Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Detect multiple certificates cleanup

Browse Source 
This corrects the indentation within determine_trust() when there are multiple certificates and the output for "Chain of trust (experim.)" takes up more than one lines.

In addition, it fixes the ID field of the JSON output for entries related to the certificate. At the moment, each ID string begins with a blank space. This changes it to remove the space if there is one certificate and to add "Server Certificate #X" at the beginning of each ID if there is more than one certificate.

Perhaps there's a better way than just using, for example, "Server Certificate #1 key_size" as a way to distinguish multiple "key_size" entries in the JSON file. This is just one idea, and it can certainly be changed if those who intend to use the JSON output prefer something else.
This commit is contained in:
David Cooper 2016-02-09 13:35:46 -05:00
parent 70cd658447
commit 02239be295
1 changed files with 56 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
testssl.sh
View File

@ -2658,7 +2658,7 @@ verify_retcode_helper() {
} }
determine_trust() { determine_trust() {
local heading=$1 local json_prefix=$1
local -i i=1 local -i i=1
local -i num_ca_bundles=0 local -i num_ca_bundles=0
local bundle_fname local bundle_fname
@ -2669,16 +2669,20 @@ determine_trust() {
local some_ok=false local some_ok=false
local code local code
local ca_bundles="$INSTALL_DIR/etc/*.pem" local ca_bundles="$INSTALL_DIR/etc/*.pem"
local spaces=" " local spaces=" "
local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem) local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
local addtl_warning local addtl_warning
# If $json_prefix is not empty, then there is more than one certificate
# and the output should should be indented by two more spaces.
[[ -n $json_prefix ]] && spaces=" "
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)" addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust" fileout "${json_prefix}trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)" addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
fileout "$heading trust_warn" "WARN" "$addtl_warning" fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
fi fi
debugme outln debugme outln
for bundle_fname in $ca_bundles; do for bundle_fname in $ca_bundles; do
@ -2715,7 +2719,7 @@ determine_trust() {
if $all_ok; then if $all_ok; then
# all stores ok # all stores ok
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning" pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning" fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
else else
# at least one failed # at least one failed
pr_red "NOT ok" pr_red "NOT ok"
@ -2723,7 +2727,7 @@ determine_trust() {
# all failed (we assume with the same issue), we're displaying the reason # all failed (we assume with the same issue), we're displaying the reason
out " " out " "
verify_retcode_helper "${verify_retcode[2]}" verify_retcode_helper "${verify_retcode[2]}"
fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning" fileout "${json_prefix}trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
else else
# is one ok and the others not ==> display the culprit store # is one ok and the others not ==> display the culprit store
if $some_ok ; then if $some_ok ; then
@ -2746,7 +2750,7 @@ determine_trust() {
[[ "$DEBUG" -eq 0 ]] && out "$spaces" [[ "$DEBUG" -eq 0 ]] && out "$spaces"
pr_litegreen "OK: $ok_was" pr_litegreen "OK: $ok_was"
fi fi
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
fi fi
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning" [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning"
fi fi
@ -2895,6 +2899,7 @@ certificate_info() {
local cnfinding local cnfinding
local cnok="OK" local cnok="OK"
local expfinding expok="OK" local expfinding expok="OK"
local json_prefix="" # string to place at begging of JSON IDs when there is more than one certificate
local indent="" local indent=""
if [[ $number_of_certificates -gt 1 ]]; then if [[ $number_of_certificates -gt 1 ]]; then
@ -2902,6 +2907,7 @@ certificate_info() {
indent=" " indent=" "
out "$indent" out "$indent"
pr_headlineln "Server Certificate #$certificate_number" pr_headlineln "Server Certificate #$certificate_number"
json_prefix="Server Certificate #$certificate_number "
spaces=" " spaces=" "
else else
spaces=" " spaces=" "
@ -2914,33 +2920,33 @@ certificate_info() {
case $sig_algo in case $sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_brownln "SHA1 with RSA" pr_brownln "SHA1 with RSA"
fileout "$heading algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)" fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
;; ;;
sha256WithRSAEncryption) sha256WithRSAEncryption)
pr_litegreenln "SHA256 with RSA" pr_litegreenln "SHA256 with RSA"
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
;; ;;
sha384WithRSAEncryption) sha384WithRSAEncryption)
pr_litegreenln "SHA384 with RSA" pr_litegreenln "SHA384 with RSA"
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
;; ;;
sha512WithRSAEncryption) sha512WithRSAEncryption)
pr_litegreenln "SHA512 with RSA" pr_litegreenln "SHA512 with RSA"
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
;; ;;
ecdsa-with-SHA256) ecdsa-with-SHA256)
pr_litegreenln "ECDSA with SHA256" pr_litegreenln "ECDSA with SHA256"
fileout "$heading algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
;; ;;
md5*) md5*)
pr_redln "MD5" pr_redln "MD5"
fileout "$heading algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)" fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
;; ;;
*) *)
out "$sig_algo (" out "$sig_algo ("
pr_litemagenta "Unknown" pr_litemagenta "Unknown"
outln ")" outln ")"
fileout "$heading algorithm" "INFO" "Signature Algorithm: $sign_algo" fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: $sign_algo"
;; ;;
esac esac
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
@ -2948,7 +2954,7 @@ certificate_info() {
out "$indent"; pr_bold " Server key size " out "$indent"; pr_bold " Server key size "
if [[ -z "$keysize" ]]; then if [[ -z "$keysize" ]]; then
outln "(couldn't determine)" outln "(couldn't determine)"
fileout "$heading key_size" "WARN" "Server keys size cannot be determined" fileout "${json_prefix}key_size" "WARN" "Server keys size cannot be determined"
else else
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/ # https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf # http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
@ -2957,53 +2963,53 @@ certificate_info() {
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
if [[ "$keysize" -le 110 ]]; then # a guess if [[ "$keysize" -le 110 ]]; then # a guess
pr_red "$keysize" pr_red "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 123 ]]; then # a guess elif [[ "$keysize" -le 123 ]]; then # a guess
pr_litered "$keysize" pr_litered "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 163 ]]; then elif [[ "$keysize" -le 163 ]]; then
pr_brown "$keysize" pr_brown "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 224 ]]; then elif [[ "$keysize" -le 224 ]]; then
out "$keysize" out "$keysize"
fileout "$heading key_size" "INFO" "Server keys $keysize EC bits" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
elif [[ "$keysize" -le 533 ]]; then elif [[ "$keysize" -le 533 ]]; then
pr_litegreen "$keysize" pr_litegreen "$keysize"
fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)" fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
else else
out "keysize: $keysize (not expected, FIXME)" out "keysize: $keysize (not expected, FIXME)"
fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)" fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (not expected)"
fi fi
outln " bit" outln " bit"
elif [[ $sig_algo = *RSA* ]]; then elif [[ $sig_algo = *RSA* ]]; then
if [[ "$keysize" -le 512 ]]; then if [[ "$keysize" -le 512 ]]; then
pr_red "$keysize" pr_red "$keysize"
outln " bits" outln " bits"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 768 ]]; then elif [[ "$keysize" -le 768 ]]; then
pr_litered "$keysize" pr_litered "$keysize"
outln " bits" outln " bits"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 1024 ]]; then elif [[ "$keysize" -le 1024 ]]; then
pr_brown "$keysize" pr_brown "$keysize"
outln " bits" outln " bits"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 2048 ]]; then elif [[ "$keysize" -le 2048 ]]; then
outln "$keysize bits" outln "$keysize bits"
fileout "$heading key_size" "INFO" "Server keys $keysize bits" fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
elif [[ "$keysize" -le 4096 ]]; then elif [[ "$keysize" -le 4096 ]]; then
pr_litegreen "$keysize" pr_litegreen "$keysize"
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)" fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
outln " bits" outln " bits"
else else
pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)" pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)" fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (Odd)"
fi fi
else else
out "$keysize bits (" out "$keysize bits ("
pr_litemagenta "can't tell whether $keysize bits is good or not" pr_litemagenta "can't tell whether $keysize bits is good or not"
outln ")" outln ")"
fileout "$heading key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)" fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
fi fi
fi fi
@ -3013,7 +3019,7 @@ certificate_info() {
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )" cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial" outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
outln "$spaces$cert_fingerprint_sha2" outln "$spaces$cert_fingerprint_sha2"
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2" fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
out "$indent"; pr_bold " Common Name (CN) " out "$indent"; pr_bold " Common Name (CN) "
cnfinding="Common Name (CN) : " cnfinding="Common Name (CN) : "
@ -3084,7 +3090,7 @@ certificate_info() {
cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")" cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
fi fi
fi fi
fileout "$heading cn" "$cnok" "$cnfinding" fileout "${json_prefix}cn" "$cnok" "$cnfinding"
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g') sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
@ -3095,10 +3101,10 @@ certificate_info() {
pr_dquoted "$san" pr_dquoted "$san"
out " " out " "
done done
fileout "$heading san" "INFO" "subjectAltName (SAN) : $sans" fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans"
else else
out "-- " out "-- "
fileout "$heading san" "INFO" "subjectAltName (SAN) : --" fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : --"
fi fi
outln outln
out "$indent"; pr_bold " Issuer " out "$indent"; pr_bold " Issuer "
@ -3110,7 +3116,7 @@ certificate_info() {
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
pr_redln "self-signed (NOT ok)" pr_redln "self-signed (NOT ok)"
fileout "$heading issuer" "NOT OK" "Issuer: selfsigned (NOT ok)" fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
else else
pr_dquoted "$issuer_CN" pr_dquoted "$issuer_CN"
out " (" out " ("
@ -3118,9 +3124,9 @@ certificate_info() {
if [[ -n "$issuer_C" ]]; then if [[ -n "$issuer_C" ]]; then
out " from " out " from "
pr_dquoted "$issuer_C" pr_dquoted "$issuer_C"
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")" fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
else else
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )" fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
fi fi
outln ")" outln ")"
fi fi
@ -3137,10 +3143,10 @@ certificate_info() {
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \ [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
out "yes " out "yes "
fileout "$heading ev" "OK" "Extended Validation (EV) (experimental) : yes" fileout "${json_prefix}ev" "OK" "Extended Validation (EV) (experimental) : yes"
else else
out "no " out "no "
fileout "$heading ev" "INFO" "Extended Validation (EV) (experimental) : no" fileout "${json_prefix}ev" "INFO" "Extended Validation (EV) (experimental) : no"
fi fi
debugme echo "($(newline_to_spaces "$policy_oid"))" debugme echo "($(newline_to_spaces "$policy_oid"))"
outln outln
@ -3188,60 +3194,60 @@ certificate_info() {
fi fi
fi fi
outln " ($startdate --> $enddate)" outln " ($startdate --> $enddate)"
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)" fileout "${json_prefix}expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem) certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided" out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided" fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided"
out "$indent"; pr_bold " Chain of trust"; out " (experim.) " out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
determine_trust "$heading" # Also handles fileout determine_trust "$json_prefix" # Also handles fileout
out "$indent"; pr_bold " Certificate Revocation List " out "$indent"; pr_bold " Certificate Revocation List "
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
if [[ -z "$crl" ]]; then if [[ -z "$crl" ]]; then
pr_literedln "--" pr_literedln "--"
fileout "$heading crl" "NOT OK" "No CRL provided (NOT ok)" fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)"
elif grep -q http <<< "$crl"; then elif grep -q http <<< "$crl"; then
if [[ $(count_lines "$crl") -eq 1 ]]; then if [[ $(count_lines "$crl") -eq 1 ]]; then
outln "$crl" outln "$crl"
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl" fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
else # more than one CRL else # more than one CRL
out_row_aligned "$crl" "$spaces" out_row_aligned "$crl" "$spaces"
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl" fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
fi fi
else else
pr_litemagentaln "no parsable output \"$crl\", pls report" pr_litemagentaln "no parsable output \"$crl\", pls report"
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report" fileout "${json_prefix}crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
fi fi
out "$indent"; pr_bold " OCSP URI " out "$indent"; pr_bold " OCSP URI "
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
if [[ -z "$ocsp_uri" ]]; then if [[ -z "$ocsp_uri" ]]; then
pr_literedln "--" pr_literedln "--"
fileout "$heading ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)" fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
else else
outln "$ocsp_uri" outln "$ocsp_uri"
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri" fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
fi fi
out "$indent"; pr_bold " OCSP stapling " out "$indent"; pr_bold " OCSP stapling "
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
pr_yellow "--" pr_yellow "--"
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered" fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
else else
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
pr_litegreen "offered" pr_litegreen "offered"
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
else else
if $GOST_STATUS_PROBLEM; then if $GOST_STATUS_PROBLEM; then
outln "(GOST servers make problems here, sorry)" outln "(GOST servers make problems here, sorry)"
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
ret=0 ret=0
else else
out "(response status unknown)" out "(response status unknown)"
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response"" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response" debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
ret=2 ret=2
fi fi