On 2/1/2024 22:50, Tim Chown wrote:
I suppose 80 being open these days is a ‘fail’ of sorts… but probably best not to rathole into non IP-specific issues (we tend to use https://www.ssllabs.com/ssltest/) and rather highlight differences in v4 and v6 behaviour that the sites may be unaware of.
I believe (and so does my script :-) that port 80 is the starting point so it should be open but it should have a 301 (Moved Permanently) redirect to port 443, where TLS is correctly implemented.
In the slightly different case where the redirect points to a location that doesn't have a AAAA the script will mark this as a failure with "redirect lacks AAAA".
We have some unusual behaviour for jisc.ac.uk, that varies for v4/v6 and whether the www is prepended. I think this is being worked on.
The typical problem child is that www.$domain has A and AAAA records and there is a "web service" listening on those addresses which has some sort of redirect to just $domain. Sadly it only has an A record and this results in my script being sad, and you get the aforementioned diagnostic.
And thanks for the tools :)
You're welcome, and good luck herding the cats. Mark.
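
The check discussed in this message (port 80 redirecting with a 301 to HTTPS, and the redirect target also needing an AAAA record) can be sketched as follows. This is an added example, not the script referred to in the thread: the function names, the other diagnostic strings and the DNS/redirect tables are assumptions, and the sample data is constructed so the code runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data, not real measurements: DNS records per host
# and the redirect (status, Location) each URL answers with.
DNS = {
    "www.example.org": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "example.org": {"A": ["192.0.2.10"]},  # bare domain has no AAAA
    "www.example.net": {"A": ["198.51.100.5"], "AAAA": ["2001:db8:1::5"]},
    "www.example.com": {"A": ["203.0.113.7"], "AAAA": ["2001:db8:2::7"]},
}
REDIRECTS = {
    "http://www.example.org/": (301, "https://example.org/"),
    "http://www.example.net/": (301, "https://www.example.net/"),
}

def has_aaaa(host, dns):
    """True when the (hypothetical) DNS table holds an AAAA record for host."""
    return bool(dns.get(host, {}).get("AAAA"))

def check_site(host, dns=DNS, redirects=REDIRECTS, max_hops=5):
    """Follow redirects from http://host/ and return a list of diagnostics."""
    if not has_aaaa(host, dns):
        return ["no AAAA"]
    problems, url, seen = [], f"http://{host}/", set()
    for _ in range(max_hops):
        if url in seen:
            problems.append("redirect loop")
            break
        seen.add(url)
        hop = redirects.get(url)
        if hop is None:
            break  # no further redirect: url is the final location
        status, location = hop
        if urlsplit(url).scheme == "http" and status != 301:
            problems.append(f"port 80 answers {status}, expected 301")
        url = urljoin(url, location)  # also resolves relative Location values
        if not has_aaaa(urlsplit(url).hostname, dns):
            problems.append("redirect lacks AAAA")
            break  # an IPv6-only client cannot get past this hop
    if urlsplit(url).scheme != "https":
        problems.append("no redirect to https")
    return problems

if __name__ == "__main__":
    for name in ("www.example.org", "www.example.net", "www.example.com"):
        print(name, check_site(name) or "ok")
```
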