tuning options integrated

2025-01-22 16:39:30 +01:00 · 2017-06-18 16:41:39 +02:00 · 2017-06-18 16:41:39 +02:00 · f038836385
commit f038836385
parent 5981b2fbfd
1 changed files with 15 additions and 15 deletions
--- a/Man-page.md
+++ b/Man-page.md
@ -25,7 +25,7 @@ Options are either short or long options. All options requiring a value can be c
 ##### INPUT PARAMETERS
-``URI``     can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. For any given parameter port 443 is assumed unless otherwise specified  by appending a colon and a port number. The only preceding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an ``/etc/hosts`` entry for the hostname.
+``URI``     can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an ``/etc/hosts`` entry for the hostname.
 ``--file <fname>`` is the mass testing option. Per default it implicitly turns on ``--warnings batch``.  
 In its first incarnation the mass testing option reads command lines from ``\<fname\>``. ``\<fname\>`` consists of command lines of testssl, one line per instance. Comments after ``#`` are ignored, ``EOF`` signals the end of \<fname\> any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g.  When invoking ``testssl.sh --wide --log --file <fname>`` . Each single line in ``\<fname\>`` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies.
@ -34,7 +34,7 @@ Alternatively ``\<fname>\`` can be in ``nmap``'s grep(p)able output format (``-o
 The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname.                                    As it is not checked by nmap whether the hostname matches the IP (A or AAAA record), testssl.sh does this for you. If the A record of the hostname matches the IP address, the hostname is used and not the IP address. As stated above, checks against an IP address might not hit the vhost you maybe were aiming at.
-``--mode <serial|parallel>``. Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable MASS_TESTING_MODE can be defined to be either equal ``serial`` or ``parallel``.
+``--mode <serial|parallel>``. Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable ``MASS_TESTING_MODE`` can be defined to be either equal ``serial`` or ``parallel``.
 #####  SPECIAL INVOCATIONS:
@ -45,10 +45,21 @@ The nmap output always returns IP addresses and -- only if there's a PTR DNS rec
 ``--mx <domain/host>``     tests all MX records  (STARTTLS, port 25) from high to low priority one after the other.
-``--ip <ip>``              Tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in URI.                    ``--ip=one`` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to  a different IP, similar as if you would edit ``/etc/hosts``. ``--ip=proxy`` tries a DNS resolution via proxy.
+``--ip <ip>``              Tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in URI. IPv6 addresses needs to be in square brackets.
                   ``--ip=one`` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to  a different IP, similar as if you would edit ``/etc/hosts``. ``--ip=proxy`` tries a DNS resolution via proxy. 
-``--proxy <host>:<port>``    Does the whole check via the specified HTTP proxy. ``--proxy=auto`` inherits the proxy setting from the environment variablenm,./.
+``--proxy <host>:<port>``    Does the whole check via the specified HTTP proxy. ``--proxy=auto`` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported.
 ``-6``       Does (also) IPv6 checks. This works only with both a supporting OpenSSL binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support.
 ``--ssl-native``               Instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client 
 simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (``--each-cipher`` and ``--cipher-per-proto``) you might end up getting false negatives without a warning.
 ``--openssl <PATH>``           testssl.sh tries very hard to find the binary supplied (from he directory where testssl.sh has been started from, where the tree of testssl.sh resides) and falls back to the one from the OS (``$PATH```) if that fails. With this option you can point testssl.sh to your binary of choice and override any interal magic to find the openssl binary. ``OPENSSL=<path_to_openssl>`` is equivalent.
 ``--bugs``                    does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed. For the socket part testssl.sh tries its best without that option to cope with broken server implementations.
 ``--assuming-http``           testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers.
 ##### DEFAULT CHECKS
@ -78,17 +89,6 @@ testssl.sh <options> URI    (`testssl.sh URI` does everything except `-E`)
     -4, --rc4, --appelbaum        which RC4 ciphers are being offered?
     -H, --header, --headers       tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
 ##### TUNING OPTIONS 
 Some can also be preset via environment variables.
     --bugs                        enables the "-bugs" option of s_client and some other workarounds. This could be needed e.g. for some buggy F5 loadbalancers
     --assuming-http               if protocol check fails it assumes HTTP protocol and enforces HTTP checks
     --ssl-native                  fallback to checks with OpenSSL where sockets are normally used
     --openssl <PATH>              use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh
     --proxy <host>:<port>         connect via the specified HTTP proxy
     -6                            Use also IPv6 checks. This works only with a supporting OpenSSL binary (e.g. the one supplied) and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support.
 ##### OUTPUT OPTIONS