Default to dual stack if both A/AAAA records are available.
Test IPv6 by default if only AAAA records are discovered via DNS rather than failing. Allow IPv6-only testing via the -only6 flag and IPv4-only testing via the -only4 flag.
This commit is contained in:
parent
56dcbcdc15
commit
603ae899b2
66
testssl.sh
66
testssl.sh
@ -183,7 +183,8 @@ FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefi
|
|||||||
APPEND=${APPEND:-false} # append to csv/json/html/log file
|
APPEND=${APPEND:-false} # append to csv/json/html/log file
|
||||||
OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
|
OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
|
||||||
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
|
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
HAS_IPv6=${HAS_IPv6:-true} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
|
HAS_IPv4=${HAS_IPv4:-true} # if IPv4 networking is present, set to false eg on NAT64 or IPv6-only networks
|
||||||
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
|
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
|
||||||
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
|
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
|
||||||
ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
|
ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
|
||||||
@ -19417,7 +19418,8 @@ tuning / connect options (most also can be preset via environment variables):
|
|||||||
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
||||||
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
|
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
|
||||||
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
|
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
|
||||||
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
-only6 only test IPv6, even if IPv4 is also present
|
||||||
|
-only4 only test IPv4, even if IPv6 is also present
|
||||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||||
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
|
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
|
||||||
@ -19526,6 +19528,7 @@ HAS_CURVES: $HAS_CURVES
|
|||||||
OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES
|
OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES
|
||||||
|
|
||||||
HAS_IPv6: $HAS_IPv6
|
HAS_IPv6: $HAS_IPv6
|
||||||
|
HAS_IPv4: $HAS_IPv4
|
||||||
HAS_SSL2: $HAS_SSL2
|
HAS_SSL2: $HAS_SSL2
|
||||||
HAS_SSL3: $HAS_SSL3
|
HAS_SSL3: $HAS_SSL3
|
||||||
HAS_TLS13: $HAS_TLS13
|
HAS_TLS13: $HAS_TLS13
|
||||||
@ -20308,29 +20311,36 @@ determine_ip_addresses() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# IPv6 only address
|
# construct IPADDRs
|
||||||
if [[ -z "$ip4" ]]; then
|
if "$HAS_IPv6"; then
|
||||||
if "$HAS_IPv6"; then
|
if [[ -n "$ip6" ]]; then
|
||||||
IPADDRs=$(newline_to_spaces "$ip6")
|
if ! [[ -z "$IPADDRs" ]]; then
|
||||||
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
|
IPADDRs+=" "
|
||||||
fi
|
fi
|
||||||
else
|
IPADDRs+=$(newline_to_spaces "$ip6")
|
||||||
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
|
|
||||||
if is_ipv6addr "$CMDLINE_IP"; then
|
|
||||||
IPADDRs=$(newline_to_spaces "$ip6")
|
|
||||||
else
|
|
||||||
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
IPADDRs=$(newline_to_spaces "$ip4")
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if "$HAS_IPv4"; then
|
||||||
|
if [[ -n "$ip4" ]]; then
|
||||||
|
if ! [[ -z "$IPADDRs" ]]; then
|
||||||
|
IPADDRs+=" "
|
||||||
|
fi
|
||||||
|
IPADDRs+=$(newline_to_spaces "$ip4")
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ -z "$IPADDRs" ]]; then
|
if [[ -z "$IPADDRs" ]]; then
|
||||||
if [[ -n "$ip6" ]]; then
|
if [[ -z "$IP46ADDRs" ]]; then
|
||||||
fatal "Only IPv6 address(es) for \"$NODE\" available, maybe add \"-6\" to $0" $ERR_DNSLOOKUP
|
|
||||||
else
|
|
||||||
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
|
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ -n "$ip6" ]]; then
|
||||||
|
fatal "Only IPv6 address(es) for \"$NODE\" available but IPv4-only mode specified" $ERR_DNSLOOKUP
|
||||||
|
fi
|
||||||
|
if [[ -n "$ip4" ]]; then
|
||||||
|
fatal "Only IPv4 address(es) for \"$NODE\" available but IPv6-only mode specified" $ERR_DNSLOOKUP
|
||||||
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
return 0 # IPADDR and IP46ADDR is set now
|
return 0 # IPADDR and IP46ADDR is set now
|
||||||
}
|
}
|
||||||
@ -22601,6 +22611,18 @@ parse_cmd_line() {
|
|||||||
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not
|
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not
|
||||||
HAS_IPv6=true
|
HAS_IPv6=true
|
||||||
;;
|
;;
|
||||||
|
-only6)
|
||||||
|
HAS_IPv4=false
|
||||||
|
if ! "$HAS_IPv6"; then
|
||||||
|
fatal "Options -only6 and -only4 are mutually exclusive"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
-only4)
|
||||||
|
if ! "$HAS_IPv4"; then
|
||||||
|
fatal "Options -only6 and -only4 are mutually exclusive"
|
||||||
|
fi
|
||||||
|
HAS_IPv6=false
|
||||||
|
;;
|
||||||
--has[-_]dhbits|--has[_-]dh[-_]bits)
|
--has[-_]dhbits|--has[_-]dh[-_]bits)
|
||||||
# Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190
|
# Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190
|
||||||
HAS_DH_BITS=true
|
HAS_DH_BITS=true
|
||||||
@ -22931,9 +22953,9 @@ lets_roll() {
|
|||||||
if ! determine_ip_addresses; then
|
if ! determine_ip_addresses; then
|
||||||
fatal "No IP address could be determined" $ERR_DNSLOOKUP
|
fatal "No IP address could be determined" $ERR_DNSLOOKUP
|
||||||
fi
|
fi
|
||||||
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
|
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ip address to check
|
||||||
MULTIPLE_CHECKS=true
|
MULTIPLE_CHECKS=true
|
||||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
pr_bold "Testing all IP addresses (port $PORT): "; outln "$IPADDRs"
|
||||||
for ip in $IPADDRs; do
|
for ip in $IPADDRs; do
|
||||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
|
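Review bot: The rebuilt address list in determine_ip_addresses now appends with `IPADDRs+=` instead of assigning, so whatever IPADDRs already holds when the function is entered (its opening lines are outside the hunk) would be carried into the new list unless it is cleared there; an explicit `IPADDRs=""` placed before `# construct IPADDRs` would make the two `if ! [[ -z "$IPADDRs" ]]` guards the only source of separators. The old IPv6-only branch also set `IP46ADDRs="$IPADDRs"` and that assignment is dropped, yet the new error path keys on `[[ -z "$IP46ADDRs" ]]`; if IP46ADDRs is not populated earlier in the function for a AAAA-only host, the generic "No IPv4/IPv6 address(es)" fatal fires where the new "IPv4-only mode specified" message was intended. In parse_cmd_line the `-only6`/`-only4` guards read HAS_IPv6/HAS_IPv4, which hunk 1 also lets the environment preset to false, so the "mutually exclusive" message can be reported when no second flag was given, and the `-6` case is still accepted while hunk 2 removes its usage line. The comment on the flipped `HAS_IPv6=${HAS_IPv6:-true}` default still reads as advice to set it to yes; it should now say when to turn it off, e.g. `# set to false if OpenSSL lacks IPv6 support or there is no IPv6 connectivity`.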