Docker IP scanned when hostname container matches

[stayallive]

When running latest depending on the hostname of the docker container it sometimes adds the internal IP address to the list of IPs to scan even with --nodns none and a --ip supplied, example:

docker run --rm --hostname cert-chief-app -it ghcr.io/testssl/testssl.sh:latest --assume-http --nodns none --hints --ip '[2606:4700:20::ac43:4b0f]' -6 cert.chief.app:443

#####################################################################
  testssl.sh version 3.3dev from https://testssl.sh/dev/

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on cert-chief-app:/home/testssl/bin/openssl.Linux.x86_64

Testing all IP addresses (port 443): 172.17.0.24 2606:4700:20::ac43:4b0f
--------------------------------------------------------------------------------------------------------------
 Start 2025-07-22 21:31:12        -->> 172.17.0.24:443 (cert.chief.app) <<--

 Further IP addresses:   2606:4700:20::ac43:4b0f
 A record via:           /etc/hosts
 rDNS (172.17.0.24):     (instructed to skip DNS queries)bash: connect: Connection refused
bash: line 1: /dev/tcp/172.17.0.24/443: Connection refused
 Oops: TCP connect problem

Unable to open a socket to 172.17.0.24:443.
Fatal error: Couldn't connect to 172.17.0.24:443, proceeding with next IP (if any)
...

It will continue with the correct IP and finish a scan, but it first tries to connect to the Docker IP anyway. This is only if the hostname of the container "matches" the domain name.

I am guessing there is probably a very logical networking explanation for this but this behaviour seems really interesting and it took a while before I found the cause for this 🤣

This also mentions a v6 address when doing a IPv4 scan:

docker run --rm --hostname cert-chief-app -it ghcr.io/testssl/testssl.sh:latest --assume-http --nodns none --hints --ip '104.26.3.199' cert.chief.app:443

#####################################################################
  testssl.sh version 3.3dev from https://testssl.sh/dev/

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on cert-chief-app:/home/testssl/bin/openssl.Linux.x86_64

Testing all IPv4 addresses (port 443): 104.26.3.199
--------------------------------------------------------------------------------------------------------------
 Start 2025-07-22 21:40:12        -->> 104.26.3.199:443 (cert.chief.app) <<--

 Further IP addresses:   (fd00::3)
 A record via:           /etc/hosts
 rDNS (104.26.3.199):    (instructed to skip DNS queries)
...

However, it won't scan it (even with -6 provided) so that is less of an issue but still odd.

This is all not happening on 3.2.

[drwetter]

Thanks, @stayallive . Will take a while . Vaguely looks like some pattern matching is not as strict as it should be.

[stayallive]

Ah. Interesting. No worries, I can work around this pretty easily so not a major blocker at all here, just figured it was worth a report.

Although I could appreciate some combination of flags that would allow me to force the IP(s) scanned and force it to assume HTTP (still checks as far as I can tell with --assume-http) without any processing. But this might be better in another issue since it's a little offtopic.

Anyway; appreciate the work as always 🙏