mirror of
https://github.com/drwetter/testssl.sh.git
synced 2026-02-22 21:03:30 +01:00
2
FAQ.md
@@ -10,6 +10,8 @@ This is a collection of frequently asked questions which should help to answer s
|
|||||||
* There is other bad cryptography though which you can't test this way, e.g. ancient SSL protocols. Modern OS supply OpenSSL binaries which have [SSLv2 and SSLv3 disabled in the source code or at least when compiling](https://docs.openssl.org/3.3/man7/ossl-guide-tls-introduction/#what-is-tls) which you can't re-enable during runtime. You might get a bit further with the by us supplied OpenSSL-bad version like `OPENSSL_CONF='' ./bin/openssl.Linux.x86_64 s_client -connect <host:port>` which has SSLv2 and SSLv3 enabled and much more bad stuff. OTOH it doesn't support TLS 1.3 or modern elliptic curves. As said above this and any deficiency is compensated transparently either by using bash or in some cases by automagically and transparently by switching to the OpenSSL version from the vendor.
|
* There is other bad cryptography though which you can't test this way, e.g. ancient SSL protocols. Modern OS supply OpenSSL binaries which have [SSLv2 and SSLv3 disabled in the source code or at least when compiling](https://docs.openssl.org/3.3/man7/ossl-guide-tls-introduction/#what-is-tls) which you can't re-enable during runtime. You might get a bit further with the by us supplied OpenSSL-bad version like `OPENSSL_CONF='' ./bin/openssl.Linux.x86_64 s_client -connect <host:port>` which has SSLv2 and SSLv3 enabled and much more bad stuff. OTOH it doesn't support TLS 1.3 or modern elliptic curves. As said above this and any deficiency is compensated transparently either by using bash or in some cases by automagically and transparently by switching to the OpenSSL version from the vendor.
|
||||||
* I get inconsistent results from testssl.sh when testing through (Cloudflare|CDN XYZ|OnPrem Loadbalancer).
|
* I get inconsistent results from testssl.sh when testing through (Cloudflare|CDN XYZ|OnPrem Loadbalancer).
|
||||||
* testssl.sh in general is deterministic and provides reproducible results. However the nature of its testing is that it opens a good amount of connections. Thus you might hit rate limits on the server side. Depending on how your testing is performed (terminal or automated) you may or may not see connection errors. If you can't allow-listing your IP you test from you may want to try just to run a restricted test like 'testssl.sh -P' / 'testssl.sh -S' or a series of that.
|
* testssl.sh in general is deterministic and provides reproducible results. However the nature of its testing is that it opens a good amount of connections. Thus you might hit rate limits on the server side. Depending on how your testing is performed (terminal or automated) you may or may not see connection errors. If you can't allow-listing your IP you test from you may want to try just to run a restricted test like 'testssl.sh -P' / 'testssl.sh -S' or a series of that.
|
||||||
|
* I am scanning an IPv6 address or a dual stacked host via the testssl.sh docker image but IPv6 doesn't work.
|
||||||
|
* That is a docker "feature" and is not testssl.sh related: docker doesn't hand out per default IPv6 addresses to the container and maybe routing on the host might need additional configuration, see the [docker documentation](https://docs.docker.com/engine/daemon/ipv6/#use-ipv6-for-the-default-bridge-network).
|
||||||
|
|
||||||
|
|
||||||
#### 2. Rating / Grading
|
#### 2. Rating / Grading
|
||||||
|
|||||||
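Review bot: The new answer for the IPv6/docker question says where the problem lies but not what the reader has to change; the only actionable part is the link, and its anchor covers just the default bridge network. Suggest stating the step in the FAQ entry itself (IPv6 has to be enabled for the container network on the Docker side before a scan from the image can reach an IPv6 target) and keeping the link as the reference. On wording, "doesn't hand out per default IPv6 addresses" reads better as "doesn't assign IPv6 addresses to containers by default", and "maybe routing on the host might need" hedges twice, so "routing on the host may need additional configuration" is enough.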