From 4603d924be47959a8734b5245ed8a4a1b3fd38df Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 16 Jan 2020 14:29:53 +0100 Subject: [PATCH] Last fine tuning for http basic auth * create roff file and HTML * add hint to $ENV Avoid 1x subshell See #1451. --- doc/testssl.1 | 3 +++ doc/testssl.1.html | 2 ++ doc/testssl.1.md | 2 +- testssl.sh | 2 +- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 5a17d6d6..822fbbd1 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -130,6 +130,9 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won .P \fB\-\-openssl\-timeout \fR This is especially useful for all connects using openssl and practically useful for mass testing\. It avoids the openssl connect to hang for ~2 minutes\. The expected parameter \fBseconds\fR instructs testssl\.sh to wait before the openssl connect will be terminated\. The option is only available if your OS has a timeout binary installed\. As there are different implementations of \fBtimeout\fR: It automatically calls the binary with the right parameters\. OPENSSL_TIMEOUT is the equivalent environment variable\. . +.P +\fB\-\-basicauth \fR This can be set to provide HTTP basic auth credentials which are used during checks for security headers\. BASICAUTH is the ENV variable you can use instead\. +. .SS "SPECIAL INVOCATIONS" \fB\-t , \-\-starttls \fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn\'t offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\. . diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 26cd87fc..56c24d82 100644 --- a/doc/testssl.1.html 
+++ b/doc/testssl.1.html @@ -185,6 +185,8 @@ The same can be achieved by setting the environment variable WARNINGS--openssl-timeout <seconds> This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter seconds instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of timeout: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable.

+

--basicauth <user:pass> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.

+

SPECIAL INVOCATIONS

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc is WIP.

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index ee677f72..d2756b63 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -105,7 +105,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. `--openssl-timeout ` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `seconds` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable. -`--basicauth ` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. +`--basicauth ` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead. ### SPECIAL INVOCATIONS diff --git a/testssl.sh b/testssl.sh index e5adb0b2..b7a8c0ec 100755 --- a/testssl.sh +++ b/testssl.sh @@ -18420,7 +18420,7 @@ determine_service() { ua="$UA_SNEAKY" || \ ua="$UA_STD" if [[ ! -z "$BASICAUTH" ]]; then - basicauth_header="Authorization: Basic $(echo $BASICAUTH | openssl base64) \r\n" + basicauth_header="Authorization: Basic $(openssl base64 <<< $BASICAUTH) \r\n" fi GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n$basicauth_header Accept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n" # returns always 0:
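Review bot: the rewritten basicauth_header line in testssl.sh still encodes a trailing newline, because a here-string terminates its content with "\n" just as `echo` did, so `$(openssl base64 <<< $BASICAUTH)` produces the base64 of `user:pass\n` rather than `user:pass`; a server that compares the decoded credential bytes strictly will reject the login, and the resulting 401 would make the security-header check report on the error page instead of the authenticated resource. `openssl base64` also line-wraps its output at 64 characters, so any credential longer than 48 bytes yields a header value with an embedded newline. Suggest `basicauth_header="Authorization: Basic $(printf '%s' "$BASICAUTH" | openssl base64 -A)\r\n"`: `printf '%s'` emits no newline, `-A` disables wrapping, the variable is quoted, and the stray space before `\r\n` is dropped. That reintroduces the pipe the commit message set out to avoid, but there is no newline-free way to feed openssl from a here-string, and one extra pipe per scan is negligible next to a malformed Authorization header.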
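Review bot: the sentence added to doc/testssl.1.md (and the matching text in doc/testssl.1) tells the user that BASICAUTH can be used instead of the option, but not that it takes the same `user:pass` value the HTML page shows for `--basicauth`, nor that the value is merely base64-encoded rather than protected in any way. Since the option hands a real credential to the tool, the man page should also say that a value passed as `--basicauth` on the command line is visible to other local users via the process list and is kept in shell history, and that the environment variable is the quieter choice. Suggested wording: "BASICAUTH is the ENV variable you can use instead; it takes the same user:pass value. Credentials given on the command line appear in process listings and shell history."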