This PR will enable IPv6 fully if available.
It was not enabled before as users were confronted with an error message when
testssl.sh wanted (also) to scan IPv6 before but routing/configuration or
whatsoever issues prevented that. This has been solved by introducing the function
`shouldwedo_ipv6()` which checks whether we can reach the target via IPv6 --
tracked be the global IPv6_OK.
The change is in line with tools like wget or curl in a sense that if IPv6 works
it is just being used. Formally testssl.sh had to be instructed via -6 cmdline
option, like nmap.
* \-6 is now the switch to do IPv6 scans only
* \-4 is now the switch to do IPv4 scans only
The latter is a *breaking change*, as the cmdline option meant before to check
for RC4 ciphers.
Also HAS_IPv6, synonymous to -6 before, does not exist anymore.
As the command line option `--connect-timeout` seemed rather unspecific,
it has been replaced by `--socket-timeout, also all internal variables.
Todo:
* man pages
* dashed lines appear too long
This fixes#2847 .
It was falsely assumed that the http head command blocks when port 80 is not available but
actucally the exec for the socket is the culprit.
This PR changes that so that the exec is put in the background.
Another change is that $node is still used but the port is stripped of which
lead to the problem raised in #2847. We use $node instead of $NODE has we
can recycle the `http_head[er]_printf()` later.
`http_header_printf()`was renamed to `http_head_printf()` as there's also an `http_head()`
and an `http_get()`
This commit adds an improvement so that e.g. under MacOS
/opt/homebrew/bin/openssl is automatically taken as
$OPENSSL so that also QUIC works out of the box for MacOS.
Formally for at least MacOS with silicon CPUs OPENSSL was
equal to OPENSSL2 and LibreSSL in /usr/bin/openssl doesn't
have QUIC support (up to version 15.5 of MacoOS at least).
Fixes#2833
This does a check for the opossum vulnerability, see https://opossum-attack.com/ .
It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.
`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.
Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help
Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.
... so that we have a comparison between OpenSSL and LibreSSL. Otherwise this test would be completely futile for MacOS.
Also change the displayed text.
See #2832 (which was for 3.2)
Before:
```
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
QUIC not offered or timed out
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)
```
After:
```
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
QUIC not offered or timed out
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)
```
The logic was wrong when calling set_rating_state() in parse_cmd_line() as do_rating was set before to true through set_scanning_defaults().
This PR fixes#2825 by querying ${SKIP_TESTS[@]} instead and then calling set_rating_state() when no --disable-rating was supplied .
This is an implementation for QUIC (RFC 9000, RFC 9114). It's purely
OpenSSL based for now. As some distros support newer (>= 3.2) versions
this works on some distros now and will work on more as time goes by.
It has been tested with MacOS and Linux. If there's an OpenSSL version
in /usr/bin/ it will automagically use that version.
A new short sub function named sub_quic() was introduced for handling this as
run_protocols() is already "full".
It appears below TLS 1.3. A check against HTTPS RR #2484 is planned but
not implemented yet. PR #2484 has to be worked on and merged before.
New variables were introduces (HAS_QUIC/ +HAS2_QUIC). Also there's
QUIC_WAIT as we run the connect in the background and we need a wait time.
HAS_UDS2 was renamed to HAS2_UDS as HAS2 should signal this is for OPENSSL2
and UDS2 doesn't make sense.
To clarify:
- check for a proxy and then don't do the check?
- short unit test (t/31_isJSON_valid.t cjecks cloudflare but ...)
