Skip to content

Cleaner and more straightforward version when using proxy server #2728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: 3.2
Choose a base branch
from
Open

Cleaner and more straightforward version when using proxy server #2728

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
61c2be8
PR properly rebased
Apr 12, 2025
e454d48
Fixing bash variables
Apr 12, 2025
0d6ab6b
Merge branch 'testssl:3.2' into 3.1dev
w4ntun Apr 22, 2025
9b8c91b
Fix on determine_ip_addresses() to check DNS_VIA_PROXY
Apr 22, 2025
bf1a6de
Fix on check_proxy() to choose the first IP addr when proxy hostname …
Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
159 changes: 77 additions & 82 deletions testssl.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip reverses this
IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
Expand Down Expand Up @@ -21182,7 +21182,6 @@ tuning / connect options (most also can be preset via environment variables):
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) "one" means: just test the first DNS returns (useful for multiple IPs)
c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
--sneaky leave less traces in target logs: user agent, referer
--user-agent <user agent> set a custom user agent instead of the standard user agent
Expand Down Expand Up @@ -22084,63 +22083,67 @@ get_txt_record() {
determine_ip_addresses() {
local ip4=""
local ip6=""

ip4="$(get_a_record "$NODE")"
ip6="$(get_aaaa_record "$NODE")"
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")

if [[ -n "$CMDLINE_IP" ]]; then
# command line has supplied an IP address or "one"
if [[ "$CMDLINE_IP" == one ]]; then
# use first IPv6 or IPv4 address
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
CMDLINE_IP="$(head -1 <<< "$ip6")"

if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY";then
IPADDRs=$NODE
else
ip4="$(get_a_record "$NODE")"
ip6="$(get_aaaa_record "$NODE")"
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")

if [[ -n "$CMDLINE_IP" ]]; then
# command line has supplied an IP address or "one"
if [[ "$CMDLINE_IP" == one ]]; then
# use first IPv6 or IPv4 address
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
CMDLINE_IP="$(head -1 <<< "$ip6")"
else
CMDLINE_IP="$(head -1 <<< "$ip4")"
fi
fi
NODEIP="$CMDLINE_IP"
if is_ipv4addr "$NODEIP"; then
ip4="$NODEIP"
elif is_ipv6addr "$NODEIP"; then
ip6="$NODEIP"
else
CMDLINE_IP="$(head -1 <<< "$ip4")"
fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP
fi
fi
NODEIP="$CMDLINE_IP"
if is_ipv4addr "$NODEIP"; then
ip4="$NODEIP"
elif is_ipv6addr "$NODEIP"; then
ip6="$NODEIP"
elif is_ipv4addr "$NODE"; then
ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
SNI="" # override Server Name Indication as we test the IP only
else
fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP
fi
elif is_ipv4addr "$NODE"; then
ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
SNI="" # override Server Name Indication as we test the IP only
else
ip4=$(get_local_a "$NODE") # is there a local host entry?
if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
ip4=$(get_a_record "$NODE")
else
LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi
# same now for ipv6
ip6=$(get_local_aaaa "$NODE")
if [[ -z "$ip6" ]]; then
ip6=$(get_aaaa_record "$NODE")
else
LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
ip4=$(get_local_a "$NODE") # is there a local host entry?
if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
ip4=$(get_a_record "$NODE")
else
LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi
# same now for ipv6
ip6=$(get_local_aaaa "$NODE")
if [[ -z "$ip6" ]]; then
ip6=$(get_aaaa_record "$NODE")
else
LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
fi
fi
fi

# IPv6 only address
if [[ -z "$ip4" ]]; then
if "$HAS_IPv6"; then
IPADDRs=$(newline_to_spaces "$ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
fi
else
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
if is_ipv6addr "$CMDLINE_IP"; then
# IPv6 only address
if [[ -z "$ip4" ]]; then
if "$HAS_IPv6"; then
IPADDRs=$(newline_to_spaces "$ip6")
else
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
fi
else
IPADDRs=$(newline_to_spaces "$ip4")
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
if is_ipv6addr "$CMDLINE_IP"; then
IPADDRs=$(newline_to_spaces "$ip6")
else
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
fi
else
IPADDRs=$(newline_to_spaces "$ip4")
fi
fi
fi
if [[ -z "$IPADDRs" ]]; then
Expand All @@ -22150,7 +22153,7 @@ determine_ip_addresses() {
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
fi
fi
return 0 # IPADDR and IP46ADDR is set now
return 0 # IPADDRs and IP46ADDR is set now
}

determine_rdns() {
Expand Down Expand Up @@ -22232,9 +22235,9 @@ check_proxy() {
else
# We check now preferred whether there was an IPv4 proxy via DNS specified
# If it fails it could be an IPv6 only proxy via DNS or we just can't reach the proxy
PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //' | head -n1)"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well: "arg1: a host name. Returned will be 0-n IPv4 addresses"
If you really want to use the first IP, one should issue a warning, that only the first IP address is taken into account...

if [[ -z "$PROXYIP" ]]; then
PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
PROXYIP="$(get_aaaa_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //' | head -n1)"
if [[ -n "$PROXYIP" ]]; then
if [[ ${OSSL_VER_MAJOR$}${OSSL_VER_MINOR} -lt 11 ]]; then
fatal_cmd_line "OpenSSL version >= 1.1.0 required for IPv6 proxy support" $ERR_OSSLBIN
Expand Down Expand Up @@ -23004,10 +23007,10 @@ datebanner() {
local scan_time_f=""
local node_banner=""

if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY"; then
node_banner="$NODE:$PORT"
if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY";then
node_banner="$NODE:$PORT"
else
node_banner="$NODEIP:$PORT ($NODE)"
node_banner="$NODEIP:$PORT ($NODE)"
fi

if [[ "$1" =~ Done ]] ; then
Expand Down Expand Up @@ -24083,10 +24086,8 @@ parse_cmd_line() {
--ip|--ip=*)
CMDLINE_IP="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift
if [[ "$CMDLINE_IP" == proxy ]]; then
DNS_VIA_PROXY=true
unset CMDLINE_IP
fi
DNS_VIA_PROXY=false

# normalize any IPv6 address
CMDLINE_IP="${CMDLINE_IP//[/}" # fix vim syntax highlighting "]
CMDLINE_IP="${CMDLINE_IP//]/}"
Expand Down Expand Up @@ -24972,30 +24973,24 @@ lets_roll() {
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now
prepare_logging

if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then
NODEIP="$NODE"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
else
determine_ip_addresses
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
NODEIP="$ip"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$((RET + $?)) # RET value per IP address
done
determine_ip_addresses
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
NODEIP="$IPADDRs"
NODEIP="$ip"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
fi
RET=$((RET + $?)) # RET value per IP address
done
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
NODEIP="$IPADDRs"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
fi

exit $RET