Cleaner and more straightforward version when using proxy server #2728


Open: wants to merge 5 commits into base: 3.2

Conversation

w4ntun commented Apr 2, 2025

Describe your changes

Please refer to an issue here or describe the change thoroughly in your PR: #2719

What is your pull request about?

  • Bug fix
  • Improvement
  • New feature (adds functionality)
  • Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable

  • For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix or improvement against >=2 hosts and I couldn't spot a problem
  • I have tested this new feature against >=2 hosts which show this feature and >=2 hosts which do not (in order to avoid side effects). I couldn't spot a problem
  • For the new feature I have made corresponding changes to the documentation and / or to help()
  • If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md

drwetter (Collaborator) commented Apr 2, 2025

Hi @w4ntun,

thanks. Actually I was only wondering why we didn't set it to true.

Can you comment on the other changes please other than "cleaner and more straightforward approach"?

FYI: It might not be the right time yet to merge this PR, as at this point in time I don't know yet whether I want a breaking change.

w4ntun force-pushed the 3.1dev branch 3 times, most recently from 38610a6 to 0e90d55 on April 12, 2025 17:59
w4ntun (Author) commented Apr 12, 2025

Thanks @drwetter. PR rebased and commented on #2719. Let me know if you need more info from my side. Cheers.

@drwetter (Collaborator)

Thanks! Some days after Easter

@michael-o

I have tried:

osipovmi@deblndw011x:/tmp/testssl.sh (3.1dev =)
$ git remote -v
origin  https://github.com/w4ntun/testssl.sh.git (fetch)
origin  https://github.com/w4ntun/testssl.sh.git (push)
osipovmi@deblndw011x:/tmp/testssl.sh (3.1dev =)
$  ./testssl.sh  --proxy=de.coia.siemens.net:9400 "--ip=proxy"  https://sykatec.de

#####################################################################
  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
  (e454d48 2025-04-12 20:12:47)

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 31 2025)  [~183 ciphers]
  on deblndw011x:./bin/openssl.FreeBSD.amd64


Fatal error: No IPv4/IPv6 address(es) for "sykatec.de" available

Don't know what I did wrong.

@drwetter (Collaborator)

Did you try this PR? Because it says "3.1dev" which is a branch from the past

@michael-o

> Did you try this PR? Because it says "3.1dev" which is a branch from the past

Look at the remote; I have cloned from @w4ntun.

w4ntun (Author) commented Apr 22, 2025

Hi @drwetter and @michael-o. The main branch in my repo is called "3.1dev" because that was the name in the past when I forked it, but it is currently up to date with the 3.2 branch. I will rename my branch to avoid confusion.

@michael-o Please try the following command and let me know if it works:

./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de

With this new PR, the --ip option is not needed if you want DNS resolution via proxy. I saw that I forgot to update the --help section regarding the --ip switch. I will do it ASAP.

Please note that this is a breaking change and that's why Dirk needs to review it, but let me know if it works for your test case.

Cheers.

@michael-o

> Hi @drwetter and @michael-o. The main branch in my repo is called "3.1dev" because that was the name in the past when I forked it, but it is currently up to date with the 3.2 branch. I will rename my branch to avoid confusion.
>
> @michael-o Please try the following command and let me know if it works:
>
> ./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de
>
> With this new PR, the --ip option is not needed if you want DNS resolution via proxy. I saw that I forgot to update the --help section regarding the --ip switch. I will do it ASAP.
>
> Please note that this is a breaking change and that's why Dirk needs to review it, but let me know if it works for your test case.
>
> Cheers.

Unfortunately not:

osipovmi@deblndw011x:/tmp/testssl.sh (3.1dev =)
$ ./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de

#####################################################################
  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
  (e454d48 2025-04-12 20:12:47)

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 31 2025)  [~183 ciphers]
  on deblndw011x:./bin/openssl.FreeBSD.amd64


Fatal error: No IPv4/IPv6 address(es) for "sykatec.de" available

w4ntun (Author) commented Apr 22, 2025

Hi @michael-o. I have just sent a new commit to my repo. I must have messed something up when I rebased the PR and there was a bug in determine_ip_addresses(). If you can pull the updated version and run the command again, I would really appreciate it:

./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de

@michael-o

> Hi @michael-o. I have just sent a new commit to my repo. I must have messed something up when I rebased the PR and there was a bug in determine_ip_addresses(). If you can pull the updated version and run the command again, I would really appreciate it:
>
> ./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de

This one is still off:

osipovmi@deblndw011x:/tmp/testssl.sh (3.1dev =)
$ ./testssl.sh --proxy=de.coia.siemens.net:9400 https://sykatec.de
#####################################################################
  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
  (9b8c91b 2025-04-22 19:59:40)

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 31 2025)  [~183 ciphers]
  on deblndw011x:./bin/openssl.FreeBSD.amd64

 Start 2025-04-22 20:13:43        -->> sykatec.de:443 <<--

 Via Proxy:              185.46.212.91
185.46.212.98:9400
 rDNS (sykatec.de):      --
 Your OpenSSL cannot connect to sykatec.de:443
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not tested as proxies do not support proxying it
 ALPN/HTTP2 not tested as proxies do not support proxying it

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)


 Testing server's cipher preferences

 Oops: openssl s_client connect problem

Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue
Consider increasing MAX_OSSL_FAIL (currently: 2)

"Via Proxy" looks mangled and the OpenSSL-related output as well.
While:

$ openssl s_client -proxy de.coia.siemens.net:9400 -connect sykatec.de:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Bavaria, L = Nuremberg, O = Innomotics GmbH, CN = www.sykatec.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Bavaria, L = Nuremberg, O = Innomotics GmbH, CN = www.sykatec.de
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
 2 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH1TCCBr2gAwIBAgIQCA4nGXsrBDHVJ1DvZuC17zANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypE
aWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjQw
...

and

$ host de.coia.siemens.net
de.coia.siemens.net has address 185.46.212.98
de.coia.siemens.net has address 185.46.212.91

w4ntun (Author) commented Apr 22, 2025

@michael-o It seems there was an issue in the code when the proxy hostname resolved to multiple IP addresses. I have created a new commit which chooses the first IP from the DNS result. Let me know if that solves the problem.

@michael-o

> @michael-o It seems there was an issue in the code when the proxy hostname resolved to multiple IP addresses. I have created a new commit which chooses the first IP from the DNS result. Let me know if that solves the problem.

But what if that first IP isn't reachable? Shouldn't you try the next one?

@michael-o

> @michael-o It seems there was an issue in the code when the proxy hostname resolved to multiple IP addresses. I have created a new commit which chooses the first IP from the DNS result. Let me know if that solves the problem.

Checked the last commit. It looks much better now. It shows "Via Proxy" for the first address only, but the rest of the test does work as expected.

@@ -22232,9 +22235,9 @@ check_proxy() {
else
# We check now preferred whether there was an IPv4 proxy via DNS specified
# If it fails it could be an IPv6 only proxy via DNS or we just can't reach the proxy
PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //')"
PROXYIP="$(get_a_record "$PROXYNODE" 2>/dev/null | grep -v alias | sed 's/^.*address //' | head -n1)"
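Review bot: the `head -n1` added to the second PROXYIP line in check_proxy() silently discards every A record after the first, so a proxy name with several addresses (as `host de.coia.siemens.net` shows in this thread) will never fall back to a second address when the first one is down, and the two comment lines above still describe checking whether an IPv4 proxy exists rather than picking one address. Either iterate over the addresses returned by get_a_record and keep the first one that accepts a connection on the proxy port, or at least print a warning that lists the addresses being ignored, and update the comment to say which behaviour was chosen.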


Well: "arg1: a host name. Returned will be 0-n IPv4 addresses"
If you really want to use the first IP, one should issue a warning that only the first IP address is taken into account...
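One way to answer both the "try the next one" question and the warning requested above, written as an added example that is not part of this PR or of testssl.sh: walk the resolved addresses and keep the first one that accepts a TCP connection on the proxy port, warning about each one skipped. It reuses the hunk's `grep -v alias | sed` filter on `host`-style output; the resolver sample, the `proxy.example.net` name and the 192.0.2.x addresses are constructed, and the real probe assumes bash's /dev/tcp plus coreutils `timeout`.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh code: instead of keeping only the first A
# record (head -n1), walk the list and use the first address that accepts
# a TCP connection on the proxy port, warning about the ones skipped.
# Assumptions: `host`-style resolver output as the hunk filters it, bash
# with /dev/tcp and coreutils `timeout` for the real probe.

# Same filter as the hunk: drop alias lines, keep what follows "address ".
extract_a_records() {
    grep -v alias | sed 's/^.*address //'
}

# Real probe: short TCP connect to ip ($1) and port ($2), 0 on success.
# Not exercised by the self-check below, which substitutes a fake probe.
probe_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print the first address (one per line on stdin) that the probe accepts
# on port $1; $2 names the probe function so it can be swapped for tests.
# Returns 1 when none of the addresses is reachable.
first_reachable_proxy() {
    port="$1"; probe="$2"; tried=0
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        tried=$((tried + 1))
        if "$probe" "$ip" "$port"; then
            printf '%s\n' "$ip"
            return 0
        fi
        printf 'Warning: proxy %s:%s not reachable, trying next address\n' \
            "$ip" "$port" >&2
    done
    printf 'Fatal: none of %d proxy address(es) reachable on port %s\n' \
        "$tried" "$port" >&2
    return 1
}

# Constructed sample: a proxy name with two A records, shaped like the
# `host` output in the thread (192.0.2.x is documentation address space).
SAMPLE_RECORDS='proxy.example.net has address 192.0.2.10
proxy.example.net has address 192.0.2.11'

# Resolve the sample and pick an address with the given port and probe.
pick_proxy_from_sample() {
    printf '%s\n' "$SAMPLE_RECORDS" | extract_a_records | first_reachable_proxy "$1" "$2"
}
```

For real use, call `first_reachable_proxy 9400 probe_tcp` with the resolver output of the proxy name on stdin; the warnings on stderr name every address that was skipped.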

@w4ntun (Author)

You are right, I definitely need to review this part. I need to do more tests.

@drwetter (Collaborator)

Looks like there's some work left.

I'd rather do the release and then I can look into this. @w4ntun please tick the boxes accordingly. Formally I should not merge this.

w4ntun (Author) commented Apr 26, 2025

@drwetter We definitely need to review this because there are still some issues left and we need to do more testing.

I have marked the PR as breaking change in the checkboxes.
