From 18da1b8df5069ada5dede40a4e90f9b0f7d38d81 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Tue, 25 Mar 2025 19:13:30 +0100
Subject: [PATCH] Fix some IPv6 proxy issues As a quick hack this PR enables *basically* the IPv6 proxy which results that testssl.sh will use an IPv6 proxy when * the binary supports that * the binary is used an not tls_sockets() * there's no A record but an AAAA record of the proxy or an IPv6 address as proxy address was specified. The latter should guarantee that it doesn't break anything. However tls_sockets() still uses IPv4 for the connection to the proxy. See #1105
---
testssl.sh | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 6c61a38..0ca9a5b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -21962,17 +21962,23 @@ check_proxy() { # strip off http/https part if supplied: PROXY="${PROXY/http\:\/\//}" PROXY="${PROXY/https\:\/\//}" # this shouldn't be needed + PROXYPORT="${PROXY##*:}" PROXYNODE="${PROXY%:*}" - PROXYPORT="${PROXY#*:}" is_number "$PROXYPORT" || fatal "Proxy port cannot be determined from \"$PROXY\"" $ERR_CMDLINE - #if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then - # IPv6 via openssl -proxy: that doesn't work. Sockets does -#FIXME: finish this with LibreSSL which supports an IPv6 proxy + #FIXME: finish this with IPv6 proxy support, see #1105. if is_ipv4addr "$PROXYNODE"; then PROXYIP="$PROXYNODE" + elif is_ipv6addr "$PROXYNODE"; then + # Maybe an option like --proxy6 is better for purists + PROXYIP="[$PROXYNODE]" else + # We check now preferred whether there was an IPv4 proxy via DNS specified + # If it fails it could be an IPv6 only proxy via DNS or we just can't reach the proxy PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')" + if [[ -z "$PROXYIP" ]]; then + PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')" + fi [[ -z "$PROXYIP" ]] && fatal "Proxy IP cannot be determined from \"$PROXYNODE\"" $ERR_CMDLINE fi PROXY="-proxy $PROXYIP:$PROXYPORT"
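Review bot: The AAAA fallback in the `else` branch leaves PROXYIP as whatever `get_aaaa_record` returns, presumably a bare IPv6 address, so the final `PROXY="-proxy $PROXYIP:$PROXYPORT"` receives an unbracketed `addr:port` in which the port cannot be told apart from the last address group; only the literal branch (`PROXYIP="[$PROXYNODE]"`) adds brackets. Bracket the looked-up value too, e.g. `[[ -n "$PROXYIP" ]] && PROXYIP="[$PROXYIP]"` right after the `get_aaaa_record` assignment inside the new `if`. A proxy given as `[addr]:port` is also worth checking: PROXYNODE then keeps its brackets, and if `is_ipv6addr` rejects that form (not visible here) the value falls through to the DNS lookups, so stripping a leading `[` and trailing `]` from PROXYNODE before the address checks would cover it. If either lookup can return several records, PROXYIP becomes multi-line and the `-proxy` argument is malformed; taking only the first line avoids that. check_proxy() starts and continues outside this hunk.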