mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
commit
a3ab6cd887
29
testssl.sh
29
testssl.sh
@ -351,6 +351,8 @@ HAS_ZLIB=false
|
|||||||
HAS_UDS=false
|
HAS_UDS=false
|
||||||
HAS_UDS2=false
|
HAS_UDS2=false
|
||||||
HAS_DIG=false
|
HAS_DIG=false
|
||||||
|
HAS_DIG_R=true
|
||||||
|
DIG_R="-r"
|
||||||
HAS_HOST=false
|
HAS_HOST=false
|
||||||
HAS_DRILL=false
|
HAS_DRILL=false
|
||||||
HAS_NSLOOKUP=false
|
HAS_NSLOOKUP=false
|
||||||
@ -19564,6 +19566,7 @@ HAS_IDN: $HAS_IDN
|
|||||||
HAS_IDN2: $HAS_IDN2
|
HAS_IDN2: $HAS_IDN2
|
||||||
HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
|
HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
|
||||||
HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
|
HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
|
||||||
|
HAS_DIG_R: $HAS_DIG_R
|
||||||
HAS_XXD: $HAS_XXD
|
HAS_XXD: $HAS_XXD
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
@ -20026,12 +20029,18 @@ check_resolver_bins() {
|
|||||||
type -p idn &>/dev/null && HAS_IDN=true
|
type -p idn &>/dev/null && HAS_IDN=true
|
||||||
type -p idn2 &>/dev/null && HAS_IDN2=true
|
type -p idn2 &>/dev/null && HAS_IDN2=true
|
||||||
|
|
||||||
|
# Old dig versions don't have an option to ignore $HOME/.digrc
|
||||||
|
if dig -r 2>&1 | grep -qiE 'invalid|usage'; then
|
||||||
|
HAS_DIG_R=false
|
||||||
|
DIG_R=""
|
||||||
|
fi
|
||||||
|
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
|
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
|
||||||
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
|
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
if "$HAS_DIG"; then
|
if "$HAS_DIG"; then
|
||||||
if dig +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
|
if dig $DIG_R +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
HAS_DIG_NOIDNOUT=true
|
HAS_DIG_NOIDNOUT=true
|
||||||
@ -20065,13 +20074,13 @@ get_a_record() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip4=$(filter_ip4_address $(dig @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
|
ip4=$(filter_ip4_address $(dig $DIG_R @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
|
||||||
else
|
else
|
||||||
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]] && "$HAS_DIG"; then
|
if [[ -z "$ip4" ]] && "$HAS_DIG"; then
|
||||||
ip4=$(filter_ip4_address $(dig +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
|
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
|
||||||
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
|
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
|
||||||
@ -20109,12 +20118,12 @@ get_aaaa_record() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
ip6=$(filter_ip6_address $(dig $DIG_R @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
||||||
else
|
else
|
||||||
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip6=$(filter_ip6_address $(dig +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
||||||
elif "$HAS_HOST"; then
|
elif "$HAS_HOST"; then
|
||||||
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
|
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
@ -20150,7 +20159,7 @@ get_caa_rr_record() {
|
|||||||
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
|
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
|
||||||
OPENSSL_CONF=""
|
OPENSSL_CONF=""
|
||||||
if "$HAS_DIG"; then
|
if "$HAS_DIG"; then
|
||||||
raw_caa="$(dig +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
|
raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
|
||||||
# empty if no CAA record
|
# empty if no CAA record
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
|
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
|
||||||
@ -20221,7 +20230,7 @@ get_mx_record() {
|
|||||||
if "$HAS_HOST"; then
|
if "$HAS_HOST"; then
|
||||||
mx="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
|
mx="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
mx="$(dig +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
|
mx="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
mx="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
|
mx="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
|
||||||
elif "$HAS_NSLOOKUP"; then
|
elif "$HAS_NSLOOKUP"; then
|
||||||
@ -20248,7 +20257,7 @@ get_txt_record() {
|
|||||||
if "$HAS_HOST"; then
|
if "$HAS_HOST"; then
|
||||||
record="$(host -t TXT "$1" 2>/dev/null | awk -F\" '/descriptive text/ { print $(NF-1) }')"
|
record="$(host -t TXT "$1" 2>/dev/null | awk -F\" '/descriptive text/ { print $(NF-1) }')"
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
record="$(dig +short $noidnout -t TXT "$1" 2>/dev/null)"
|
record="$(dig $DIG_R +short $noidnout -t TXT "$1" 2>/dev/null)"
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
record="$(drill txt $1 | awk -F\" '/^[a-z0-9].*TXT/ { print $(NF-1) }')"
|
record="$(drill txt $1 | awk -F\" '/^[a-z0-9].*TXT/ { print $(NF-1) }')"
|
||||||
elif "$HAS_NSLOOKUP"; then
|
elif "$HAS_NSLOOKUP"; then
|
||||||
@ -20348,11 +20357,11 @@ determine_rdns() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
|
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
|
rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
|
||||||
fi
|
fi
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
|
# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
|
||||||
rDNS=$(dig -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
|
rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
|
||||||
elif "$HAS_HOST"; then
|
elif "$HAS_HOST"; then
|
||||||
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
|
Loading…
Reference in New Issue
Block a user