Skip to content

Enable IPv6 automagically #2852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jul 20, 2025
Merged

Enable IPv6 automagically #2852

merged 6 commits into from
Jul 20, 2025

Conversation

drwetter
Copy link
Collaborator

@drwetter drwetter commented Jul 19, 2025

This PR will enable IPv6 fully if available.

It was not enabled before as users were confronted with an error message when testssl.sh wanted (also) to scan IPv6 before but routing/configuration or whatsoever issues prevented that. This has been solved by introducing the function shouldwedo_ipv6() which checks whether we can reach the target via IPv6 -- tracked by the global IPv6_OK.

The change is in line with tools like wget or curl in a sense that if IPv6 works it is just being used. Formally testssl.sh had to be instructed via -6 cmdline option, like nmap.

  • -6 is now the switch to do IPv6 scans only
  • -4 is now the switch to do IPv4 scans only

The latter is a breaking change, as the cmdline option meant before to check for RC4 ciphers.

Also HAS_IPv6, synonymous to -6 before, does not exist anymore.

As the command line option --connect-timeout seemed rather unspecific, it has been replaced by `--socket-timeout, also all internal variables.

Fixes #2843

What is your pull request about?

  • Bug fix
  • Improvement
  • New feature (adds functionality)
  • Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable

  • For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix or improvement against >=2 hosts and I couldn't spot a problem
  • I have tested this new feature against >=2 hosts which show this feature and >=2 host which does not (in order to avoid side effects) . I couldn't spot a problem
  • For the new feature I have made corresponding changes to the documentation and / or to help()
  • If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md

drwetter added 3 commits July 19, 2025 15:57
This PR will enable IPv6 fully if available.

It was not enabled before as users were confronted with an error message when
testssl.sh wanted (also) to scan IPv6 before but routing/configuration or
whatsoever issues prevented that. This has been solved by introducing the function
`shouldwedo_ipv6()` which checks whether we can reach the target via IPv6 --
tracked be the global IPv6_OK.

The change is in line with tools like wget or curl in a sense that if IPv6 works
it is just being used. Formally testssl.sh had to be instructed via -6 cmdline
option, like nmap.

* \-6 is now the switch to do IPv6 scans only
* \-4 is now the switch to do IPv4 scans only

The latter is a *breaking change*, as the cmdline option meant before to check
for RC4 ciphers.

Also HAS_IPv6, synonymous to -6 before, does not exist anymore.

As the command line option `--connect-timeout` seemed rather unspecific,
it has been replaced by `--socket-timeout, also all internal variables.

Todo:
* man pages
* dashed lines appear too long
drwetter added 3 commits July 20, 2025 13:06
* IPv6 addresses which won't be scanned will be put in round brackets to feedback th UI
* logic bug fixed which always said "Testing all IPv4 addresses (port $PORT):". Simplyfied the MULTIPLE_CHECKS output
@drwetter drwetter merged commit a549acd into 3.3dev Jul 20, 2025
4 checks passed
@drwetter drwetter deleted the full_ipv6 branch July 20, 2025 18:56
drwetter added a commit that referenced this pull request Jul 21, 2025
Due to rebasing determine_ip_addresses() in #2852 it was
forgotten to add any manually specified IP address to
the IP addresses to show and to scan.

This fixes #2854 .
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[BUG / possible BUG] IPv6-only scan target should not be fatal
1 participant