Problem
When you scan TLS-servers in a IP-subnet, you can accidentally build a chain of Reality servers that reduces the reliability of our proxy-server.
Proposal
We can filter only those TLS-servers which are in IP-addresses of cert-domain.
The first option should be like -resolve-cert-domains. It splits multiple (?) domains in cert-domains field, removes *. in the beginning of them, resolves them through DNS-queries and outputs to logs and CSV-file.
The second option should be like `-filter-by-cert-domains-ips'. It makes results infeasible when the IP-addresses of cert-domains does not belong to the scanning IP-subnet.
Usage example
Command line:
./RealiTLScanner -addr 1.2.3.0/24 -resolve-cert-domains -filter-by-cert-domains-ips -out file.csv -v
Output:
2024/02/08 20:51:10 INFO Connected to target feasible=true host=1.2.3.4 tls=1.3 alpn=h2 domain=domain-with-ip-1-2-3-4-in-dns.com issuer="Let's Encrypt"
CSV-file content:
IP,ORIGIN,CERT_DOMAIN,CERT_DOMAINS_IPS,CERT_ISSUER,GEO_CODE
1.2.3.4,domain-with-ip-1-2-3-4-in-dns.com,"domain-with-ip-1-2-3-4-in-dns.com: 1.2.3.4, 1.2.3.5; domain2.com: 4.3.2.1","Let's Encrypt",US
Problem
When you scan TLS-servers in a IP-subnet, you can accidentally build a chain of Reality servers that reduces the reliability of our proxy-server.
Proposal
We can filter only those TLS-servers which are in IP-addresses of cert-domain.
The first option should be like
-resolve-cert-domains. It splits multiple (?) domains in cert-domains field, removes*.in the beginning of them, resolves them through DNS-queries and outputs to logs and CSV-file.The second option should be like `-filter-by-cert-domains-ips'. It makes results infeasible when the IP-addresses of cert-domains does not belong to the scanning IP-subnet.
Usage example
Command line:
Output:
CSV-file content: