
Commit f674cde

authored
Merge pull request #2834 from magnuslarsen/3.2
feat: bump ssllabs rating guide to 2009r
2 parents b783fbc + 826adbd commit f674cde

1 file changed

Lines changed: 12 additions & 8 deletions


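--- a/testssl.sh
+++ b/testssl.sh
@@ -2817,6 +2817,7 @@ run_hsts() {
 if ! is_number "$hsts_age_sec"; then
 pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
 fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
+set_grade_warning "HSTS max-age is misconfigured"
 else
 if [[ -n $hsts_age_sec ]]; then
 hsts_age_days=$(( hsts_age_sec / 86400))
@@ -2826,18 +2827,18 @@ run_hsts() {
 if [[ $hsts_age_days -eq -1 ]]; then
 pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing"
 fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing"
-set_grade_cap "A" "HSTS max-age is misconfigured"
+set_grade_warning "HSTS max-age is misconfigured"
 elif [[ $hsts_age_sec -eq 0 ]]; then
 pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
 fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
-set_grade_cap "A" "HSTS is disabled"
+set_grade_warning "HSTS is disabled"
 elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
 pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
 fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
 else
 pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
 fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
-set_grade_cap "A" "HSTS max-age is too short"
+set_grade_warning "HSTS max-age is too short"
 fi
 fi
 if includeSubDomains "$TMPFILE"; then
@@ -2856,7 +2857,6 @@ run_hsts() {
 else
 pr_svrty_low "not offered"
 fileout "$jsonID" "LOW" "not offered"
-set_grade_cap "A" "HSTS is not offered"
 fi
 outln
 
@@ -6068,6 +6068,7 @@ run_protocols() {
 fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
 fi
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 ;;
 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
 detected_version_string="SSLv3"
@@ -6091,16 +6092,19 @@ run_protocols() {
 fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fi
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 ;;
 3) out "not offered "
 fileout "$jsonID" "INFO" "not offered"
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 pr_warning "TLS downgraded to STARTTLS plaintext"; outln
 fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
 ;;
 4) out "likely not offered, " # STARTTLS problem
 fileout "$jsonID" "INFO" "likely not offered"
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
 fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
 ;;
@@ -8070,6 +8074,7 @@ determine_cert_compression() {
 tls_sockets "04" "$TLS13_CIPHER" "all+" "00,1b, 00,$len2, $len1$methods_to_test"
 if [[ $? -ne 0 ]]; then
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 return 1
 fi
 add_proto_offered tls1_3 yes
@@ -18500,8 +18505,6 @@ run_tls_fallback_scsv() {
 pr_svrty_medium "Downgrade attack prevention NOT supported"
 fileout "$jsonID" "MEDIUM" "NOT supported"
 fi
-set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"
-
 elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
 pr_svrty_good "Downgrade attack prevention supported (OK)"
 fileout "$jsonID" "OK" "supported"
@@ -22506,6 +22509,7 @@ determine_optimal_sockets_params() {
 all_failed=false
 else
 add_proto_offered tls1_3 no
+set_grade_warning "TLS 1.3 is not supported"
 KEY_SHARE_EXTN_NR="33"
 fi
 fi
@@ -23673,10 +23677,10 @@ run_rating() {
 # For other than SMTP on port 25 and port 587 and SIEVE (there's no implicit TLS port) you should use implicit TLS as per RFC 8314.
 # Instead of port 587 (STARTTLS) implicit TLS on port 465 should be considered.
 
-pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
+pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
 pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
 outln
-fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
+fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
 fileout "rating_doc" "INFO" "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
 
 # No point in calculating a score, if a cap of "F", "T", or "M" has been set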
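Review bot: The `not offered` branch of run_hsts (old line 2859) loses its `set_grade_cap "A" "HSTS is not offered"` without a replacement, while the three sibling branches in the preceding hunk (max-age misconfigured, disabled, too short) each receive a `set_grade_warning`; as written, a server sending no HSTS header at all gets no rating note while one with a too-short max-age still does, which looks inverted rather than intended. If dropping the cap there is what 2009r prescribes, adding `set_grade_warning "HSTS is not offered"` after the `fileout "$jsonID" "LOW" "not offered"` line keeps the branches consistent, and the same question applies to the cap removed in run_tls_fallback_scsv (old line 18503), which likewise gets no warning. Separately, `set_grade_warning "TLS 1.3 is not supported"` is now pasted after six of the `add_proto_offered tls1_3 no` calls across run_protocols, determine_cert_compression and determine_optimal_sockets_params; emitting it once from add_proto_offered when called with `tls1_3 no`, or deriving it in run_rating from the recorded protocol state, would keep the copies from drifting and, unless set_grade_warning deduplicates (not visible here), avoid the same warning being recorded several times in one scan. All of the enclosing functions start and end outside these hunks.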
