mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-09-17 17:32:54 +02:00
Reflect IPv6 changes
doc/testssl.1
doc/testssl.1
@ -216,15 +216,16 @@
|
||||
will be made in the future as a best guess by testssl.sh. The
|
||||
same can be achieved by setting the environment variable
|
||||
<code>WARNINGS</code>.</p>
|
||||
<p><code>--connect-timeout <seconds></code> This is useful
|
||||
<p><code>--socket-timeout <seconds></code> This is useful
|
||||
for socket TCP connections to a node. If the node does not
|
||||
complete a TCP handshake (e.g. because it is down or behind a
|
||||
firewall or there’s an IDS or a tarpit) testssl.sh may usually
|
||||
hang for around 2 minutes or even much more. This parameter
|
||||
instructs testssl.sh to wait at most <code>seconds</code> for
|
||||
the handshake to complete before giving up. This option only
|
||||
works if your OS has a timeout binary installed. CONNECT_TIMEOUT
|
||||
is the corresponding environment variable.</p>
|
||||
works if your OS has a timeout binary installed. SOCKET_TIMEOUT
|
||||
is the corresponding environment variable. This doesn’t work on
|
||||
Macs out of the box.</p>
|
||||
<p><code>--openssl-timeout <seconds></code> This is
|
||||
especially useful for all connects using openssl and practically
|
||||
useful for mass testing. It avoids the openssl connect to hang
|
||||
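Review bot: the rename from `--connect-timeout` / `CONNECT_TIMEOUT` to `--socket-timeout` / `SOCKET_TIMEOUT` in this paragraph is a user-visible interface change, and the new text says nothing about the old spelling. Existing wrappers and cron jobs that pass `--connect-timeout` or export `CONNECT_TIMEOUT` will silently lose their timeout unless the parser still accepts the old name; the paragraph should state whether the old option and variable are still honoured (deprecated) or now rejected. The added sentence "This doesn't work on Macs out of the box." also duplicates the preceding "This option only works if your OS has a timeout binary installed." without saying what is missing; one sentence naming the required `timeout` binary and what to install on macOS would replace both.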
@ -234,7 +235,8 @@
|
||||
timeout binary installed. As there are different implementations
|
||||
of <code>timeout</code>: It automatically calls the binary with
|
||||
the right parameters. OPENSSL_TIMEOUT is the equivalent
|
||||
environment variable.</p>
|
||||
environment variable. This doesn’t work on Macs out of the
|
||||
box.</p>
|
||||
<p><code>--basicauth <user:pass></code> This can be set to
|
||||
provide HTTP basic auth credentials which are used during checks
|
||||
for security headers. BASICAUTH is the ENV variable you can use
|
||||
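Review bot: the macOS caveat is appended verbatim to `--openssl-timeout` as it was to `--socket-timeout` in the previous hunk, so the same two-sentence "only available if your OS has a timeout binary installed" / "doesn't work on Macs out of the box" pair now appears for each timeout option. Since all of them depend on the same `timeout` binary, a single note covering the timeout options (what binary is needed, what to do on macOS) would be easier to keep correct than three copies. While here, "As there are different implementations of `timeout`: It automatically calls the binary with the right parameters." is hard to parse; "There are different implementations of `timeout`; testssl.sh detects which one is installed and calls it with the right parameters." says the same thing.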
@ -301,17 +303,15 @@
|
||||
<code>IGN_OCSP_PROXY=true</code> has been supplied it will be
|
||||
tried directly. Authentication to the proxy is not supported,
|
||||
also no HTTPS or SOCKS proxy.</p>
|
||||
<p><code>-6</code> does (also) IPv6 checks. Please note that
|
||||
testssl.sh doesn’t perform checks on an IPv6 address
|
||||
automatically, because of two reasons: testssl.sh does no
|
||||
connectivity checks for IPv6 and it cannot determine reliably
|
||||
whether the OpenSSL binary you’re using has IPv6 s_client
|
||||
support. <code>-6</code> assumes both is the case. If both
|
||||
conditions are met and you in general prefer to test for IPv6
|
||||
branches as well you can add <code>HAS_IPv6</code> to your shell
|
||||
environment. Besides the OpenSSL binary supplied IPv6 is known
|
||||
to work with vanilla OpenSSL >= 1.1.0 and older versions
|
||||
>=1.0.2 in RHEL/CentOS/FC and Gentoo.</p>
|
||||
<p><code>-6</code> scans only IPv6 addresses of the target.
|
||||
Besides the OpenSSL binary supplied IPv6 is known to work with
|
||||
vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in
|
||||
RHEL/CentOS/FC and Gentoo. Scans are somewhat in line with tools
|
||||
like curl or wget, i.e. if there’s an IPv6 address of the target
|
||||
which can be reached, it just uses them. If you don’t want this
|
||||
behavior, you need to supply <code>-4.</code></p>
|
||||
<p><code>-4</code> scans only IPv4 addresses of the target, IPv6
|
||||
addresses of the target won’t be scanned.</p>
|
||||
<p><code>--ssl-native</code> Instead of using a mixture of bash
|
||||
sockets and a few openssl s_client connects, testssl.sh uses the
|
||||
latter (almost) only. This is faster but provides less accurate
|
||||
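Review bot: the new `-6` paragraph reads inconsistently. It opens with "`-6` scans only IPv6 addresses of the target" and then says "if there's an IPv6 address of the target which can be reached, it just uses them. If you don't want this behavior, you need to supply `-4.`", which describes the default behaviour without `-6`, not what `-6` does. A reader will conclude `-6` is required to get IPv6 at all, which is the opposite of the curl/wget comparison. Suggest splitting it: a sentence describing the default (IPv6 addresses are used when reachable), then `-6` (IPv6 only) and `-4` (IPv4 only) as the two restrictions, and stating what happens if both are given. The old paragraph also documented the `HAS_IPv6` environment variable and the missing IPv6 connectivity check; if those still exist in the script they should stay documented, and if they were removed the commit message should say so. Minor: "it just uses them" should be "it just uses it" (singular "address"), the full stop belongs outside `<code>-4.</code>`, and "Besides the OpenSSL binary supplied" needs "with testssl.sh" to be clear.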
@ -649,7 +649,7 @@
|
||||
vulnerability. It tests for the absence of a lot of ciphers,
|
||||
some TLS extensions and ec curves which were introduced later in
|
||||
Windows. In the end the server banner is being looked at.</p>
|
||||
<p><code>-4, --rc4, --appelbaum</code> Checks which RC4 stream
|
||||
<p><code>--rc4, --appelbaum</code> Checks which RC4 stream
|
||||
ciphers are being offered.</p>
|
||||
<h3 id="output-options">OUTPUT OPTIONS</h3>
|
||||
<p><code>-q, --quiet</code> Normally testssl.sh displays a
|
||||
|
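Review bot: dropping `-4` from `-4, --rc4, --appelbaum` repurposes a short option that previously meant "RC4 check" to mean "IPv4 only" (documented in the hunk at line 301). Any existing invocation or script that used `-4` for the RC4 test will now silently run a different scan scope instead of failing, which is worse than a removed option. The documentation should call this out explicitly (a deprecation note here or in the changelog), and the script's own `--help` output and option parser must be changed in the same commit; otherwise the man page and the tool disagree.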
@ -105,9 +105,9 @@ Please note that `fname` has to be in Unix format. DOS carriage returns won't be
|
||||
`--warnings <batch|off>`. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. `batch` doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (`--file`). `off` just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
|
||||
The same can be achieved by setting the environment variable `WARNINGS`.
|
||||
|
||||
`--connect-timeout <seconds>` This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most `seconds` for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.
|
||||
`--socket-timeout <seconds>` This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most `seconds` for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. SOCKET_TIMEOUT is the corresponding environment variable. This doesn't work on Macs out of the box.
|
||||
|
||||
`--openssl-timeout <seconds>` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `seconds` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable.
|
||||
`--openssl-timeout <seconds>` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `seconds` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable. This doesn't work on Macs out of the box.
|
||||
|
||||
`--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
|
||||
|
||||
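Review bot: this is the Markdown counterpart of the `--socket-timeout` change in `doc/testssl.1`, and it carries the same gap: nothing says whether `--connect-timeout` / `CONNECT_TIMEOUT` remain accepted. Since the two doc files are edited by hand in parallel, the wording should be identical in both; here the `--openssl-timeout` paragraph appears twice with only the trailing macOS sentence differing, so confirm that the rendered diff really is a one-line replacement and not an accidental duplicate paragraph in the `.md` source.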
@ -128,7 +128,9 @@ The same can be achieved by setting the environment variable `WARNINGS`.
|
||||
|
||||
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Any hostname supplied will be resolved to the first A record, if it does not exist the AAAA record is used. IPv4 and IPv6 addresses can be passed too, the latter *also* with square bracket notation. Please note that you need a newer OpenSSL or LibreSSL version for IPv6 proxy functionality. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported, also no HTTPS or SOCKS proxy.
|
||||
|
||||
`-6` does (also) IPv6 checks. Please note that testssl.sh doesn't perform checks on an IPv6 address automatically, because of two reasons: testssl.sh does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. `-6` assumes both is the case. If both conditions are met and you in general prefer to test for IPv6 branches as well you can add `HAS_IPv6` to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo.
|
||||
`-6` scans only IPv6 addresses of the target. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo. Scans are somewhat in line with tools like curl or wget, i.e. if there's an IPv6 address of the target which can be reached, it just uses them. If you don't want this behavior, you need to supply `-4.`
|
||||
|
||||
`-4` scans only IPv4 addresses of the target, IPv6 addresses of the target won't be scanned.
|
||||
|
||||
`--ssl-native` Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. Thus it is not recommended to use. It should only be used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary.
|
||||
|
||||
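Review bot: same issue as the HTML version of the `-6` paragraph: "`-6` scans only IPv6 addresses of the target" is followed by a description of the default address selection ("if there's an IPv6 address ... it just uses them. If you don't want this behavior, you need to supply `-4.`"), so the paragraph contradicts itself about whether `-6` restricts or enables IPv6. The new `-4` paragraph ("scans only IPv4 addresses of the target, IPv6 addresses of the target won't be scanned") is clear; `-6` should be written in the same form, and the default behaviour should get its own sentence before both. Please also move the full stop out of the backticks in `-4.` and decide whether `HAS_IPv6`, which the replaced text documented, is still a supported variable.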
@ -266,7 +268,7 @@ Also for multiple server certificates are being checked for as well as for the c
|
||||
|
||||
`-WS, --winshock` Checks for Winshock vulnerability. It tests for the absence of a lot of ciphers, some TLS extensions and ec curves which were introduced later in Windows. In the end the server banner is being looked at.
|
||||
|
||||
`-4, --rc4, --appelbaum` Checks which RC4 stream ciphers are being offered.
|
||||
`--rc4, --appelbaum` Checks which RC4 stream ciphers are being offered.
|
||||
|
||||
|
||||
### OUTPUT OPTIONS
|
||||
|
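Review bot: as in the HTML man page, removing `-4` from the RC4 option changes the meaning of an existing short flag rather than removing it, and the Markdown page has no note warning users. Suggest adding one sentence under `--rc4` such as "`-4` is no longer an alias for this check; it now selects IPv4-only scanning." so that readers of either doc format see the change, and double-check that `--help` in the script matches both files.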