From 127cf95e2266384c505d541a79b727b701f160f6 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Mon, 20 Apr 2020 12:26:33 +0200
Subject: [PATCH] Address rating for STARTTLS tests STARTTLS tests should always give a bad rating because of the missing trust 1) . That's why we don't provide more details as "T". Maybe we decide later to provide an environment variable which still shows this warning but divulges more details. TBC. Documentation is missing for STARTTLS + grades. 1) There might be cases also for STARTTLS where encryption is enforced and e.g. the certificate fingerprint is validated. As this is highly protcol specific we won't test that.
---
 testssl.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/testssl.sh b/testssl.sh
index be47c72..74b03ac 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -20546,6 +20546,14 @@ run_grading() {
 pr_headlineln " Calculating grades (experimental)"
 outln

+ if [[ -n "$STARTTLS_PROTOCOL" ]]; then
+ pr_bold " Grade "; pr_svrty_critical "T"
+ outln " - STARTTLS encryption is opportunistic"
+ outln " (Further details would lead to a false sense of security)"
+ fileout "grade" "CRITICAL" "T, No more details shown as it would lead to a false sense of security"
+ return 0
+ fi
+
 # Sort the reasons. This is just nicer to read in genereal
 IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}"))
 IFS=$'\n' sorted_warnings=($(sort -u <<<"${GRADE_WARNINGS[*]}"))
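Review bot: The `fileout "grade"` line in the new STARTTLS branch puts the explanation into the finding value ("T, No more details shown…"), so JSON/CSV consumers that compare the `grade` finding against a single letter will not match `T`. If the normal path further down writes only the letter under this id (not visible in the hunk), keep the value machine-readable with `fileout "grade" "CRITICAL" "T"` and emit the explanation under a separate finding id. The branch also keys only on `$STARTTLS_PROTOCOL` being non-empty, not on any trust result, which deserves a comment above the `if`, e.g. `# STARTTLS: grade is capped at T because encryption is opportunistic; certificate trust is not evaluated here`. run_grading starts before and continues past this hunk.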