Merge pull request #2852 from testssl/full_ipv6

Enable IPv6 automagically
Dirk Wetter 2025-07-20 20:56:34 +02:00 committed by GitHub
commit a549acd86d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 709 additions and 593 deletions


@ -4,8 +4,9 @@
### Features implemented / improvements in 3.3dev ### Features implemented / improvements in 3.3dev
* QUIC protocol check * QUIC protocol check
* bump SSLlabs rating guide to 2009r * Bump SSLlabs rating guide to 2009r
* Check for Opossum vulnerability * Check for Opossum vulnerability
* Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it
### Features implemented / improvements in 3.2 ### Features implemented / improvements in 3.2
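Review bot: the changelog entry only covers the IPv6 change, but this PR also renames `--connect-timeout`/`CONNECT_TIMEOUT` to `--socket-timeout`/`SOCKET_TIMEOUT`, drops `-4` as the short form of `--rc4` (it now means "IPv4 only") and removes the `HAS_IPv6` environment variable. All three are user-visible, and the reuse of `-4` silently changes what an existing command line does, so each deserves its own bullet here, e.g. `* Rename --connect-timeout to --socket-timeout (CONNECT_TIMEOUT -> SOCKET_TIMEOUT)`.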

File diff suppressed because it is too large


@ -99,6 +99,14 @@
<li><p>client simulation</p></li> <li><p>client simulation</p></li>
<li><p>rating</p></li> <li><p>rating</p></li>
</ol> </ol>
<p>If a target FQDN has multiple IPv4 and/or multiple IPv6
addresses, it scans all IPs with the specified options or using
the default run - unless specified otherwise, see
<code>--ip</code>, <code>-4</code> and <code>-6</code>. IPv6
connectivity is automagically checked. If theres noch such
thing you will see a banner <em>Testing all
<strong>IPv4</strong> addresses</em> and all IPv6 addresses will
appear in round brackets.</p>
<h2 id="options-and-parameters">OPTIONS AND PARAMETERS</h2> <h2 id="options-and-parameters">OPTIONS AND PARAMETERS</h2>
<p>Options are either short or long options. Any long or short <p>Options are either short or long options. Any long or short
option requiring a value can be called with or without an equal option requiring a value can be called with or without an equal
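Review bot: the added paragraph has a typo, `If theres noch such thing` should read `If there's no such thing` (the README hunk below carries the same text). It would also help readers to say what "automagically checked" means in practice, which the code in this PR defines: a TCP connect to the first AAAA address on the target port.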
@ -216,15 +224,16 @@
will be made in the future as a best guess by testssl.sh. The will be made in the future as a best guess by testssl.sh. The
same can be achieved by setting the environment variable same can be achieved by setting the environment variable
<code>WARNINGS</code>.</p> <code>WARNINGS</code>.</p>
<p><code>--connect-timeout &lt;seconds&gt;</code> This is useful <p><code>--socket-timeout &lt;seconds&gt;</code> This is useful
for socket TCP connections to a node. If the node does not for socket TCP connections to a node. If the node does not
complete a TCP handshake (e.g. because it is down or behind a complete a TCP handshake (e.g. because it is down or behind a
firewall or theres an IDS or a tarpit) testssl.sh may usually firewall or theres an IDS or a tarpit) testssl.sh may usually
hang for around 2 minutes or even much more. This parameter hang for around 2 minutes or even much more. This parameter
instructs testssl.sh to wait at most <code>seconds</code> for instructs testssl.sh to wait at most <code>seconds</code> for
the handshake to complete before giving up. This option only the handshake to complete before giving up. This option only
works if your OS has a timeout binary installed. CONNECT_TIMEOUT works if your OS has a timeout binary installed. SOCKET_TIMEOUT
is the corresponding environment variable.</p> is the corresponding environment variable. This doesnt work on
Macs out of the box.</p>
<p><code>--openssl-timeout &lt;seconds&gt;</code> This is <p><code>--openssl-timeout &lt;seconds&gt;</code> This is
especially useful for all connects using openssl and practically especially useful for all connects using openssl and practically
useful for mass testing. It avoids the openssl connect to hang useful for mass testing. It avoids the openssl connect to hang
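Review bot: `--connect-timeout` and `CONNECT_TIMEOUT` are renamed here with no transition, so wrappers and CI jobs that pass the old option or export the old variable will break (the old option falls into the unknown-option path, the old variable is silently ignored). Suggest keeping both as deprecated aliases for one release and saying so in this paragraph. The added sentence `This doesn't work on Macs out of the box` is more useful with the reason, which the previous sentence already gives: macOS ships no `timeout` binary, so the option needs GNU coreutils installed.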
@ -234,7 +243,8 @@
timeout binary installed. As there are different implementations timeout binary installed. As there are different implementations
of <code>timeout</code>: It automatically calls the binary with of <code>timeout</code>: It automatically calls the binary with
the right parameters. OPENSSL_TIMEOUT is the equivalent the right parameters. OPENSSL_TIMEOUT is the equivalent
environment variable.</p> environment variable. This doesnt work on Macs out of the
box.</p>
<p><code>--basicauth &lt;user:pass&gt;</code> This can be set to <p><code>--basicauth &lt;user:pass&gt;</code> This can be set to
provide HTTP basic auth credentials which are used during checks provide HTTP basic auth credentials which are used during checks
for security headers. BASICAUTH is the ENV variable you can use for security headers. BASICAUTH is the ENV variable you can use
@ -301,17 +311,15 @@
<code>IGN_OCSP_PROXY=true</code> has been supplied it will be <code>IGN_OCSP_PROXY=true</code> has been supplied it will be
tried directly. Authentication to the proxy is not supported, tried directly. Authentication to the proxy is not supported,
also no HTTPS or SOCKS proxy.</p> also no HTTPS or SOCKS proxy.</p>
<p><code>-6</code> does (also) IPv6 checks. Please note that <p><code>-6</code> scans only IPv6 addresses of the target.
testssl.sh doesnt perform checks on an IPv6 address Besides the OpenSSL binary supplied IPv6 is known to work with
automatically, because of two reasons: testssl.sh does no vanilla OpenSSL &gt;= 1.1.0 and older versions &gt;=1.0.2 in
connectivity checks for IPv6 and it cannot determine reliably RHEL/CentOS/FC and Gentoo. Scans are somewhat in line with tools
whether the OpenSSL binary youre using has IPv6 s_client like curl or wget, i.e. if theres an IPv6 address of the target
support. <code>-6</code> assumes both is the case. If both which can be reached, it just uses them. If you dont want this
conditions are met and you in general prefer to test for IPv6 behavior, you need to supply <code>-4.</code></p>
branches as well you can add <code>HAS_IPv6</code> to your shell <p><code>-4</code> scans only IPv4 addresses of the target, IPv6
environment. Besides the OpenSSL binary supplied IPv6 is known addresses of the target wont be scanned.</p>
to work with vanilla OpenSSL &gt;= 1.1.0 and older versions
&gt;=1.0.2 in RHEL/CentOS/FC and Gentoo.</p>
<p><code>--ssl-native</code> Instead of using a mixture of bash <p><code>--ssl-native</code> Instead of using a mixture of bash
sockets and a few openssl s_client connects, testssl.sh uses the sockets and a few openssl s_client connects, testssl.sh uses the
latter (almost) only. This is faster but provides less accurate latter (almost) only. This is faster but provides less accurate
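Review bot: the closing period has landed inside the code element, `<code>-4.</code>` should be `<code>-4</code>.` (the README hunk has the same slip). In the same sentence `it just uses them` pairs a plural pronoun with a singular `address`; `it scans it as well` reads better. Since `-6` now means IPv6-only rather than "also IPv6", the paragraph should state plainly that without `-4` or `-6` both address families are scanned whenever IPv6 connectivity is detected, otherwise a reader may still think `-6` is needed to get IPv6 results at all.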
@ -649,7 +657,7 @@
vulnerability. It tests for the absence of a lot of ciphers, vulnerability. It tests for the absence of a lot of ciphers,
some TLS extensions and ec curves which were introduced later in some TLS extensions and ec curves which were introduced later in
Windows. In the end the server banner is being looked at.</p> Windows. In the end the server banner is being looked at.</p>
<p><code>-4, --rc4, --appelbaum</code> Checks which RC4 stream <p><code>--rc4, --appelbaum</code> Checks which RC4 stream
ciphers are being offered.</p> ciphers are being offered.</p>
<h3 id="output-options">OUTPUT OPTIONS</h3> <h3 id="output-options">OUTPUT OPTIONS</h3>
<p><code>-q, --quiet</code> Normally testssl.sh displays a <p><code>-q, --quiet</code> Normally testssl.sh displays a
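Review bot: dropping `-4` as an alias for `--rc4` while giving `-4` the new meaning "IPv4 only" is the one change in this PR that can silently alter the result of an existing invocation: `testssl.sh -4 host` used to be a single RC4 check and now runs a full scan restricted to IPv4. This warrants a CHANGELOG line and, ideally, a one-release warning from the option parser when `-4` is the only check-type option given.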


@ -58,6 +58,7 @@ linked OpenSSL binaries for major operating systems are supplied in `./bin/`.
10) rating 10) rating
If a target FQDN has multiple IPv4 and/or multiple IPv6 addresses, it scans all IPs with the specified options or using the default run - unless specified otherwise, see `--ip`, `-4` and `-6`. IPv6 connectivity is automagically checked. If there's noch such thing you will see a banner *Testing all **IPv4** addresses* and all IPv6 addresses will appear in round brackets.
## OPTIONS AND PARAMETERS ## OPTIONS AND PARAMETERS
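Review bot: same typo as in the HTML man page, `noch such thing` should be `no such thing`.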
@ -105,9 +106,9 @@ Please note that `fname` has to be in Unix format. DOS carriage returns won't be
`--warnings <batch|off>`. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. `batch` doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (`--file`). `off` just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh. `--warnings <batch|off>`. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. `batch` doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (`--file`). `off` just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
The same can be achieved by setting the environment variable `WARNINGS`. The same can be achieved by setting the environment variable `WARNINGS`.
`--connect-timeout <seconds>` This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most `seconds` for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable. `--socket-timeout <seconds>` This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most `seconds` for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. SOCKET_TIMEOUT is the corresponding environment variable. This doesn't work on Macs out of the box.
`--openssl-timeout <seconds>` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `seconds` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable. `--openssl-timeout <seconds>` This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect to hang for ~2 minutes. The expected parameter `seconds` instructs testssl.sh to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of `timeout`: It automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable. This doesn't work on Macs out of the box.
`--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead. `--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
@ -124,11 +125,13 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other. `--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records. `--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The `--ip` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Any hostname supplied will be resolved to the first A record, if it does not exist the AAAA record is used. IPv4 and IPv6 addresses can be passed too, the latter *also* with square bracket notation. Please note that you need a newer OpenSSL or LibreSSL version for IPv6 proxy functionality. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported, also no HTTPS or SOCKS proxy. `--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. Any hostname supplied will be resolved to the first A record, if it does not exist the AAAA record is used. IPv4 and IPv6 addresses can be passed too, the latter *also* with square bracket notation. Please note that you need a newer OpenSSL or LibreSSL version for IPv6 proxy functionality. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported, also no HTTPS or SOCKS proxy.
`-6` does (also) IPv6 checks. Please note that testssl.sh doesn't perform checks on an IPv6 address automatically, because of two reasons: testssl.sh does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. `-6` assumes both is the case. If both conditions are met and you in general prefer to test for IPv6 branches as well you can add `HAS_IPv6` to your shell environment. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo. `-6` scans only IPv6 addresses of the target. Besides the OpenSSL binary supplied IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >=1.0.2 in RHEL/CentOS/FC and Gentoo. Scans are somewhat in line with tools like curl or wget, i.e. if there's an IPv6 address of the target which can be reached, it just uses them. If you don't want this behavior, you need to supply `-4.`
`-4` scans only IPv4 addresses of the target, IPv6 addresses of the target won't be scanned.
`--ssl-native` Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. Thus it is not recommended to use. It should only be used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary. `--ssl-native` Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl.sh uses the latter (almost) only. This is faster but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl.sh cannot tell if a particular check cannot be performed. For some checks however you might end up getting false negatives without a warning. Thus it is not recommended to use. It should only be used if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and cipher provided by your openssl binary.
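Review bot: `-4.` puts the period inside the backticks; it should be `-4` followed by the period outside. The `--ip=one` text a few lines up still only describes the `-6` case (`an AAAA record will be picked if available`); with IPv6 now auto-detected it should also say what `--ip=one` picks when neither `-4` nor `-6` is given, which per the new `determine_ip_addresses()` is the first A record.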
@ -266,7 +269,7 @@ Also for multiple server certificates are being checked for as well as for the c
`-WS, --winshock` Checks for Winshock vulnerability. It tests for the absence of a lot of ciphers, some TLS extensions and ec curves which were introduced later in Windows. In the end the server banner is being looked at. `-WS, --winshock` Checks for Winshock vulnerability. It tests for the absence of a lot of ciphers, some TLS extensions and ec curves which were introduced later in Windows. In the end the server banner is being looked at.
`-4, --rc4, --appelbaum` Checks which RC4 stream ciphers are being offered. `--rc4, --appelbaum` Checks which RC4 stream ciphers are being offered.
### OUTPUT OPTIONS ### OUTPUT OPTIONS


@ -151,7 +151,7 @@ declare -a SKIP_TESTS=() # This array hold the checks t
# Following variables make use of $ENV and can also be used like "<VAR>=<value> ./testssl.sh <URI>" # Following variables make use of $ENV and can also be used like "<VAR>=<value> ./testssl.sh <URI>"
declare -x OPENSSL declare -x OPENSSL
OPENSSL_TIMEOUT=${OPENSSL_TIMEOUT:-""} # Default connect timeout with openssl before we call the server side unreachable OPENSSL_TIMEOUT=${OPENSSL_TIMEOUT:-""} # Default connect timeout with openssl before we call the server side unreachable
CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-""} # Default connect timeout with sockets before we call the server side unreachable SOCKET_TIMEOUT=${SOCKET_TIMEOUT:-""} # Default connect timeout with sockets before we call the server side unreachable
PHONE_OUT=${PHONE_OUT:-false} # Whether testssl can retrieve CRLs and OCSP PHONE_OUT=${PHONE_OUT:-false} # Whether testssl can retrieve CRLs and OCSP
FAST_SOCKET=${FAST_SOCKET:-false} # EXPERIMENTAL feature to accelerate sockets -- DO NOT USE it for production FAST_SOCKET=${FAST_SOCKET:-false} # EXPERIMENTAL feature to accelerate sockets -- DO NOT USE it for production
COLOR=${COLOR:-2} # 3: Extra color (ciphers, curves), 2: Full color, 1: B/W only 0: No ESC at all COLOR=${COLOR:-2} # 3: Extra color (ciphers, curves), 2: Full color, 1: B/W only 0: No ESC at all
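Review bot: `SOCKET_TIMEOUT` replaces `CONNECT_TIMEOUT` in the block of variables documented as settable via the environment, so an exported `CONNECT_TIMEOUT` is now silently ignored. A one-line fallback keeps old environments working, e.g. `SOCKET_TIMEOUT=${SOCKET_TIMEOUT:-${CONNECT_TIMEOUT:-""}}`, optionally with a deprecation warning when only the old name is set.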
@ -186,7 +186,7 @@ OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all [[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
NXDNS=${NXDNS:-invalid.} # For WSL this helps avoiding DNS requests to "invalid." which windows seem to handle delayed NXDNS=${NXDNS:-invalid.} # For WSL this helps avoiding DNS requests to "invalid." which windows seem to handle delayed
NXCONNECT="" # needed when when need to test capabilities of the openssl binary NXCONNECT="" # needed when when need to test capabilities of the openssl binary
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes IPv6_OK=false # Determines later whether there's IPv6 connectivity for the user or not
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs? ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS? OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
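Review bot: `IPv6_OK=false` is a plain assignment placed in the block that the section comment describes as variables which `make use of $ENV`, so it can no longer be preset although its position suggests it can. Either move it to the internal-state variables, or keep an explicit override in the spirit of the removed `HAS_IPv6` (the new probe only tries the first AAAA record, so a user may legitimately know better). The trailing comment should also say whether a user-set value is respected.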
@ -391,8 +391,8 @@ NODE=""
NODEIP="" NODEIP=""
rDNS="" rDNS=""
CORRECT_SPACES="" # Used for IPv6 and proper output formatting CORRECT_SPACES="" # Used for IPv6 and proper output formatting
IPADDRs="" IPADDRs2CHECK="" # Contains all IP addresses to test
IP46ADDRs="" IPADDRs2SHOW="" # ... those are the ones to be displayed
LOCAL_A=false # Does the $NODEIP come from /etc/hosts? LOCAL_A=false # Does the $NODEIP come from /etc/hosts?
LOCAL_AAAA=false # Does the IPv6 IP come from /etc/hosts? LOCAL_AAAA=false # Does the IPv6 IP come from /etc/hosts?
XMPP_HOST="" XMPP_HOST=""
@ -1339,7 +1339,7 @@ fileout_pretty_json_banner() {
if ! "$do_mass_testing"; then if ! "$do_mass_testing"; then
[[ -z "$NODE" ]] && parse_hn_port "${URI}" [[ -z "$NODE" ]] && parse_hn_port "${URI}"
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place # NODE, URL_PATH, PORT, IPADDR and IPADDRs2SHOW is set now --> wrong place
target="$NODE" target="$NODE"
$do_mx_all_ips && target="$URI" $do_mx_all_ips && target="$URI"
fi fi
@ -1470,7 +1470,7 @@ json_header() {
elif "$do_mx_all_ips"; then elif "$do_mx_all_ips"; then
fname_prefix="${FNAME_PREFIX}mx-${URI}" fname_prefix="${FNAME_PREFIX}mx-${URI}"
else else
# ensure NODE, URL_PATH, PORT, IPADDR and IP46ADDR are set # ensure NODE, URL_PATH, PORT, IPADDR and IPADDRs2SHOW are set
! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}" ! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}"
fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}" fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}"
fi fi
@ -1518,7 +1518,7 @@ csv_header() {
elif "$do_mx_all_ips"; then elif "$do_mx_all_ips"; then
fname_prefix="${FNAME_PREFIX}mx-${URI}" fname_prefix="${FNAME_PREFIX}mx-${URI}"
else else
# ensure NODE, URL_PATH, PORT, IPADDR and IP46ADDR are set # ensure NODE, URL_PATH, PORT, IPADDR and IPADDRs2SHOW are set
! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}" ! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}"
fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}" fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}"
fi fi
@ -1575,7 +1575,7 @@ html_header() {
elif "$do_mx_all_ips"; then elif "$do_mx_all_ips"; then
fname_prefix="${FNAME_PREFIX}mx-${URI}" fname_prefix="${FNAME_PREFIX}mx-${URI}"
else else
# ensure NODE, URL_PATH, PORT, IPADDR and IP46ADDR are set # ensure NODE, URL_PATH, PORT, IPADDR and IPADDRs2SHOW are set
! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}" ! "$filename_provided" && [[ -z "$NODE" ]] && parse_hn_port "${URI}"
fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}" fname_prefix="${FNAME_PREFIX}${NODE}_p${PORT}"
fi fi
@ -12153,12 +12153,14 @@ fd_socket() {
break break
fi fi
done done
# For the following execs: 2>/dev/null would remove a potential error message, but disables debugging. # For the following exec commands: 2>/dev/null would remove a potential error message, but would disable
# First we check whether a socket connect timeout was specified. We exec the connect in a subshell, # debugging.
# then we'll see whether we can connect. If not we take the emergency exit. If we're still alive we'll # First we check whether a socket timeout was specified. We exec the connect in a subshell,
# and see whether. If not we take the emergency exit: fatal() in connectivity_problem.
# Otherwise (no socket timeout) OR when we survived that we do that without subshell.
# proceed with the "usual case", see below. # proceed with the "usual case", see below.
elif [[ -n "$CONNECT_TIMEOUT" ]]; then elif [[ -n "$SOCKET_TIMEOUT" ]]; then
if ! $TIMEOUT_CMD $CONNECT_TIMEOUT bash -c "exec 5<>/dev/tcp/$nodeip/$PORT"; then if ! $TIMEOUT_CMD $SOCKET_TIMEOUT bash -c "exec 5<>/dev/tcp/$nodeip/$PORT"; then
((NR_SOCKET_FAIL++)) ((NR_SOCKET_FAIL++))
connectivity_problem $NR_SOCKET_FAIL $MAX_SOCKET_FAIL "TCP connect problem" "repeated TCP connect problems (connect timeout), giving up" connectivity_problem $NR_SOCKET_FAIL $MAX_SOCKET_FAIL "TCP connect problem" "repeated TCP connect problems (connect timeout), giving up"
outln outln
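Review bot: the rewritten comment has an unfinished sentence, `and see whether. If not we take the emergency exit`; it should read something like `and see whether we can connect. If not we take the emergency exit: fatal() in connectivity_problem.` The last two comment lines also overlap (`... we do that without subshell.` followed by `proceed with the "usual case", see below.`), so one of them can go.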
@ -21190,7 +21192,7 @@ find_openssl_binary() {
$OPENSSL verify -trusted_first </dev/null 2>&1 | grep -q '^usage' || TRUSTED1ST="-trusted_first" $OPENSSL verify -trusted_first </dev/null 2>&1 | grep -q '^usage' || TRUSTED1ST="-trusted_first"
if [[ -n "$CONNECT_TIMEOUT" ]] || [[ -n "$OPENSSL_TIMEOUT" ]]; then if [[ -n "$SOCKET_TIMEOUT" ]] || [[ -n "$OPENSSL_TIMEOUT" ]]; then
# We don't set a general timeout as we might not have "timeout" installed and we only # We don't set a general timeout as we might not have "timeout" installed and we only
# do what is instructed. Thus we check first what the command line params were, # do what is instructed. Thus we check first what the command line params were,
# then we proceed # then we proceed
@ -21203,8 +21205,7 @@ find_openssl_binary() {
fi fi
else else
TIMEOUT_CMD="" TIMEOUT_CMD=""
outln fatal "You specified a socket or openssl timeout but the binary \"timeout\" couldn't be found " $ERR_RESOURCE
fatal "You specified a connect or openssl timeout but the binary \"timeout\" couldn't be found " $ERR_RESOURCE
fi fi
fi fi
@ -21366,7 +21367,7 @@ help() {
Text format 2: nmap output in greppable format (-oG), 1 port per line allowed Text format 2: nmap output in greppable format (-oG), 1 port per line allowed
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter) --mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
--warnings <batch|off> "batch" doesn't continue when a testing error is encountered, off continues and skips warnings --warnings <batch|off> "batch" doesn't continue when a testing error is encountered, off continues and skips warnings
--connect-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return --socket-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP connect to get ACKed
--openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated --openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated
single check as <options> ("$PROG_NAME URI" does everything except -E and -g): single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
@ -21402,7 +21403,7 @@ single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
-F, --freak tests for FREAK vulnerability -F, --freak tests for FREAK vulnerability
-J, --logjam tests for LOGJAM vulnerability -J, --logjam tests for LOGJAM vulnerability
-D, --drown tests for DROWN vulnerability -D, --drown tests for DROWN vulnerability
-4, --rc4, --appelbaum which RC4 ciphers are being offered? --rc4, --appelbaum which RC4 ciphers are being offered?
tuning / connect options (most also can be preset via environment variables): tuning / connect options (most also can be preset via environment variables):
-9, --full includes tests for implementation bugs and cipher per protocol (could disappear) -9, --full includes tests for implementation bugs and cipher per protocol (could disappear)
@ -21411,7 +21412,8 @@ tuning / connect options (most also can be preset via environment variables):
--ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it if possible --ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it if possible
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME) --openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy) --proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity -4 Scan IPv4 only
-6 Scan IPv6 only. Works only with supporting OpenSSL version and IPv6 connectivity
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI --ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) "one" means: just test the first DNS returns (useful for multiple IPs) b) "one" means: just test the first DNS returns (useful for multiple IPs)
c) "proxy" means: dns resolution via proxy. Needed when host has no DNS. c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
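Review bot: the new `-4` and `-6` help lines start with a capital `Scan`, while the neighbouring entries start lowercase (`use this openssl binary`, `proxy connects via`, `tests the supplied`). The `-6` line also still says `Works only with supporting OpenSSL version and IPv6 connectivity`; since connectivity is now probed automatically, it is more accurate to say that an IPv6-only scan reports a connectivity problem when no IPv6 address of the target can be reached, which is what `shouldwedo_ipv6()` does.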
@ -21528,7 +21530,6 @@ OPENSSL2_HAS_CHACHA20: $OPENSSL2_HAS_CHACHA20
OPENSSL2_HAS_AES128_GCM: $OPENSSL2_HAS_AES128_GCM OPENSSL2_HAS_AES128_GCM: $OPENSSL2_HAS_AES128_GCM
OPENSSL2_HAS_AES256_GCM: $OPENSSL2_HAS_AES256_GCM OPENSSL2_HAS_AES256_GCM: $OPENSSL2_HAS_AES256_GCM
HAS_IPv6: $HAS_IPv6
HAS_SSL2: $HAS_SSL2 HAS_SSL2: $HAS_SSL2
HAS_SSL3: $HAS_SSL3 HAS_SSL3: $HAS_SSL3
HAS_TLS1: $HAS_TLS1 HAS_TLS1: $HAS_TLS1
@ -21610,12 +21611,13 @@ CLIENT_MIN_FS: $CLIENT_MIN_FS
DAYS2WARN1: $DAYS2WARN1 DAYS2WARN1: $DAYS2WARN1
DAYS2WARN2: $DAYS2WARN2 DAYS2WARN2: $DAYS2WARN2
HEADER_MAXSLEEP: $HEADER_MAXSLEEP IPv6_OK: $IPv6_OK
MAX_WAITSOCK: $MAX_WAITSOCK MAX_WAITSOCK: $MAX_WAITSOCK
HEARTBLEED_MAX_WAITSOCK: $HEARTBLEED_MAX_WAITSOCK HEARTBLEED_MAX_WAITSOCK: $HEARTBLEED_MAX_WAITSOCK
CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK
USLEEP_SND $USLEEP_SND USLEEP_SND $USLEEP_SND
USLEEP_REC $USLEEP_REC USLEEP_REC $USLEEP_REC
HEADER_MAXSLEEP: $HEADER_MAXSLEEP
SOCAT: $SOCAT SOCAT: $SOCAT
@ -22305,6 +22307,7 @@ get_mx_record() {
# arg1: domain / hostname. Returned will be the TXT record as a string which can be multilined # arg1: domain / hostname. Returned will be the TXT record as a string which can be multilined
# (one entry per line), for e.g. non-MTA-STS records. # (one entry per line), for e.g. non-MTA-STS records.
# Is supposed to be used by MTA STS in the future like get_txt_record _mta-sts.DOMAIN.TLD # Is supposed to be used by MTA STS in the future like get_txt_record _mta-sts.DOMAIN.TLD
#
get_txt_record() { get_txt_record() {
local record="" local record=""
local saved_openssl_conf="$OPENSSL_CONF" local saved_openssl_conf="$OPENSSL_CONF"
@ -22330,27 +22333,75 @@ get_txt_record() {
} }
# This is to check whether we have IPv6 connectivity
# arg1: IPv6 address to check
#
# sets IPv6_OK if it works -- or not
#
shouldwedo_ipv6() {
local i=0
# set IPADDRs and IP46ADDRs "$do_ipv4_only" && return 0
while true; do
bash -c "exec 5<>/dev/tcp/$1/$PORT" &>/dev/null
if [[ $? -eq 0 ]]; then
IPv6_OK=true
break
fi
sleep 1
((i++))
[[ $i -ge $MAX_SOCKET_FAIL ]] && break
done
if ! "$IPv6_OK"; then
if "$do_ipv6_only"; then
connectivity_problem $i $MAX_SOCKET_FAIL "IPv6 connect problem" "repeated IPv6 connect problems when IPv6-only scan requested"
else
IPv6_OK=false
fi
fi
}
# set IPADDRs2CHECK and IPADDRs2SHOW
# #
determine_ip_addresses() { determine_ip_addresses() {
local ip4="" local ip4=""
local ip6="" local ip6=""
# first, try to get IP addresses from /etc/hosts
# Local_A[AAA] is for our UI
ip4=$(get_local_a "$NODE")
if [[ -n "$ip4" ]]; then
LOCAL_A=true
else
ip4="$(get_a_record "$NODE")" ip4="$(get_a_record "$NODE")"
ip6="$(get_aaaa_record "$NODE")" fi
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6") ip6=$(get_local_aaaa "$NODE")
if [[ -n "$ip6" ]]; then
LOCAL_AAAA=true
else
ip6=$(get_aaaa_record "$NODE")
fi
IPADDRs2SHOW=$(newline_to_spaces "$ip4 $ip6")
if [[ -n "$ip6" ]]; then
# sets IPv6_OK
shouldwedo_ipv6 $(head -1 <<< "$ip6")
fi
if [[ -n "$CMDLINE_IP" ]]; then if [[ -n "$CMDLINE_IP" ]]; then
# command line has supplied an IP address or "one" # command line has supplied an IP address or "one"
if [[ "$CMDLINE_IP" == one ]]; then if [[ "$CMDLINE_IP" == one ]]; then
# use first IPv6 or IPv4 address # use first IPv6 or IPv4 address when --ip=one
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then if "$do_ipv4_only"; then
CMDLINE_IP="$(head -1 <<< "$ip4")"
elif "$do_ipv6_only"; then
CMDLINE_IP="$(head -1 <<< "$ip6")" CMDLINE_IP="$(head -1 <<< "$ip6")"
else else
CMDLINE_IP="$(head -1 <<< "$ip4")" CMDLINE_IP="$(head -1 <<< "$ip4")"
fi fi
fi fi
# otherwise check what was specified with --ip=
NODEIP="$CMDLINE_IP" NODEIP="$CMDLINE_IP"
if is_ipv4addr "$NODEIP"; then if is_ipv4addr "$NODEIP"; then
ip4="$NODEIP" ip4="$NODEIP"
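Review bot: `shouldwedo_ipv6` probes only the first AAAA record (`shouldwedo_ipv6 $(head -1 <<< "$ip6")`) and the probe `bash -c "exec 5<>/dev/tcp/$1/$PORT"` has no timeout of its own, so a first address that silently drops SYNs blocks for the OS connect timeout on each of the `$MAX_SOCKET_FAIL` attempts plus `sleep 1`, after which every IPv6 address of the host is skipped even if the others answer; wrap the probe with `timeout` (using the script's `SOCKET_TIMEOUT`) and, on failure, try the next address before giving up. The probe also runs before the `--ip=` handling, so it is executed even when `--ip=<IPv4 literal>` makes it unnecessary, and in the `--ip=one` default branch `CMDLINE_IP="$(head -1 <<< "$ip4")"` yields an empty string for a host that has only AAAA records; fall back to `$ip6` there when `$ip4` is empty and `$IPv6_OK` is true. The `else IPv6_OK=false` inside `if ! "$IPv6_OK"` is a no-op and can go; quote `"$(head -1 <<< "$ip6")"` as well.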
@ -22360,49 +22411,42 @@ determine_ip_addresses() {
fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP fatal "couldn't identify supplied \"CMDLINE_IP\"" $ERR_DNSLOOKUP
fi fi
elif is_ipv4addr "$NODE"; then elif is_ipv4addr "$NODE"; then
ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname ip4="$NODE" # only a single IPv4 address was supplied as an argument, no hostname
SNI="" # override Server Name Indication as we test the IP only SNI="" # override Server Name Indication as we test the IP only
elif is_ipv6addr "$NODE"; then
ip6="$NODE"
SNI=""
else else
ip4=$(get_local_a "$NODE") # is there a local host entry? : # standard case
if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
ip4=$(get_a_record "$NODE")
else
LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi
# same now for ipv6
ip6=$(get_local_aaaa "$NODE")
if [[ -z "$ip6" ]]; then
ip6=$(get_aaaa_record "$NODE")
else
LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
fi
fi fi
# IPv6 only address if "$do_ipv4_only"; then
if [[ -z "$ip4" ]]; then if [[ -z "$ip4" ]]; then
if "$HAS_IPv6"; then fatal_cmd_line "No IPv4 addresses available, but IPv4-only scan requested" $ERR_CMDLINE
IPADDRs=$(newline_to_spaces "$ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
fi fi
IPADDRs2CHECK=$(newline_to_spaces "$ip4")
elif "$do_ipv6_only"; then
if [[ -z "$ip6" ]]; then
fatal_cmd_line "No IPv6 addresses available, but IPv6-only scan requested" $ERR_CMDLINE
fi
if ! "$IPv6_OK"; then
fatal_cmd_line "IPv6 address cannot be reached" $ERR_RESOURCE
fi
IPADDRs2CHECK=$(newline_to_spaces "$ip6")
else else
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then for addr in $IPADDRs2SHOW; do
if is_ipv6addr "$CMDLINE_IP"; then is_ipv6addr $addr && ! "$IPv6_OK" && continue
IPADDRs=$(newline_to_spaces "$ip6") [[ -z $IPADDRs2CHECK ]] && IPADDRs2CHECK="${addr}" || IPADDRs2CHECK="${IPADDRs2CHECK} ${addr}"
else done
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
fi fi
else # If scanning IPV6 doesn't work, put the address to show in round brackets to
IPADDRs=$(newline_to_spaces "$ip4") # signal the user / UI that those won't be scanned. We don't do that for IPv4, yet
for addr in $IPADDRs2SHOW; do
if is_ipv6addr $addr && ! "$IPv6_OK" ; then
IPADDRs2SHOW=${IPADDRs2SHOW/$addr/($addr)}
fi fi
fi done
if [[ -z "$IPADDRs" ]]; then return 0
if [[ -n "$ip6" ]]; then
fatal "Only IPv6 address(es) for \"$NODE\" available, maybe add \"-6\" to $0" $ERR_DNSLOOKUP
else
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
fi
fi
return 0 # IPADDR and IP46ADDR is set now
} }
determine_rdns() { determine_rdns() {
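Review bot: the old `if [[ -z "$IPADDRs" ]]; then fatal ...` guard at the end is dropped and the default (neither `-4` nor `-6`) branch gets no replacement: when resolution returns nothing, or when all addresses are IPv6 and `$IPv6_OK` is false, the `continue` in the loop leaves `IPADDRs2CHECK` empty and the function still does `return 0`, so the callers' `for ip in $IPADDRs2CHECK` loops silently run zero times. Add an emptiness check after the loop, e.g. `[[ -z "$IPADDRs2CHECK" ]] && fatal "No reachable IPv4/IPv6 address for \"$NODE\"" $ERR_DNSLOOKUP`. Separately, that default branch builds `IPADDRs2CHECK` from `IPADDRs2SHOW`, which was assembled from the resolved `ip4`/`ip6` before the `--ip=` and literal-address branches overwrite them (`ip4="$NODEIP"`, `ip6="$NODE"`), whereas the `-4`/`-6` branches use `ip4`/`ip6` directly; please verify that `--ip=<address>` and an IPv6 literal target still limit the scan to that single address and that `IPADDRs2SHOW` reflects it.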
@ -22411,7 +22455,7 @@ determine_rdns() {
[[ "$NODNS" == none ]] && rDNS="(instructed to skip DNS queries)" && return 0 # No DNS lookups at all [[ "$NODNS" == none ]] && rDNS="(instructed to skip DNS queries)" && return 0 # No DNS lookups at all
[[ "$NODNS" == min ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for [[ "$NODNS" == min ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
OPENSSL_CONF="" # see https://github.com/testssl/testssl.sh/issues/134 OPENSSL_CONF="" # see https://github.com/testssl/testssl.sh/issues/134
if [[ "$NODE" == *.local ]]; then if [[ "$NODE" == *.local ]]; then
if "$HAS_DSCACHEUTIL"; then if "$HAS_DSCACHEUTIL"; then
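Review bot: dropping `local` from `nodeip="$(tr -d '[]' <<< $NODEIP)"` turns `nodeip` into a global that outlives `determine_rdns`; if another function now relies on it, say so in a comment and initialize it in `initialize_globals`, otherwise keep `local`. `$NODEIP` inside `<<<` should be quoted as well.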
@ -23001,7 +23045,7 @@ determine_optimal_proto() {
fi fi
elif "$all_failed"; then elif "$all_failed"; then
outln outln
if "$HAS_IPv6"; then if "$IPv6_OK"; then
pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT " pr_bold " Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT "
fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server." fileout "$jsonID" "WARN" "Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT doesn't seem to be a TLS/SSL enabled server."
else else
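Review bot: `IPv6_OK` only records that a TCP connect to the first IPv6 address succeeded, so the warning `Your $OPENSSL is not IPv6 aware, or $NODEIP:$PORT ...` is now keyed to connectivity rather than to the openssl capability its wording describes, and the branch is also taken when `$NODEIP` is an IPv4 address; condition it on `is_ipv6addr "$NODEIP"` (or keep a separate openssl IPv6 flag) so the message matches the address actually under test.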
@ -23231,10 +23275,10 @@ display_rdns_etc() {
out " Via Proxy: $CORRECT_SPACES" out " Via Proxy: $CORRECT_SPACES"
outln "$PROXYIP:$PROXYPORT " outln "$PROXYIP:$PROXYPORT "
fi fi
if [[ $(count_words "$IP46ADDRs") -gt 1 ]]; then if [[ $(count_words "$IPADDRs2SHOW") -gt 1 ]]; then
out " Further IP addresses: $CORRECT_SPACES" out " Further IP addresses: $CORRECT_SPACES"
for ip in $IP46ADDRs; do for ip in $IPADDRs2SHOW; do
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then if [[ "$ip" == $NODEIP ]] || [[ "[$ip]" == $NODEIP ]]; then
continue continue
else else
further_ip_addrs+="$ip " further_ip_addrs+="$ip "
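Review bot: removing the quotes in `[[ "$ip" == $NODEIP ]] || [[ "[$ip]" == $NODEIP ]]` makes the right-hand side a glob pattern; an IPv6 `$NODEIP` such as `[2001:db8::1]` (constructed example) then becomes a bracket expression matching a single character, so the comparison no longer holds for IPv6 targets and the scanned address is listed again under "Further IP addresses". Keep `"$NODEIP"` quoted as before.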
@ -23323,22 +23367,21 @@ run_mx_all_ips() {
outln outln
parse_hn_port "$mx:$mxport" parse_hn_port "$mx:$mxport"
determine_ip_addresses || continue determine_ip_addresses || continue
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check if [[ $(count_words "$IPADDRs2CHECK") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true MULTIPLE_CHECKS=true
if [[ "$HAS_IPv6" ]]; then
pr_bold "Testing all IP addresses (port $PORT): "
else
pr_bold "Testing all IPv4 addresses (port $PORT): "
fi fi
outln "$IPADDRs" if "$do_ipv4_only"; then
for ip in $IPADDRs; do pr_bold "Testing all IPv4 addresses (port $PORT): "
elif "$do_ipv6_only"; then
pr_bold "Testing all IPv6 addresses (port $PORT): "
else
pr_bold "Testing all IP addresses (port $PORT): "
fi
outln "$IPADDRs2CHECK"
for ip in $IPADDRs2CHECK; do
NODEIP="$ip" NODEIP="$ip"
lets_roll "${STARTTLS_PROTOCOL}" lets_roll "${STARTTLS_PROTOCOL}"
done done
else
NODEIP="$IPADDRs"
lets_roll "${STARTTLS_PROTOCOL}"
fi
ret=$(($? + ret)) ret=$(($? + ret))
done done
draw_line "-" $((TERM_WIDTH * 2 / 3)) draw_line "-" $((TERM_WIDTH * 2 / 3))
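Review bot: the `Testing all ... addresses (port $PORT):` banner, `outln "$IPADDRs2CHECK"` and the loop now run unconditionally, so an MX host with a single address gets the all-addresses banner; guard the banner with `if "$MULTIPLE_CHECKS"; then ... fi` (the flag is set just above). If `IPADDRs2CHECK` came back empty the loop runs zero times and `ret` is left untouched for that MX, and `determine_ip_addresses || continue` only catches that when the function returns non-zero in that case.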
@ -24166,6 +24209,9 @@ initialize_globals() {
do_display_only=false do_display_only=false
do_starttls=false do_starttls=false
do_rating=false do_rating=false
do_ipv6_only=false
do_ipv4_only=false
} }
@ -24200,12 +24246,16 @@ set_scanning_defaults() {
do_server_preference=true do_server_preference=true
do_tls_fallback_scsv=true do_tls_fallback_scsv=true
do_client_simulation=true do_client_simulation=true
if "$OFFENSIVE"; then if "$OFFENSIVE"; then
VULN_COUNT=18 VULN_COUNT=18
else else
VULN_COUNT=14 VULN_COUNT=14
fi fi
do_rating=true do_rating=true
do_ipv6_only=false
do_ipv4_only=false
} }
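Review bot: `do_ipv6_only=false` / `do_ipv4_only=false` in `set_scanning_defaults` throws away the user's `-4`/`-6`: `set_scanning_defaults` runs after option parsing whenever `count_do_variables` reports no test selected (the `[[ $? -eq 0 ]] && set_scanning_defaults` line further down), which is exactly the plain `testssl.sh -4 host` case; and if `count_do_variables` were taught to count these two flags they would instead suppress the default test set. They are target-selection flags, not `run_*` selectors: initialize them in `initialize_globals` only and remove these two lines.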
# returns number of $do variables set = number of run_funcs() to perform # returns number of $do variables set = number of run_funcs() to perform
@ -24529,7 +24579,7 @@ parse_cmd_line() {
do_winshock=true do_winshock=true
((VULN_COUNT++)) ((VULN_COUNT++))
;; ;;
-4|--rc4|--appelbaum) --rc4|--appelbaum)
do_rc4=true do_rc4=true
((VULN_COUNT++)) ((VULN_COUNT++))
;; ;;
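Review bot: `-4` is repurposed from a synonym of `--rc4|--appelbaum` to an IPv4-only switch, a silent behaviour change for existing invocations (`-4` now runs the full default scan over IPv4 instead of only the RC4 check); update the help text and man page where `-4|--rc4` is listed and call the change out in the changelog.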
@ -24855,8 +24905,8 @@ parse_cmd_line() {
MTLS="$(parse_opt_equal_sign "$1" "$2")" MTLS="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
;; ;;
--connect-timeout|--connect-timeout=*) --socket-timeout|--socket-timeout=*--connect-timeout|--connect-timeout=*)
CONNECT_TIMEOUT="$(parse_opt_equal_sign "$1" "$2")" SOCKET_TIMEOUT="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
;; ;;
--mapping|--mapping=*) --mapping|--mapping=*)
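Review bot: the case arm as shown reads `--socket-timeout|--socket-timeout=*--connect-timeout|--connect-timeout=*)`, i.e. `--socket-timeout=*` runs into `--connect-timeout` without a separating `|`, and only a `SOCKET_TIMEOUT=` assignment is visible where the old arm set `CONNECT_TIMEOUT=`. If this is not a rendering artefact of two reordered arms, `--socket-timeout=<n>` would no longer match and `--connect-timeout` would lose its assignment; please confirm both arms survive, each with its own `parse_opt_equal_sign` assignment.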
@ -24878,8 +24928,9 @@ parse_cmd_line() {
--phone-out) --phone-out)
PHONE_OUT=true PHONE_OUT=true
;; ;;
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not -4) do_ipv4_only=true
HAS_IPv6=true ;;
-6) do_ipv6_only=true
;; ;;
--has[-_]dhbits|--has[_-]dh[-_]bits) --has[-_]dhbits|--has[_-]dh[-_]bits)
# Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190 # Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190
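Review bot: `-4) do_ipv4_only=true` and `-6) do_ipv6_only=true` get only short forms while the neighbouring options all have long forms; add long aliases (names such as `--ipv4-only`/`--ipv6-only` are a suggestion, not in the patch) for use in scripts. Neither flag is checked against `--ip=`: with `-6 --ip=<IPv4 literal>` the `-6` branch in `determine_ip_addresses` builds `IPADDRs2CHECK` from `$ip6` and the supplied address is silently ignored; add a `fatal_cmd_line` for that combination next to the `-4 and -6 exclude each other` check.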
@ -24954,6 +25005,8 @@ parse_cmd_line() {
((VULN_COUNT++)) ((VULN_COUNT++))
fi fi
"$do_ipv4_only" && "$do_ipv6_only" && fatal_cmd_line "-4 and -6 exclude each other" $ERR_CMDLINE
count_do_variables count_do_variables
[[ $? -eq 0 ]] && set_scanning_defaults [[ $? -eq 0 ]] && set_scanning_defaults
set_skip_tests set_skip_tests
@ -24970,6 +25023,7 @@ parse_cmd_line() {
# connect call from openssl needs ipv6 in square brackets # connect call from openssl needs ipv6 in square brackets
#
nodeip_to_proper_ip6() { nodeip_to_proper_ip6() {
local len_nodeip=0 local len_nodeip=0
@ -25035,6 +25089,7 @@ stopwatch() {
# arg1(optional): "init" --> just initializing. Or: STARTTLS protocol # arg1(optional): "init" --> just initializing. Or: STARTTLS protocol
#
lets_roll() { lets_roll() {
local -i ret=0 local -i ret=0
local section_number=0 local section_number=0
@ -25248,7 +25303,7 @@ lets_roll() {
exit $? exit $?
fi fi
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now [[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs2CHECK and IPADDRs2SHOW is set now
prepare_logging prepare_logging
if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then
@ -25257,15 +25312,18 @@ lets_roll() {
RET=$? RET=$?
else else
determine_ip_addresses determine_ip_addresses
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check if [[ $(count_words "$IPADDRs2CHECK") -gt 1 ]]; then
MULTIPLE_CHECKS=true MULTIPLE_CHECKS=true
if [[ "$HAS_IPv6" ]]; then
pr_bold "Testing all IP addresses (port $PORT): "
else
pr_bold "Testing all IPv4 addresses (port $PORT): "
fi fi
outln "$IPADDRs" if "$do_ipv4_only"; then
for ip in $IPADDRs; do pr_bold "Testing all IPv4 addresses (port $PORT): "
elif "$do_ipv6_only"; then
pr_bold "Testing all IPv6 addresses (port $PORT): "
else
pr_bold "Testing all IP addresses (port $PORT): "
fi
outln "$IPADDRs2CHECK"
for ip in $IPADDRs2CHECK; do
draw_line "-" $((TERM_WIDTH * 2 / 3)) draw_line "-" $((TERM_WIDTH * 2 / 3))
outln outln
NODEIP="$ip" NODEIP="$ip"
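Review bot: `if [[ $(count_words "$IPADDRs2CHECK") -gt 1 ]]` now only sets `MULTIPLE_CHECKS=true`, so the `Testing all ... addresses (port $PORT):` banner, `outln "$IPADDRs2CHECK"` and the `draw_line` separators are printed for every target, including the common single-address case, which changes the output for every user and for anything parsing it; wrap the banner and separators in `if "$MULTIPLE_CHECKS"; then ... fi`.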
@ -25274,12 +25332,7 @@ lets_roll() {
done done
draw_line "-" $((TERM_WIDTH * 2 / 3)) draw_line "-" $((TERM_WIDTH * 2 / 3))
outln outln
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs2CHECK"
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
NODEIP="$IPADDRs"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
fi
fi fi
exit $RET exit $RET
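Review bot: the removed `else` branch was the only place shown here that assigned `RET=$?` for the single-address case, and the `Done testing now all IP addresses` line is now printed even when only one address was scanned; the loop body is outside this hunk, so please confirm it sets `RET` from `lets_roll` (accumulating it the way `run_mx_all_ips` does with `ret=$(($? + ret))`), otherwise `exit $RET` reports the initial value, and guard the "Done testing" line with `"$MULTIPLE_CHECKS"`.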