Compare QUIC section with DNS HTTPS RR

Also: make "A(AAA) record via:" bold, to be in line with the other keys
Dirk Wetter
2026-06-22 16:20:13 +02:00
parent 7e97b243d1
commit dca6434604
+38 -6
@@ -6293,12 +6293,17 @@ sub_quic() {
local sclient_outfile="$TEMPDIR/$NODEIP.quic_connect.txt" local sclient_outfile="$TEMPDIR/$NODEIP.quic_connect.txt"
local sclient_errfile="$TEMPDIR/$NODEIP.quic_connect_err.txt" local sclient_errfile="$TEMPDIR/$NODEIP.quic_connect_err.txt"
local jsonID="QUIC" local jsonID="QUIC"
local has_https_rr_h3=false
[[ $DEBUG -ne 0 ]] && sclient_errfile=/dev/null [[ $DEBUG -ne 0 ]] && sclient_errfile=/dev/null
[[ "$SERVICE" != HTTP ]] && return 0 [[ "$SERVICE" != HTTP ]] && return 0
pr_bold " QUIC "; pr_bold " QUIC ";
if [[ "$HTTPS_RR" == *"h3"* ]]; then
has_https_rr_h3=true
fi
if "$HAS2_QUIC" || "$HAS_QUIC"; then if "$HAS2_QUIC" || "$HAS_QUIC"; then
# Proxying QUIC seems not supported # Proxying QUIC seems not supported
# The s_client call would block if either the remote side doesn't support QUIC or outbound traffic is blocked # The s_client call would block if either the remote side doesn't support QUIC or outbound traffic is blocked
@@ -6307,6 +6312,12 @@ sub_quic() {
else else
use_openssl="$OPENSSL" use_openssl="$OPENSSL"
fi fi
if "$has_https_rr_h3"; then
if [[ $QUIC_WAIT -eq 3 ]]; then
# change the default for QUIC testing to be a bit more conservative --unless not default value wasn't changed
QUIC_WAIT=5
fi
fi
OPENSSL_CONF='' $use_openssl s_client -quic -alpn h3 -connect $NODEIP:$PORT -servername $NODE </dev/null \ OPENSSL_CONF='' $use_openssl s_client -quic -alpn h3 -connect $NODEIP:$PORT -servername $NODE </dev/null \
2>$sclient_errfile >$sclient_outfile & 2>$sclient_errfile >$sclient_outfile &
wait_kill $! $((QUIC_WAIT * 10)) wait_kill $! $((QUIC_WAIT * 10))
@@ -6322,19 +6333,36 @@ sub_quic() {
# 0 would be process terminated before be killed. Now find out what happened... # 0 would be process terminated before be killed. Now find out what happened...
filter_printable $sclient_outfile filter_printable $sclient_outfile
if [[ $(< $sclient_outfile) =~ CERTIFICATE----- ]]; then if [[ $(< $sclient_outfile) =~ CERTIFICATE----- ]]; then
"$has_https_rr_h3" || \
fileout "$jsonID" "OK" "offered" && \
fileout "$jsonID" "OK" "offered, as advertised in DNS HTTPS RR"
pr_svrty_best "offered (OK)" pr_svrty_best "offered (OK)"
fileout "$jsonID" "OK" "offered"
alpn="$(awk -F':' '/^ALPN protocol/ { print $2 }' < $sclient_outfile)" alpn="$(awk -F':' '/^ALPN protocol/ { print $2 }' < $sclient_outfile)"
alpn="$(strip_spaces $alpn)" alpn="$(strip_spaces $alpn)"
outln ": $(awk '/^Protocol:/ { print $2 }' 2>/dev/null < $sclient_outfile) ($alpn)" out ": $(awk '/^Protocol:/ { print $2 }' 2>/dev/null < $sclient_outfile) ($alpn)"
"$has_https_rr_h3" && \
out ", as advertised in DNS HTTPS RR"
outln
elif [[ $(< $sclient_outfile) =~ ^CONNECTED\( ]]; then elif [[ $(< $sclient_outfile) =~ ^CONNECTED\( ]]; then
if [[ "$has_https_rr_h3" ]]; then
out "not offered (but UDP connection succeeded), "
prln_svrty_low "double check wrt HTTPS DNS RR entry"
fileout "$jsonID" "LOW" "not offered (but UDP connection succeeded) but contradicts HTTPS DNS RR entry"
else
outln "not offered (but UDP connection succeeded)" outln "not offered (but UDP connection succeeded)"
fileout "$jsonID" "INFO" "not offered (but UDP connection succeeded)" fileout "$jsonID" "INFO" "not offered (but UDP connection succeeded)"
fi
else
if [[ "$has_https_rr_h3" ]]; then
out "not offered, "
prln_svrty_low "double check wrt HTTPS DNS RR entry"
fileout "$jsonID" "INFO" "not offered but contradicts HTTPS DNS RR entry"
else else
outln "not offered" outln "not offered"
fileout "$jsonID" "INFO" "not offered" fileout "$jsonID" "INFO" "not offered"
fi fi
fi fi
fi
else else
prln_local_problem "No OpenSSL QUIC support" prln_local_problem "No OpenSSL QUIC support"
fileout "$jsonID" "WARN" "not tested due to lack of local OpenSSL support" fileout "$jsonID" "WARN" "not tested due to lack of local OpenSSL support"
@@ -24027,14 +24055,18 @@ display_rdns_etc() {
outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)" outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)"
fi fi
if "$LOCAL_A"; then if "$LOCAL_A"; then
outln " A record via: $CORRECT_SPACES /etc/hosts " pr_bold " A record via:"
outln " $CORRECT_SPACES /etc/hosts "
elif "$LOCAL_AAAA"; then elif "$LOCAL_AAAA"; then
outln " AAAA record via: $CORRECT_SPACES /etc/hosts " pr_bold " AAAA record via:"
outln " $CORRECT_SPACES /etc/hosts "
elif [[ -n "$CMDLINE_IP" ]]; then elif [[ -n "$CMDLINE_IP" ]]; then
if is_ipv6addr $"$CMDLINE_IP"; then if is_ipv6addr $"$CMDLINE_IP"; then
outln " AAAA record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\"" pr_bold " AAAA record via:"
outln " $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
else else
outln " A record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\"" pr_bold " A record via:"
outln " $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
fi fi
fi fi
pr_bold " rDNS " pr_bold " rDNS "
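Review bot: In the last sub_quic hunk both `if [[ "$has_https_rr_h3" ]]; then` tests are always true, because the variable holds the string `true` or `false` and a single-operand `[[ ... ]]` only checks for a non-empty string; every target that does not offer QUIC would then be reported as contradicting the DNS HTTPS RR, including a LOW finding in the JSON output. They should execute the variable the way the second hunk already does, `if "$has_https_rr_h3"; then`. In the same hunk the chain `"$has_https_rr_h3" || fileout ... && fileout ...` groups as `(A || B) && C`, so when no h3 record exists and the first fileout returns success, the second one runs as well and writes an "as advertised in DNS HTTPS RR" entry under the same ID; an if/else avoids that. The final not-offered branch prints with prln_svrty_low but records "INFO", while the CONNECTED branch records "LOW", which looks unintended. sub_quic starts and ends outside these hunks.

```shell
# … unchanged: filter_printable and the CERTIFICATE----- match …
if "$has_https_rr_h3"; then
     fileout "$jsonID" "OK" "offered, as advertised in DNS HTTPS RR"
else
     fileout "$jsonID" "OK" "offered"
fi
# … unchanged: terminal output of protocol and ALPN …
elif [[ $(< $sclient_outfile) =~ ^CONNECTED\( ]]; then
     if "$has_https_rr_h3"; then
# … unchanged: both outputs of the CONNECTED branch …
else
     if "$has_https_rr_h3"; then
# … unchanged: both outputs of the not-offered branch …
```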