From 0af73c2d197b5571038cf58e223273f704afcc46 Mon Sep 17 00:00:00 2001 From: Kali Date: Thu, 5 Jan 2023 14:11:44 +0100 Subject: [PATCH 1/4] fixed DNS via Proxy --- testssl.sh | 62 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/testssl.sh b/testssl.sh index 28e63ca..5041fc3 100755 --- a/testssl.sh +++ b/testssl.sh @@ -196,7 +196,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy -DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this +DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate 
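Review bot: The default of DNS_VIA_PROXY flips from true to false on the changed line, but its trailing comment still reads `--ip=proxy reverses this`, which no longer describes what the option does once the default is off. Suggest `# do DNS lookups via proxy. --ip=proxy sets this to true` so the comment matches the new default (assuming --ip=proxy assigns true, which the help text added in patch 4 implies but this hunk does not show). Patch 2 touches this line again for whitespace only, so the comment would need fixing there as well if that patch is kept separate.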
@@ -22014,12 +22014,19 @@ display_rdns_etc() { datebanner() { local scan_time_f="" - + local node_banner="" + + if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then + node_banner="$NODE:$PORT" + else + node_banner="$NODEIP:$PORT ($NODE)" + fi + if [[ "$1" =~ Done ]] ; then scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows - pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--" + pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $node_banner <<--" else - pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--" + pr_reverse "$1 $(date +%F) $(date +%T) -->> $node_banner <<--" fi outln "\n" [[ "$1" =~ Start ]] && display_rdns_etc @@ -23735,7 +23742,6 @@ lets_roll() { fi stopwatch initialized - [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" $ERR_DNSLOOKUP nodeip_to_proper_ip6 reset_hostdepended_vars determine_rdns # Returns always zero or has already exited if fatal error occurred 
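Review bot: In datebanner's new condition `if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then` the test is against the literal string PROXY rather than the variable, so `-n` is always true and the banner switches to `$NODE:$PORT` whenever DNS_VIA_PROXY is true even when no proxy is configured; the equivalent test in the main-section hunk below correctly uses `"$PROXY"`. Change the line to `if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then`. Patch 2 re-indents this block but carries the same literal `"PROXY"` over unchanged, so the fix applies there too.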
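Review bot: Dropping `[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" $ERR_DNSLOOKUP` from lets_roll removes the only guard against an empty NODEIP, and the removal is not needed for the proxy case: the following hunk assigns `NODEIP="$NODE"` on that path, which is non-empty, so the guard would not have fired there. With the fatal in the main section also gone (next hunk), a failed local lookup now enters lets_roll with an empty NODEIP and the scan proceeds against nothing. Keep the removed line as it was. lets_roll's body continues outside the hunk.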
@@ -23938,26 +23944,30 @@ lets_roll() { [[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now prepare_logging - if ! determine_ip_addresses; then - fatal "No IP address could be determined" $ERR_DNSLOOKUP - fi - if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check - MULTIPLE_CHECKS=true - pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" - for ip in $IPADDRs; do - draw_line "-" $((TERM_WIDTH * 2 / 3)) - outln - NODEIP="$ip" - lets_roll "${STARTTLS_PROTOCOL}" - RET=$((RET + $?)) # RET value per IP address - done - draw_line "-" $((TERM_WIDTH * 2 / 3)) - outln - pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" - else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied - NODEIP="$IPADDRs" - lets_roll "${STARTTLS_PROTOCOL}" - RET=$? - fi + if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then + NODEIP="$NODE" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$? + else + determine_ip_addresses + if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check + MULTIPLE_CHECKS=true + pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" + for ip in $IPADDRs; do + draw_line "-" $((TERM_WIDTH * 2 / 3)) + outln + NODEIP="$ip" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$((RET + $?)) # RET value per IP address + done + draw_line "-" $((TERM_WIDTH * 2 / 3)) + outln + pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" + else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied + NODEIP="$IPADDRs" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$? + fi + fi exit $RET From 2b6bd2f1dd0a83ea0ed7d4b9ccfb363fa7fc4138 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 3 Mar 2023 12:47:12 +0100 Subject: [PATCH 2/4] fix indentation --- testssl.sh | 64 +++++++++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 32 deletions(-) 
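Review bot: The new else branch calls `determine_ip_addresses` bare and discards its status, whereas the removed code treated a failure as fatal; when resolution fails IPADDRs is presumably empty, the count_words test falls through to the single-address branch, and lets_roll runs with `NODEIP=""`. Restore the check as `determine_ip_addresses || fatal "No IP address could be determined" $ERR_DNSLOOKUP` inside that branch, which leaves the proxy path unaffected. On the proxy path NODEIP now carries a hostname rather than an address, so anything downstream that assumes NODEIP is a literal IP (nodeip_to_proper_ip6 and determine_rdns appear in the previous hunk) should be confirmed to tolerate that. The surrounding main-section code continues outside the hunk.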
diff --git a/testssl.sh b/testssl.sh index d8d9b63..845f40f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -196,7 +196,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy -DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this +DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate @@ -19986,7 +19986,7 @@ find_openssl_binary() { HAS_ZLIB=false HAS_UDS=false HAS_UDS2=false - TRUSTED1ST="" + TRUSTED1ST="" HAS_ENABLE_PHA=false $OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || OSSL_CIPHERS_S="-s" @@ -22041,18 +22041,18 @@ display_rdns_etc() { datebanner() { local scan_time_f="" local node_banner="" - + if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then - node_banner="$NODE:$PORT" + node_banner="$NODE:$PORT" else - node_banner="$NODEIP:$PORT ($NODE)" + node_banner="$NODEIP:$PORT ($NODE)" fi - + if [[ "$1" =~ Done ]] ; then scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $node_banner <<--" else - pr_reverse "$1 $(date +%F) $(date +%T) -->> $node_banner <<--" + pr_reverse "$1 $(date +%F) $(date +%T) -->> $node_banner <<--" fi outln "\n" [[ "$1" =~ Start ]] && display_rdns_etc 
@@ -23970,30 +23970,30 @@ lets_roll() { [[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now prepare_logging - if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then - NODEIP="$NODE" - lets_roll "${STARTTLS_PROTOCOL}" - RET=$? - else - determine_ip_addresses - if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check - MULTIPLE_CHECKS=true - pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" - for ip in $IPADDRs; do - draw_line "-" $((TERM_WIDTH * 2 / 3)) - outln - NODEIP="$ip" - lets_roll "${STARTTLS_PROTOCOL}" - RET=$((RET + $?)) # RET value per IP address - done - draw_line "-" $((TERM_WIDTH * 2 / 3)) - outln - pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" - else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied - NODEIP="$IPADDRs" - lets_roll "${STARTTLS_PROTOCOL}" - RET=$? - fi - fi + if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then + NODEIP="$NODE" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$? + else + determine_ip_addresses + if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check + MULTIPLE_CHECKS=true + pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" + for ip in $IPADDRs; do + draw_line "-" $((TERM_WIDTH * 2 / 3)) + outln + NODEIP="$ip" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$((RET + $?)) # RET value per IP address + done + draw_line "-" $((TERM_WIDTH * 2 / 3)) + outln + pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" + else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied + NODEIP="$IPADDRs" + lets_roll "${STARTTLS_PROTOCOL}" + RET=$? + fi + fi exit $RET From 9afa277c02d36cc7223e766c5bf909bdb61e76d3 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 3 Mar 2023 12:50:02 +0100 Subject: [PATCH 3/4] another indent correction --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/testssl.sh b/testssl.sh index 845f40f..a432bdb 100755 --- a/testssl.sh +++ b/testssl.sh @@ -19986,7 +19986,7 @@ find_openssl_binary() { HAS_ZLIB=false HAS_UDS=false HAS_UDS2=false - TRUSTED1ST="" + TRUSTED1ST="" HAS_ENABLE_PHA=false $OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || OSSL_CIPHERS_S="-s" From d001bba86bbeee07ff2ced2dc146603f71f76a53 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 21 Mar 2023 19:40:40 +0100 Subject: [PATCH 4/4] Finalize DNS via Proxy See #2328, original PR #2295 from @w4ntun . Formerly testssl.sh returned an error when it wasn't possible to determine IP addresses through DNS resolution, even if --proxy and --ip=proxy flags are set. The main function always tried to determine IP addresses via DNS and exits with a fatal error if it cannot do it. Although the client cannot get the IP, the proxy could, so the SSL/TLS analysis is still possible. This PR allows the analysis for an HTTP service via a proxy server and the DNS traffic can be sent directly or through the proxy using the flag --ip=proxy. ATTENTION: This may be a breaking change for those who don't have a local resolver. They now have to add --ip=proxy. In addition: * help() was amended to add --ip=proxy (was only in the ~i/doc dir before) * amending ~/doc dir to document it's better to add --nodns=min when there's no local resolver --- doc/testssl.1 | 4 ++-- doc/testssl.1.html | 4 ++-- doc/testssl.1.md | 5 ++--- testssl.sh | 13 ++++++++++--- 4 files changed, 16 insertions(+), 10 deletions(-) diff --git a/doc/testssl.1 b/doc/testssl.1 index 030774a..b9fa266 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -88,7 +88,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able .P \fB\-\-mx \fR tests all MX records (STARTTLS on port 25) from high to low priority, one after the other\. .P -\fB\-\-ip \fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\. +\fB\-\-ip \fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\. \fB\-\-ip=proxy\fR plus \fB\-\-nodns=min\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\. .P \fB\-\-proxy :\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. The hostname supplied will be resolved to the first A record\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. 
As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\. Authentication to the proxy is not supported\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\. .P 
@@ -102,7 +102,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able .P \fB\-\-assuming\-http\fR testssl\.sh normally does upfront an application protocol detection\. In cases where HTTP cannot be automatically detected you may want to use this option\. It enforces testssl\.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation\. Please note that sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\. .P -\fB\-n, \-\-nodns \fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the environment variable for this\. +\fB\-n, \-\-nodns \fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. 
\fBNODNS\fR is the environment variable for this\. \fB\-\-nodns=min\fR plus \fB\-\-ip=proxy\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\. .P \fB\-\-sneaky\fR For HTTP header checks testssl\.sh uses normally the server friendly HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn't hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\. .P diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 21d35db..5b9c2cd 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -200,7 +200,7 @@ The same can be achieved by setting the environment variable WARNINGS--mx <domain|host> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.

-

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses need to be supplied in square brackets. --ip=one means: just test the first A record DNS returns (useful for multiple IPs). If -6 and --ip=one was supplied an AAAA record will be picked if available. The --ip option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

+

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses need to be supplied in square brackets. --ip=one means: just test the first A record DNS returns (useful for multiple IPs). If -6 and --ip=one was supplied an AAAA record will be picked if available. The --ip option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy. --ip=proxy tries a DNS resolution via proxy. --ip=proxy plus --nodns=min is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if IGN_OCSP_PROXY=true has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.

@@ -217,7 +217,7 @@ The same can be achieved by setting the environment variable WARNINGS--assuming-http testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.

-n, --nodns <min|none> tells testssl.sh which DNS lookups should be performed. min uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. none performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use --ip or have the IP address -in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. NODNS is the environment variable for this.

+in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. NODNS is the environment variable for this. --nodns=min plus --ip=proxy is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.

--sneaky For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index 1795cc4..fcb90e9 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md 
@@ -122,7 +122,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. `--mx ` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other. -`--ip ` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in ``. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. +`--ip ` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in ``. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records. `--proxy :` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. 
However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. 
@@ -139,8 +139,7 @@ The same can be achieved by setting the environment variable `WARNINGS`. `--assuming-http` testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server. -`-n, --nodns ` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address -in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this. +`-n, --nodns ` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this. 
`--nodns=min` plus `--ip=proxy` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records. `--sneaky` For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`). diff --git a/testssl.sh b/testssl.sh index a432bdb..61f9312 100755 --- a/testssl.sh +++ b/testssl.sh @@ -8828,7 +8828,7 @@ certificate_info() { local cn_finding trustfinding trustfinding_nosni local cnok="OK" local expfinding expok="OK" - local -i ret=0 + local -i ret=0 tmp=0 local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate local jsonID="" # string to place at beginning of JSON IDs local json_rating json_msg @@ -9686,6 +9686,8 @@ certificate_info() { caa="" while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do caa="$(get_caa_rr_record $caa_node)" + tmp=${PIPESTATUS[@]} + [[ $DEBUG -ge 4 ]] && echo "get_caa_rr_record: $tmp" [[ $caa_node =~ '.'$ ]] || caa_node+="." caa_node=${caa_node#*.} done @@ -9707,6 +9709,9 @@ certificate_info() { elif [[ -n "$NODNS" ]]; then out "(instructed to minimize DNS queries)" fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed" + elif "$DNS_VIA_PROXY"; then + out "(instructed to use the proxy for DNS only)" + fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed (proxy)" else pr_svrty_low "not offered" fileout "${jsonID}${json_postfix}" "LOW" "--" 
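Review bot: `tmp=${PIPESTATUS[@]}` after `caa="$(get_caa_rr_record $caa_node)"` relies on the array expansion collapsing to a single word and on PIPESTATUS being refreshed by a command-substitution assignment; there is no pipeline on that line, so `tmp=$?` on the following line is the plain way to capture the status that get_caa_rr_record now returns (2 when NODNS is set, per the later hunk in this patch). Since tmp is declared `local -i`, a multi-element expansion would become an arithmetic error if the call were ever turned into a pipeline. The unquoted `$caa_node` argument on the existing line would also benefit from quotes, though that predates this change. certificate_info continues outside the hunk.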
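Review bot: The new `elif "$DNS_VIA_PROXY"; then` branch reports `check skipped as instructed (proxy)`, but as far as the hunks in this series show nothing makes get_caa_rr_record skip its lookup when DNS_VIA_PROXY is set — the early return added in the @@ -21026 hunk keys on NODNS only — so the local CAA lookup is still attempted and this message is printed only after it came back empty. Either add `"$DNS_VIA_PROXY" && return 2` beside the NODNS check in get_caa_rr_record, or reword the output so it does not claim a skip that did not happen. Because this elif sits after the NODNS branch, combining --ip=proxy with the --nodns=min the documentation now recommends prints the NODNS message instead, which is worth a comment on the branch. certificate_info continues outside the hunk.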
@@ -20308,7 +20313,8 @@ tuning / connect options (most also can be preset via environment variables): --proxy (experimental) proxy connects via , auto: values from \$env (\$http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI - b) arg "one" means: just test the first DNS returns (useful for multiple IPs) + b) "one" means: just test the first DNS returns (useful for multiple IPs) + c) "proxy" means: dns resolution via proxy. Needed when host has no DNS. -n, --nodns if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records --sneaky leave less traces in target logs: user agent, referer --user-agent set a custom user agent instead of the standard user agent @@ -21026,7 +21032,8 @@ get_caa_rr_record() { "$HAS_DIG_NOIDNOUT" && noidnout="+noidnout" - [[ -n "$NODNS" ]] && return 0 # if minimum DNS lookup was instructed, leave here + [[ -n "$NODNS" ]] && return 2 # if minimum DNS lookup was instructed, leave here + # if there's a type257 record there are two output formats here, mostly depending on age of distribution # roughly that's the difference between text and binary format # 1) 'google.com has CAA record 0 issue "symantec.com"'
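Review bot: The new help line `c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.` is ambiguous about which host lacks DNS (the scanning machine, not the target) and departs from the capitalisation used on the neighbouring lines ("DNS returns", "DNS lookups"). Suggest `c) "proxy" means: DNS resolution via proxy. Needed when there's no local resolver; combine with --nodns=min`, which matches the wording the man page receives in this same commit. The help() text continues outside the hunk.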
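Review bot: `return 2` on the NODNS early exit introduces a third outcome for get_caa_rr_record (record found, nothing found, lookup skipped) without documenting it, and the only consumer visible in this series is the debug echo in certificate_info, whose `while` loop still walks every parent label and calls this function again after a 2. A comment on the changed line, `# return 2 = lookup skipped on request (NODNS), so callers can tell it from an empty result`, and a `[[ $tmp -eq 2 ]] && break` in that loop would make the new status actually useful. The rest of get_caa_rr_record is outside the hunk, so its other return paths could not be checked for consistency.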