[BUG] Supplying a IP address without allowing DNS lookups results in no scan performed
Closed this issue · 5 comments
I am running the "latest" docker container (sha256:fb2b2947544eb7eb0c9bbd591e6705d5f35b184199bfca12fbcb23a98180f1fd) indicated as 3.3dev.
Before you open an issue please whether this is a known problem by searching the issues
I couldn't find anything directly but #2852 seems like a likely candidate.
Command line / docker command to reproduce
docker run --rm -it ghcr.io/testssl/testssl.sh:latest --nodns none --ip '172.67.75.15' cert.chief.app
This results in the following output:
#####################################################################
testssl.sh version 3.3dev from https://testssl.sh/dev/
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 3.3.4 (Jul 9 2025) [~94 ciphers]
on 408cf71c702f:/usr/bin/openssl
Testing all IP addresses (port 443):
--------------------------------------------------------------------------------------------------------------
Done testing now all IP addresses (on port 443):
Expected behavior
A full test to be ran against the supplied IP for the given hostname without performing DNS lookups.
This works in 3.2 and previous dev builds, you can see this by running:
docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 --nodns none --ip '172.67.75.15' cert.chief.app
Thanks, can reproduce it.
That was a quick fix, I however found another case for IPv6 specifically where the following commands are broken:
docker run --rm -it ghcr.io/testssl/testssl.sh:latest --nodns none --ip '2606:4700:20::681a:3c7' cert.chief.app
docker run --rm -it ghcr.io/testssl/testssl.sh:latest --nodns none --ip '2606:4700:20::681a:3c7' -6 cert.chief.app
As expected (given the -6 flag is provided) it works with 3.2:
docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 --nodns none --ip '2606:4700:20::681a:3c7' -6 cert.chief.app
There’s a another bug , at least when using not a docker container.
For your setup there’s the question whether your container works using IPv6. I suppose it does, right?
Yes, it does:
user@cert-chief-network:~# docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 --nodns none --ip '2606:4700:20::681a:3c7' -6 cert.chief.app
#####################################################################
testssl.sh version 3.2.1 from https://testssl.sh/
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on ef7671a72f7a:/home/testssl/bin/openssl.Linux.x86_64
Start 2025-07-22 07:52:38 -->> [2606:4700:20::681a:3c7]:443 (cert.chief.app) <<--
AAAA record via: supplied IP "2606:4700:20::681a:3c7"
rDNS (2606:4700:20::681a:3c7): (instructed to skip DNS queries)
...
And with latest (no tests performed), passing -6 or not makes no difference:
user@cert-chief-network:~# docker run --rm -it ghcr.io/testssl/testssl.sh:latest --nodns none --ip '2606:4700:20::681a:3c7' cert.chief.app
#####################################################################
testssl.sh version 3.3dev from https://testssl.sh/dev/
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on f00a3919a770:/home/testssl/bin/openssl.Linux.x86_64
Testing all IP addresses (port 443):
--------------------------------------------------------------------------------------------------------------
Done testing now all IP addresses (on port 443):
Personally I would like it to try the IP I give it regardless of what it thinks is supported. I also tried 3.2 on a host that doesn't support IPv6 and it fails with an error (as expected ofcourse) instead of not trying to scan anything like "latest" is doing now.
(I did a fresh pull from the registry before running these tests to be extra sure)
Thanks @drwetter, works like a charm now!