It's a ciphersuite
|
||||
|
||||
`-F, --freak` tests for FREAK vulnerability
|
||||
`-W, --sweet32, tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
|
||||
|
||||
`-A, --beast` tests for BEAST vulnerability
|
||||
|
||||
`-J, --logjam` tests for LOGJAM vulnerability
|
||||
`-L, --lucky13` tests for LUCKY13 vulnerability
|
||||
|
||||
`-s, --pfs, --fs,--nsa ` checks (perfect) forward secrecy settings
|
||||
`-F, --freak` tests for FREAK vulnerability
|
||||
|
||||
`-J, --logjam` tests for LOGJAM vulnerability and checks for "common primes" which are preconfigured DH keys. DH keys =< 1024 Bit will be penelized
|
||||
|
||||
`-D, --drown` tests for DROWN vulnerability
|
||||
|
||||
`-f, --pfs, --fs,--nsa ` checks (perfect) forward secrecy settings
|
||||
|
||||
`-4, --rc4, --appelbaum` which RC4 ciphers are being offered?
|
||||
|
||||
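Review bot: The `-W, --sweet32,` entry opens a code span that is never closed and ends the option name with a comma, so that line will not render like the other option entries; close the backtick after `--sweet32`. The `-Z, --tls-fallback` text stops at "It's a ciphersuite" and needs its sentence finished or dropped. In the `--heartbleed` entry, "Unless the server side doesn't support the heartbeat extension" is a double negative that is easy to misread; stating it positively (the check tends to wait out `HEARTBLEED_MAX_WAITSOCK` when the server supports heartbeat) would be clearer. The `--breach` entry has two opening backticks before `--assume-http`, the `--logjam` entry writes "=<" where "<=" is meant, and these spellings need fixing: "ersult", "enviroment", "vulnerabilty", "compressoin", "penelized".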
@ -199,20 +205,31 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
|
||||
|
||||
All output options can also be preset via environment variables.
|
||||
|
||||
--warnings <batch|off|false> "batch" doesn't wait for keypress, "off" or "false" skips connection warning
|
||||
--warnings <batch|off|false> "batch" doesn\'t wait for keypress, "off" or "false" skips connection warning
|
||||
--openssl-timeout <seconds> useful to avoid hangers. <seconds> to wait before openssl connect will be terminated
|
||||
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
|
||||
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
|
||||
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
|
||||
--mapping <no-rfc> don't display the RFC Cipher Suite Name
|
||||
|
||||
`--mapping <openssl|rfc|no-openssl|no-rfc>`
|
||||
|
||||
* `openssl`: use the OpenSSL cipher suite name as the primary name cipher suite name form (default),
|
||||
* `rfc`: use the RFC cipher suite name as the primary name cipher suite name form.
|
||||
* `no-openssl`: don't display the OpenSSL cipher suite name, display RFC names only.
|
||||
* `no-rfc`: don't display the RFC cipher suite name, display OpenSSL names only
|
||||
|
||||
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
|
||||
--colorblind swap green and blue in the output
|
||||
--debug <0-6> 0: none
|
||||
1: screen output normal but debug output in temp files.
|
||||
2: list more what's going on, lists some errors of connections
|
||||
3: slight hexdumps + other info
|
||||
4: display bytes sent via sockets
|
||||
5: display bytes received via sockets
|
||||
6: whole 9 yards
|
||||
`--colorblind` swaps green and blue colors in the output, so that this percentage of folks can distuingish those findings better
|
||||
|
||||
`--debug <0-6>`
|
||||
|
||||
0. none
|
||||
1. screen output normal but debug output in temp files.
|
||||
2. list more what\'s going on, lists some errors of connections
|
||||
3. slight hexdumps + other info
|
||||
4. display bytes sent via sockets
|
||||
5. display bytes received via sockets
|
||||
6. whole 9 yards
|
||||
|
||||
### FILE OUTPUT OPTIONS
|
||||
|
||||
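Review bot: The `--debug <0-6>` levels are written as a Markdown ordered list starting at `0.`; a renderer that numbers ordered lists from 1 would show the levels as 1 to 7 and misdocument every value, so a bullet list with the level number inside the item text is safer. The `\'` in "doesn\'t" (`--warnings`) and "what\'s" (debug level 2) is an escape Markdown does not need. In `--mapping`, "as the primary name cipher suite name form" repeats itself in both the `openssl` and `rfc` items, and "distuingish" in `--colorblind` is misspelled. The options around the new entries (`--warnings`, `--quiet`, `--wide`, `--color`) are still unquoted while `--mapping`, `--colorblind` and `--debug` are in backticks; pick one style for the section.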
@ -222,12 +239,16 @@ A few file output options can also be preset via environment variables.
|
||||
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
|
||||
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
|
||||
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
|
||||
--json-pretty additional JSON structured output of findings to a file <NODE>-p<port#><YYYYMMDD-HHMM>.json in cwd
|
||||
--jsonfile-pretty <jsonfile> additional JSON structured output to the specified file or directory, similar to --logfile
|
||||
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
|
||||
--csvfile <csvfile> set output to CSV and output CSV to the specified file
|
||||
--html additional output as HTML to file <NODE>-p<port#><YYYYMMDD-HHMM>.html
|
||||
--htmlfile <htmlfile> additional output as HTML to the specifed file or directory, similar to --logfile
|
||||
<!--Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
|
||||
`testssl.sh <options> <URI> | aha >output.html` -->
|
||||
--hints
|
||||
--severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
|
||||
--append if <csvfile> or <jsonfile> exists rather append then overwrite
|
||||
|
||||
### COLOR RATINGS
|
||||
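Review bot: `--hints` is listed with no description, unlike every other option in this block; say what it adds to the output or leave it out until it is documented. The default file name patterns also differ between `--json`/`--csv` (`<NODE-YYYYMMDD-HHMM.json>`) and `--json-pretty`/`--html` (`<NODE>-p<port#><YYYYMMDD-HHMM>.json`); if both are accurate that deserves a sentence, otherwise align them. Wording: "rather append then overwrite" in `--append` should read "than", and "specifed" in `--htmlfile` is misspelled.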
@ -272,21 +293,28 @@ does the same on the plain text IMAP port. Please note that for plain TLS-encryp
|
||||
### RFCs and other standards
|
||||
|
||||
* RFC 2246: The TLS Protocol Version 1.0
|
||||
* RFC 2595: Using TLS with IMAP, POP3 and ACAP
|
||||
* RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
|
||||
* RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
|
||||
* RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
|
||||
* RFC 4366:
|
||||
* RFC 4492:
|
||||
* RFC 4366: Transport Layer Security (TLS) Extensions
|
||||
* RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
|
||||
* RFC 5077: Transport Layer Security (TLS) Session Resumption
|
||||
* RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
|
||||
* RFC 5321: Simple Mail Transfer Protocol
|
||||
* RFC 5746:
|
||||
* RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
|
||||
* RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
|
||||
* RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
|
||||
* RFC 6125: Domain-Based Application Service Identity [..]
|
||||
* RFC 6797: HTTP Strict Transport Security (HSTS)
|
||||
* RFC 7685:
|
||||
* RFC 7469: Public Key Pinning Extension for HTTP (HPKP)
|
||||
* RFC 7507:
|
||||
* RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
|
||||
* RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
|
||||
* RFC 7685: A Transport Layer Security (TLS) ClientHello Padding Extension
|
||||
* RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
|
||||
* RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security
|
||||
* W3C CSP: Content Security Policy Level 1-3
|
||||
* TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3
|
||||
|
||||
|
||||
### FILES
|
||||
|
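Review bot: The RFC 6125 entry keeps a placeholder title ("Domain-Based Application Service Identity [..]") while the other entries now carry titles, and RFC 5077 is shortened (the RFC's title continues "without Server-Side State"); spell both out so the list is consistent. "TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3" names no draft identifier, so readers cannot tell which revision the tool follows; add the draft name and number. "W3C CSP: Content Security Policy Level 1-3" would likewise be easier to follow up with the individual specifications named.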