From cf62353fc6d55322b927baad8467f67521a7b497 Mon Sep 17 00:00:00 2001 From: typingArtist Date: Fri, 27 May 2016 19:54:23 +0200 Subject: [PATCH 1/3] https://github.com/drwetter/testssl.sh/issues/365 ensure DNS PTR lookups use un-bracketed IPv6 address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While standard OpenSSL requires the literal IPv6 address enclosed in [brackets], standard DNS lookup tools don’t support the additional characters. Before making reverse PTR lookups, these brackets have to be removed from the IPv6 addresses.
---
 testssl.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 7cc2e82..4600269 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -6338,21 +6338,23 @@ determine_ip_addresses() {
 determine_rdns() {
 local saved_openssl_conf="$OPENSSL_CONF"
 OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
+ local nodeip="$(tr -d '[]' <<< $NODEIP)" # sockets do not need the square brackets we have of IPv6 addresses
+ # we just need do it here, that's all!
 if [[ "$NODE" == *.local ]]; then
 if which avahi-resolve &>/dev/null; then
- rDNS=$(avahi-resolve -a $NODEIP 2>/dev/null | awk '{ print $2 }')
+ rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
 elif which dig &>/dev/null; then
- rDNS=$(dig -x $NODEIP @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }')
+ rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer | awk '/PTR/ { print $NF }')
 fi
 elif which dig &> /dev/null; then
- rDNS=$(dig -x $NODEIP +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org
+ rDNS=$(dig -x $nodeip +noall +answer | awk '/PTR/ { print $NF }') # +short returns also CNAME, e.g. openssl.org
 elif which host &> /dev/null; then
- rDNS=$(host -t PTR $NODEIP 2>/dev/null | awk '/pointer/ { print $NF }')
+ rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
 elif which drill &> /dev/null; then
- rDNS=$(drill -x ptr $NODEIP 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
+ rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
 elif which nslookup &> /dev/null; then
- rDNS=$(nslookup -type=PTR $NODEIP 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
+ rDNS=$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
 fi
 OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
 rDNS="$(echo $rDNS)"
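Review bot: `local nodeip="$(tr -d '[]' <<< $NODEIP)"` forks tr for a one-string edit and strips brackets anywhere in the value; bash can do it in place with `local nodeip="${NODEIP//[\[\]]/}"`, or more precisely `nodeip=${NODEIP#\[}; nodeip=${nodeip%\]}`, which only removes the enclosing pair. The new `$nodeip` is passed unquoted to every lookup (`dig -x "$nodeip"`, `host -t PTR "$nodeip"`, and so on) and `$NODEIP` is unquoted on the `<<<` line; as far as this hunk shows NODEIP is the script-resolved address rather than raw user input, so this is mostly about convention and ShellCheck cleanliness, but quoting makes that assumption unnecessary. The same tr construct is copied into display_rdns_etc by the third patch in this series.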
From 2c69e83f5b98974ffe87422fa45a30d4824ed4a9 Mon Sep 17 00:00:00 2001 From: typingArtist Date: Fri, 27 May 2016 20:11:47 +0200 Subject: [PATCH 2/3] https://github.com/drwetter/testssl.sh/issues/365 add UNBRACKETED_IPV6 quirks option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since some OpenSSL binaries, namely Gentoo’s, don’t support bracketed IPv6 addresses but unbracketed ones, specified as the -connect option, the UNBRACKETED_IPV6 environment variable can be set to true for disabling the automatic addition of brackets around IPv6 addresses on such platforms.
---
 testssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 4600269..666afc8 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -167,6 +167,7 @@ readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test
 DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1
 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
 VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
+UNBRACKETED_IPV6=${UNBRACKETED_IPV6:-false} # some versions of OpenSSL don't support [bracketed] IPv6 addresses as a connect parameter
 HAD_SLEPT=0
 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
@@ -7112,7 +7113,7 @@ nodeip_to_proper_ip6() {
 local len_nodeip=0
 if is_ipv6addr $NODEIP; then
- NODEIP="[$NODEIP]"
+ ${UNBRACKETED_IPV6} || NODEIP="[$NODEIP]"
 len_nodeip=${#NODEIP}
 CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )"
 # IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned
From 6a9b0e01fc4f370e0d1036cd0fff41c2d046513e Mon Sep 17 00:00:00 2001
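Review bot: `${UNBRACKETED_IPV6} || NODEIP="[$NODEIP]"` in nodeip_to_proper_ip6 executes the content of an environment variable as a command, so only the literal words true and false behave as the commit message documents: `UNBRACKETED_IPV6=1` produces a "command not found" on stderr and the brackets are still added, `=yes` invokes the yes(1) utility, which never terminates, and any other string is run as whatever command it names. A string test gives the same control flow without executing configuration data: `[[ "$UNBRACKETED_IPV6" == true ]] || NODEIP="[$NODEIP]"`. The file already treats HAS_IPv6 the same way (visible in the removed `if "$HAS_IPv6"; then` of the third patch), so this follows an existing convention, but a new variable need not inherit it; the identical pattern reappears as `${UNBRACKTD_IPV6} || …` in the third patch's nodeip_to_proper_ip6 hunk. The closing `fi` and `}` of nodeip_to_proper_ip6 lie outside this hunk.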
From: Dirk Wetter Date: Thu, 2 Jun 2016 09:59:52 +0200 Subject: [PATCH 3/3] - polishing #366 and IPv6-related
---
 testssl.sh | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 666afc8..dbf9dc6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -149,7 +149,8 @@ WIDE=${WIDE:-false} # whether to display for some options th
 LOGFILE=${LOGFILE:-""} # logfile if used
 JSONFILE=${JSONFILE:-""} # jsonfile if used
 CSVFILE=${CSVFILE:-""} # csvfile if used
-HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works!
+HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
+UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
 # tuning vars, can not be set by a cmd line switch
 EXPERIMENTAL=${EXPERIMENTAL:-false}
@@ -167,7 +168,6 @@ readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test
 DAYS2WARN1=${DAYS2WARN1:-60} # days to warn before cert expires, threshold 1
 DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, threshold 2
 VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
-UNBRACKETED_IPV6=${UNBRACKETED_IPV6:-false} # some versions of OpenSSL don't support [bracketed] IPv6 addresses as a connect parameter
 HAD_SLEPT=0
 CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
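Review bot: The rewritten comment on `HAS_IPv6=${HAS_IPv6:-false}` still tells users to "set it to yes", but this variable is expanded as a command in the file (the removed `if "$HAS_IPv6"; then` in display_rdns_etc, later in this patch, shows the convention), and `yes` there runs the yes(1) utility instead of evaluating to true; whether other such uses survive this commit is outside the diff, but the instruction should read `set it to true`. The new `UNBRACKTD_IPV6` line has the same gap: it is consumed as `${UNBRACKTD_IPV6} || …` in nodeip_to_proper_ip6, so only the literal words true and false work, and the comment does not say so. I'd add `must be literally true or false` to both comments, e.g. `# set to true if your OpenSSL (e.g. Gentoo's) rejects [bracketed] IPv6 addresses; must be literally true or false`.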
@@ -6338,9 +6338,8 @@ determine_ip_addresses() {
 determine_rdns() {
 local saved_openssl_conf="$OPENSSL_CONF"
- OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
- local nodeip="$(tr -d '[]' <<< $NODEIP)" # sockets do not need the square brackets we have of IPv6 addresses
- # we just need do it here, that's all!
+ OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
+ local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
 if [[ "$NODE" == *.local ]]; then
 if which avahi-resolve &>/dev/null; then
@@ -6359,7 +6358,7 @@ determine_rdns() {
 fi
 OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
 rDNS="$(echo $rDNS)"
- [[ -z "$rDNS" ]] && rDNS=" --"
+ [[ -z "$rDNS" ]] && rDNS="--"
 return 0
 }
@@ -6557,6 +6556,8 @@ determine_service() {
 display_rdns_etc() {
 local ip
+ local nodeip="$(tr -d '[]' <<< $NODEIP)" # for displaying IPv6 addresses we don't need []
+
 if [[ -n "$PROXY" ]]; then
 out " Via Proxy: $CORRECT_SPACES"
@@ -6579,11 +6580,7 @@ display_rdns_etc() {
 outln " A record via supplied IP \"$CMDLINE_IP\""
 fi
 if [[ -n "$rDNS" ]]; then
- if "$HAS_IPv6"; then
- printf " %-23s %s" "rDNS $NODEIP:" "$rDNS"
- else
- printf " %-23s %s" "rDNS ($NODEIP):" "$rDNS"
- fi
+ printf " %-23s %s" "rDNS ($nodeip):" "$rDNS"
 fi
 }
@@ -7113,9 +7110,9 @@ nodeip_to_proper_ip6() {
 local len_nodeip=0
 if is_ipv6addr $NODEIP; then
- ${UNBRACKETED_IPV6} || NODEIP="[$NODEIP]"
+ ${UNBRACKTD_IPV6} || NODEIP="[$NODEIP]"
 len_nodeip=${#NODEIP}
- CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 16))" )"
+ CORRECT_SPACES="$(draw_line " " "$((len_nodeip - 17))" )"
 # IPv6 addresses are longer, this varaible takes care that "further IP" and "Service" is properly aligned
 fi
 }
@@ -7264,4 +7261,4 @@ fi
 exit $?
-# $Id: testssl.sh,v 1.490 2016/05/27 15:43:44 dirkw Exp $
+# $Id: testssl.sh,v 1.491 2016/06/02 07:59:51 dirkw Exp $
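Review bot: The added `local nodeip="$(tr -d '[]' <<< $NODEIP)"` in display_rdns_etc is a second copy of the line determine_rdns carries in the first hunk of this patch, so the two derivations can drift apart. One definition is enough, e.g. a helper `strip_ip6_brackets() { printf '%s' "${1//[\[\]]/}"; }` used as `local nodeip; nodeip=$(strip_ip6_brackets "$NODEIP")` in both places, or the bracket-free form could be kept alongside NODEIP by nodeip_to_proper_ip6, which is the one place where the two forms diverge. If the tr form stays, `"$NODEIP"` on the here-string line and `$nodeip` in the printf are worth quoting for consistency with `"$rDNS"` next to them. display_rdns_etc's body between its two hunks is outside the diff.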
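Review bot: `$((len_nodeip - 17))` in nodeip_to_proper_ip6 goes negative for short IPv6 literals — `[::1]` has length 5 — and that negative count is handed to draw_line, whose handling of it is outside this diff; clamping first, `local pad=$(( len_nodeip > 17 ? len_nodeip - 17 : 0 ))` and passing `"$pad"`, removes the dependency. The change from 16 to 17 is also unexplained; a comment naming what the 17 columns are (presumably the width reserved for an address in the aligned output, to be confirmed) would save the next reader from re-deriving it. Since len_nodeip is measured after the conditional bracketing, the alignment presumably also differs by two columns between UNBRACKTD_IPV6=true and false, which the existing comment does not mention.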