From 61c2be8f156fdc3f1c81e0265707b665886291d6 Mon Sep 17 00:00:00 2001
From: w4ntun
Date: Sat, 12 Apr 2025 19:58:10 +0200
Subject: [PATCH 1/4] PR properly rebased
---
 testssl.sh | 44 +++++++++++++++++++------------------------
 1 file changed, 19 insertions(+), 25 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index ed4449fde..dd499f49a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -197,7 +197,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it
 CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
 EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
 PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
-DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
+DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=* reverses this
 IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
 MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
@@ -22982,10 +22982,10 @@ datebanner() {
 local scan_time_f=""
 local node_banner=""
- if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY"; then
- node_banner="$NODE:$PORT"
+ if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then
+ node_banner="$NODE:$PORT"
 else
- node_banner="$NODEIP:$PORT ($NODE)"
+ node_banner="$NODEIP:$PORT ($NODE)"
 fi
 if [[ "$1" =~ Done ]] ; then
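Review bot: Changing the `DNS_VIA_PROXY` default from `false` to `true` alters behaviour for every existing `--proxy` invocation, yet as far as this series shows nothing in this commit acts on it: the `lets_roll()` hunk below removes the only path that skipped resolution (`NODEIP="$NODE"`), and `determine_ip_addresses()` keeps resolving the host locally until PATCH 3/4 adds its own check, so at this commit the target name is still looked up on the scanner host despite the new default. The updated comment `--ip=* reverses this` is likewise ahead of the code, since the `--ip` parser only learns to clear the flag in PATCH 3/4. Either keep the default at `false` here and flip it in the commit that implements the behaviour, or squash the two, so each commit in the series is self-consistent. A comment naming the trade-off would also help, e.g. `# true: hand the bare hostname to the proxy for resolution instead of querying DNS locally`.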
@@ -24950,30 +24950,24 @@ lets_roll() {
 [[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now
 prepare_logging
- if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then
- NODEIP="$NODE"
- lets_roll "${STARTTLS_PROTOCOL}"
- RET=$?
- else
- determine_ip_addresses
- if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
- MULTIPLE_CHECKS=true
- pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
- for ip in $IPADDRs; do
- draw_line "-" $((TERM_WIDTH * 2 / 3))
- outln
- NODEIP="$ip"
- lets_roll "${STARTTLS_PROTOCOL}"
- RET=$((RET + $?)) # RET value per IP address
- done
+ determine_ip_addresses
+ if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
+ MULTIPLE_CHECKS=true
+ pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
+ for ip in $IPADDRs; do
 draw_line "-" $((TERM_WIDTH * 2 / 3))
 outln
- pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
- else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
- NODEIP="$IPADDRs"
+ NODEIP="$ip"
 lets_roll "${STARTTLS_PROTOCOL}"
- RET=$?
- fi
+ RET=$((RET + $?)) # RET value per IP address
+ done
+ draw_line "-" $((TERM_WIDTH * 2 / 3))
+ outln
+ pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
+ else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
+ NODEIP="$IPADDRs"
+ lets_roll "${STARTTLS_PROTOCOL}"
+ RET=$?
 fi
 exit $RET
From e454d48e7c759e1111ebe9a72658f9631ece4f78 Mon Sep 17 00:00:00 2001
From: w4ntun
Date: Sat, 12 Apr 2025 20:06:30 +0200
Subject: [PATCH 2/4] Fixing bash variables
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index dd499f49a..6054e1c13 100755
--- a/testssl.sh
+++ b/testssl.sh
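Review bot: The comment on the added `else` line, `# Just 1x ip4v to check, applies also if CMDLINE_IP was supplied`, no longer covers every case the branch handles once PATCH 3/4 lands: `determine_ip_addresses()` then stores the unresolved hostname in `IPADDRs` when the proxy does the DNS, and this `else` branch copies that name into `NODEIP`. Suggest `# Just one target to check: a single address, a CMDLINE_IP, or the bare hostname when the proxy resolves it`; the typo `ip4v` goes away with it. `lets_roll()` starts well before this hunk.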
@@ -22982,7 +22982,7 @@ datebanner() {
 local scan_time_f=""
 local node_banner=""
- if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then
+ if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY";then
 node_banner="$NODE:$PORT"
 else
 node_banner="$NODEIP:$PORT ($NODE)"
From 9b8c91bc34b61322c9945d6d2b9e2f167c4644b5 Mon Sep 17 00:00:00 2001
From: w4ntun
Date: Tue, 22 Apr 2025 19:59:40 +0200
Subject: [PATCH 3/4] Fix on determine_ip_addresses() to check DNS_VIA_PROXY
---
 testssl.sh | 113 +++++++++++++++++++++++++++--------------------------
 1 file changed, 57 insertions(+), 56 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 4126024de..e0c486573 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -197,7 +197,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it
 CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
 EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
 PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
-DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=* reverses this
+DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip reverses this
 IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
 HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
 MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
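Review bot: The `+` line restores `"$PROXY"` and the quoting of `"$DNS_VIA_PROXY"` but keeps `;then` glued to the command, whereas the rest of the file visible on this page spells it `; then` (`lets_roll()`, `determine_ip_addresses()`); suggest `if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY"; then`. PATCH 3/4 introduces the same `;then` spelling in `determine_ip_addresses()`. Note also that this line runs the variable's value as a command, the file's existing idiom for flags such as `HAS_IPv6`; because `DNS_VIA_PROXY` is seeded from the environment (`${DNS_VIA_PROXY:-true}`), a value other than `true`/`false` is executed as a command name rather than rejected, which a validation in option parsing, outside this hunk, would avoid.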
@@ -21182,7 +21182,6 @@ tuning / connect options (most also can be preset via environment variables):
 -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
 --ip a) tests the supplied v4 or v6 address instead of resolving host(s) in URI
 b) "one" means: just test the first DNS returns (useful for multiple IPs)
- c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
 -n, --nodns if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
 --sneaky leave less traces in target logs: user agent, referer
 --user-agent set a custom user agent instead of the standard user agent
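Review bot: Dropping `c) "proxy" means: …` leaves the help text without any description of the behaviour that replaces it: with `--proxy`, resolution is now left to the proxy by default (`DNS_VIA_PROXY` defaults to `true` in the `@@ -197` hunk) and any `--ip` value, including `one`, switches back to local resolution (`DNS_VIA_PROXY=false` in the `parse_cmd_line()` hunk). Suggest keeping a third bullet, e.g. `c) any --ip value also forces local DNS resolution when --proxy is used (default: the proxy resolves the host)`, and stating the default once more under `--proxy`, which is outside this hunk. The enclosing help block starts and ends outside the hunk.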
@@ -22084,63 +22083,67 @@ get_txt_record() {
 determine_ip_addresses() {
 local ip4=""
 local ip6=""
-
- ip4="$(get_a_record "$NODE")"
- ip6="$(get_aaaa_record "$NODE")"
- IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")
-
- if [[ -n "$CMDLINE_IP" ]]; then
- # command line has supplied an IP address or "one"
- if [[ "$CMDLINE_IP" == one ]]; then
- # use first IPv6 or IPv4 address
- if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
- CMDLINE_IP="$(head -1 <<< "$ip6")"
+
+ if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY";then
+ IPADDRs=$NODE
+ else
+ ip4="$(get_a_record "$NODE")"
+ ip6="$(get_aaaa_record "$NODE")"
+ IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")
+
+ if [[ -n "$CMDLINE_IP" ]]; then
+ # command line has supplied an IP address or "one"
+ if [[ "$CMDLINE_IP" == one ]]; then
+ # use first IPv6 or IPv4 address
+ if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
+ CMDLINE_IP="$(head -1 <<< "$ip6")"
+ else
+ CMDLINE_IP="$(head -1 <<< "$ip4")"
+ fi
+ fi
+ NODEIP="$CMDLINE_IP"
+ if is_ipv4addr "$NODEIP"; then
+ ip4="$NODEIP"
+ elif is_ipv6addr "$NODEIP"; then
+ ip6="$NODEIP"
 else
- CMDLINE_IP="$(head -1 <<< "$ip4")"
+ fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP
 fi
- fi
- NODEIP="$CMDLINE_IP"
- if is_ipv4addr "$NODEIP"; then
- ip4="$NODEIP"
- elif is_ipv6addr "$NODEIP"; then
- ip6="$NODEIP"
- else
- fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP
- fi
- elif is_ipv4addr "$NODE"; then
- ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
- SNI="" # override Server Name Indication as we test the IP only
- else
- ip4=$(get_local_a "$NODE") # is there a local host entry?
- if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
- ip4=$(get_a_record "$NODE")
- else
- LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
- fi
- # same now for ipv6
- ip6=$(get_local_aaaa "$NODE")
- if [[ -z "$ip6" ]]; then
- ip6=$(get_aaaa_record "$NODE")
+ elif is_ipv4addr "$NODE"; then
+ ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
+ SNI="" # override Server Name Indication as we test the IP only
 else
- LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
+ ip4=$(get_local_a "$NODE") # is there a local host entry?
+ if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
+ ip4=$(get_a_record "$NODE")
+ else
+ LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
+ fi
+ # same now for ipv6
+ ip6=$(get_local_aaaa "$NODE")
+ if [[ -z "$ip6" ]]; then
+ ip6=$(get_aaaa_record "$NODE")
+ else
+ LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
+ fi
 fi
- fi
- # IPv6 only address
- if [[ -z "$ip4" ]]; then
- if "$HAS_IPv6"; then
- IPADDRs=$(newline_to_spaces "$ip6")
- IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
- fi
- else
- if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
- if is_ipv6addr "$CMDLINE_IP"; then
+ # IPv6 only address
+ if [[ -z "$ip4" ]]; then
+ if "$HAS_IPv6"; then
 IPADDRs=$(newline_to_spaces "$ip6")
- else
- IPADDRs=$(newline_to_spaces "$ip4 $ip6")
+ IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
 fi
 else
- IPADDRs=$(newline_to_spaces "$ip4")
+ if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
+ if is_ipv6addr "$CMDLINE_IP"; then
+ IPADDRs=$(newline_to_spaces "$ip6")
+ else
+ IPADDRs=$(newline_to_spaces "$ip4 $ip6")
+ fi
+ else
+ IPADDRs=$(newline_to_spaces "$ip4")
+ fi
 fi
 fi
 if [[ -z "$IPADDRs" ]]; then
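Review bot: The new short-circuit `if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY";then` with `IPADDRs=$NODE` bypasses the `elif is_ipv4addr "$NODE"` branch, so when the URI is an IPv4 literal and a proxy is in use the `SNI=""` override no longer happens and whatever `SNI` was set to earlier (presumably the literal itself) is kept; `IP46ADDRs` is also never assigned in that branch although the function's own comment calls it "the ones to display" and the `@@ -22150` hunk's `return 0` comment says it is set on return. Suggest mirroring the existing handling inside the new branch: `IPADDRs="$NODE"`, `IP46ADDRs="$NODE"`, `is_ipv4addr "$NODE" && SNI=""`. The `;then` on that line also breaks with the `; then` spelling used on every other `if` in this hunk. `determine_ip_addresses()` continues past the end of the hunk.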
@@ -22150,7 +22153,7 @@ determine_ip_addresses() {
 fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
 fi
 fi
- return 0 # IPADDR and IP46ADDR is set now
+ return 0 # IPADDRs and IP46ADDR is set now
 }
 determine_rdns() {
@@ -24083,10 +24086,8 @@ parse_cmd_line() {
 --ip|--ip=*)
 CMDLINE_IP="$(parse_opt_equal_sign "$1" "$2")"
 [[ $? -eq 0 ]] && shift
- if [[ "$CMDLINE_IP" == proxy ]]; then
- DNS_VIA_PROXY=true
- unset CMDLINE_IP
- fi
+ DNS_VIA_PROXY=false
+
 # normalize any IPv6 address
 CMDLINE_IP="${CMDLINE_IP//[/}" # fix vim syntax highlighting "]
 CMDLINE_IP="${CMDLINE_IP//]/}"
From bf1a6de9bd0d62766b25544957f1fdb5400683a9 Mon Sep 17 00:00:00 2001
From: w4ntun
Date: Tue, 22 Apr 2025 21:34:24 +0200
Subject: [PATCH 4/4] Fix on check_proxy() to choose the first IP addr when proxy hostname resolves to multiple addresses
---
 testssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index e0c486573..981d1531d 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -22235,9 +22235,9 @@ check_proxy() {
 else
 # We check now preferred whether there was an IPv4 proxy via DNS specified
 # If it fails it could be an IPv6 only proxy via DNS or we just can't reach the proxy
- PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
+ PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //' | head -n1)"
 if [[ -z "$PROXYIP" ]]; then
- PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
+ PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //' | head -n1)"
 if [[ -n "$PROXYIP" ]]; then
 if [[ ${OSSL_VER_MAJOR$}${OSSL_VER_MINOR} -lt 11 ]]; then
 fatal_cmd_line "OpenSSL version >= 1.1.0 required for IPv6 proxy support" $ERR_OSSLBIN
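Review bot: `DNS_VIA_PROXY=false` is now set for every `--ip` value, and with the `--ip=proxy` branch removed a user who still passes `--ip=proxy` ends up with `CMDLINE_IP=proxy`, which only fails much later in `determine_ip_addresses()` with `couldn't identify supplied "CMDLINE_IP"`, a misleading error for an option that was removed. Suggest rejecting it here: `[[ "$CMDLINE_IP" == proxy ]] && fatal_cmd_line "--ip=proxy has been removed; DNS is resolved via the proxy by default, use --ip only to force local resolution" $ERR_CMDLINE`. The assignment also silently overrides an explicit `DNS_VIA_PROXY=true` from the environment, which matches the `--ip reverses this` comment at the top of the file but deserves a one-line comment at this spot, e.g. `# any --ip (also "one") implies local resolution, never via the proxy`.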
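Review bot: `| head -n1` on both `+` lines picks whichever record the resolver returns first, but the chosen value is still used as `PROXYIP` without a check that it is an address: if `get_a_record` ever emits a line that is not an address and survives `grep -v alias`, it now becomes the sole candidate instead of one of several. Suggest validating with the helpers the file already has, `is_ipv4addr "$PROXYIP" || PROXYIP=""` after the first assignment and `is_ipv6addr "$PROXYIP" || PROXYIP=""` after the second, so the IPv6 fallback and the existing empty-`PROXYIP` error path still trigger. A comment such as `# several A/AAAA records: use the first one, there is no failover to the others` would document the new behaviour. `check_proxy()` starts before and continues after this hunk.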