add opossum to docs

Author: drwetter

doc/testssl.1

@@ -659,6 +659,9 @@ variable \f[CR]CCS_MAX_WAITSOCK\f[R].
 \f[CR]\-T, \-\-ticketbleed\f[R] Checks for Ticketbleed memory leakage in
 BigIP loadbalancers.
 .PP
+\f[CR]\-\-OP, \-\-opossum\f[R] Checks for HTTP to HTTPS upgrade
+vulnerability named Opossum.
+.PP
 \f[CR]\-\-BB, \-\-robot\f[R] Checks for vulnerability to ROBOT /
 (\f[I]Return Of Bleichenbacher\[cq]s Oracle Threat\f[R]) attack.
 .PP
@@ -1312,6 +1315,8 @@ RFC 2246: The TLS Protocol Version 1.0
 .IP \[bu] 2
 RFC 2595: Using TLS with IMAP, POP3 and ACAP
 .IP \[bu] 2
+RFC 2817: Upgrading to TLS Within HTTP/1.1
+.IP \[bu] 2
 RFC 2818: HTTP Over TLS
 .IP \[bu] 2
 RFC 2830: Lightweight Directory Access Protocol (v3): Extension for

doc/testssl.1.html

@@ -590,6 +590,8 @@ <h3 id="vulnerabilities">VULNERABILITIES</h3>
         <code>CCS_MAX_WAITSOCK</code>.</p>
         <p><code>-T, --ticketbleed</code> Checks for Ticketbleed memory
         leakage in BigIP loadbalancers.</p>
+        <p><code>--OP, --opossum</code> Checks for HTTP to HTTPS upgrade
+        vulnerability named Opossum.</p>
         <p><code>--BB, --robot</code> Checks for vulnerability to ROBOT
         / (<em>Return Of Bleichenbacher’s Oracle Threat</em>)
         attack.</p>
@@ -1131,6 +1133,7 @@ <h2 id="rfcs-and-other-standards">RFCs and other standards</h2>
         <ul>
         <li>RFC 2246: The TLS Protocol Version 1.0</li>
         <li>RFC 2595: Using TLS with IMAP, POP3 and ACAP</li>
+        <li>RFC 2817: Upgrading to TLS Within HTTP/1.1</li>
         <li>RFC 2818: HTTP Over TLS</li>
         <li>RFC 2830: Lightweight Directory Access Protocol (v3):
         Extension for Transport Layer Security</li>

doc/testssl.1.md

@@ -236,9 +236,11 @@ Also for multiple server certificates are being checked for as well as for the c
 
 `-T, --ticketbleed`             Checks for Ticketbleed memory leakage in BigIP loadbalancers.
 
-`--BB, --robot`          Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
+`--OP, --opossum`               Checks for HTTP to HTTPS upgrade vulnerability named Opossum.
 
-`--SI, --starttls-injection`          Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
+`--BB, --robot`                 Checks for vulnerability to ROBOT / (*Return Of Bleichenbacher's Oracle Threat*) attack.
+
+`--SI, --starttls-injection`    Checks for STARTTLS injection vulnerabilities (SMTP, IMAP, POP3 only). `socat` and OpenSSL >=1.1.0 is needed.
 
 `-R, --renegotiation`           Tests renegotiation vulnerabilities. Currently there's a check for *Secure Renegotiation* and for *Secure Client-Initiated Renegotiation*. Please be aware that vulnerable servers to the latter can likely be DoSed very easily (HTTP). A check for *Insecure Client-Initiated Renegotiation* is not yet implemented.
 
@@ -490,6 +492,7 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
 
 * RFC 2246: The TLS Protocol Version 1.0
 * RFC 2595: Using TLS with IMAP, POP3 and ACAP
+* RFC 2817: Upgrading to TLS Within HTTP/1.1
 * RFC 2818: HTTP Over TLS
 * RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
 * RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
@@ -551,7 +554,6 @@ Please note that for plain TLS-encrypted ports you must not specify the protocol
 
 **etc/client-simulation.txt**  contains client simulation data.
 
-
 **etc/cipher-mapping.txt**  provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
 
 **etc/tls_data.txt**        provides a mandatory file for ciphers (bash sockets) and key material.