From 851cd564e625c595412c34fdf3c7c7489962aa6f Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Wed, 15 Jul 2020 11:52:19 -0400
Subject: [PATCH 1/3] Check for bad OCSP intermediate certificates

This commit checks whether any intermediate certificates provided by the server include an extended key usage extension that asserts the OCSP Signing key purpose. This commit replaces #1680, which checks for such certificates by comparing the server's intermediate certificates against a fixed list of known bad certificates.
---
 etc/bad_ocsp_certs.txt | 293 -----------------------------------------
 testssl.sh | 7 +-
 2 files changed, 2 insertions(+), 298 deletions(-)
 delete mode 100644 etc/bad_ocsp_certs.txt

diff --git a/etc/bad_ocsp_certs.txt b/etc/bad_ocsp_certs.txt
deleted file mode 100644
index e3b84f5..0000000
--- a/etc/bad_ocsp_certs.txt
+++ /dev/null
@@ -1,293 +0,0 @@ -wXYR23sxE2HiDXuCMarfR4vLf/oL5YXAbeIwkiPC74o= -/bNF0mk3ftnTQwi7eIVjKzDmH46vt+tedfgCTV/U4Yc= -16BtRir8gNcRg9lKOYstzIJYNefGbaXkVAVXLwSwWl0= -gptouX8R3uNEhXrBLrQM5QLuUmARIwFv3r8UIAkaQEg= -VEULJ4BS+pGRFgDLmPMQCg+1gVKNj+q5i2/++KSMmY4= -c50MOnG2w3fL0cQIrnzBlzLCy++GINY7Fsn9AYXfmnE= -VQdJ/141xAfVFdmLMnUEvEhP2q4opxOv5OIoKYa+BOg= -Qavo+alRqJkPvc0+FM9HnUJkAbEV8BcBibZl6UDDYyw= -iKuWH2T5No9MTRMH9Z1OWcXlcPhSpsUROo/yjgQxUVc= -zXQZjUwj5HAd6leYkjIbnk9HoIvYN0cQuJmq0UlaSzU= -vEicbcK94lP1hto0E01mQLi1g6MSCJzhCTPEvAP8XzM= -89kW0bcyAfBJ7afll/4KXM1XEaaVj7wLem9/pk96/kc= -h6rZeKX+LulB5AaPmWPqKb2qWIeNJBIkmoLNIvgSbYI= -REzv7dg/YxXF7Iay8c1jsdvyOHz6K+sPtAAVPyr5QI8= -6keT4uuBTUMmH4Borv3ng7g358AhrBnI6bCFUfLWyD8= -DLZoT2AcQW+ZKolAmRSjKgwgmXFodfX3jsDEaxtXCZw= -fTW/BMhXKCtCLoUeqKYit10uzLq2XVumJZjB2koR1QI= -TefMrLUJmUJkSVDyzIYTQBJWXGFNUap9MIf6wZaVihQ= -kO5UjrrKyrQCB6YaN4zhhrlNJK58Vb/IMGXqlgcuKzg= -EaJ2cYciZURctyWOsoRO5hTRR3e59vc76VMhIvIfrQ0= -HLRwcoz1bzAgA7sOTrBiQU+hHU+X4/BhFwyWyIBx1xE= -ysBfTwUIEJkybc8nxNlwqKPqkU5nkq2swQSWEcntQ7o= -7AICWhoVeywCrEn1Wai2zwchJvg3lJn658Uu0YPakBI= -VvMhZ/AD2PLLc4qzhsNcoVJlzCmpjuEGbNPhrFVsoVw= -7r7fhG8dug6Iqba5qw/2Xwl/KEwGpkqTnujFyebzE/Q= -U1cNBeQNxi+d+R0Vr7AVtWqqaAwgzBaObVfZRsnOJoQ= -9kDlZDxAwfMp4QBDjijJV2ka+opT5AWjJvev63DCO8E= -GwRlNTeOB9EKzaok7vziBCC7mllhFOtHXKaWNXdT6SU= -fTOuYYzWJVM3fSU9LryihdhOmKkk2J+Y1L5P7jH5Kqg= -wC2KMO1psvhk7Y+xpjo+clUoiSDKKUvcow9jiY+5GVw= -BOy6j5K/90WMSl58aSYfx+LvUtWvVPvdkrFxQbvgZR8= -48UkTRX44LA09QCQO32hHFfBZWF1uGYIx/zcVh0IG/Y= -lA0vISoqOcyEvULQ9txPe6TEd+elqZIslrn17BTkpsg= -WXK5vUcQF9XzJwW+6RVwNiZXX4snCjnBwxLH+SRsENQ= -q/OAPNKTniaAPlIoCoH2fEbD4O51/Nux4w+wOjIaz60= -N9IgpsdSJ5kCEZE0nBg/kXvhvoYmz5JrD9bgqGge4DE= -QqtNnxgJRU6+wkXY2wb/YaqCibBaJj3+6WYtrJFmYEM= -Bb+2YF1IUWpXG6+af/dTdhMEcNpe5/9oTCZy6qDAyK0= -/UwrmT4DVukNT5+9I2He8aSYN4zuzrkt12/grX4sexY= -k5BxSx2Qn6PXDdx2gbOPB+1OY1bLXHGRXRvc1I/jNfg= -MafFefJNVWLNsgP6Fanyw/9dwfLmv3wL2V+8sBFMjSE= -jlzqHRASUhwnpOEScHArx8mhFW8TUHPWyk5C7ugmJJ4= -Irbr3umwptpcn6ztJ7+dzgmAPCr8EfdrXAvPR7f31WA= 
-gP3kKCEq8MoKxTHu5u0t89PCpFV9/OhXBw/JR5IumyQ= -P+i+OSoIaEuZ9JfmGMfd9aAqQom/nQjllQRZMb+6gU8= -3Ist7lDdR4qxNcrCac6miFFVepEpq82Y31ITsj2/s80= -UCx6hwNB175n2ybb+s+WR6/YmoVL+IEvpO9ww1bsE+U= -vzmkJB9C1SI2iUSz3FPtnqpax3NeJC4GJ8DdW7pxRIQ= -OuaZ2U6P69rLhtT5DUCQMzNHjmXgZVxDJFEZfjP6B/I= -oloZVGgZ0EgADvnGV3xLzY0hVbHkNGpFmdbIt5eZ1KE= -8YRCvt9wtNFSETVscrZZMyvtA//Tu6evqqvm3p1yMAI= -2IiPSoT3TJdN/7Vzob9bu6zRcTuQUJb46wFQYr85bE0= -BkNqyNDI4SCltfqMK83LLx+AWF55x3t+D40PYWjZxF4= -Uk5bOlWNX/AafEYCahS1jHfPne+6aR6sjkoX+sKjo7Y= -1B0jxRVZ9l5cIlA9enq/XNll7DnGHGmKfZjXl69we0g= -XIDlafzuk/FaK8BDUQKyagT1qh7JkSwToFiBwarVAtI= -3gqS5UNbYTII3ENezHFYvyj0IKk+CpHVlllyBT9SNUk= -IcrbfNgi6hO0luJau4FRx/sA77se5FijtKTzwWvDwW8= -7T23SNbXju/wuUUrxqAuA5A5xVB1pDkyO4uoX7Ibndo= -SyTFIcR2AOg4AKP/DC1Y3ALIF3732ml8WoDB1IZ6Zt0= -XbHSLXBmhPBxnokC+4azRrP8nk0aH5IoOkiLw9GgSEs= -P3hQJbzPrKRwGhc0zg97MM5BBpQsjZL0G3CwZ+1l01Q= -FQc8a73HRpmohRjCelfJVuXiPWypYZ5SGkaMeHPeT4o= -qbVpjFJjvv89YHINwYRMuV0W8G4EJovOO+TWAoKwHvk= -o38cCp3HIpi2H5M8tUxlQ4Y3sm2+29HmuAgnnz2tMOU= -Pq1PcvBvEFSIHSco3gM6jhP63mvRZQhAGOuUPBc3jao= -2FU6KIDpa3qkx0E92QOv09WAUEaV3SahaP1IzOexR0o= -UH22DSY9PQnSg94uOqQ139h3XlK8M1cC44Mru1fsHL0= -Uz/pfrRfztJASeQe/p2yVKXdnZDf1TyVEsYgftsh2Cw= -0o20NeMSEqO9zPh2IPZUS5mpwCMov5g+iC/QYnodEw8= -X2yqRKRmPEQd2SyLZlX7+Xz24daTTbj1+Nl633Az+qw= -X79u1PD4etpl+ueqq0rZ4bWlhpOa7fs5pJJr5/ZcZQw= -hTY6JMsbZubPYkTofSQ9u4MG9gc1fGFMucTCJKDgQ1g= -fggrvFaXaxWdRpZUCpa2AUhhS6m14psgNfeJvs+/Blc= -vs/eEkzt00TZJctV7dpmLZqcBoj6mghwzj27baQxPk4= -T/QE8C4s0AGI8V0cAPS20eOLWjlc+FMU6uuoVbamS3U= -8i22V6GpKYQavKxSZxpc7op9BpWGr4XOFt4rBd2iIlI= -ON7T/2gnV5AIr0iH65aYo8+pJ/qO1Z8GugkPuaY+LXc= -cFYQcjyWE/ZBMYHK33PVEHG9dh/aSRQj4avQAVAbZPM= -lylXMEAxI07Rdnn9y5dVbWFz1fK/Dm5m1hJoDKbndoU= -VnmkMeedTrnulnxg2HA8fHj0Q/cduXFX5DBZ3kLYUN8= -ziMyOQIIdCoaymUTl0xMnbJpHq9FaLUz5KF+1d2pc+Y= -x0It4hzryS7K5r6dzX5xHuZQ0wrtcR+7Dfayx4S2xPs= -OUzLvAs1lcoN7UAHL6+YY27QIWma0olFZIeRZbW11Mk= -xhkwd8YYnR37v4E7h9x8vwSYrPcniHvH7FQyCQbem8g= -ApN5EY5XdSJsVNcYKjZ6JAtRdw9QEbs1F3z9F9myRFo= 
-ThB8mBtCrL5BwBBn4W1E22SBTUGT5XIxfqBLh8ecR18= -1Ia/o/ANFl7iz2Jw/afQCBfljNot9Polbg8usSLPjwI= -6+h7tBiFAnCfREBVJZq7IrxRuIyQhBmhNVnfyO9mMNE= -rxiY1/Bjh1HAddAULU4qDqcx/GIjJPFT/hvztq/ZrxM= -LgGRdRygy6gcOmM43uGgK41rzE8fgmG4CbzOerrxpD0= -TCQc/j0/+2DKiNawalUqsc8O99jS4I2hUoK1UZLrvSk= -Yy/Wl7rK8e0jJRfsm3Yit8JeFEiwzGJrMyhnGeNRzoo= -OALkJFFveO6sMpqumx9gpBLb4dWwldesncDc3ePB9fs= -8DdiFAXg81ZQfiOfrdZHhC07UIV8PP+ECFkXT3L2/Rg= -OTuLFcq8OIb7LkFkldY8i63Y3K+HVSB2yKCpY3wk3kc= -d+rEdkU8tzIlf/FmpevRZWyx9nO2jijfQXdBM5efoqQ= -X/rEPg3cW0rytpb2vE236R3zFLuP4NBxOgsaetKmj6w= -FHxEf+64YgK1AzFPyvADa+qu9DfDm1azWOxEap0gOH8= -Qs/dpvZguOW0wcQRllpFGTElWeMmL422nS2uF7JrO6M= -e0ZNw4T9saUlwswnntDHz60kvs9yxGp9cJPRV8IXYH4= -rgO5rRcQaih4WDCx3NY2eXxMZNgcuNFhWV26+DQz5kw= -rkGVTarL/T5bn9cHj3tvquYbVZ7Oee+O2FitjAIqejw= -Fmz4lA9HJR1VUo7Z5Z4melkqToo43T1on43LpknpS3M= -0Dnu/3EIjMDxagWo/zxhYQ4UHR6FCsfhH3cT7uiMuVE= -gxB49+Ifpx/iT5HXGOSlcynv5vSHGxJhFdXSc7+tn3Y= -YmQD4Ho5PnB8iKRwRQSRcEsSK2TRGDI5F91NQfwGPDg= -V0k5vjI5lVaapElYqzCJ9jmpyG45ezg+9g6ZRGSbQwo= -8O5ZFO2UxyUtBYtOOYCK7m+o9izwl0+31tKp3xbjqH8= -2/EmjBPmRa31jRYmxDNr0/qFoaTRAyDDHqDn0KZgiJY= -zYmOTBarGJLzY6Rh4RAzPHTp3Us+Z+IjZMzAMOu1718= -5UEx8Tn8I8Kcm9MiLhrnEVYZTK3SgXIt3mEwOXl46GE= -EcYS0zK0wSJCUqb+L4o5bbr0A9+cy2IFbeOZWIBKuC8= -nHyngZxD4CplRlj7NmUL2KPyKpuFNe81fiu8i5IakOI= -v1SpOD9EZi517KIusOR/LCNeXRGKfoluyLZFkWy6aOk= -AaBwYTqusQLERGiiMVWeO2bRmC7GQ1iRkJqeazZkI9I= -prt/LZfwpe6H5EaWrtD6IQWjOw73Dc9ocygcbroIE84= -lu8zwkqLHxbPFw9DIh4X5ir/aQqLAU8kUpv+s49AoNo= -YOh1YzkH5QH7JqEK+9lzAhxTri9gGHFFhxYOg9UuGaI= -3YcG9HnxHbxsapDBI1j/oAo3MfC+0rG2UpBIMI3MEuM= -nk5sCNP756rPK3o/wrrD1swblHU/PJYVIj1qj2txcj4= -JTTsG9dMPBt2YaDnzCjxvfKoLM05Q+6q3Nj+2VBV6tE= -z2TrVpvtIKtWfKZcicZOoeeIxmBHoO8exeS9LlbKwnE= -rUcj6rVaV0U6X1W/W/dvygi1p/I5tCabOqm44Uk1MB0= -nM3gEf9hnDId/o1kkM2N4Thn0ZOpte5qb1rED2HXEcU= -gFp7gGAab/tKveY170dwXq4XYg3vnPr2FGK2LXxLiGo= -cWCg2EGxxcEgoIyS3iMmSD2Q2b/OGYS91v9KtrfSc8M= -qQ+X1rXHYS4CDLvPB0YgDJZ24YKMWoUL5ryIjDRfpLU= -nACcovl+osvygXNgDe9velTFZkWZuKtQDuGIWlbk8nA= 
-rJWg/X4L9eG+bwKgQvDwmmV6euEnLt7FBatrmmEWeCw= -ZAF9eLXwwExBlzXWpKbVLsHSARUkOw18dFB+JX/6SkA= -OGTWwQAfAMSqgdzbN14qC0348ooaqZ+h84t0vOgtWxg= -Yv3R3U29JpQAZqoDD82kUbK8IUP+zmWoqgP8C9MR8P0= -vL0E1K7ZYsnSWv4M+vhjjOFDFlKYjsUhcynnVZrDxnE= -z4mkHf7l9xdA3vYCc13b8d6+DLgW1zmA2aWDxYgc53g= -OoglMMA+phXl702tvXyGYJEvqT+vUIhxb7Rqjh/6khg= -HJJmkCoxw5QbUG1E0NTQbsnbdlXmX5VXZZ+rdospCxs= -fLiI73QNy/wMIL2kTywmGfbQ1FmPuTLQN9ryeAd3c6U= -WONo7k1hW4iOEcVSsss7Rp8wrEv0jYs3m1EAnAgmQ+w= -yXgWNowrekYIszRNvmhI2L0SEmDC952siskMrhfI5Xw= -O/HkFQPH8CPQ1Mr/vo5RJiwscxC8bZbozI0UOmAK7oA= -PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY= -jZz9mPUrHCxvTpztPR2ZWSfvsNVjj73wiDTQ9yyikRg= -s5YnQBRBzrQv9sf5g+DyqSMNGHdAPJ9AllyHV86/19Y= -ePE8SR4TAgaDfDqu2lXFby1dYN0NGXkQhD9G1freNek= -4qtqY+hkbg8jKCDtBH29RICWdFYhFJHJGvonr1qVVbk= -AFHJiSTyOb1Jq4yPaAL4uc9K1B6zJy8aNMDNbWHcs9Q= -j0FFvUjMm/ciklkj59LQnMy+mXOlODjKNvlWH3TownE= -LAlx85e6hzewM1hFVpBllJNqzhdTpaS+Xi8RtCukt1k= -UVh8hnv2bzXs5VSgjgpBwTuLvZtZ0mLSBKcDCaZyvuY= -VbDNLMrRjiWXfZBtrJ+ouGQ9eiWOezg38RV6E6wZ0Yc= -/T5EKAyNy+jPjPVVEeBmnIU3lF2h+nRowOpStobdW2g= -dNmS05ELz340uLXNKPkerrT0Hz2mOU14uMQ2ctQ/Tw8= -CrEV3p0Saj1OoQ3fCGPMnYlWdE63tMzat+V9agblhRg= -e4X20IWbJAozYzdKEYHgEgIQR9ztI1KoQfblW10HfqU= -QlIC1Lv9qbeZ0Peqkn2UT0LMpCN8L8GYdbkHXes1piE= -D3UQNcGOHTkunMVXxX6UpV0S+7CG8mpFKeJhNiW/0Tw= -yErgHs0gLa++7h8OZ5ZG3ozNZT14RnGKO19OEpMkKYo= -UrY9G9COg73HI9ex/pYs7BgG5/U/dvLHCFjKNSk6HcE= -4KZw9PEFfpF56dtF4zPON+PuMcNJnxxYSlh72aX1NkA= -oBmBHkNpykxiqqgKFUlhPmD2xc7Tg6+ded+Pjxk/Hf4= -Af1hSHk5SzrhSSUvwVaYZ0FZzlVQZp/5EokuGYNaHkw= -gyJm1rqMv8vyjgYUoB2fTDm45B98h9IHfbtsA4QMqcI= -5z8fGaRFmmBnpF6E21hdbB348SpznXM/WyiZZUbxh1o= -jAFyH2+p0h38KDZvUkNOqLRL+IQ/HEM7llv2WTNE6zY= -+Hiz3yE7CBe/8eXvTozXybV8gP/J+KcwnqRqr1QLrhg= -tA1oOJ/QQcVuKT+j1X19t5LdALYuvf8ZCw4mRAcsk0o= -Q9tljdTkAg+LXGvXEH4V4jNFmiJs0Nd++PcrKxzCmv4= -oK8UGM0U9rJBXsYxbH1Yi7JdQwo9bQJvV94g+WXqvdw= -weRTSNcUy0fbssC5uvm6HyfkIAR82nqLaTVkMATKq5c= -jmkw14oTnzgnFGpZRu+f46dzmbL9DOuwsu0I7hih11g= -2FLeXQmAht/ppvPXKNUmGGVYfEid5nV1PScjdKXW6fw= 
-6Mpy7LmIXCTqKd4OrJdwQnjSoeWbZmZtMn+wzGvdkS8= -SHR1jWVj4EM7HtzufMxdnCqtjroSvLBwRFS7Tvjq95k= -tc/msLKqhhoLNnwMBTlaU4rUk6nfARVEqO/EaH/bLMg= -uWj7/D7KKFqtw40jZ3JyQf99NzPxJ4+KT1DsyMDvHoA= -/x3SHxpdC0Us2WnPSqVTg1yr4Ck8bHsAnxRaogLALIs= -gGoqp37b08dtj9Bm37XMMxDzWbAQLOksD67BaqQ//wo= -M81TfgCducdYpWhDXAZwb58BE4BU4gud3JPgOXE4qms= -jZkhf/gtYOTfWb6KESFiXN/8TyLyHhJjod8G0twLVA4= -xrclJq9F1orhZnHp8cJFMECNk4+PBEfhEG4vKnDTrSE= -YPBm3Hik4ukpocjtEC7bcH3wMYH4L99Q1TpS2sNVxls= -dkoNhNVVLNWHLHNGTzfwIXXNpwWIECsTraKgGZ/EA+k= -Ko2+vTr9uXK8H3fP576FBoiM/tNe38VMuqY446WrPv8= -W9DA1XmAFWfzOI/mRO95CrMeLbIkbq9MiB5aV9mgpYI= -xbZ5EGlYFS+D+1iG3cQfB4UZPvZ8aXW+PlCfF/KbeoY= -kFjVBl+PPppjqv5c6Jp2RHCw3vnc87nsfQWH+riP66A= -1WAk8MXZI31+CyOFBn2O+I7dro7BmZafXKoszClp2YI= -rCiRmOxpliiAP4hD3WPHZOhWuCdM957bjtjpmXlpf5U= -x0eO33MQG6Eu7N3zSMd0f/94nvtAHMjcrfrglClUPlQ= -4P+T6QVsSO3ca2jpTzFcOiIp6c4krzNjTTTV7wMjMok= -Qf2VNoVpPOZ9DSPMkcoXkmHWuZSLIdO75fet++U5gt4= -3oPj/CRfawSJMeHIE06qypb6p7HvHROV86Ys4BSwUYI= -BmTx7u7RpzVXACAdL0Qx3EOwvOqxKajKv9Tth9BDQe8= -cbPtjO7MwGOM0gIrQm6SF2YnHeYjZ8fNhS7C8eERHnY= -zgJQ8qnxj2jV/5RKTGWfZpL3PgNpzswhX18lfjIlmHg= -t3h0inkrj5HwSwG6/DGjHtfvanEq/4C2YQ2are4get8= -iGWwLhQDkWdWEyLIwewud8R89763MdL+HLusv3LRdyw= -6Va4oVaHH3HUNMrHjr0j1Q79GrkHYc5DbnnQOu0TZkw= -wXOXph2a+dKiKczyYqsdMrSph6E0rlvZ3k/BVfAN0W4= -TzBNg2b/kJHt121TO+1Vko5zt6qtUuNbhudip38EaU4= -DzMgaSsXqRbOVPfk2nv+Ui+zGxrCHgiHdrN8B6NO4qg= -4MJ6zLmueGBbYeeCbAIdkczS92mljEvW2lRgC5njVDg= -FslKjMwVyYOCW1vT8txo1pTIoyDyMo7NjJylfeUdoOU= -AfiXESH0ED0wvkI1zX3A7ubGrhL8p3UISOoOLhP8JCg= -JbrMQKU5K4Kq3qBJA5BaRnEh8oIg5vL34P6YKq/BT6Y= -+5U8T8AEWEbQJJHI7M84e6NDR8F6uw6m1Z9t5NLx6gQ= -+1Tuqbzo6eqXghVPPUFCd/twn0m5R9c5eKwnhUbCzgM= -yKk01qjoRfemX1yPcf5E9Si4XjJldaDWeTnHTYDNF9g= -HJQqIqAWoeVVna537FzoZx+YrgukrC3CWUGOjh6flK0= -z3O1LQQbcwm0OdFiR0FLkMnSbkTjh0ijZQDVgptRh/k= -v17fvuuFmZxRacvz9NtjtnmtLh4icvw3lfn5kh5tBIc= -oBM75bFOAjEKLUvqtgEJTxGU7ovW/Snd/nuTR0Z8Luw= -ygBap14zWUvR3txYTh505RmOux3oiSntTz4un/zjhzs= -I6dHBNd6A8/T/xnmLFAISCFObGD9Kq733Oeo+e6fkjI= 
-O5Zo9Z9V+jg4/Co7gLf5tbE9Gkbx6qbgvP8ExUGYBWw= -WkBVNcESoKga8NKsyjw/m8Gmd1hs28Yzy09fd44aNVA= -kVPkQg3cfrTm6GSqA3fa30CC7NNQUhE2OOBdPClrwAY= -3QOOh+C00sNpaA0954Y4qzn8HX5QYymWkhEBdo241Ng= -TmPxQkAahPikc9bd7jQaFh+tqG00MMjCxTRTZBPZ25c= -cW824XTQWVrowV39agxJjpe2plWz8g/lSIyo+exgktY= -mk45jSqmA/7RCGPANi4TkNl+wS+gJ4/XgqqzzdV9wh0= -O7YMQ5NGQUpA4twtHW9WYiV40rHygyR2fBSQFaY/80o= -9dLSumgXp6mqDiE1S78Ob5XF4ofuiM8vJ58P/sTtrBU= -cBtDKsDN1NnPlbS4hMMr9cypDUTgFhq9E7k01o44BHI= -xMfENr2I6OaNsAKX34OsyBnhmGOboAUiyOMkWHaJhSM= -XN2AnPRPX4Zl6sFQVVBMWwa3h6wYKUUFvbq0p35Q13Y= -RgOPYyYijNtWYZxSJmYT2gTIykmeDQOw7c/8EQ1c/HA= -7cc0xQFQHceidEj6AsdJMfhXi/KXsXPzS4QegsZpGSY= -J9b9r4ApeEbf7/guf1i5pIrJ4+6ToRKxu+JD7hqXRHw= -yBksMve0nH8yocoAFZWn+eNsnnIFjW6qG6t3UqjBZxg= -vkCBOGmrJ6Bx0SrWqIMFg+vDthjj8jRjWfSxGhyUNO4= -HoZCeMIIgbZxwMbS4UthFQrR8Tz5LG7BS1UNy8R+FUE= -VMN6joU/0dY3jTeLk5MH7DIaMcwaWonnGAYzvBPxh2I= -nomO0D+kaWlpDa1zxylmdQRf+bWgEAo5m+uENamPUYU= -Sw0TktORVzUyB6ZMyxRoPd6dLO0ftYsW4Di+VwfCeBM= -eqRdb1sU2rHGhEwZwoBOFLWBHm7eHwKwrvBlp7NZxo8= -lMZj6epcJ+5PZBJ/m0JYY+mRqeFWwH3xoAgDrjF2QWI= -Logg3A6vrj1tKFwFfs4URws3dDiwAs7dTHK080OlT0M= -TnB4Z5RqwFNDxrqP8SHqZqdYA3kTJXqO5JdDUNOaEDQ= -wlxO28NuP7fD2Te+6fLSnjavsHz6MYgmLg1f3JGeDXc= -Xn/LnJe9pWmTsWWNEgIydh1mWjZEU0MA+mpb7F4NV5U= -ETE43XshZyWEAjji1+7ss3ONsTkGSyTLhT/CcKSeYFc= -vjPRxX693ZJ7V722BL5Fe1Uv5Wjn89y6CTw57Rwwojk= -g/yJGzUNng1+vm3Spr/j0LD0ZT/KBIYVpd7rvAOaP2Y= -VyZLgqhk26HBHvP4CruUysNmBmKwwi9XH/mTs/vPdvs= -dKvl5czrdUkf9yxM8yVAXYrb/jkOGJz0MLpg5ieYh44= -wv6s1nSHjHsMIyWi7O0KMz23eAqG3+w3WBAO/AEBxmU= -ndwuDVW0YeDHMigoLfVrK+8iTKI4VoHRe26MB3hSVzw= -MG6XOeNFj/RUaHe3BLLjkF5YsjXWTjL08CaskbcpXRU= -/ToPPdRIAJK21FBHPeuSAaCzCKiAeDOjxzj4oH64HtM= -Cqny59lccYt9HrfM29AWToYFeunWaSK8YPmQP5Sg8O8= -9XCaLS9otTv29kW7F4rflTRvif2lxjv94IBComSSqrI= -66NMexCWcWFMNn4d4HUSTDlUzhn4X6z2EJDsMZ9/Gn8= -Eo3tGorWDCS0JU4x25T8Q5K/k+1UNEcqpDoLmFYQYGg= -txawif5OU9Gi73ulesheaOxyLPYQUsJaWWJq07FcX0A= -al9MFnjKZeWfBg1Xzf9mUGUxSGHVOo59FFDKktlsoQI= -q8hnBsmNa/ZzcvkI7AGt9jGxkdczron4ND6wR7EIFEs= 
-QEfJ1pJgwHITvLhgin7F4oOKVrefZ4R4EurAd40NJ/E= -kl7n1aIq1/vpurVNfI0LmnT341qK9q9kXi6MNRmnCS8= -8GjeqhjMAtWovjXLgzgyeRApH25i5yFqk0dkoaukqAA= -sf466/ljp4gOdLCwVWaB6osczOPmmn07EKaKy+huSKE= -//4HdQP9cvDlM4sKe04hjn0f+C5JPn6FKuUaocdYXRc= -lcanR90Lx1WhlBgn6JS4CDWSJBt5JUHi6xsw+5sT9X8= -DTF2xY8yGqNMV8jffBfR9OdseX7BFsnx1pd0jtH859k= -DW5GeE87aU6cdQZ4ZBe8b4f50vc9GbXoCBYSshE3t2Y= -l4vPOcPDqs7+EEj6A2AoPcLr+lFQAkxeN4UU0+decpU= -LYGa85fiidxBcJxKr22jsZBHScN6mVhgdFgDcW19VpA= -oaBOTPxW/RkX60gfxGYpouRmVnVvoI4iSH9Utk4co+c= -Zj/elPiDah/r2DvoMQl5MS1l/4wbcWOU5o9B2COWwfg= -SDlfccwm9kJ0vQbH6xWR+dTsYrZPpsFlMfPLcsJGnYI= -+AhlYjZyW1ZvByHFGBWKZ1bJaQPLcetI3dqO3f6g8mw= -TngnF2hJQIjtH5uycSUxq10TjGxZtGZQ0oWzWFjmexM= -QqIfNyhYBPLnNgdctUh0Nozw4hEAiLPxOEEu7IhZCVQ= -RnFuv2oirqHfH5fmKl73CVEnzkVQtiQuumkHr8XEgs8= -iH1/Het/BxLIWvq/UMrfib8C6xPlUsv1LXtd8/IdsNo= -VbgN72B/iOMcWEBn0J1DNE2UEXuvZINlhHsc5bZ2d8k= -/DqYk44u07024NQfGFF2STIpBrLmszaQiRMlquzRlkQ= -UjV1BHNxu6iCY+WrXe2PawaVxdKhkqbdEUBsR2ujxy8= -KlCKX+YXPE6PASZpShpqcdkABFH6MdsDO4cFiQRB7MU= -/S8zJI85ZFZGh5gCNaXwvLOrVi5H9AT3QuUzQsU3UoA= -U4pFqvkAPU05iLv8+fhZsyXOX3ddwGASBQWFF/m8FeU= -50rUSw1W7r45uxhcUqub7+T3WJm2qBQW6RA9XCm/J/s= -53rALbbqoOmmtXOpmHDG3029uDOd2jvEB4b3DivX9/Y= -HpU+FRI6leRwRL+vBrGXT7mXa4T0Nx69d/itge/QXAA= -5Xu/UHn5gpO0FC80iXLmjjUeUrkDc/BfRvCcyzCvW/A= -vUQgxZKm9/JSromBJOAC8bnP4fJTiGTVazSntN+zH8g= -CE7KcKm0Dk4VY+NXdrcW5BCpcrsn7VHCSMSNMkL6ja8= -bsjTVRvQRUsMxLnbh2Nmrgh2TF/PFbAPlBG94w1TNq4= -qONS2wyOJ7rlg9AVFG6Led7gkdVjj1g6DEQvO/Vd7rM= -LRskT6zq+tlHVbXpmqv3rJHFmdpzv6Rh7uuvtLlptck= -6tyA999jBWDMGzU/aOpmAVnOlm4i1ARYh4B4fAR20OQ= -IuXm21yuQo7alq7QVk4rl3DsoswCUVjjep3e7eMfReU=
diff --git a/testssl.sh b/testssl.sh
index 6bd0294..f78de7b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8314,7 +8314,6 @@ certificate_info() {
 local certificate_list_ordering_problem="${12}"
 local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
 local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
- local badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
 local -i lineno_matched=0
 local cert_keyusage cert_ext_keyusage short_keyAlgo
 local outok=true
@@ -8986,10 +8985,8 @@ certificate_info() {
 /---END CERTIFICATE-----/{ inc=0 }" "$TEMPDIR/intermediatecerts.pem"
 for cert in $TEMPDIR/intermediatecert?.crt; do
- hash=$($OPENSSL x509 -in "$cert" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
- grep -q "$hash" "$badocspcerts"
- badocsp=$?
- [[ $badocsp -eq 0 ]] && break
+ cert_ext_keyusage="$($OPENSSL x509 -in "$cert" -text -noout 2>/dev/null | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')"
+ [[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
 done
 if [[ $badocsp -eq 0 ]]; then
 prln_svrty_medium "NOT ok"

From 17ee0245b5f4eb34ef13759773ce741e3a00a9ce Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Wed, 15 Jul 2020 11:53:49 -0400
Subject: [PATCH 2/3] Speed up intermediate certificate extraction

This commit speeds up extraction of intermediate certificates by using Bash commands rather than awk.
---
 testssl.sh | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index f78de7b..2ac1f95 100755
--- a/testssl.sh
+++ b/testssl.sh
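Review bot: `badocsp` is now assigned only when an intermediate matches, whereas the removed lines set it from grep's exit status on every iteration, so the `if [[ $badocsp -eq 0 ]]` branch that follows depends on `badocsp` being initialised to a non-zero value before the loop, outside this hunk (certificate_info itself also starts and ends outside it). An intermediate that `$OPENSSL x509 -text` cannot parse produces an empty `cert_ext_keyusage` (stderr is discarded) and silently passes the check, which is the wrong default for a scanner; checking the pipeline status or warning on empty output would surface that. The `awk` also assumes the key purposes sit on the single line after `X509v3 Extended Key Usage:`, which is how openssl prints that extension, so a comment stating the assumption would help the next reader. A short comment naming the condition being detected would also help, e.g. `# Flag intermediate CA certificates whose Extended Key Usage asserts OCSP Signing (replaces the fixed list from #1680).`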
@@ -8303,15 +8303,16 @@ certificate_info() {
 local -i certificate_number=$1
 local -i number_of_certificates=$2
 local cert_txt="$3"
- local cipher=$4
- local cert_keysize=$5
- local cert_type="$6"
- local ocsp_response_binary="$7"
- local ocsp_response=$8
- local ocsp_response_status=$9
- local sni_used="${10}"
- local ct="${11}"
- local certificate_list_ordering_problem="${12}"
+ local intermediate_certs="$4"
+ local cipher=$5
+ local cert_keysize=$6
+ local cert_type="$7"
+ local ocsp_response_binary="$8"
+ local ocsp_response=$9
+ local ocsp_response_status=${10}
+ local sni_used="${11}"
+ local ct="${12}"
+ local certificate_list_ordering_problem="${13}"
 local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
 local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
 local -i lineno_matched=0
@@ -8320,7 +8321,7 @@ certificate_info() {
 local expire days2expire secs2warn ocsp_uri crl
 local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 local issuer_DC issuerfinding cn_nosni=""
- local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
+ local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial intermediates cert
 local policy_oid
 local spaces=""
 local -i trust_sni=0 trust_nosni=0 diffseconds=0
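Review bot: Inserting `intermediate_certs` as `$4` renumbers every later positional parameter, so each caller of certificate_info must pass the new argument or the remaining arguments shift by one without any error (`cipher` would receive the intermediate PEM text, and so on down the list); the run_server_defaults hunk in this patch updates one caller, and I cannot see from here whether others exist. A comment above the `local` lines listing the argument order, or a check that `$#` matches the expected count, would make that contract visible at the definition. `local ocsp_response_status=${10}` drops the quotes that the neighbouring `local sni_used="${11}"` keeps; harmless in an assignment, but `local ocsp_response_status="${10}"` matches the surrounding style. certificate_info continues well past this hunk.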
@@ -8979,13 +8980,14 @@ certificate_info() {
 #FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
 # cert to blame.
- awk -v n=-1 "{start=1}
- /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
- inc { print > (\"$TEMPDIR/intermediatecert\" n \".crt\") }
- /---END CERTIFICATE-----/{ inc=0 }" "$TEMPDIR/intermediatecerts.pem"
-
- for cert in $TEMPDIR/intermediatecert?.crt; do
- cert_ext_keyusage="$($OPENSSL x509 -in "$cert" -text -noout 2>/dev/null | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')"
+ intermediates="$intermediate_certs"
+ while true; do
+ [[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break
+ intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}"
+ cert="${intermediates%%-----END CERTIFICATE-----*}"
+ intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
+ cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
+ cert_ext_keyusage="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert" | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')"
 [[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
 done
 if [[ $badocsp -eq 0 ]]; then
@@ -9712,7 +9714,7 @@ run_server_defaults() {
 echo "${previous_hostcert[i]}" > $HOSTCERT
 echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
 echo "${previous_hostcert_issuer[i]}" > $TEMPDIR/hostcert_issuer.pem
- certificate_info "$i" "$certs_found" "${previous_hostcert_txt[i]}" \
+ certificate_info "$i" "$certs_found" "${previous_hostcert_txt[i]}" "${previous_intermediates[i]}" \
 "${tested_cipher[i]}" "${keysize[i]}" "${previous_hostcert_type[i]}" \
 "${ocsp_response_binary[i]}" "${ocsp_response[i]}" \
 "${ocsp_response_status[i]}" "${sni_used[i]}" "${ct[i]}" \

From bd856e2adaf31f7063173052368b3123a1688290 Mon Sep 17 00:00:00 2001
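Review bot: In the new parsing loop, `intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"` uses the unquoted `${cert}` as a glob pattern; PEM base64 carries no glob metacharacters so it works today, but `intermediates="${intermediates#*-----END CERTIFICATE-----}"` strips the same prefix without depending on the content of `cert`. The loop guard `[[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]]` relies on bash treating every backslash-escaped character as a literal, which is easy to misread as a regex escape; the plain pattern `[[ "$intermediates" == *"-----BEGIN CERTIFICATE-----"* ]] || break` says the same thing without a regex. A one-line comment such as `# Split the PEM bundle into individual certificates; anything outside BEGIN/END markers is dropped` would explain why the loop consumes `intermediates` as it goes. certificate_info starts and ends outside this hunk.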
From: David Cooper
Date: Thu, 16 Jul 2020 07:57:27 -0400
Subject: [PATCH 3/3] Save intermediate certificates for more use

As there as suggestions to check intermediate certificates for things such as expiration date, this commit saves the text versions of each of the intermediate certificates so that they are available to extract additional information.
---
 testssl.sh | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 2ac1f95..beb479d 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8303,7 +8303,7 @@ certificate_info() {
 local -i certificate_number=$1
 local -i number_of_certificates=$2
 local cert_txt="$3"
- local intermediate_certs="$4"
+ local intermediates="$4"
 local cipher=$5
 local cert_keysize=$6
 local cert_type="$7"
@@ -8321,13 +8321,14 @@ certificate_info() {
 local expire days2expire secs2warn ocsp_uri crl
 local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 local issuer_DC issuerfinding cn_nosni=""
- local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial intermediates cert
+ local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
+ local -a intermediate_certs=()
 local policy_oid
 local spaces=""
 local -i trust_sni=0 trust_nosni=0 diffseconds=0
 local has_dns_sans has_dns_sans_nosni
 local trust_sni_finding
- local -i certificates_provided
+ local -i i certificates_provided=0
 local cnfinding trustfinding trustfinding_nosni
 local cnok="OK"
 local expfinding expok="OK"
@@ -8980,14 +8981,20 @@ certificate_info() {
 #FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
 # cert to blame.
- intermediates="$intermediate_certs"
+ # Store all of the intermediate certificates in an array so that they can
+ # be used later (e.g., to check their expiration dates).
 while true; do
 [[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break
 intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}"
 cert="${intermediates%%-----END CERTIFICATE-----*}"
 intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
 cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
- cert_ext_keyusage="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert" | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')"
+ intermediate_certs[certificates_provided]="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")"
+ certificates_provided+=1
+ done
+ certificates_provided+=1
+ for (( i=0; i < certificates_provided-1; i++ )); do
+ cert_ext_keyusage="$(awk '/X509v3 Extended Key Usage:/ { getline; print $0 }' <<< "${intermediate_certs[i]}")"
 [[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
 done
 if [[ $badocsp -eq 0 ]]; then
@@ -9121,7 +9128,6 @@ certificate_info() {
 fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding"
 fi
- certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
 fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
 if "$certificate_list_ordering_problem"; then
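Review bot: The counting around the two new loops is hard to follow: `certificates_provided` is incremented once per intermediate, then once more for the server certificate, and the `for` immediately subtracts that one again in `i < certificates_provided-1`. Appending with `intermediate_certs+=("$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")")`, iterating with `for (( i=0; i < ${#intermediate_certs[@]}; i++ )); do` and setting `certificates_provided=$(( ${#intermediate_certs[@]} + 1 ))` once after the first loop expresses the same thing without the plus-and-minus-one bookkeeping. An intermediate that `$OPENSSL x509` cannot parse (stderr is discarded) is stored as an empty string and passes the OCSP Signing check silently, and any later check built on `intermediate_certs` would inherit that gap; a `[[ -n "${intermediate_certs[i]}" ]]` guard that warns would surface it. Note also that the first loop consumes the `intermediates` parameter itself, so nothing later in certificate_info can read the raw PEM chain from it; the function starts and ends outside this hunk.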