From 165c83a933deb83951d068623f3a07a97b498d79 Mon Sep 17 00:00:00 2001
From: Magnus Larsen <magnusfynbo@hotmail.com>
Date: Tue, 11 Nov 2025 19:20:58 +0100
Subject: [PATCH] feat: --grade-only flag to only test checks required for
 rating

---
 testssl.sh | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 7b441b645..67c422a39 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -21260,6 +21260,7 @@ single check as <options>  ("$PROG_NAME URI" does everything except -E and -g):
      -J, --logjam                  tests for LOGJAM vulnerability
      -D, --drown                   tests for DROWN vulnerability
      -4, --rc4, --appelbaum        which RC4 ciphers are being offered?
+     --grade-only                  test only the checks required for rating
 
 tuning / connect options (most also can be preset via environment variables):
      -9, --full                    includes tests for implementation bugs and cipher per protocol (could disappear)
@@ -21293,7 +21294,7 @@ output options (can also be preset via environment variables):
      --color <0|1|2|3>             0: no escape or other codes,  1: b/w escape codes,  2: color (default), 3: extra color (color all ciphers)
      --colorblind                  swap green and blue in the output
      --debug <0-6>                 1: screen output normal but keeps debug output in /tmp/.  2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
-     --disable-rating              Explicitly disables the rating output
+     --disable-rating              explicitly disables the rating output
 
 file output options (can also be preset via environment variables)
      --log, --logging              logs stdout to '\${NODE}-p\${port}\${YYYYMMDD-HHMM}.log' in current working directory (cwd)
@@ -24734,6 +24735,27 @@ parse_cmd_line() {
                     [[ $? -eq 0 ]] && shift
                     REQHEADERS+=("$REQHEADER")
                     ;;
+               --grade[-_]only)
+                    # See set_rating_state() for required variables
+                    do_protocols=true
+                    do_cipherlists=true
+                    do_fs=true
+                    do_server_defaults=true
+                    do_header=true
+                    do_heartbleed=true
+                    do_ccs_injection=true
+                    do_ticketbleed=true
+                    do_robot=true
+                    do_renego=true
+                    do_crime=true
+                    do_ssl_poodle=true
+                    do_tls_fallback_scsv=true
+                    do_drown=true
+                    do_beast=true
+                    do_rc4=true
+                    do_logjam=true
+                    do_allciphers=true
+                    ;;
                (--) shift
                     break
                     ;;