Permalink
Browse files

Tell which OpenSSL versions support IPv6 out of the box

  • Loading branch information...
drwetter committed Sep 10, 2018
1 parent 5de89ae commit 44570541c06b158c07833f8570b137f0231c7ddf
Showing with 5 additions and 5 deletions.
  1. +2 −2 doc/testssl.1
  2. +2 −2 doc/testssl.1.html
  3. +1 −1 doc/testssl.1.md
View
@@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "TESTSSL" "1" "August 2018" "" ""
.TH "TESTSSL" "1" "September 2018" "" ""
.
.SH "NAME"
\fBtestssl\fR
@@ -134,7 +134,7 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
\fB\-\-proxy <host>:<port>\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\. The hostname supplied will be resolved to the first A record\. Authentication to the proxy is not supported\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won\'t be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\.
.
.P
\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t do checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\.
\fB\-6\fR does (also) IPv6 checks\. Please note if a supplied URI resolves (also) to an IPv6 address that testssl\.sh doesn\'t perform checks on an IPv6 address automatically\. This is because testssl\.sh does no connectivity checks for IPv6\. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support\. \fB\-6\fR assumes both is the case\. If both conditions are met and you want in general enable IPv6 tests you might as well add \fBHAS_IPv6\fR to your shell environment\. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1\.1\.0, RHEL\'s, CentOS\', FC\'s and Gentoo\'s OpenSSL version 1\.0\.2\.
.
.P
\fB\-\-ssl\-native\fR instead of using a mixture of bash sockets and openssl s_client connects testssl\.sh uses the latter only\. This is at the moment faster but provides less accurate results, especially in the client simulation and if the openssl binary lacks cipher support\. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl\.sh internally can tell if one check cannot be performed or will give you inaccurate results\. For e\.g\. single cipher checks (\fB\-\-each\-cipher\fR and \fB\-\-cipher\-per\-proto\fR) you might end up getting false negatives without a warning\.
View
@@ -185,7 +185,7 @@ <h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
<p><code>--proxy &lt;host>:&lt;port></code> does ANY check via the specified proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>. OCSP revocation checking (<code>-S --phone-out</code>) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if <code>IGN_OCSP_PROXY=true</code> has been supplied it will be tried directly.</p>
<p><code>-6</code> does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. <code>-6</code> assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add <code>HAS_IPv6</code> to your shell environment.</p>
<p><code>-6</code> does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't perform checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. <code>-6</code> assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add <code>HAS_IPv6</code> to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0, RHEL's, CentOS', FC's and Gentoo's OpenSSL version 1.0.2.</p>
<p><code>--ssl-native</code> instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (<code>--each-cipher</code> and <code>--cipher-per-proto</code>) you might end up getting false negatives without a warning.</p>
@@ -571,7 +571,7 @@ <h2 id="SEE-ALSO">SEE ALSO</h2>
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>August 2018</li>
<li class='tc'>September 2018</li>
<li class='tr'>testssl(1)</li>
</ol>
View
@@ -108,7 +108,7 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported. The hostname supplied will be resolved to the first A record. Authentication to the proxy is not supported. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 being blocked outgoing this check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly.
`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't do checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment.
`-6` does (also) IPv6 checks. Please note if a supplied URI resolves (also) to an IPv6 address that testssl.sh doesn't perform checks on an IPv6 address automatically. This is because testssl.sh does no connectivity checks for IPv6. It cannot determine reliably whether the OpenSSL binary you are using has IPv6 support. `-6` assumes both is the case. If both conditions are met and you want in general enable IPv6 tests you might as well add `HAS_IPv6` to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0, RHEL's, CentOS', FC's and Gentoo's OpenSSL version 1.0.2.
`--ssl-native` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (`--each-cipher` and `--cipher-per-proto`) you might end up getting false negatives without a warning.

0 comments on commit 4457054

Please sign in to comment.