As a quick hack this PR enables *basically* the IPv6 proxy which results that testssl.sh
will use an IPv6 proxy when
* the binary supports that
* the binary is used an not tls_sockets()
* there's no A record but an AAAA record of the proxy or an IPv6 address as proxy address was specified.
The latter should guarantee that it doesn't break anything.
However tls_sockets() still uses IPv4 for the connection to the proxy.
See #1105
On MacOS `run_http_header()` hiccuped when in any place of the web site unprintable chars were returned, see https://github.com/testssl/testssl.sh/issues/2708#issuecomment-2738347784 .
This PR fixes that by moving the sanitization to a separate function and run it earlier before any processing of the returned content (header plus body) takes place.
Output was:
```
'HTTP Status Code awk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
'wk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
200 OK
```
When parsing the intermediate cerificates there was a parser problem when using
LibreSSL and not OpenSSL.
This PR fixes the issue #2705 and addresses the problem by using the -nameopt multiline command
of LibreSSL/OpenSSL .
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.* or for upcoming versions of OpenSSL (version 4 or greater). The check will also not work correctly if $OPENSSL2 is used and $OPENSSL2 is not /usr/bin/openssl. This commit fixes these issues.
Previously in 4f1a91f92e there was a
double header sent to the server to check whether the certificate
was revoked.
This PR addresses that and fixes#2667 .
Before version 3.0.0, OpenSSL versions includes letters (e.g., 1.1.1w). Such version numbers confuse [[ ${OSSL_VER//./} -ge 210 ]]. Since this check is only needed for LibreSSL, this commit adds a conditional so that the check is only performed for LibreSSL.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available.
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
