- IPv6 #11 is 80% working (whohoo!). Needed is an openssl capable IPv6 and HAS_IPv6=true in the environment

- FIX #191
This commit is contained in:
Dirk 2015-09-26 22:44:33 +02:00
parent cc81642ee3
commit feaef680aa
1 changed files with 36 additions and 15 deletions

View File

@ -154,6 +154,7 @@ OSSL_VER_APPENDIX="none"
HAS_DH_BITS=${HAS_DH_BITS:-false} HAS_DH_BITS=${HAS_DH_BITS:-false}
HAS_SSL2=true #TODO: in the future we'll do the fastest possible test (openssl s_client -ssl2 is currently faster than sockets) HAS_SSL2=true #TODO: in the future we'll do the fastest possible test (openssl s_client -ssl2 is currently faster than sockets)
HAS_SSL3=true HAS_SSL3=true
HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works!
PORT=443 # unless otherwise auto-determined, see below PORT=443 # unless otherwise auto-determined, see below
NODE="" NODE=""
NODEIP="" NODEIP=""
@ -1579,7 +1580,7 @@ run_server_preference() {
local -i ret=0 local -i ret=0
local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256" local list_fwd="DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256"
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 : # now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA" local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
local has_cipher_order=true local has_cipher_order=true
outln; outln;
@ -2376,14 +2377,15 @@ starttls_just_read(){
fd_socket() { fd_socket() {
local jabber="" local jabber=""
local proyxline="" local proyxline=""
local nodeip="$(tr -d '[]' <<< $NODEIP)" # sockets do not need the square brackets we have of IPv6 addresses
# we just need do it here, that's all!
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then if ! exec 5<> /dev/tcp/${PROXYIP}/${PROXYPORT}; then
outln outln
pr_magenta "$PROG_NAME: unable to open a socket to proxy $PROXYIP:$PROXYPORT" pr_magenta "$PROG_NAME: unable to open a socket to proxy $PROXYIP:$PROXYPORT"
return 6 return 6
fi fi
echo "CONNECT $NODEIP:$PORT" >&5 echo "CONNECT $nodeip:$PORT" >&5
while true ; do while true ; do
read proyxline <&5 read proyxline <&5
if [[ "${proyxline%/*}" == "HTTP" ]]; then if [[ "${proyxline%/*}" == "HTTP" ]]; then
@ -2398,7 +2400,7 @@ fd_socket() {
break break
fi fi
done done
elif ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null would remove an error message, but disables debugging elif ! exec 5<>/dev/tcp/$nodeip/$PORT; then # 2>/dev/null would remove an error message, but disables debugging
outln outln
pr_magenta "Unable to open a socket to $NODEIP:$PORT. " pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
# It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS # It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
@ -4277,23 +4279,34 @@ determine_ip_addresses() {
check_resolver_bins check_resolver_bins
ip4=$(get_a_record $NODE) ip4=$(get_a_record $NODE)
else else
LOCAL_A=true # we have the ip4 from local host entry and need to set this LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi fi
# same now for ipv6 (though not supported) <-- can't do this yet as it shows up under "further IP addresses" # same now for ipv6
# and we didn't bother to show the fact that it is local there
ip6=$(get_local_aaaa $NODE) ip6=$(get_local_aaaa $NODE)
#if [[ -z $ip6 ]]; then if [[ -z $ip6 ]]; then
check_resolver_bins
ip6=$(get_aaaa_record $NODE) ip6=$(get_aaaa_record $NODE)
#else else
# LOCAL_AAAA=true # we have the ip4 from local host entry and need to set this LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
#fi fi
fi
if [[ -z "$ip4" ]]; then # IPv6 only address
if $HAS_IPv6; then
IPADDRs=$(newline_to_spaces "$ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
fi
else
if $HAS_IPv6 && [[ -n "$ip6" ]]; then
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
IP46ADDRs="$IPADDRs"
else
IPADDRs=$(newline_to_spaces "$ip4")
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")
fi
fi fi
IPADDRs=$(newline_to_spaces "$ip4")
if [[ -z "$IPADDRs" ]] && [[ -z "$CMDLINE_IP" ]]; then if [[ -z "$IPADDRs" ]] && [[ -z "$CMDLINE_IP" ]]; then
fatal "No IPv4 address for \"$NODE\" available" -1 fatal "No IPv4 address for \"$NODE\" available" -1
fi fi
[[ -z "$ip6" ]] && IP46ADDRs="$IPADDRs" || IP46ADDRs="$ip4 $ip6"
IP46ADDRs=$(newline_to_spaces "$IP46ADDRs")
return 0 # IPADDR and IP46ADDR is set now return 0 # IPADDR and IP46ADDR is set now
} }
@ -4345,6 +4358,7 @@ check_proxy(){
#if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then #if is_ipv4addr "$PROXYNODE" || is_ipv6addr "$PROXYNODE" ; then
# IPv6 via openssl -proxy: that doesn't work. Sockets does # IPv6 via openssl -proxy: that doesn't work. Sockets does
#FIXME: try whether it works with the IPv6 patch
if is_ipv4addr "$PROXYNODE"; then if is_ipv4addr "$PROXYNODE"; then
PROXYIP="$PROXYNODE" PROXYIP="$PROXYNODE"
else else
@ -4876,10 +4890,17 @@ parse_cmd_line() {
} }
# connect call from openssl needs ipv6 in square brackets
nodeip_to_proper_ip6() {
is_ipv6addr $NODEIP && NODEIP="[$NODEIP]"
}
lets_roll() { lets_roll() {
local ret local ret
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" -1 [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" -1
nodeip_to_proper_ip6
determine_rdns determine_rdns
determine_service "$1" # any starttls service goes here determine_service "$1" # any starttls service goes here
@ -5013,4 +5034,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.392 2015/09/25 12:35:41 dirkw Exp $ # $Id: testssl.sh,v 1.393 2015/09/26 20:44:32 dirkw Exp $