From f9edaa7fe1465d0fd099d28f7fe17bdeb82c37e0 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 7 Sep 2024 15:51:12 +0200
Subject: [PATCH] Phrasing of STARTTLS grading improved ... a a comment added in the desciption. Unfortunately I couldn't get the line wrapping working.
---
 testssl.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index cc824a8..35a45de 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -22912,7 +22912,15 @@ run_rating() {
 pr_headlineln " Rating (experimental) "
 outln
- [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "Encryption via STARTTLS is not mandatory (opportunistic)."
+ [[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured clientside"
+
+ # TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up.
+
+ # Explanation: For other than SMTP you should use TLS as per RFC 8314 . For SMTP however there's this thing named reality: A mail server cannot
+ # just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186).
+ # For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks
+ # the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too.
+ # But as said, it's useless unless the client MTA checks all that which no tool can check.
 pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
 pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
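Review bot: The new user-facing grade-cap reason "STARTTLS can only be secured clientside" is less precise than the text it replaces and is contradicted two comment lines later, where DANE/TLSA and MTA-STS are named as server-side measures; it also drops the established term "opportunistic" and the trailing full stop the old message had. I would phrase the reason as `set_grade_cap "T" "STARTTLS is opportunistic: the server cannot enforce encryption, only the client can (certificate validation, DANE/TLSA, MTA-STS)."` so the reason itself tells the operator what would lift the cap. The explanation block would read better placed directly above the `[[ -n "$STARTTLS_PROTOCOL" ]]` line it justifies, and the sentence "which no tool can check" is presumably meant as "no tool can verify what the remote client MTA enforces" — as written it suggests testssl.sh cannot even check whether TLSA or MTA-STS records are published, which is a server-side property. run_rating continues outside this hunk.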
@@ -22965,7 +22973,7 @@ run_rating() {
 c1_worst=80
 elif [[ $(has_server_protocol "tls1") -eq 0 ]]; then
 c1_worst=90
- elif [[ $(has_server_protocol "tls1_1") -eq 0 ]]; then
+ elif [[ $(as_server_protocol "tls1_1") -eq 0 ]]; then
 c1_worst=95
 else # TLS1.2 and TLS1.3 both give 100 points
 c1_worst=100
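Review bot: The added line renames the call to `as_server_protocol`, which is not a function defined anywhere visible and looks like an accidental keystroke unrelated to the STARTTLS wording this commit is about; the sibling `elif` two lines up still calls `has_server_protocol`. At runtime the command substitution prints "command not found" to stderr and expands to an empty string, and bash treats an empty operand of `-eq` as 0, so this branch becomes true for every host that reaches it and `c1_worst=95` replaces the 100 that the TLS 1.2/1.3-only `else` branch should yield, silently lowering the rating. Restore `elif [[ $(has_server_protocol "tls1_1") -eq 0 ]]; then`. The surrounding if/elif chain and run_rating itself begin and end outside this hunk.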