Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 05:45:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1079 from dcooper16/bad_certificate_list

Browse Source 
Handle incorrectly populated certificate_list
This commit is contained in:
Dirk Wetter
2018-07-05 09:54:58 +02:00
committed by GitHub
parent 488cb03c60 72ef69aeae
commit 09182cb196
1 changed files with 23 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
testssl.sh
View File

@@ -6555,7 +6555,8 @@ determine_tls_extensions() {
extract_certificates() { extract_certificates() {
local version="$1" local version="$1"
local savedir local savedir
local -i success nrsaved=0 local -i i success nrsaved=0
local issuerDN CAsubjectDN
# Place the server's certificate in $HOSTCERT and any intermediate # Place the server's certificate in $HOSTCERT and any intermediate
# certificates that were provided in $TEMPDIR/intermediatecerts.pem # certificates that were provided in $TEMPDIR/intermediatecerts.pem
@@ -6582,7 +6583,26 @@ extract_certificates() {
echo "" > $TEMPDIR/intermediatecerts.pem echo "" > $TEMPDIR/intermediatecerts.pem
else else
cat level?.crt > $TEMPDIR/intermediatecerts.pem cat level?.crt > $TEMPDIR/intermediatecerts.pem
cp level1.crt $TEMPDIR/hostcert_issuer.pem issuerDN="$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>/dev/null)"
issuerDN="${issuerDN:8}"
# The second certficate (level1.crt) SHOULD be issued to the CA
# that issued the server's certificate. But, according to RFC 8446
# clients SHOULD be prepared to handle cases in which the server
# does not order the certificates correctly.
for (( i=1; i < nrsaved; i++ )); do
CAsubjectDN="$($OPENSSL x509 -in "level$i.crt" -noout -subject 2>/dev/null)"
if [[ "${CAsubjectDN:9}" == "$issuerDN" ]]; then
cp "level$i.crt" $TEMPDIR/hostcert_issuer.pem
break
fi
done
# This should never happen, but if more than one certificate was
# provided and none of them belong to the CA that issued the
# server's certificate, then the extra certificates should just
# be deleted. There is code elsewhere that assumes that if
# $TEMPDIR/intermediatecerts.pem is non-empty, then
# $TEMPDIR/hostcert_issuer.pem is also present.
[[ $i -eq $nrsaved ]] && echo "" > $TEMPDIR/intermediatecerts.pem
rm level?.crt rm level?.crt
fi fi
fi fi
@@ -11097,7 +11117,7 @@ parse_tls_serverhello() {
echo " i:${CAissuerDN:8}" >> $TMPFILE echo " i:${CAissuerDN:8}" >> $TMPFILE
echo "$pem_certificate" >> $TMPFILE echo "$pem_certificate" >> $TMPFILE
echo "$pem_certificate" >> "$TEMPDIR/intermediatecerts.pem" echo "$pem_certificate" >> "$TEMPDIR/intermediatecerts.pem"
if [[ -z "$hostcert_issuer" ]]; then if [[ -z "$hostcert_issuer" ]] && [[ "${CAsubjectDN:9}" == "${issuerDN:8}" ]]; then
# The issuer's certificate is needed if there is a stapled OCSP response, # The issuer's certificate is needed if there is a stapled OCSP response,
# and it may be needed if check_revocation_ocsp() will later be called # and it may be needed if check_revocation_ocsp() will later be called
# with the OCSP URI in the server's certificate. # with the OCSP URI in the server's certificate.