From d19675136aed0354469d1e79feca7e8235160c66 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 28 Aug 2023 15:53:02 +0200
Subject: [PATCH 1/2] Deprecating $FAST / --fast
As this option shows inconsistencies / wrong results and a fix would require too much work at this moment this option is being hidden from the help. It wasn't in the ~/doc . See #849 , #2382, #1732 etc.
---
 testssl.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index f21951c..9534f93 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -20343,7 +20343,6 @@ single check as ("$PROG_NAME URI" does everything except -E and -g):
 -4, --rc4, --appelbaum which RC4 ciphers are being offered?
 tuning / connect options (most also can be preset via environment variables):
- --fast omits some checks: using openssl for all ciphers (-e), show only first preferred cipher.
 -9, --full includes tests for implementation bugs and cipher per protocol (could disappear)
 --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
 --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
From 0fcddff1cd473b8039bc7e12e3c1af26f2255776 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 28 Aug 2023 16:08:04 +0200
Subject: [PATCH 2/2] Warn when using --fast ... in the terminal only for now.
---
 testssl.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/testssl.sh b/testssl.sh
index 9534f93..854f6da 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -23718,6 +23718,8 @@ parse_cmd_line() {
 grep -q 'BEGIN CERTIFICATE' "$fname" || fatal "\"$fname\" is not CA file in PEM format" $ERR_RESOURCE
 done
+ "$FAST" && pr_warning "\n'--fast' can have some undesired side effects thus it is not recommended to use anymore\n"
+
 if "$do_starttls_injection" && [[ "$STARTTLS_PROTOCOL" =~ smtp ]]; then
 ((VULN_COUNT++))
 fi
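Review bot: The warning added in the second patch's `parse_cmd_line()` hunk understates the problem: the first commit message says `--fast` shows "inconsistencies / wrong results", but the text only mentions "undesired side effects", so someone relying on the scan may not realise findings can be wrong or missing. I would say so directly, e.g. `"$FAST" && pr_warning "\n'--fast' is deprecated: it can produce inconsistent or wrong results\n"`. Separately, `"$FAST" && …` runs the variable's value as a command. If FAST can be preset from the environment (the help header says most tuning options can) and is not normalised to true/false before this point, which is not visible here, `[[ "$FAST" == true ]] && pr_warning …` avoids executing an unexpected value. The body of `parse_cmd_line()` starts and ends outside the hunk.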