Fatal error: No IPv4 address for "ipv6.google.com" available #191

Closed
sanderjo opened this issue Sep 17, 2015 · 14 comments

@sanderjo

With an IPv6-only site (like ipv6.google.com), I get: Fatal error: No IPv4 address for "ipv6.google.com" available. Full log below.

It seems open_ssl does not support IPv6, so it seems reasonable testssl.sh refuses it. But still a pity. There is an interesting workaround with socat on konklone/shaaaaaaaaaaaaa#67 (comment)

listenport=$(shuf -i 10000-65000 -n 1)
socat tcp-listen:"$listenport" tcp-connect:"$host":"$port" 2>/dev/null &
echo -n | openssl s_client -connect localhost:$listenport

which I put into this script:

$ cat openssl-ipv6-via-socat.sh

#!/bin/sh
host=$1
port=$2
listenport=$(shuf -i 10000-65000 -n 1)
socat tcp-listen:"$listenport" tcp-connect:"$host":"$port" 2>/dev/null &
echo -n | openssl s_client -connect localhost:$listenport

with the result included below.

So ... can this workaround be used by/in testssl.c so that it can test ipv6-only sites?

$ ./openssl-ipv6-via-socat.sh ipv6.google.com 443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

---
No client certificate CA names sent

---
SSL handshake has read 4510 bytes and written 421 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4A3ADD518BFF23097AE6B94E77B8F93995145E89FCA8CE22286F3E97994BA6C7
    Session-ID-ctx:
    Master-Key: A8D73CBB6AD80DB06C4A6D7AB4DFAEDE2D3952A652B5F602ADC2AE9229CC9E5359021D084815BEE9963FB0E1F10B288E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1442488396
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

---
DONE

sander@haring:~/git/testssl.sh$ ./testssl.sh ipv6.google.com

###########################################################
    testssl.sh       2.6 from https://testssl.sh/
    (4cee5c2 2015-09-16 14:58:28 -- 1.379)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Jul  6 18:16:02 2015", platform: "linux-elf")


Fatal error: No IPv4 address for "ipv6.google.com" available
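
The socat relay from the opening post, as an added example that is not part of the thread or of testssl.sh: it binds the listener to loopback only, forces the outbound leg to IPv6, and passes the real hostname as SNI. The function names are hypothetical, and it assumes socat built with IPv6 support plus `shuf` and `openssl` on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: loopback-only IPv4-to-IPv6 relay.
# Function names are hypothetical; needs socat built with IPv6 support.

# Listener address: IPv4 on 127.0.0.1 only. A bare tcp-listen binds every
# interface, which would let other hosts reach the target through this box.
listen_spec() {
    printf 'TCP4-LISTEN:%s,bind=127.0.0.1,reuseaddr' "$1"
}

# Target address, forced to IPv6. socat wants literal IPv6 addresses in
# brackets; hostnames are passed through (TCP6 only uses IPv6).
target_spec() {
    case "$1" in
        *:*) printf 'TCP6:[%s]:%s' "$1" "$2" ;;
        *)   printf 'TCP6:%s:%s' "$1" "$2" ;;
    esac
}

# Accept only a decimal port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

relay_and_probe() {
    host=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    listenport=$(shuf -i 10000-65000 -n 1)
    socat "$(listen_spec "$listenport")" "$(target_spec "$host" "$port")" &
    relay_pid=$!
    trap 'kill "$relay_pid" 2>/dev/null' EXIT
    sleep 1   # give socat time to bind before openssl connects
    kill -0 "$relay_pid" 2>/dev/null || { echo "socat failed" >&2; return 1; }
    # Send the real name as SNI; the -connect address is only the relay.
    case "$host" in
        *:*) sni="" ;;
        *)   sni="-servername $host" ;;
    esac
    # $sni is intentionally unquoted so it splits into option and value.
    openssl s_client -connect "127.0.0.1:$listenport" $sni </dev/null
}

if [ "$#" -ge 2 ]; then
    relay_and_probe "$1" "$2"
fi
```
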
@drwetter
Owner

Hey @sanderjo,

sounds like a great possibility to work around #11. Have you tried the proxy option of testssl.sh together with socat?

Cheers, Dirk

@sanderjo
Author

sander@haring:~/git/testssl.sh$ ps -ef | grep -i socat
sander   18694 18349  0 15:40 pts/0    00:00:00 socat tcp-listen:11234 tcp-connect:ipv6.google.com:443
sander   18856 18349  0 15:41 pts/0    00:00:00 grep --color=auto -i socat
sander@haring:~/git/testssl.sh$
sander@haring:~/git/testssl.sh$
sander@haring:~/git/testssl.sh$ ./testssl.sh --proxy 127.0.0.1:11234 ipv6.google.com:https

###########################################################
    testssl.sh       2.6 from https://testssl.sh/
    (4cee5c2 2015-09-16 14:58:28 -- 1.379)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Jul  6 18:16:02 2015", platform: "linux-elf")

Fatal error: Proxy IP cannot be determined from "127.0.0.1"

Source says:

          PROXYIP=$(get_a_record $PROXYNODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
          LOCAL_A=$save_LOCAL_A
          LOCAL_AAAA=$save_LOCAL_AAAA
          # no RFC 1918:
          #if ! is_ipv4addr $PROXYIP ; then
          [[ -z "$PROXYIP" ]] && fatal "Proxy IP cannot be determined from \"$PROXYNODE\"" "-3"

So no $PROXYIP determined? I'll check that.

@drwetter
Owner

On 09/17/2015 at 03:59 PM, Sander wrote:

So no $PROXYIP determined? I'll check that.

have you tried localhost?

Cheers, Dirk

@sanderjo
Author

Yeah, I had tried a few things, among which 'localhost'

sander@haring:~/git/testssl.sh$ ps -ef | grep -i socat
sander   18694 18349  0 15:40 pts/0    00:00:00 socat tcp-listen:11234 tcp-connect:ipv6.google.com:443
sander   19831 18349  0 16:12 pts/0    00:00:00 grep --color=auto -i socat

sander@haring:~/git/testssl.sh$ ./testssl.sh --proxy localhost:11234 ipv6.google.com:https

###########################################################
    testssl.sh       2.6 from https://testssl.sh/
    (4cee5c2 2015-09-16 14:58:28 -- 1.379)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Jul  6 18:16:02 2015", platform: "linux-elf")

Fatal error: Proxy IP cannot be determined from "localhost"

Let's try FQDN ... ah, different error:

sander@haring:~/git/testssl.sh$ ./testssl.sh --proxy haring.myFQDNremoved:11234 ipv6.google.com:https

###########################################################
    testssl.sh       2.6 from https://testssl.sh/
    (4cee5c2 2015-09-16 14:58:28 -- 1.379)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Jul  6 18:16:02 2015", platform: "linux-elf")


Fatal error: No IPv4 address for "ipv6.google.com" available

sander@haring:~/git/testssl.sh$ 

So the same error ... testssl still does an IPv4 lookup, even when via a proxy?

@drwetter drwetter added this to the 2.7dev (2.8) milestone Sep 17, 2015
@drwetter
Owner

Nah, need to redo the name resolution there for the proxy

@drwetter
Owner

Enhancement for your issue follows. Reopen it if the proxy still makes problems.

@drwetter
Owner

see 413b64c

@sanderjo
Author

No, doesn't work for me; still Fatal error: No IPv4 address for "ipv6.google.com" available. Maybe I use the wrong command?

Full log:
After a git pull:

sander@haring:~/git/testssl.sh$ grep -i '$id:' testssl.sh
#  $Id: testssl.sh,v 1.381 2015/09/18 13:12:00 dirkw Exp $

... so, yes, new version.
Checking that socat is running:

sander@haring:~/git/testssl.sh$ !ps
ps -ef | grep socat
sander    4100  4031  0 15:36 pts/0    00:00:00 socat tcp-listen:11234 tcp-connect:ipv6.google.com:443
sander    4102  4031  0 15:36 pts/0    00:00:00 grep --color=auto socat
sander@haring:~/git/testssl.sh$ ./testssl.sh --proxy haring.MyDomain.com:11234 ipv6.google.com:https

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (413b64c 2015-09-18 15:12:01 -- 1.381)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
 haring:./bin/openssl.Linux.i686
 (built: "Jul  6 18:16:02 2015", platform: "linux-elf")


Fatal error: No IPv4 address for "ipv6.google.com" available

sander@haring:~/git/testssl.sh$ ps -ef | grep socat
sander    4100  4031  0 15:36 pts/0    00:00:00 socat tcp-listen:11234 tcp-connect:ipv6.google.com:443
sander    4335  4031  0 15:36 pts/0    00:00:00 grep --color=auto socat
sander@haring:~/git/testssl.sh$ 

@sanderjo
Author

@drwetter I can't re-open as:

you can re-open your own issues if you closed them yourself
you cannot re-open your own issues if a repo collaborator closed them

You closed my issue, so I can't re-open ... :-(

@drwetter drwetter reopened this Sep 18, 2015
@drwetter
Owner

sorry.

Meanwhile I figured it doesn't work. To make it work would require more than just a few lines of changes.

I could make openssl commands work by bypassing the DNS lookups. The thing I don't have an idea about right now is how to handle the sockets.

@sanderjo
Author

OK, clear. Thanks for your analysis and answer.

@drwetter
Owner

I like that cool hack and that would be great to have at least this bit of IPv6 support -- next year basically IPv6 is 20 years old and still openssl s_client doesn't support it -- but I personally have higher priorities for testssl.sh. Maybe some other dude jumps in.

@drwetter drwetter removed this from the 2.7dev (2.8) milestone Sep 18, 2015
@drwetter
Owner

Good news: With the IPv6 patch from Fedora and a few minor changes to testssl.sh I got a complete check of ipv6.google.com working natively.

Details: #11 (comment)

@drwetter
Owner

As native IPv6 is the way to do it, this issue won't be fixed. With the next commit, however, you can try whether HAS_IPv6=true ./testssl.sh <cmdline> accidentally works.

torkelsson pushed a commit to torkelsson/testssl.sh that referenced this issue Mar 1, 2016
…able IPv6 and HAS_IPv6=true in the environment

- FIX drwetter#191