Merge pull request #1986 from DimitriPapadopoulos/3.0

Typos found by codespell

Author: drwetter

.github/workflows/codespell.yml

@@ -0,0 +1,13 @@
+---
+name: Codespell
+on: [push, pull_request]
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: codespell-project/actions-codespell@master
+        with:
+          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
+          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,nmake

CHANGELOG.md

@@ -16,7 +16,7 @@
 * Socket timeouts (``--connect-timeout``)
 * IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support
 * Initial support for certificate compression
-* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate
+* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certificate
 * JSON output now valid also for non-responding servers
 * Testing now per default 370 ciphers
 * Further improving the robustness of TLS sockets (sending and parsing)
@@ -61,7 +61,7 @@
 
 * Way better coverage of ciphers as most checks are done via bash sockets where ever possible
 * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
-* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
+* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
 * TLS 1.2 protocol check via sockets in production
 * Finding more TLS extensions via sockets
 * TLS Supported Groups Registry (RFC 7919), key shares extension
@@ -105,7 +105,7 @@
 * Even more compatibility improvements for FreeBSD, NetBSD, Gentoo, RH-ish, F5 and Cisco systems
 * Considerable speed improvements for each cipher runs (-e/-E)
 * More robust SSLv2 + TLS socket interface
-* seperate check for curves
+* separate check for curves
 * OpenSSL 1.1.0 compliant
 * check for DROWN
 * Whole number of bugs squashed
@@ -124,7 +124,7 @@
   * (HTTP) proxy support! Also with sockets -- thx @jnewbigin
   * Extended validation certificate detection
   * Run in default mode through all ciphers at the end of a default run
-  * will test multiple IP adresses of one supplied server name in one shot, --ip= restricts it accordingly
+  * will test multiple IP addresses of one supplied server name in one shot, --ip= restricts it accordingly
   * new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
   * TLS time and HTTP time stamps
   * TLS time displayed also for STARTTLS protocols
@@ -193,10 +193,10 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 - IPv6 display fix
 
 1.111
-- NEW: tested unter FreeBSD (works with exception of xxd in CCS)
+- NEW: tested under FreeBSD (works with exception of xxd in CCS)
 - getent now works under Linux and FreeBSD
 - sed -i in hsts sacrificed for compatibility
-- reomved query for IP for finishing banner, is now called once in parse_hn_port
+- removed query for IP for finishing banner, is now called once in parse_hn_port
 - GOST warning after banner
 - empty build date is not displayed anymore
 - long build date strings minimized
@@ -286,7 +286,7 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 1.91
 - replaced most lcyan to brown (=not really bad but somehow)
 - empty server string better displayed
-- prefered CBC TLS 1.2 cipher is now brown (lucky13)
+- preferred CBC TLS 1.2 cipher is now brown (lucky13)
 
 1.90
 - fix for netweaver banner (server is lowercase)
@@ -295,7 +295,7 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 
 1.89
 - reordered! : protocols + cipher come first
-- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
+- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
 - SSLv3 is now light cyan
 - NEW: -P|--preference now in help menu
 - light cyan is more appropriate than red for HSTS
@@ -330,10 +330,10 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 - headline of -V / PFS+RC4 ciphers unified
 
 1.82
-- NEW: output for -V now better (bits seperate, spacing improved)
+- NEW: output for -V now better (bits separate, spacing improved)
 
 1.81
-- output for RC4+PFS now better (with headline, bits seperate, spacing improved)
+- output for RC4+PFS now better (with headline, bits separate, spacing improved)
 - both also sorted by encr. strength .. umm ..err bits!
 
 1.80
@@ -358,7 +358,7 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 - removed legacy code (PROD_REL var)
 
 1.76
-- bash was gone!! desaster for Ubuntu, fixed
+- bash was gone!! disaster for Ubuntu, fixed
 - starttls+rc4 check: bottom line was wrong
 - starttls had too much output (certificate) at first a/v check
 
@@ -454,7 +454,7 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 * NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid)
 
 1.17
-* SSL tests now for renegotiation vulnerabilty!
+* SSL tests now for renegotiation vulnerability!
 * version detection of testssl.sh
 * program has a banner
 * fixed bug leading to a file named "1"
@@ -480,7 +480,7 @@ Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
 * as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
 
 1.11
-* Hint for howto enable 56 Bit ciphers fpr testing
+* Hint for howto enable 56 Bit ciphers for testing
 * possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
 * warns if netcat is not there
 

Readme.md

@@ -13,7 +13,7 @@ cryptographic flaws.
 * Clear output: you can tell easily whether anything is good or bad.
 * Machine readable output.
 * No installation needed: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin,  WSL work out of the box. Only OpenBSD needs bash. No need to install  or to configure something.  No gems, CPAN, pip or the like.
-* A Dockerfile is provided, there's also an offical container @ dockerhub.
+* A Dockerfile is provided, there's also an official container @ dockerhub.
 * Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
 * Toolbox: Several command line options help you to run *your* test and configure *your* output.
 * Reliability: features are tested thoroughly.
@@ -49,7 +49,7 @@ You can download testssl.sh by cloning this git repository:
 
     git clone --depth 1 https://github.com/drwetter/testssl.sh.git --branch 3.0
 
-For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.5) or the lastest testssl-3.0.X.tar.gz from [https://testssl.sh](https://testssl.sh/) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
+For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.5) or the latest testssl-3.0.X.tar.gz from [https://testssl.sh](https://testssl.sh/) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
 
 #### Docker
 

doc/testssl.1

@@ -122,7 +122,7 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won
 \fB\-\-mode <serial|parallel>\fR\. Mass testing to be done serial (default) or parallel (\fB\-\-parallel\fR is shortcut for the latter, \fB\-\-serial\fR is the opposite option)\. Per default mass testing is being run in serial mode, i\.e\. one line after the other is processed and invoked\. The variable \fBMASS_TESTING_MODE\fR can be defined to be either equal \fBserial\fR or \fBparallel\fR\.
 .
 .P
-\fB\-\-warnings <batch|off>\fR\. The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are two options\. \fBbatch\fR doesn\'t wait for a confirming keypress when a client\- or server\-side probem is encountered\. As of 3\.0 it just then terminates the particular scan\. This is automatically chosen for mass testing (\fB\-\-file\fR)\. \fBoff\fR just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not\. Please note that there are conflicts where testssl\.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results\. Almost any other decision will be made in the future as a best guess by testssl\.sh\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\.
+\fB\-\-warnings <batch|off>\fR\. The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are two options\. \fBbatch\fR doesn\'t wait for a confirming keypress when a client\- or server\-side problem is encountered\. As of 3\.0 it just then terminates the particular scan\. This is automatically chosen for mass testing (\fB\-\-file\fR)\. \fBoff\fR just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not\. Please note that there are conflicts where testssl\.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results\. Almost any other decision will be made in the future as a best guess by testssl\.sh\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\.
 .
 .P
 \fB\-\-connect\-timeout <seconds>\fR This is useful for socket TCP connections to a node\. If the node does not complete a TCP handshake (e\.g\. because it is down or behind a firewall or there\'s an IDS or a tarpit) testssl\.sh may usually hang for around 2 minutes or even much more\. This parameter instructs testssl\.sh to wait at most \fBseconds\fR for the handshake to complete before giving up\. This option only works if your OS has a timeout binary installed\. CONNECT_TIMEOUT is the corresponding environment variable\.
@@ -335,7 +335,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, Expect\-CT,\.\.\. , CSP
 \fB\-g, \-\-grease\fR checks several server implementation bugs like tolerance to size limitations and GREASE, see https://www\.ietf\.org/archive/id/draft\-ietf\-tls\-grease\-01\.txt \. This checks doesn\'t run per default\.
 .
 .SS "VULNERABILITIES"
-\fB\-U, \-\-vulnerable, \-\-vulnerabilities\fR Just tests all (of the following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\.
+\fB\-U, \-\-vulnerable, \-\-vulnerabilities\fR Just tests all (of the following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\.
 .
 .P
 \fB\-H, \-\-heartbleed\fR Checks for Heartbleed, a memory leakage in openssl\. Unless the server side doesn\'t support the heartbeat extension it is likely that this check runs into a timeout\. The seconds to wait for a reply can be adjusted with \fBHEARTBLEED_MAX_WAITSOCK\fR\. 8 is the default\.
@@ -622,7 +622,7 @@ MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connect
 MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\.
 .
 .IP "\(bu" 4
-MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can incerase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
+MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can increase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
 .
 .IP "" 0
 .