20 changes: 12 additions & 8 deletions testssl.sh
Expand Up @@ -2817,6 +2817,7 @@ run_hsts() {
if ! is_number "$hsts_age_sec"; then
pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
set_grade_warning "HSTS max-age is misconfigured"
else
if [[ -n $hsts_age_sec ]]; then
hsts_age_days=$(( hsts_age_sec / 86400))
Expand All @@ -2826,18 +2827,18 @@ run_hsts() {
if [[ $hsts_age_days -eq -1 ]]; then
pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing"
set_grade_cap "A" "HSTS max-age is misconfigured"
set_grade_warning "HSTS max-age is misconfigured"
elif [[ $hsts_age_sec -eq 0 ]]; then
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
set_grade_cap "A" "HSTS is disabled"
set_grade_warning "HSTS is disabled"
elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
else
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
set_grade_cap "A" "HSTS max-age is too short"
set_grade_warning "HSTS max-age is too short"
fi
fi
if includeSubDomains "$TMPFILE"; then
Expand All @@ -2856,7 +2857,6 @@ run_hsts() {
else
pr_svrty_low "not offered"
fileout "$jsonID" "LOW" "not offered"
set_grade_cap "A" "HSTS is not offered"
fi
outln

Expand Down Expand Up @@ -6068,6 +6068,7 @@ run_protocols() {
fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
fi
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
;;
2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
detected_version_string="SSLv3"
Expand All @@ -6091,16 +6092,19 @@ run_protocols() {
fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
fi
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
;;
3) out "not offered "
fileout "$jsonID" "INFO" "not offered"
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
pr_warning "TLS downgraded to STARTTLS plaintext"; outln
fileout "$jsonID" "WARN" "TLS downgraded to STARTTLS plaintext"
;;
4) out "likely not offered, " # STARTTLS problem
fileout "$jsonID" "INFO" "likely not offered"
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
pr_warning "received 4xx/5xx after STARTTLS handshake"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "received 4xx/5xx after STARTTLS handshake${debug_recomm}"
;;
Expand Down Expand Up @@ -8070,6 +8074,7 @@ determine_cert_compression() {
tls_sockets "04" "$TLS13_CIPHER" "all+" "00,1b, 00,$len2, $len1$methods_to_test"
if [[ $? -ne 0 ]]; then
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
return 1
fi
add_proto_offered tls1_3 yes
Expand Down Expand Up @@ -18500,8 +18505,6 @@ run_tls_fallback_scsv() {
pr_svrty_medium "Downgrade attack prevention NOT supported"
fileout "$jsonID" "MEDIUM" "NOT supported"
fi
set_grade_cap "A" "Does not support TLS_FALLBACK_SCSV"

elif grep -qa "alert inappropriate fallback" "$TMPFILE"; then
pr_svrty_good "Downgrade attack prevention supported (OK)"
fileout "$jsonID" "OK" "supported"
Expand Down Expand Up @@ -22506,6 +22509,7 @@ determine_optimal_sockets_params() {
all_failed=false
else
add_proto_offered tls1_3 no
set_grade_warning "TLS 1.3 is not supported"
KEY_SHARE_EXTN_NR="33"
fi
fi
Expand Down Expand Up @@ -23673,10 +23677,10 @@ run_rating() {
# For other than SMTP on port 25 and port 587 and SIEVE (there's no implicit TLS port) you should use implicit TLS as per RFC 8314.
# Instead of port 587 (STARTTLS) implicit TLS on port 465 should be considered.

pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
outln
fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)"
fileout "rating_doc" "INFO" "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"

# No point in calculating a score, if a cap of "F", "T", or "M" has been set
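Review bot: The same `set_grade_warning "TLS 1.3 is not supported"` line is added after every `add_proto_offered tls1_3 no` call (run_protocols cases 1–4, determine_cert_compression, determine_optimal_sockets_params), which leaves the rating rule scattered over six call sites and easy to miss at the next one. It would be more robust to emit it once where the protocol state is recorded, e.g. inside add_proto_offered with `[[ $1 == tls1_3 && $2 == no ]] && set_grade_warning "TLS 1.3 is not supported"`, or to derive it in run_rating from the stored protocol result. In run_protocols cases 3 and 4 the output is "not offered"/"likely not offered" because of a STARTTLS problem, so the definitive warning there penalises a server whose TLS 1.3 support was never actually determined; if that is intended, a short comment at those two sites would help. Whether set_grade_warning deduplicates identical messages is not visible here; if it does not, a host that passes through determine_optimal_sockets_params and run_protocols will carry the warning twice. All enclosing functions begin and end outside the shown hunks.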