Fix some ipv6proxy issues #2721

Merged
merged 6 commits into from
Apr 22, 2025
drwetter
Collaborator

@drwetter drwetter commented Mar 25, 2025

Describe your changes

As a quick hack this PR enables basically the IPv6 proxy which results that testssl.sh will use an IPv6 proxy when

  • the binary supports that
  • the binary is used and not tls_sockets()
  • there's no A record but an AAAA record of the proxy or an IPv6 address as proxy address was specified.

The latter should guarantee that it doesn't break anything.

Command line should be ./testssl.sh --proxy='IPV6PROXY:PORT' TARGET whereas IPV6PROXY should be an IPv6 address. An IPv6-only hostname should work too but wasn't tested.

See #1105

Done:

  • Distinguished between LibreSSL and OpenSSL IPv6 proxy (for the binaries which can deal with an IPv6 proxy: when sending an openssl s_client connect the square brackets were missing when using LibreSSL)
  • Parser problem for IPv6 and proxy port fixed
  • Seemed like when specifying an IPv6 proxy via DNS and an IPv4 target the CONNECT method used IPv4 only (on a dual stack client) -- looks like the bash sockets are to blame
  • docu added

What is your pull request about?

  • Bug fix
  • Improvement
  • New feature (adds functionality)
  • Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable

  • For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix or improvement against >=2 hosts and I couldn't spot a problem
  • I have tested this new feature against >=2 hosts which show this feature and >=2 hosts which do not (in order to avoid side effects). I couldn't spot a problem
  • For the new feature I have made corresponding changes to the documentation and / or to help()
  • If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md
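
An added example, not part of this pull request or of testssl.sh: a POSIX shell version of the parsing problem the description mentions, splitting a `--proxy='IPV6PROXY:PORT'` value when the address itself contains colons, then re-joining it with the square brackets the description says were missing when using LibreSSL. The function names are hypothetical and the addresses are constructed from documentation ranges.

```sh
# Added example, not testssl.sh code. Function names are hypothetical.
# split_proxy VALUE: prints "HOST PORT FAMILY", returns 1 on malformed input.
# Accepts name:port, 192.0.2.10:3128, [2001:db8::10]:3128, 2001:db8::10:3128.
split_proxy() {
     sp_value=$1
     case $sp_value in
          *:*) ;;
          *) return 1 ;;                     # no colon at all: port missing
     esac
     # An IPv6 literal contains colons itself, so the port is whatever
     # follows the LAST colon, never the first.
     sp_port=${sp_value##*:}
     sp_host=${sp_value%:*}
     # Drop optional square brackets around the literal.
     case $sp_host in
          \[*\]) sp_host=${sp_host#\[}; sp_host=${sp_host%\]} ;;
     esac
     [ -n "$sp_host" ] || return 1
     # Port: digits only, at most five of them, in 1..65535.
     case $sp_port in
          ''|*[!0-9]*|??????*) return 1 ;;
     esac
     [ "$sp_port" -ge 1 ] && [ "$sp_port" -le 65535 ] || return 1
     # A colon left in the host part means an IPv6 literal; reject anything
     # in it that is not a hex digit, colon or dot.
     case $sp_host in
          *[!0-9A-Fa-f:.]*:*|*:*[!0-9A-Fa-f:.]*) return 1 ;;
          *:*) sp_family=6 ;;
          *) sp_family=4-or-name ;;
     esac
     printf '%s %s %s\n' "$sp_host" "$sp_port" "$sp_family"
}

# proxy_hostport HOST PORT: re-join, bracketing an IPv6 literal so the
# port separator stays unambiguous.
proxy_hostport() {
     case $1 in
          *:*) printf '[%s]:%s\n' "$1" "$2" ;;
          *) printf '%s:%s\n' "$1" "$2" ;;
     esac
}
```

The unbracketed form only parses correctly when the port is present: without it, the last group of the address would be taken as the port.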

As a quick hack this PR enables *basically* the IPv6 proxy which results that testssl.sh
will use an IPv6 proxy when

* the binary supports that
* the binary is used and not tls_sockets()
* there's no A record but an AAAA record of the proxy or an IPv6 address as proxy address was specified.

The latter should guarantee that it doesn't break anything.

However tls_sockets() still uses IPv4 for the connection to the proxy.

See #1105
Somehow the proxy now shows only IPv6 source addresses when specifying
--proxy=IPV6ADDRESS:PORT
@drwetter
Collaborator Author

@dcooper16 : Do you know by any chance since when (in OpenSSL and LibreSSL) IPv6 is supported for the proxy? I'd like to add a check here. Unfortunately that probably needs to be version-based rather as testing-based as we normally do.

@dcooper16
Collaborator

> @dcooper16 : Do you know by any chance since when (in OpenSSL and LibreSSL) IPv6 is supported for the proxy? I'd like to add a check here. Unfortunately that probably needs to be version-based rather as testing-based as we normally do.

Sorry, no. I haven't really worked with IPv6 or proxies.

@drwetter
Collaborator Author

drwetter commented Apr 1, 2025

Thanks anyway. PS: The git log (of openssl) wasn't really helpful. As I didn't find even less in the git log of LibreSSL I guess it was implemented before the fork. Edit: 1.1.1 works, and 1.1.0m as well

... of the binary. Testing needs to be done.
@drwetter drwetter marked this pull request as draft April 1, 2025 21:39
@drwetter drwetter marked this pull request as ready for review April 18, 2025 11:35
@drwetter drwetter self-assigned this Apr 18, 2025
@drwetter drwetter added the 3.2 stable label Apr 18, 2025
@drwetter drwetter merged commit 58da779 into 3.2 Apr 22, 2025
3 checks passed
@drwetter drwetter deleted the fix_some_ipv6proxy_issues branch April 22, 2025 13:05