mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Default to dual stack if both A/AAAA records are available.
Test IPv6 by default if only AAAA records are discovered via DNS rather than failing. Allow IPv6-only testing via -only6 flag Allow IPv4-only testing via -only4 flag
This commit is contained in:
parent
56dcbcdc15
commit
603ae899b2
68
testssl.sh
68
testssl.sh
@ -183,7 +183,8 @@ FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefi
|
||||
APPEND=${APPEND:-false} # append to csv/json/html/log file
|
||||
OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
|
||||
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
|
||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||
HAS_IPv6=${HAS_IPv6:-true} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||
HAS_IPv4=${HAS_IPv4:-true} # if IPv4 networking is present, set to false eg on NAT64 or IPv6-only networks
|
||||
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
|
||||
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
|
||||
ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
|
||||
@ -19417,7 +19418,8 @@ tuning / connect options (most also can be preset via environment variables):
|
||||
--ssl-native fallback to checks with OpenSSL where sockets are normally used
|
||||
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
|
||||
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
|
||||
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
||||
-only6 only test IPv6, even if IPv4 is also present
|
||||
-only4 only test IPv4, even if IPv6 is also present
|
||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
|
||||
@ -19526,6 +19528,7 @@ HAS_CURVES: $HAS_CURVES
|
||||
OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES
|
||||
|
||||
HAS_IPv6: $HAS_IPv6
|
||||
HAS_IPv4: $HAS_IPv4
|
||||
HAS_SSL2: $HAS_SSL2
|
||||
HAS_SSL3: $HAS_SSL3
|
||||
HAS_TLS13: $HAS_TLS13
|
||||
@ -20308,29 +20311,36 @@ determine_ip_addresses() {
|
||||
fi
|
||||
fi
|
||||
|
||||
# IPv6 only address
|
||||
if [[ -z "$ip4" ]]; then
|
||||
# construct IPADDRs
|
||||
if "$HAS_IPv6"; then
|
||||
IPADDRs=$(newline_to_spaces "$ip6")
|
||||
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
|
||||
fi
|
||||
else
|
||||
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
|
||||
if is_ipv6addr "$CMDLINE_IP"; then
|
||||
IPADDRs=$(newline_to_spaces "$ip6")
|
||||
else
|
||||
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
|
||||
fi
|
||||
else
|
||||
IPADDRs=$(newline_to_spaces "$ip4")
|
||||
fi
|
||||
fi
|
||||
if [[ -z "$IPADDRs" ]]; then
|
||||
if [[ -n "$ip6" ]]; then
|
||||
fatal "Only IPv6 address(es) for \"$NODE\" available, maybe add \"-6\" to $0" $ERR_DNSLOOKUP
|
||||
else
|
||||
if ! [[ -z "$IPADDRs" ]]; then
|
||||
IPADDRs+=" "
|
||||
fi
|
||||
IPADDRs+=$(newline_to_spaces "$ip6")
|
||||
fi
|
||||
fi
|
||||
if "$HAS_IPv4"; then
|
||||
if [[ -n "$ip4" ]]; then
|
||||
if ! [[ -z "$IPADDRs" ]]; then
|
||||
IPADDRs+=" "
|
||||
fi
|
||||
IPADDRs+=$(newline_to_spaces "$ip4")
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ -z "$IPADDRs" ]]; then
|
||||
if [[ -z "$IP46ADDRs" ]]; then
|
||||
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
|
||||
fi
|
||||
|
||||
if [[ -n "$ip6" ]]; then
|
||||
fatal "Only IPv6 address(es) for \"$NODE\" available but IPv4-only mode specified" $ERR_DNSLOOKUP
|
||||
fi
|
||||
if [[ -n "$ip4" ]]; then
|
||||
fatal "Only IPv4 address(es) for \"$NODE\" available but IPv6-only mode specified" $ERR_DNSLOOKUP
|
||||
fi
|
||||
|
||||
fi
|
||||
return 0 # IPADDR and IP46ADDR is set now
|
||||
}
|
||||
@ -22601,6 +22611,18 @@ parse_cmd_line() {
|
||||
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not
|
||||
HAS_IPv6=true
|
||||
;;
|
||||
-only6)
|
||||
HAS_IPv4=false
|
||||
if ! "$HAS_IPv6"; then
|
||||
fatal "Options -only6 and -only4 are mutually exclusive"
|
||||
fi
|
||||
;;
|
||||
-only4)
|
||||
if ! "$HAS_IPv4"; then
|
||||
fatal "Options -only6 and -only4 are mutually exclusive"
|
||||
fi
|
||||
HAS_IPv6=false
|
||||
;;
|
||||
--has[-_]dhbits|--has[_-]dh[-_]bits)
|
||||
# Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190
|
||||
HAS_DH_BITS=true
|
||||
@ -22931,9 +22953,9 @@ lets_roll() {
|
||||
if ! determine_ip_addresses; then
|
||||
fatal "No IP address could be determined" $ERR_DNSLOOKUP
|
||||
fi
|
||||
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ip address to check
|
||||
MULTIPLE_CHECKS=true
|
||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||
pr_bold "Testing all IP addresses (port $PORT): "; outln "$IPADDRs"
|
||||
for ip in $IPADDRs; do
|
||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||
outln
|
||||
|
Loading…
Reference in New Issue
Block a user