From 8d8b6556a59e90d20d981b51957ab879ba6ec262 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 18 Feb 2026 10:37:31 +0100 Subject: [PATCH] docker + IPv6, incl. host networking --- FAQ.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/FAQ.md b/FAQ.md index a5aab57..b81be27 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -10,6 +10,9 @@ This is a collection of frequently asked questions which should help to answer s * There is other bad cryptography though which you can't test this way, e.g. ancient SSL protocols. Modern OS supply OpenSSL binaries which have [SSLv2 and SSLv3 disabled in the source code or at least when compiling](https://docs.openssl.org/3.3/man7/ossl-guide-tls-introduction/#what-is-tls) which you can't re-enable during runtime. You might get a bit further with the by us supplied OpenSSL-bad version like `OPENSSL_CONF='' ./bin/openssl.Linux.x86_64 s_client -connect ` which has SSLv2 and SSLv3 enabled and much more bad stuff. OTOH it doesn't support TLS 1.3 or modern elliptic curves. As said above this and any deficiency is compensated transparently either by using bash or in some cases by automagically and transparently by switching to the OpenSSL version from the vendor. * I get inconsistent results from testssl.sh when testing through (Cloudflare|CDN XYZ|OnPrem Loadbalancer). * testssl.sh in general is deterministic and provides reproducible results. However the nature of its testing is that it opens a good amount of connections. Thus you might hit rate limits on the server side. Depending on how your testing is performed (terminal or automated) you may or may not see connection errors. If you can't allow-listing your IP you test from you may want to try just to run a restricted test like 'testssl.sh -P' / 'testssl.sh -S' or a series of that. +* I am scanning an IPv6 address or a dual stacked host via the testssl.sh docker image but IPv6 doesn't work. + * That is is not testssl.sh related but a docker "feature": docker on the host doesn't hand out per default IPv6 addresses to the container, also routing on the host might need additional configuration, see the [docker documentation](https://docs.docker.com/engine/daemon/ipv6/#use-ipv6-for-the-default-bridge-network). 
The fastest "fix" is just to use [host networking](https://docs.docker.com/engine/network/drivers/host/) like e.g. ``docker run --rm -ti --net=host drwetter/testssl.sh -6 ipv6.google.com`` + #### 2. Rating / Grading
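Review bot: The added answer line recommends `--net=host` as the fastest "fix" without saying what it changes. With host networking the container shares the host's network stack, so it is no longer network-isolated from the host. Suggest adding a short clause stating that, and naming the IPv6-enabled bridge setup from the linked docker documentation as the route for users who want to keep the isolation. Wording nits in the same added line: "That is is not testssl.sh related" has a doubled "is", and "like e.g." is redundant. The example command is wrapped in double backticks, while the `OPENSSL_CONF='' ./bin/openssl.Linux.x86_64 s_client -connect` example in the context above uses single backticks; single backticks would match the rest of the file.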