Consider another argument for --ip to test both 1xIPv4 and IPv6

[sanderjo]

Please make sure that you provide enough information so that we understand what your issue is about.

If you combine " --ip one" with "-6", testssl tests one IPv4 (as expected), but all IPv6s. I had expected just one IP tested.

./testssl.sh --protocols --ip one -6 nl.sslusenet.com:nntps

$ host nl.sslusenet.com
nl.sslusenet.com has address 81.171.92.220
nl.sslusenet.com has address 81.171.92.234
nl.sslusenet.com has IPv6 address 2001:4de0:1::234
nl.sslusenet.com has IPv6 address 2001:4de0:1::220

So 2 IPv4 (of which 1 is tested) plus 2 IPv6 (of which 2 are tested) addresses. I would have expected one IP tested, based on the documentation:

     --ip <ip>                     a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
                                   b) arg "one" means: just test the first DNS returns (useful for multiple IPs)

     -6                            also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity

Leaving out the "-6" is not an option, because I also test IPv6 only servers.

1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)

    testssl.sh       2.9dev from https://testssl.sh/dev/
    (9915219 2018-03-28 11:46:53 -- )

2. what exactly was happening, output is needed

See below

3. what did you expect instead?

Just one IP tested, be it IPv4 or IPv6.

4. steps to reproduce

   1. testssl.sh command line

./testssl.sh --protocols --ip one -6 nl.sslusenet.com:nntps

1. if possible: target IP

1. openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on haring:./bin/openssl.Linux.i686
 (built: "Jun 22 19:48:51 2016", platform: "linux-elf")

1. your operating system (uname -a)

Linux haring 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:46:44 UTC 2018 i686 i686 i686 GNU/Linux

Full output

sander@haring:~/git/testssl.sh$ ./testssl.sh --protocols --ip one -6 nl.sslusenet.com:nntps

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (9915219 2018-03-28 11:46:53 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on haring:./bin/openssl.Linux.i686
 (built: "Jun 22 19:48:51 2016", platform: "linux-elf")


Testing all IPv4 addresses (port nntps): 81.171.92.220 2001:4de0:1::220 2001:4de0:1::234
--------------------------------------------------------------------------------------------------------
 Start 2018-03-29 05:40:45        -->> 81.171.92.220:nntps (nl.sslusenet.com) <<--

 further IP addresses:   81.171.92.234 2001:4de0:1::220 2001:4de0:1::234
 A record via            supplied IP "81.171.92.220"
 rDNS (81.171.92.220):   --
 Service detected:       Couldn't determine what's running on port nntps, assuming no HTTP service => skipping all HTTP checks


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Done 2018-03-29 05:40:56 [  16s] -->> 81.171.92.220:nntps (nl.sslusenet.com) <<--

--------------------------------------------------------------------------------------------------------
 Start 2018-03-29 05:40:56        -->> [2001:4de0:1::220]:nntps (nl.sslusenet.com) <<--

 further IP addresses:    81.171.92.220 81.171.92.234 2001:4de0:1::234
 A record via             supplied IP "81.171.92.220"
 rDNS (2001:4de0:1::220): --
 Service detected:        Couldn't determine what's running on port nntps, assuming no HTTP service => skipping all HTTP checks


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Done 2018-03-29 05:41:06 [  26s] -->> [2001:4de0:1::220]:nntps (nl.sslusenet.com) <<--

--------------------------------------------------------------------------------------------------------
 Start 2018-03-29 05:41:06        -->> [2001:4de0:1::234]:nntps (nl.sslusenet.com) <<--

 further IP addresses:    81.171.92.220 81.171.92.234 2001:4de0:1::220
 A record via             supplied IP "81.171.92.220"
 rDNS (2001:4de0:1::234): --
 Service detected:        Couldn't determine what's running on port nntps, assuming no HTTP service => skipping all HTTP checks


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Done 2018-03-29 05:41:17 [  37s] -->> [2001:4de0:1::234]:nntps (nl.sslusenet.com) <<--

--------------------------------------------------------------------------------------------------------
Done testing now all IP addresses (on port nntps): 81.171.92.220 2001:4de0:1::220 2001:4de0:1::234

sander@haring:~/git/testssl.sh$

[drwetter]

Thanks!

what did you expect instead?

Just one IP tested, be it IPv4 or IPv6.

I think one random IP per protocol sounds more appropriate, right? Need to adjust the documentation too.

[sanderjo]

I think one random IP per protocol sounds more appropriate, right? Need to adjust the documentation too.

... or stick to the documentation:

arg "one" means: just test the first DNS returns (useful for multiple IPs)

So just the first IP given by the DNS.

Reason: IPv4 or IPv6 should not matter to TLS security (transport layer ...)

[drwetter]

Reason: IPv4 or IPv6 should not matter to TLS security (transport layer ...)

Basically one can configure every IP address -- i.e. any v4 and any v6 -- differently. For dev.testssl.sh (one IP address per protocol). I have a completely different vhost setup for v6 and v4.

... or stick to the documentation: [..] So just the first IP given by the DNS.

The point is in your command line you're explicitly saying you want IPv6. So if I'ld follow this, next time a dude comes around and complains "hey, I said I want IPv6 and that freaking tool returns IPv4" ;-) -- just because IPv4 it was randomly picked.

Following this idea --ip=one -6 would mean scan 1x IPv6 only, if available. If not use 1x IPv4.

The reason why I mentioned before "check one of each" was because I liked the idea to include "the other" address for a sanity check to find out whether Mr. smarty pants has configured v4 and v6 differently. :-) But maybe --ip=each or --ip=both is clearer for this..

Opinions?

[drwetter]

The original issue is solved, see #1100 and linked commits. Please let me know if you see a problem here.

The ideas I brought up in my last comment seems --looking at it now-- a feature for the future.

[drwetter]

See last commit. Open remains the feature --ip=each.