As a quick hack this PR enables *basically* the IPv6 proxy which results that testssl.sh
will use an IPv6 proxy when
* the binary supports that
* the binary is used an not tls_sockets()
* there's no A record but an AAAA record of the proxy or an IPv6 address as proxy address was specified.
The latter should guarantee that it doesn't break anything.
However tls_sockets() still uses IPv4 for the connection to the proxy.
See #1105
On MacOS `run_http_header()` hiccuped when in any place of the web site unprintable chars were returned, see https://github.com/testssl/testssl.sh/issues/2708#issuecomment-2738347784 .
This PR fixes that by moving the sanitization to a separate function and run it earlier before any processing of the returned content (header plus body) takes place.
Output was:
```
'HTTP Status Code awk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
'wk: towc: multibyte conversion failure on: '� disabilitato");
input record number 36, file /tmp/testssl.FHu8E0/AAA.BBB.CCC.DDD.http_header.txt
source line number 1
200 OK
```
When parsing the intermediate cerificates there was a parser problem when using
LibreSSL and not OpenSSL.
This PR fixes the issue #2705 and addresses the problem by using the -nameopt multiline command
of LibreSSL/OpenSSL .
The current code for setting $host_header in check_revocation_ocsp() will not work for LibreSSL 3.* or for upcoming versions of OpenSSL (version 4 or greater). The check will also not work correctly if $OPENSSL2 is used and $OPENSSL2 is not /usr/bin/openssl. This commit fixes these issues.
Previously in 4f1a91f92e there was a
double header sent to the server to check whether the certificate
was revoked.
This PR addresses that and fixes#2667 .
Before version 3.0.0, OpenSSL versions includes letters (e.g., 1.1.1w). Such version numbers confuse [[ ${OSSL_VER//./} -ge 210 ]]. Since this check is only needed for LibreSSL, this commit adds a conditional so that the check is only performed for LibreSSL.
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available.
This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
According to https://openssl-library.org/roadmap/index.html, OpenSSL 4 is scheduled to be released in April 2026. This commit modifies code that checks $OPENSSL version numbers so that versions 4 and above will be recognized.
This commit modifies testssl.sh so that run_server_defaults() prints the server's supported TLS extensions sorted by extension number rather than listing them in the order in which they were found.
In order to simplify the sorting of the extensions, this commit changes $TLS_EXTENSIONS from a string to an array. In February 2017 comments were added (925e1061b2) saying that it would be $TLS_EXTENSIONS were an array. So, this commit addresses those comments. However, it is possible that the reason for those comments no longer apply.
With the current master branch of OpenSSL (3.5.0-dev), the output that is provided by s_client has changed in the case of a cipher suite that uses an ephemeral key. Rather than preceding the ephemeral key information with "Server Temp Key: ", it is now preceded by either "Peer Temp Key:" or "Negotiated TLS1.3 group:". This commit modifies the lines that extract ephemeral key information from OpenSSL responses to accept any of these strings.
