diff --git a/doc/testssl.1 b/doc/testssl.1 index ac47cad..d76f662 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 @@ -131,7 +131,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri \fB\-\-ip \fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB\fR\. IPv6 addresses needs to be in square brackets\. \fB\-\-ip=one\fR means: just test the first DNS returns (useful for multiple IPs)\. If \fB\-6\fR was supplied too, an IPv6 address is being picked if available and supported by the openssl binary\. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\. . .P -\fB\-\-proxy :\fR does the whole check via the specified HTTP proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible\. The hostname supplied will only be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. +\fB\-\-proxy :\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\. The hostname supplied will be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won\'t be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\. . .P \fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t do checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\. diff --git a/doc/testssl.1.html b/doc/testssl.1.html index cf38f32..bd2ee92 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -183,7 +183,7 @@ host.example.com:631

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses needs to be in square brackets. --ip=one means: just test the first DNS returns (useful for multiple IPs). If -6 was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

-

--proxy <host>:<port> does the whole check via the specified HTTP proxy. --proxy=auto inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify DNS_VIA_PROXY=true.

+

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if IGN_OCSP_PROXY=true has been supplied it will be tried directly.

-6 does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. -6 assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add HAS_IPv6 to your shell environment.

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index b362d54..d92486a 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md @@ -106,7 +106,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r `--ip ` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in ``. IPv6 addresses needs to be in square brackets. `--ip=one` means: just test the first DNS returns (useful for multiple IPs). If `-6` was supplied too, an IPv6 address is being picked if available and supported by the openssl binary. It might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. -`--proxy :` does the whole check via the specified HTTP proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. +`--proxy :` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. `-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment. diff --git a/testssl.sh b/testssl.sh index 6e885b6..0daa41a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -226,6 +226,8 @@ OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulne # EXPERIMENTAL=${EXPERIMENTAL:-false} PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy +DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this +IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate MAX_OSSL_FAIL=${MAX_OSSL_FAIL:-2} # If this many failures for s_client connects are reached we terminate @@ -243,8 +245,7 @@ HPKP_MIN=${HPKP_MIN:-30} # >=30 days should be ok for HPKP_MIN, p HPKP_MIN=$((HPKP_MIN * 86400)) # correct to seconds DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2 -pVULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check -DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this +VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true declare -r CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS @@ -1573,6 +1574,13 @@ check_revocation_ocsp() { "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0 + if [[ -n "$PROXY" ]] && ! "$IGN_OCSP_PROXY"; then + # see #1106 and https://github.com/openssl/openssl/issues/6965 + out ", " + pr_warning "revocation not tested as \"openssl ocsp\" doesn't support a proxy" + fileout "$jsonID" "WARN" "Revocation not tested as openssl ocsp doesn't support a proxy" + return 0 + fi grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE if [[ -n "$stapled_response" ]]; then