From d46301e9f7fa44713e286ba2102cbf956b49635c Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 3 Oct 2023 15:51:58 +0200 Subject: [PATCH 1/2] Deprecate --ssl-native --- doc/testssl.1 | 2 +- doc/testssl.1.html | 2 +- doc/testssl.1.md | 2 +- testssl.sh | 3 ++- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 324350c51..7d01acbfc 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -94,7 +94,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able .P \fB\-6\fR does (also) IPv6 checks\. Please note that testssl\.sh doesn't perform checks on an IPv6 address automatically, because of two reasons: testssl\.sh does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you in general prefer to test for IPv6 branches as well you can add \fBHAS_IPv6\fR to your shell environment\. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1\.1\.0 and older versions >=1\.0\.2 in RHEL/CentOS/FC and Gentoo\. .P -\fB\-\-ssl\-native\fR Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl\.sh uses the latter (almost) only\. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support\. For all checks you will see a warning if testssl\.sh cannot tell if a particular check cannot be performed\. For some checks however you might end up getting false negatives without a warning\. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary\. +\fB\-\-ssl\-native\fR Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl\.sh uses the latter (almost) only\. This is faster but provides less accurate results, especially for the client simulation and for cipher support\. For all checks you will see a warning if testssl\.sh cannot tell if a particular check cannot be performed\. For some checks however you might end up getting false negatives without a warning\. Thus it is not recommended to use\. 
It should only be used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary\. .P \fB\-\-openssl \fR testssl\.sh tries very hard to find automagically the binary supplied (where the tree of testssl\.sh resides, from the directory where testssl\.sh has been started from, etc\.)\. If all that doesn't work it falls back to openssl supplied from the OS (\fB$PATH\fR)\. With this option you can point testssl\.sh to your binary of choice and override any internal magic to find the openssl binary\. (Environment preset via \fBOPENSSL=\fR)\. .SS "TUNING OPTIONS" diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 45407ee5c..1584bf07d 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -206,7 +206,7 @@

SPECIAL INVOCATIONS

-6 does (also) IPv6 checks. Please note that testssl.sh doesn't perform checks on an IPv6 address automatically, because of two reasons: testssl.sh does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. -6 assumes both is the case. If both conditions are met and you in general prefer to test for IPv6 branches as well you can add HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo.

-

--ssl-native Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary.

+

--ssl-native Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. Thus it is not recommended to use. It should be only used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary.

--openssl <path_to_openssl> testssl.sh tries very hard to find automagically the binary supplied (where the tree of testssl.sh resides, from the directory where testssl.sh has been started from, etc.). If all that doesn't work it falls back to openssl supplied from the OS ($PATH). With this option you can point testssl.sh to your binary of choice and override any internal magic to find the openssl binary. (Environment preset via OPENSSL=<path_to_openssl>).

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 0078bd232..158353640 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md 
@@ -128,7 +128,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. `-6` does (also) IPv6 checks. Please note that testssl.sh doesn't perform checks on an IPv6 address automatically, because of two reasons: testssl.sh does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. `-6` assumes both is the case. If both conditions are met and you in general prefer to test for IPv6 branches as well you can add `HAS_IPv6` to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo. -`--ssl-native` Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary. +`--ssl-native` Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. Thus it is not recommended to use. It should only be used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary. 
`--openssl ` testssl.sh tries very hard to find automagically the binary supplied (where the tree of testssl.sh resides, from the directory where testssl.sh has been started from, etc.). If all that doesn't work it falls back to openssl supplied from the OS (`$PATH`). With this option you can point testssl.sh to your binary of choice and override any internal magic to find the openssl binary. (Environment preset via `OPENSSL=`). diff --git a/testssl.sh b/testssl.sh index c27998981..cdc22dcd1 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20438,7 +20438,7 @@ tuning / connect options (most also can be preset via environment variables): -9, --full includes tests for implementation bugs and cipher per protocol (could disappear) --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks - --ssl-native fallback to checks with OpenSSL where sockets are normally used + --ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it when possible --openssl use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME) --proxy (experimental) proxy connects via , auto: values from \$env (\$http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity @@ -23804,6 +23804,7 @@ parse_cmd_line() { done "$FAST" && pr_warning "\n'--fast' can have some undesired side effects thus it is not recommended to use anymore\n" + "$SSL_NATIVE" && pr_warning "\nusage of '--ssl-native' is not recommended as it will return incomplete and may even return incorrect results\n" if "$do_starttls_injection" && [[ "$STARTTLS_PROTOCOL" =~ smtp ]]; then ((VULN_COUNT++)) From 65da627820f2d70bbbc45995d9f96d724c9827be Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 3 Oct 2023 15:56:18 +0200 Subject: [PATCH 2/2] better English --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/testssl.sh b/testssl.sh index cdc22dcd1..2b8bcc6a2 100755 --- a/testssl.sh +++ b/testssl.sh @@ -20438,7 +20438,7 @@ tuning / connect options (most also can be preset via environment variables): -9, --full includes tests for implementation bugs and cipher per protocol (could disappear) --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks - --ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it when possible + --ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it if possible --openssl use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME) --proxy (experimental) proxy connects via , auto: values from \$env (\$http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
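Review bot: the new sentence "Thus it is not recommended to use\." in the `--ssl-native` paragraph of doc/testssl.1 is ungrammatical; "Thus it is not recommended\." or "Its use is therefore not recommended\." reads better. The same added line also keeps "the protocols and cipher provided by your openssl binary", which should be "ciphers".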
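Review bot: the replacement paragraph in doc/testssl.1.html says "It should be only used if you prefer speed over accuracy", whereas the same paragraph in doc/testssl.1 and doc/testssl.1.md in this patch says "It should only be used if". The three renderings of the man page should be word-for-word identical; if the html is regenerated from the markdown rather than edited by hand, this drift disappears.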
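Review bot: same grammar problem as in the roff version: "Thus it is not recommended to use." in the `--ssl-native` entry of doc/testssl.1.md should read "Thus it is not recommended." Fixing it here as well (together with "cipher" to "ciphers") keeps the three man page formats in sync.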
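Review bot: the new help line "--ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it when possible" calls the mode "inaccurate", while the man page text changed in this same patch says "less accurate" and specifically warns about false negatives without a warning; "faster but less accurate (possible false negatives), avoid if possible" would match the documentation and tell the user what kind of inaccuracy to expect.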
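Review bot: the added `"$SSL_NATIVE" && pr_warning ...` in parse_cmd_line copies the `"$FAST" &&` idiom on the line above, which only works when the variable holds exactly `true` or `false`; since the usage text says these options can be preset via environment variables, a value such as `yes` or `1` would be executed as a command rather than tested, so either make sure SSL_NATIVE is normalized to true/false before this point or test it explicitly with `[[ "$SSL_NATIVE" == true ]] &&`. The warning text also needs a noun: "will return incomplete results and may even return incorrect ones".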
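Review bot: this second commit only changes "when possible" to "if possible" in a line that the first commit of the same series introduced; squash it into the first commit so the history does not carry a one-word fix-up, and if it stays separate give it a subject that says what changed (e.g. "Reword --ssl-native usage text") rather than "better English".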