From 44570541c06b158c07833f8570b137f0231c7ddf Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 10 Sep 2018 09:52:59 +0200 Subject: [PATCH] Tell which OpenSSL versions support IPv6 out of the box --- doc/testssl.1 | 4 ++-- doc/testssl.1.html | 4 ++-- doc/testssl.1.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index d76f662..42df27d 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "TESTSSL" "1" "August 2018" "" "" +.TH "TESTSSL" "1" "September 2018" "" "" . .SH "NAME" \fBtestssl\fR @@ -134,7 +134,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri \fB\-\-proxy :\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\. The hostname supplied will be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won\'t be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\. . .P -\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t do checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\. +\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t perform checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1\.1\.0, RHEL\'s, CentOS\', FC\'s and Gentoo\'s OpenSSL version 1\.0\.2\. . .P \fB\-\-ssl\-native\fR instead of using a mixture of bash sockets and openssl s_client connects testssl\.sh uses the latter only\. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support\. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl\.sh internally can tell if one check cannot be performed or will give you inaccurate results\. For e\.g\. single cipher checks (\fB\-\-each\-cipher\fR and \fB\-\-cipher\-per\-proto\fR) you might end up getting false negatives without a warning\. diff --git a/doc/testssl.1.html b/doc/testssl.1.html index bd2ee92..5856d20 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -185,7 +185,7 @@ host.example.com:631

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if IGN_OCSP_PROXY=true has been supplied it will be tried directly.

-

-6 does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. -6 assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add HAS_IPv6 to your shell environment.

+

-6 does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't perform checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. -6 assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0, RHEL's, CentOS', FC's and Gentoo's OpenSSL version 1.0.2.

--ssl-native instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (--each-cipher and --cipher-per-proto) you might end up getting false negatives without a warning.

@@ -571,7 +571,7 @@ to create the hashes for HPKP.
  1. -
  2. August 2018
    3. +
  3. September 2018
  4. testssl(1)
diff --git a/doc/testssl.1.md b/doc/testssl.1.md index d92486a..573ee84 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -108,7 +108,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r `--proxy :` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. -`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment. +`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't perform checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0, RHEL's, CentOS', FC's and Gentoo's OpenSSL version 1.0.2. `--ssl-native` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (`--each-cipher` and `--cipher-per-proto`) you might end up getting false negatives without a warning.