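#!/bin/bash
# TLS/SSL configuration tests
#
# Probes the configured target for legacy protocol versions, weak cipher
# suites and the presence of common security response headers, and records
# the results in "$OUT/tls/summary.txt".
#
# Reads:  TARGET and OUT, both expected to come from ../config.sh
# Writes: "$OUT/tls/summary.txt" (truncated at the start of every run)
#
# NOTE: every curl call uses -k, so certificate validity (chain, hostname,
# expiry) is NOT covered by this script; only protocol/cipher negotiation
# and response headers are.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../config.sh" || exit 1

# Fail early instead of writing to "/tls" or probing an empty URL when the
# config did not provide these values.
: "${OUT:?OUT must be set by config.sh}"
: "${TARGET:?TARGET must be set by config.sh}"

OUT="$OUT/tls"
mkdir -p "$OUT" || exit 1
SUMMARY="$OUT/summary.txt"

# host:port used by the openssl checks. It is hard-coded independently of
# TARGET; confirm both refer to the same server before trusting the results.
TLS_ENDPOINT='pqcrypta.com:443'

# Print the arguments to stdout and append them to the summary file.
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Request "$TARGET/" with the given curl TLS version flags and log the result.
# Arguments: $1 - curl flag string, e.g. '--tls-max 1.0' (also used as label)
#            $2 - optional text appended to the log line
# Outputs:   one summary line with the HTTP status and curl's exit status
#######################################
probe_version() {
  local label=$1 note=${2:-}
  local -a flags
  local resp rc
  # Split the flag string into words explicitly rather than relying on an
  # unquoted expansion (which would also glob).
  read -r -a flags <<<"$label"
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
    "${flags[@]}" "$TARGET/" 2>&1)
  rc=$?
  # A status of 000 only means "no HTTP response". The exit status tells the
  # cases apart: 35 is a TLS handshake failure, whereas 6/7/28 (DNS, connect,
  # timeout) say nothing about the server's TLS policy. A local TLS library
  # that refuses old versions also yields 000 without the server being asked.
  log "[${resp}] TLS: ${label}${note} (curl exit ${rc})"
}

#######################################
# Offer a single weak cipher class to TLS_ENDPOINT and log what openssl says.
# Arguments: $1 - OpenSSL cipher string, e.g. 'NULL' or 'RC4'
#            $2 - message logged when openssl printed no matching line
# Outputs:   up to five matching openssl lines, or the fallback message
#######################################
check_cipher() {
  local cipher=$1 fallback=$2
  local out
  # -cipher only restricts TLS 1.2 and older; TLS 1.3 suites are configured
  # separately, so without -tls1_2 a TLS 1.3 handshake would succeed with a
  # strong suite and make the check meaningless.
  # stdin comes from /dev/null so s_client exits after the handshake instead
  # of waiting for input; stderr is merged because errors are reported there.
  # Many OpenSSL builds no longer ship NULL/RC4 at all: a local
  # "no cipher match" error means the client could not offer the cipher,
  # not that the server rejected it.
  out=$(openssl s_client -connect "$TLS_ENDPOINT" -tls1_2 -cipher "$cipher" \
    </dev/null 2>&1 | grep -E 'Cipher|error|DONE' | head -5)
  # Decide on the captured text: the pipeline's own exit status is that of
  # its last stage and would never trigger the fallback.
  if [[ -n "$out" ]]; then
    log "$out"
  else
    log "$fallback"
  fi
}

echo '=== TLS/SSL TESTS ===' | tee "$SUMMARY"

# Old TLS versions — 1.0/1.1 should be rejected at handshake (000 = EXPECTED/PASS)
log '--- Old TLS Versions ---'
for ver in '--tls-max 1.0' '--tls-max 1.1'; do
  probe_version "$ver" ' (EXPECTED 000 — server rejects TLS<1.2 at handshake)'
done

# --tlsv1.2 / --tlsv1.3 set a MINIMUM version, so the --tlsv1.2 probe may
# still negotiate TLS 1.3 when the server supports it.
for ver in '--tlsv1.2' '--tlsv1.3'; do
  probe_version "$ver"
done

# Cipher suite check
log ''
log '--- Cipher Suites ---'
check_cipher 'NULL' 'openssl NULL cipher rejected'
check_cipher 'RC4' 'openssl RC4 cipher test done'

# Check security headers (presence only; header values are not evaluated)
log ''
log '--- Security Headers Check ---'
headers=$(curl -sk -I --max-time 10 "$TARGET/" \
  | grep -iE 'strict-transport|x-frame|x-content-type|content-security|x-xss|permissions-policy|referrer-policy')
if [[ -n "$headers" ]]; then
  log "$headers"
else
  # Make an empty result visible instead of leaving the section blank.
  log '(no matching security headers returned, or the request failed)'
fi

cat "$SUMMARY"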