Scan policy explained wrt IPv4/v6 addresses

This commit is contained in:
Dirk Wetter
2025-07-20 18:24:17 +02:00
parent a05e697fd1
commit 1fff5226af
3 changed files with 20 additions and 2 deletions


@ -92,6 +92,15 @@ testing each of 370 preconfigured ciphers
client simulation client simulation
.IP "10)" 4 .IP "10)" 4
rating rating
.PP
If a target FQDN has multiple IPv4 and/or multiple IPv6 addresses, it
scans all IPs with the specified options or using the default run -
unless specified otherwise, see \f[V]--ip\f[R], \f[V]-4\f[R] and
\f[V]-6\f[R].
IPv6 connectivity is automagically checked.
If there\[cq]s noch such thing you will see a banner \f[I]Testing all
\f[BI]IPv4\f[I] addresses\f[R] and all IPv6 addresses will appear in
round brackets.
.SS OPTIONS AND PARAMETERS .SS OPTIONS AND PARAMETERS
.PP .PP
Options are either short or long options. Options are either short or long options.
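Review bot: the added sentence "If there\[cq]s noch such thing" contains a typo ("noch" should be "no"), and "such thing" has no clear referent. Naming it would help, for example "If there is no IPv6 connectivity, you will see a banner ...". The paragraph should also say whether the IPv6 addresses shown in round brackets are skipped in that case, since its first sentence states that all IPs are scanned.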


@ -99,6 +99,14 @@
<li><p>client simulation</p></li> <li><p>client simulation</p></li>
<li><p>rating</p></li> <li><p>rating</p></li>
</ol> </ol>
<p>If a target FQDN has multiple IPv4 and/or multiple IPv6
addresses, it scans all IPs with the specified options or using
the default run - unless specified otherwise, see
<code>--ip</code>, <code>-4</code> and <code>-6</code>. IPv6
connectivity is automagically checked. If theres noch such
thing you will see a banner <em>Testing all
<strong>IPv4</strong> addresses</em> and all IPv6 addresses will
appear in round brackets.</p>
<h2 id="options-and-parameters">OPTIONS AND PARAMETERS</h2> <h2 id="options-and-parameters">OPTIONS AND PARAMETERS</h2>
<p>Options are either short or long options. Any long or short <p>Options are either short or long options. Any long or short
option requiring a value can be called with or without an equal option requiring a value can be called with or without an equal
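Review bot: "theres" in the added paragraph is missing its apostrophe, whereas the man page hunk has "there\[cq]s" and the Markdown hunk has "there's", so the three copies of this text already differ. If the HTML and roff files are generated from the Markdown, correct the wording there (including "noch") and regenerate both rather than editing each copy.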


@ -58,6 +58,7 @@ linked OpenSSL binaries for major operating systems are supplied in `./bin/`.
10) rating 10) rating
If a target FQDN has multiple IPv4 and/or multiple IPv6 addresses, it scans all IPs with the specified options or using the default run - unless specified otherwise, see `--ip`, `-4` and `-6`. IPv6 connectivity is automagically checked. If there's noch such thing you will see a banner *Testing all **IPv4** addresses* and all IPv6 addresses will appear in round brackets.
## OPTIONS AND PARAMETERS ## OPTIONS AND PARAMETERS
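Review bot: "it scans all IPs" in the new paragraph has nothing to refer back to, because the preceding text is the numbered list ending in "10) rating". Name the tool as the subject. The clause "or using the default run - unless specified otherwise" is also ambiguous about what "unless specified otherwise" qualifies. Splitting it into two sentences would make this clearer: one stating that all resolved addresses are scanned, and one listing `--ip`, `-4` and `-6` as the ways to narrow that.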
@ -124,7 +125,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other. `--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records. `--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The `--ip` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Any hostname supplied will be resolved to the first A record, if it does not exist the AAAA record is used. IPv4 and IPv6 addresses can be passed too, the latter *also* with square bracket notation. Please note that you need a newer OpenSSL or LibreSSL version for IPv6 proxy functionality. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported, also no HTTPS or SOCKS proxy. `--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Any hostname supplied will be resolved to the first A record, if it does not exist the AAAA record is used. IPv4 and IPv6 addresses can be passed too, the latter *also* with square bracket notation. Please note that you need a newer OpenSSL or LibreSSL version for IPv6 proxy functionality. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported, also no HTTPS or SOCKS proxy.
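Review bot: the only change in the `--ip <ip>` line is the markup fix from ``--ip`` to `--ip`, which is fine but is not mentioned in the commit message. Since the line is being touched anyway, the `--ip=one` description ("just test the first A record DNS returns") could refer back to the new scan policy paragraph, because this is the option that narrows a multi-address target to a single IP.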