From 5837e82c85d83f11eb3e2db68dd0dbfea336ed68 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 16 Aug 2018 12:03:56 +0200
Subject: [PATCH] Supplying of both -6 and --ip=one results in picking an IPv6 address

... previously it depended on the order of DNS replies otherwise. This was one outcome of discussion in #1026 where it seemed more logical to pick an IPv6 address as opposed to an abitrary (v4/v6) address.
---
 doc/testssl.1 | 4 ++--
 doc/testssl.1.html | 4 ++--
 doc/testssl.1.md | 2 +-
 testssl.sh | 17 ++++++++++-------
 4 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/doc/testssl.1 b/doc/testssl.1
index 7262870..532b90b 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "TESTSSL" "1" "June 2018" "" ""
+.TH "TESTSSL" "1" "August 2018" "" ""
 .
 .SH "NAME"
 \fBtestssl\fR
@@ -128,7 +128,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
 \fB\-\-mx \fR tests all MX records (STARTTLS, port 25) from high to low priority one after the other\.
 .
 .P
-\fB\-\-ip \fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB\fR\. IPv6 addresses needs to be in square brackets\. \fB\-\-ip=one\fR means: just test the first DNS returns (useful for multiple IPs)\. It\'s also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\.
+\fB\-\-ip \fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB\fR\. IPv6 addresses needs to be in square brackets\. \fB\-\-ip=one\fR means: just test the first DNS returns (useful for multiple IPs)\. If \fB\-6\fR was supplied too, an IPv6 address is being picked if available and supported by the openssl binary\. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\.
 .
 .P
 \fB\-\-proxy :\fR does the whole check via the specified HTTP proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible\. The hostname supplied will only be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\.
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index dbba727..1ee87d5 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -181,7 +181,7 @@ host.example.com:631

--mx <domain|host> tests all MX records (STARTTLS, port 25) from high to low priority one after the other.

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses needs to be in square brackets. - --ip=one means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

+ --ip=one means: just test the first DNS returns (useful for multiple IPs). If -6 was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

--proxy <host>:<port> does the whole check via the specified HTTP proxy. --proxy=auto inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify DNS_VIA_PROXY=true.

@@ -571,7 +571,7 @@ to create the hashes for HPKP.
  1. -
  2. June 2018
  3. +
  4. August 2018
  5. testssl(1)
diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 7a68587..14c3367 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -104,7 +104,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
 `--mx ` tests all MX records (STARTTLS, port 25) from high to low priority one after the other.
 `--ip ` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in ``. IPv6 addresses needs to be in square brackets.
- `--ip=one` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy.
+ `--ip=one` means: just test the first DNS returns (useful for multiple IPs). If `-6` was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy.
 `--proxy :` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`.
diff --git a/testssl.sh b/testssl.sh
index b39686b..2fee393 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -16023,9 +16023,12 @@ determine_ip_addresses() {
 if [[ -n "$CMDLINE_IP" ]]; then
 # command line has supplied an IP address or "one"
 if [[ "$CMDLINE_IP" == one ]]; then
- # use first IPv4 or IPv6 address
- CMDLINE_IP="$(head -1 <<< "$ip4")"
- [[ -z "$CMDLINE_IP" ]] && CMDLINE_IP="$(head -1 <<< "$ip6")"
+ # use first IPv6 or IPv4 address
+ if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
+ CMDLINE_IP="$(head -1 <<< "$ip6")"
+ else
+ CMDLINE_IP="$(head -1 <<< "$ip4")"
+ fi
 fi
 NODEIP="$CMDLINE_IP"
 if is_ipv4addr "$NODEIP"; then
@@ -16382,14 +16385,14 @@ display_rdns_etc() {
 outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)"
 fi
 if "$LOCAL_A"; then
- outln " A record via $CORRECT_SPACES /etc/hosts "
+ outln " A record via: $CORRECT_SPACES /etc/hosts "
 elif "$LOCAL_AAAA"; then
- outln " AAAA record via $CORRECT_SPACES /etc/hosts "
+ outln " AAAA record via: $CORRECT_SPACES /etc/hosts "
 elif [[ -n "$CMDLINE_IP" ]]; then
 if is_ipv6addr $"$CMDLINE_IP"; then
- outln " AAAA record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
+ outln " AAAA record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
 else
- outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
+ outln " A record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
 fi
 fi
 if [[ "$rDNS" =~ instructed ]]; then
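Review bot: The new `if "$HAS_IPv6" && [[ -n "$ip6" ]]` branch loses the fallback the removed lines had: when IPv6 is not usable but the name resolves only to AAAA records, `$ip4` is empty, `head -1 <<< ""` yields an empty string, and `CMDLINE_IP`/`NODEIP` become "" where the old code still picked the first IPv6 address. What an empty `NODEIP` does next is decided outside this hunk (`determine_ip_addresses` starts before and continues after it), so at best the user gets an unclear failure instead of a deliberate one. I would keep the old fallback so the IPv6-only case reaches the same downstream handling as before: `elif [[ -n "$ip4" ]]; then CMDLINE_IP="$(head -1 <<< "$ip4")"; else CMDLINE_IP="$(head -1 <<< "$ip6")"; fi`, or abort here with an explicit message. The commit title keys the behaviour on `-6` while the code keys on `$HAS_IPv6`, which the man-page text describes as openssl support; presumably `-6` sets `HAS_IPv6`, but the hunk does not show that, so a comment such as `# HAS_IPv6 is true when -6 was given or IPv6 support was detected` would make the coupling visible.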
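Review bot: The context line `if is_ipv6addr $"$CMDLINE_IP"; then` directly above the changed `outln` calls uses `$"…"`, bash's locale-translation quoting, where an ordinary double-quoted expansion is meant; it is harmless as long as no message catalog matches the string, but it is a stray token worth dropping while these lines are being edited: `if is_ipv6addr "$CMDLINE_IP"; then`. The changed lines themselves only add a colon to the four labels; `display_rdns_etc` starts before and continues after this hunk.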