Merge pull request #2721 from testssl/fix_some_ipv6proxy_issues

Fix some ipv6proxy issues

testssl.sh

@@ -22205,20 +22205,42 @@ check_proxy() {
                [[ -z "$PROXY" ]] && PROXY="${http_proxy#*\/\/}"
                [[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" $ERR_CMDLINE
           fi
-          # strip off http/https part if supplied:
+          # strip http/https part if supplied:
           PROXY="${PROXY/http\:\/\//}"
           PROXY="${PROXY/https\:\/\//}"      # this shouldn't be needed
+          PROXYPORT="${PROXY##*:}"
           PROXYNODE="${PROXY%:*}"
-          PROXYPORT="${PROXY#*:}"
+          # strip square brackets in IPv6 notation, but we may enter them later
+          PROXYNODE="${PROXYNODE/\[/}"
+          PROXYNODE="${PROXYNODE/\]/}"
           is_number "$PROXYPORT" || fatal "Proxy port cannot be determined from \"$PROXY\"" $ERR_CMDLINE
 
-          #if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then
-          # IPv6 via openssl -proxy: that doesn't work. Sockets does
-#FIXME: finish this with LibreSSL which supports an IPv6 proxy
           if is_ipv4addr "$PROXYNODE"; then
                PROXYIP="$PROXYNODE"
+          elif is_ipv6addr "$PROXYNODE"; then
+               # Maybe an option like --proxy6 is better for purists
+               if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
+                    PROXYIP="$PROXYNODE"
+               else
+                    # This was tested with vanilla OpenSSL versions
+                    if [[ ${OSSL_VER_MAJOR$}${OSSL_VER_MINOR} -ge 11 ]]; then
+                         PROXYIP="[$PROXYNODE]"
+                    else
+                         fatal_cmd_line "OpenSSL version >= 1.1.0 required for IPv6 proxy support" $ERR_OSSLBIN
+                    fi
+               fi
           else
+               # We check now preferred whether there was an IPv4 proxy via DNS specified
+               # If it fails it could be an IPv6 only proxy via DNS or we just can't reach the proxy
                PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
+               if [[ -z "$PROXYIP" ]]; then
+                    PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
+                    if [[ -n "$PROXYIP" ]]; then
+                         if [[ ${OSSL_VER_MAJOR$}${OSSL_VER_MINOR} -lt 11 ]]; then
+                              fatal_cmd_line "OpenSSL version >= 1.1.0 required for IPv6 proxy support" $ERR_OSSLBIN
+                         fi
+                    fi
+               fi
                [[ -z "$PROXYIP" ]] && fatal "Proxy IP cannot be determined from \"$PROXYNODE\"" $ERR_CMDLINE
           fi
           PROXY="-proxy $PROXYIP:$PROXYPORT"