Skip to content

Commit 69bdbeb

Browse files
committed
feat(rating): line-wrapping comments for grade_cap_reasons
1 parent 92bc6d4 commit 69bdbeb

File tree

1 file changed

+14
-9
lines changed

1 file changed

+14
-9
lines changed

testssl.sh

+14-9
Original file line numberDiff line numberDiff line change
@@ -22933,15 +22933,20 @@ run_rating() {
2293322933
pr_headlineln " Rating (experimental) "
2293422934
outln
2293522935

22936-
[[ -n "$STARTTLS_PROTOCOL" ]] && set_grade_cap "T" "STARTTLS encryption is not mandatory for clients. STARTTLS can only be secured client-side"
2293722936

22938-
# TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up.
22937+
if [[ -n "$STARTTLS_PROTOCOL" ]]; then
22938+
read -r -d '' grade_cap_reason <<'EOF'
22939+
TL;DR: E-mail transfer via port 25 is broken and the amendments suggested so far are duct tape. So please do not expect testssl.sh to shut up.
2293922940

22940-
# Explanation: For other than SMTP you should use TLS as per RFC 8314 . For SMTP however there's this thing named reality: A mail server cannot
22941-
# just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186).
22942-
# For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks
22943-
# the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too.
22944-
# But as said, it's useless unless the client MTA checks all that which no tool can check.
22941+
Explanation: For other than SMTP you should use TLS as per RFC 8314. For SMTP however there's this thing named reality: A mail server cannot
22942+
just switch to the mail submission port 587 only and continue to receive mail from everyone. Even if you advertise this via SRV record (RFC 6186).
22943+
For STARTTLS there's no way to tell for testssl.sh whether it is secure. A MitM can always intercept the connection, unless the client checks
22944+
the certificate accordingly (it's getting better but some just don't). TLSA Records/DANE and MTA-STS (RFC-8461) on the server side can help too.
22945+
But as said, it's useless unless the client MTA checks all that which no tool can check.
22946+
EOF
22947+
# We can't use newlines in the message, as the grade-sorting function will mess up the reason
22948+
set_grade_cap "T" "$(tr '\n' ' ' <<<$grade_cap_reason)"
22949+
fi
2294522950

2294622951
pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
2294722952
pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
@@ -23127,9 +23132,9 @@ run_rating() {
2312723132
# Pretty print - again, it's just nicer to read
2312823133
for reason in "${sorted_reasons[@]}"; do
2312923134
if [[ $reason_nr -eq 0 ]]; then
23130-
pr_bold " Grade cap reasons "; outln "$reason"
23135+
pr_bold " Grade cap reasons "; out_row_aligned_max_width "$reason\n" ' ' $TERM_WIDTH
2313123136
else
23132-
outln " $reason"
23137+
out_row_aligned_max_width " $reason\n" ' ' $TERM_WIDTH
2313323138
fi
2313423139
((reason_nr++))
2313523140
fileout "grade_cap_reason_${reason_nr}" "INFO" "$reason"

0 commit comments

Comments
 (0)