save work of the past days

Dirk 2017-06-24 14:27:47 +02:00
parent 04bee8d18c
commit f02c4595a0

@ -167,29 +167,35 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
`-U, --vulnerable` Just tests all (following) vulnerabilities. The environment variable `VULN_THRESHLD` determines after which value a separate headline for each vulnerability is being displayed. Default is `1` which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the ersult.
`-H, --heartbleed` tests for Heartbleed vulnerability
`-H, --heartbleed` tests for Heartbleed which is an openssl vulnerability. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with `HEARTBLEED_MAX_WAITSOCK`. 8 is the default (unit: seconds)
`-I, --ccs, --ccs-injection` tests for CCS injection vulnerability
`-I, --ccs, --ccs-injection` tests for CCS injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the enviroment variable `CCS_MAX_WAITSOCK`
`-T, --ticketbleed` tests for Ticketbleed vulnerability in BigIP loadbalancers
`-R, --renegotiation` tests for renegotiation vulnerabilities
`-R, --renegotiation` tests for renegotiation vulnerabilities. Currently there's a check for "Secure Renegotiation" and for "Secure Client-Initiated Renegotiation". Please be aware that vulnerable servers to the latter can likely be DoSed very easily (HTTP). A check for "Insecure Client-Initiated Renegotiation" is not yet implemented
`-C, --compression, --crime` tests for CRIME vulnerability
`-C, --compression, --crime` tests for CRIME ("Compression Ratio Info-leak Made Easy") vulnerability in TLS. CRIME in SPDY if offered is not yet being checked for.
`-B, --breach` tests for BREACH vulnerability
`-B, --breach` tests for BREACH ("Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext") vulnerability. As for this vulnerabilty HTTP level compressoin is a prerequisite it'll be not tested if HTTP cannot be detected or the detection is not enforced via ``--assume-http`. Please note that only the URL supplied (normally "/" ) is being tested.
`-O, --poodle` tests for POODLE (SSL) vulnerability
`-O, --poodle` tests for SSL POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability. It basically checks for the existence of CBC ciphers in SSLv3.
`-Z, --tls-fallback` checks TLS_FALLBACK_SCSV mitigation
`-Z, --tls-fallback` checks TLS_FALLBACK_SCSV mitigation. It's a ciphersuite
`-F, --freak` tests for FREAK vulnerability
`-W, --sweet32, tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
`-A, --beast` tests for BEAST vulnerability
`-J, --logjam` tests for LOGJAM vulnerability
`-L, --lucky13` tests for LUCKY13 vulnerability
`-s, --pfs, --fs,--nsa ` checks (perfect) forward secrecy settings
`-F, --freak` tests for FREAK vulnerability
`-J, --logjam` tests for LOGJAM vulnerability and checks for "common primes" which are preconfigured DH keys. DH keys =< 1024 Bit will be penelized
`-D, --drown` tests for DROWN vulnerability
`-f, --pfs, --fs,--nsa ` checks (perfect) forward secrecy settings
`-4, --rc4, --appelbaum` which RC4 ciphers are being offered?
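Review bot: the `-W, --sweet32` line has an opening backtick but no closing one, so the whole option name will not render as code; close it after `--sweet32`. In the same region, `-F, --freak` and `-J, --logjam` each appear twice in this hunk and the PFS option changes its short flag from `-s` to `-f` without the commit message saying why; please confirm the final file lists each option once and that `-f` matches what the script's option parsing accepts. The `-Z, --tls-fallback` description ends mid-sentence ("It's a ciphersuite"), the `--breach` text has a doubled backtick in ``--assume-http`, and the `-U, --vulnerable` paragraph on `VULN_THRESHLD` is hard to follow (it is unclear whether separate headlines appear above or below the threshold). Spelling: "ersult", "enviroment", "vulnerabilty", "compressoin", "penelized", and "=< 1024 Bit" should be "<= 1024 bit".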
@ -199,20 +205,31 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
All output options can also be preset via environment variables.
--warnings <batch|off|false> "batch" doesn't wait for keypress, "off" or "false" skips connection warning
--warnings <batch|off|false> "batch" doesn\'t wait for keypress, "off" or "false" skips connection warning
--openssl-timeout <seconds> useful to avoid hangers. <seconds> to wait before openssl connect will be terminated
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <no-rfc> don't display the RFC Cipher Suite Name
`--mapping <openssl|rfc|no-openssl|no-rfc>`
* `openssl`: use the OpenSSL cipher suite name as the primary name cipher suite name form (default),
* `rfc`: use the RFC cipher suite name as the primary name cipher suite name form.
* `no-openssl`: don't display the OpenSSL cipher suite name, display RFC names only.
* `no-rfc`: don't display the RFC cipher suite name, display OpenSSL names only
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
--colorblind swap green and blue in the output
--debug <0-6> 0: none
1: screen output normal but debug output in temp files.
2: list more what's going on, lists some errors of connections
3: slight hexdumps + other info
4: display bytes sent via sockets
5: display bytes received via sockets
6: whole 9 yards
`--colorblind` swaps green and blue colors in the output, so that this percentage of folks can distuingish those findings better
`--debug <0-6>`
0. none
1. screen output normal but debug output in temp files.
2. list more what\'s going on, lists some errors of connections
3. slight hexdumps + other info
4. display bytes sent via sockets
5. display bytes received via sockets
6. whole 9 yards
### FILE OUTPUT OPTIONS
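Review bot: the backslash-escaped apostrophes in `doesn\'t` and `what\'s` will be shown literally by markdown renderers; use plain apostrophes. The `--mapping` bullets for `openssl` and `rfc` repeat "primary name cipher suite name form", which reads as a copy-and-paste slip ("as the primary cipher suite name form" is enough). The `--debug` list starts at `0.`, and several markdown renderers renumber ordered lists from 1, so the levels would be displayed off by one; an unordered list with the level in code (`* `0`: none`) avoids that. Also "hangers" in `--openssl-timeout` should be "hangs", and "distuingish" in `--colorblind` should be "distinguish".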
@ -222,12 +239,16 @@ A few file output options can also be preset via environment variables.
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
--json-pretty additional JSON structured output of findings to a file <NODE>-p<port#><YYYYMMDD-HHMM>.json in cwd
--jsonfile-pretty <jsonfile> additional JSON structured output to the specified file or directory, similar to --logfile
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
--csvfile <csvfile> set output to CSV and output CSV to the specified file
--html additional output as HTML to file <NODE>-p<port#><YYYYMMDD-HHMM>.html
--htmlfile <htmlfile> additional output as HTML to the specifed file or directory, similar to --logfile
<!--Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
`testssl.sh <options> <URI> | aha >output.html` -->
--hints
--severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
--append if <csvfile> or <jsonfile> exists rather append then overwrite
### COLOR RATINGS
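Review bot: `--hints` is added without any description, so the reader cannot tell what it does; either document it here or leave it out of this commit. Now that `--html` and `--htmlfile` exist, the HTML comment suggesting piping through "aha" looks obsolete and should be removed rather than kept commented out. Typos: "specifed" in `--htmlfile`, and "rather append then overwrite" should be "rather than overwrite".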
@ -272,21 +293,28 @@ does the same on the plain text IMAP port. Please note that for plain TLS-encryp
### RFCs and other standards
* RFC 2246: The TLS Protocol Version 1.0
* RFC 2595: Using TLS with IMAP, POP3 and ACAP
* RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
* RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
* RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
* RFC 4366:
* RFC 4492:
* RFC 4366: Transport Layer Security (TLS) Extensions
* RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
* RFC 5077: Transport Layer Security (TLS) Session Resumption
* RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
* RFC 5321: Simple Mail Transfer Protocol
* RFC 5746:
* RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
* RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
* RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
* RFC 6125: Domain-Based Application Service Identity [..]
* RFC 6797: HTTP Strict Transport Security (HSTS)
* RFC 7685:
* RFC 7469: Public Key Pinning Extension for HTTP (HPKP)
* RFC 7507:
* RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
* RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
* RFC 7685: A Transport Layer Security (TLS) ClientHello Padding Extension
* RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
* RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security
* W3C CSP: Content Security Policy Level 1-3
* TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1.3
### FILES
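Review bot: the RFC titles filled in here are correct, but three entries are still incomplete: RFC 5077's title is "Transport Layer Security (TLS) Session Resumption without Server-Side State", RFC 7919's ends with "for Transport Layer Security (TLS)", and RFC 6125 is cut off with `[..]` (full title: "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"). Moving RFC 7685 below RFC 7627 keeps the list in numeric order, which is good; the TLS 1.3 entry could cite the draft name (draft-ietf-tls-tls13) so it stays identifiable once the RFC is published.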