Commit 5a75801a authored by ChangZhuo Chen

New upstream version 2.9.5-5+dfsg1

parent 242e94c3
FROM alpine:latest
RUN apk update && apk upgrade
RUN apk add bash procps drill git coreutils
RUN addgroup testssl
RUN adduser -G testssl -g "testssl user" -s /bin/bash -D testssl
RUN ln -s /home/testssl/testssl.sh /usr/local/bin/
USER testssl
WORKDIR /home/testssl/
RUN git clone --depth=1 https://github.com/drwetter/testssl.sh.git .
ENTRYPOINT ["testssl.sh"]
CMD ["--help"]
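Review bot: The `RUN git clone --depth=1 https://github.com/drwetter/testssl.sh.git .` line names no branch, tag or commit, and `FROM alpine:latest` is a floating tag, so two builds of this Dockerfile can produce different scanner code and the image is not tied to the 2.9.5 release this commit imports. Suggest pinning the clone to the release (the README in this same commit shows `--branch 2.9.5`) and pinning the base image to a fixed Alpine version. The separate `apk update && apk upgrade` and `apk add` steps could also be merged into one `RUN` using `apk add --no-cache` so no stale package index is kept in a layer.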
## Usage:
(in git directory):
```
docker build -t mytestssl .
docker run -t mytestssl example.com
```
You can also supply command line options like:
``docker run -t mytestssl -p --header example.com``
Please keep in mind that any output file (--log, --html, --json etc.) will be created
in the container.
You can also pull the image from docker hub, then run:
```
docker run -t drwetter/testssl.sh --pfs example.com
```
Also if you don't provide a user, this docker container uses
a non-root user.
This is an experimental version with Alpine Linux. Don\'t rely on it!
Besides the "latest" branch supported tags are currently "2.9dev" (equal to "latest"), and
"2.9.5" = "stable": ``docker run -t drwetter/testssl.sh:stable example.com``.
......@@ -30,11 +30,10 @@ cryptographic flaws.
You can download testssl.sh by cloning this git repository:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
git clone --depth 1 --branch 2.9.5 https://github.com/drwetter/testssl.sh.git
Or help yourself downloading the ZIP archive
https://github.com/drwetter/testssl.sh/archive/2.9.5.zip. Then ``testssl.sh
--help`` will give you some help upfront. More help: see doc directory. Older
Or help yourself downloading the ZIP archive https://github.com/drwetter/testssl.sh/archive/v2.9.5-1.zip.
Then ``testssl.sh --help`` will give you some help upfront. More help: see doc directory. Older
sample runs are at https://testssl.sh/.
#### Compatibility
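Review bot: The download paths in this hunk do not name the same release: the clone line uses `--branch 2.9.5`, one ZIP URL points at `archive/2.9.5.zip` and the other at `archive/v2.9.5-1.zip`. Please confirm which tag exists upstream and use it consistently for both the clone and the ZIP. Since the instructions go straight from download to running `testssl.sh --help`, a checksum or signature verification step for the archive would be worth documenting here.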
......@@ -59,10 +58,10 @@ usage before taking the next step in the development of this project.
#### Features implemented in 2.9.5
* TLS 1.2 protocol check via socket in production
* Way better coverage of ciphers as most checks are done via sockets, using bash sockets where ever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
* TLS 1.2 protocol check via sockets in production
* Finding more TLS extensions via sockets
* TLS Supported Groups Registry (RFC 7919), key shares extension
* Non-flat JSON output support
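Review bot: The bullet beginning `Testing 359 default ciphers` has two typos, `addtional` and `CHAHA20/POLY1305`; they should read `additional` and `CHACHA20/POLY1305`, and the second matters because readers search the feature list by cipher name. In the bullet above it, `where ever` should be `wherever`.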
......@@ -72,13 +71,13 @@ usage before taking the next step in the development of this project.
* Ticketbleed check
* LOGJAM: now checking also for known DH parameters
* Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning
* Parallel mass testing
* Check for CAA RR
* Check for OCSP must staple
* Check for Certificate Transparency
* Check for session resumption (Ticket, ID)
* Better formatting of output (indentation)
* Choice showing the RFC naming scheme only
* Parallel mass testing
* File input for mass testing can be also in nmap grep(p)able (-oG) format
* Postgres und MySQL STARTTLS support
* Man page
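Review bot: `Postgres und MySQL STARTTLS support` in the last bullets still carries the German `und`; it should be `and`. `Parallel mass testing` also appears twice in this hunk, so please check that the move leaves exactly one entry in the final list.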
......
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "TESTSSL" "1" "August 2017" "" ""
.TH "TESTSSL" "1" "April 2018" "" ""
.
.SH "NAME"
\fBtestssl\fR
......@@ -296,7 +296,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
\fB\-4, \-\-rc4, \-\-appelbaum\fR Checks which RC4 stream ciphers are being offered\.
.
.SS "OUTPUT OPTIONS"
\fB\-\-warnings <batch|off>\fR The warnings parameter determines how testssl\.sh will deal with situations where user input will normally be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for confirmation\. Those are ones which would have a drastic impact on the results\. The same can be achived by setting the environment variable \fBWARNINGS\fR\.
\fB\-\-warnings <batch|off>\fR The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are a couple of options here\. \fBbatch\fR doesn\'t wait for a confirming keypress\. This is automatically being chosen for mass testing (\fB\-\-file\fR)\. \fB\-false\fR just skips the warning AND the confirmation\. Please note that there are conflicts where testssl\.sh will still ask for a confirmation which are the ones which would have a drastic impact on the results\. Almost any other decision will be made as a best guess by testssl\.sh\. The same can be achived by setting the environment variable \fBWARNINGS\fR\.
.
.P
\fB\-\-openssl\-timeout <seconds>\fR This is especially useful for all connects using openssl and practically useful for mass testing\. It avoids the openssl connect to hang for ~2 minutes\. The expected parameter \fB<seconds>\fR instructs testssl\.sh to wait before the openssl connect will be terminated\. The option is only available if your OS has a timeout binary installed\. As there are different implementations of \fBtimeout\fR: It automatically calls the binary with the right parameters\.
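Review bot: In the longer version of the `\-\-warnings` paragraph, `will still ask for a confirmation which are the ones which would have a drastic impact on the results` no longer parses as a sentence; the two-sentence wording in the other version of the paragraph is clearer, and the new best-guess sentence can simply be appended after it. `achived` should be `achieved`. As the file header says this page is generated with Ronn, the fix belongs in the markdown source, followed by a regeneration.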
......
......@@ -204,7 +204,7 @@ If the server provides no matching record in Subject Alternative Name (SAN) but
### OUTPUT OPTIONS
`--warnings <batch|off>` The warnings parameter determines how testssl.sh will deal with situations where user input will normally be necessary. There are a couple of options here. `batch` doesn't wait for a confirming keypress. This is automatically being chosen for mass testing (`--file`). `-false` just skips the warning AND the confirmation. Please note that there are conflicts where testssl.sh will still ask for confirmation. Those are ones which would have a drastic impact on the results.
`--warnings <batch|off>` The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are a couple of options here. `batch` doesn't wait for a confirming keypress. This is automatically being chosen for mass testing (`--file`). `-false` just skips the warning AND the confirmation. Please note that there are conflicts where testssl.sh will still ask for a confirmation which are the ones which would have a drastic impact on the results. Almost any other decision will be made as a best guess by testssl.sh.
The same can be achived by setting the environment variable `WARNINGS`.
`--openssl-timeout <seconds>` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `<seconds>` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters.
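Review bot: The option is declared as `--warnings <batch|off>`, but the description explains `batch` and `-false` and never mentions `off`, so a reader cannot tell which value skips the warning and the confirmation. Replace `-false` with `off` (or correct the synopsis if `false` is the accepted value), and state which values the `WARNINGS` environment variable accepts. `achived` should be `achieved`.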
......