	Changing JSON objects in server defaults ATTENTION: breaking change!!
The server default run had several JSON objects which, looking at just
    the ID, either weren't clear or contained a redundant explanation in "finding". Purely
    certificate related JSON objects now have the id "cert_<object>", like
    cert_CN or cert_SAN.
    This commit changes all this; it also avoids another colon in finding (see #830).
    Also the implicit strategy "output for the screen is followed by only one output with
    fileout" has been relaxed -- which results in more, better parsable JSON objects.
    Some example of the changes:
    Old:
    ----
    {
        "id"           : "Server Certificate #1 fingerprint",
        "severity"     : "INFO",
        "finding"      : "Fingerprints / Serial: SHA1 2940BC13ECF7DAF30B9084CC734C3B971D73B3BB / 01BFD1DC15006E0ABBA7C670FF5E1101, SHA256 30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6
    EFA9919C7F49CCF"
    }
    [..]
    {
        "id"           : "Server Certificate #2 ocsp_stapling",
        "severity"     : "OK",
        "finding"      : "OCSP stapling : offered"
    }
    New:
    ----
    {
        "id"           : "cert_key_size <cert#1>",
        "severity"     : "INFO",
        "finding"      : "Server keys 2048 bits"
    },{
        "id"           : "cert_fingerprint_SHA1 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "2940BC13ECF7DAF30B9084CC734C3B971D73B3BB"
    },{
        "id"           : "cert_fingerprint_SHA256 <cert#1>",
        "severity"     : "INFO",
        "finding"      : "30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6EFA9919C7F49CCF"
    },{
        "id"           : "cert_serial <cert#1>",
        "severity"     : "INFO",
        "finding"      : "01BFD1DC15006E0ABBA7C670FF5E1101"
    }
    [..]
    {
            "id"           : "OCSP_stapling <cert#2>",
            "severity"     : "OK",
            "finding"      : "offered"
    }
    This PR also fixes the JSON output where for "OCSP must staple" the id was just
    'id"           : "OCSP must staple: ocsp_must_staple",' for multiple server
    certificates without the certificate number.
    As far as the code is concerned: $json_prefix should be a variable which is
    used for the id object.  If there was more then one certificates for a single
    host  detected, $json_postfix carries the certificate number.
    Unit tests need to be fixed -- if possible.
			
			
		
							
								
								
									
										256
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										256
									
								
								testssl.sh
									
									
									
									
									
								
							@@ -1462,31 +1462,32 @@ service_detection() {
 | 
				
			|||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out " Service detected:      $CORRECT_SPACES"
 | 
					     out " Service detected:      $CORRECT_SPACES"
 | 
				
			||||||
 | 
					     json_prefix="service"
 | 
				
			||||||
     case $SERVICE in
 | 
					     case $SERVICE in
 | 
				
			||||||
          HTTP)
 | 
					          HTTP)
 | 
				
			||||||
               out " $SERVICE"
 | 
					               out " $SERVICE"
 | 
				
			||||||
               fileout "service" "INFO" "Service detected: $SERVICE"
 | 
					               fileout "${json_prefix}" "INFO" "$SERVICE"
 | 
				
			||||||
               ret=0
 | 
					               ret=0
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          IMAP|POP|SMTP|NNTP|MongoDB)
 | 
					          IMAP|POP|SMTP|NNTP|MongoDB)
 | 
				
			||||||
               out " $SERVICE, thus skipping HTTP specific checks"
 | 
					               out " $SERVICE, thus skipping HTTP specific checks"
 | 
				
			||||||
               fileout "service" "INFO" "Service detected: $SERVICE, thus skipping HTTP specific checks"
 | 
					               fileout "${json_prefix}" "INFO" "$SERVICE, thus skipping HTTP specific checks"
 | 
				
			||||||
               ret=0
 | 
					               ret=0
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          *)   if "$CLIENT_AUTH"; then
 | 
					          *)   if "$CLIENT_AUTH"; then
 | 
				
			||||||
                    out " certificate-based authentication => skipping all HTTP checks"
 | 
					                    out " certificate-based authentication => skipping all HTTP checks"
 | 
				
			||||||
                    echo "certificate-based authentication => skipping all HTTP checks" >$TMPFILE
 | 
					                    echo "certificate-based authentication => skipping all HTTP checks" >$TMPFILE
 | 
				
			||||||
                    fileout "service" "INFO" "certificate-based authentication => skipping all HTTP checks"
 | 
					                    fileout "${json_prefix}" "INFO" "certificate-based authentication => skipping all HTTP checks"
 | 
				
			||||||
               else
 | 
					               else
 | 
				
			||||||
                    out " Couldn't determine what's running on port $PORT"
 | 
					                    out " Couldn't determine what's running on port $PORT"
 | 
				
			||||||
                    if "$ASSUME_HTTP"; then
 | 
					                    if "$ASSUME_HTTP"; then
 | 
				
			||||||
                         SERVICE=HTTP
 | 
					                         SERVICE=HTTP
 | 
				
			||||||
                         out " -- ASSUME_HTTP set though"
 | 
					                         out " -- ASSUME_HTTP set though"
 | 
				
			||||||
                         fileout "service" "DEBUG" "Couldn't determine service, --ASSUME_HTTP set"
 | 
					                         fileout "${json_prefix}" "DEBUG" "Couldn't determine service -- ASSUME_HTTP set"
 | 
				
			||||||
                         ret=0
 | 
					                         ret=0
 | 
				
			||||||
                    else
 | 
					                    else
 | 
				
			||||||
                         out ", assuming no HTTP service => skipping all HTTP checks"
 | 
					                         out ", assuming no HTTP service => skipping all HTTP checks"
 | 
				
			||||||
                         fileout "service" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
 | 
					                         fileout "${json_prefix}" "DEBUG" "Couldn't determine service, skipping all HTTP checks"
 | 
				
			||||||
                         ret=1
 | 
					                         ret=1
 | 
				
			||||||
                    fi
 | 
					                    fi
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
@@ -5715,7 +5716,8 @@ verify_retcode_helper() {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
# arg1: number of certificate if provided >1
 | 
					# arg1: number of certificate if provided >1
 | 
				
			||||||
determine_trust() {
 | 
					determine_trust() {
 | 
				
			||||||
     local json_prefix=$1
 | 
					     local json_prefix="$1"
 | 
				
			||||||
 | 
					     local json_postfix="$2"
 | 
				
			||||||
     local -i i=1
 | 
					     local -i i=1
 | 
				
			||||||
     local -i num_ca_bundles=0
 | 
					     local -i num_ca_bundles=0
 | 
				
			||||||
     local bundle_fname=""
 | 
					     local bundle_fname=""
 | 
				
			||||||
@@ -5730,16 +5732,17 @@ determine_trust() {
 | 
				
			|||||||
     local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 | 
					     local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 | 
				
			||||||
     local addtl_warning
 | 
					     local addtl_warning
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     # If $json_prefix is not empty, then there is more than one certificate
 | 
					     # If $json_postfix is not empty, then there is more than one certificate
 | 
				
			||||||
     # and the output should should be indented by two more spaces.
 | 
					     # and the output should should be indented by two more spaces.
 | 
				
			||||||
     [[ -n $json_prefix ]] && spaces="                                "
 | 
					     [[ -n $json_postfix ]] && spaces="                                "
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
 | 
					     case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
 | 
				
			||||||
          1.0.2|1.1.0|1.1.1|2.3.*|2.2.*|2.1.*)                # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
 | 
					          1.0.2|1.1.0|1.1.1|2.3.*|2.2.*|2.1.*)                # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
 | 
				
			||||||
              :
 | 
					              :
 | 
				
			||||||
          ;;
 | 
					          ;;
 | 
				
			||||||
          *)   addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)"
 | 
					          *)   addtl_warning="Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust"
 | 
				
			||||||
               fileout "${json_prefix}chain_of_trust_Problem" "WARN" "$addtl_warning"
 | 
					               fileout "${json_prefix}${json_postfix}" "WARN" "$addtl_warning"
 | 
				
			||||||
 | 
					               addtl_warning="(${addtl_warning})"
 | 
				
			||||||
          ;;
 | 
					          ;;
 | 
				
			||||||
     esac
 | 
					     esac
 | 
				
			||||||
     debugme tmln_out
 | 
					     debugme tmln_out
 | 
				
			||||||
@@ -5784,8 +5787,11 @@ determine_trust() {
 | 
				
			|||||||
     if "$all_ok"; then
 | 
					     if "$all_ok"; then
 | 
				
			||||||
          # all stores ok
 | 
					          # all stores ok
 | 
				
			||||||
          pr_done_good "Ok   "; pr_warning "$addtl_warning"
 | 
					          pr_done_good "Ok   "; pr_warning "$addtl_warning"
 | 
				
			||||||
          # we did to stdout the warning above already, so we could stay here with INFO:
 | 
					          # we did to stdout the warning above already, so we could stay here with OK:
 | 
				
			||||||
          fileout "${json_prefix}chain_of_trust" "OK" "All certificate trust checks passed. $addtl_warning"
 | 
					          [[ -z "$addtl_warning" ]] && \
 | 
				
			||||||
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "All certificate trust checks passed" || \
 | 
				
			||||||
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "All certificate trust checks passed. $addtl_warning"
 | 
				
			||||||
 | 
					          # The "." is otherwise confusing
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          # at least one failed
 | 
					          # at least one failed
 | 
				
			||||||
          pr_svrty_critical "NOT ok"
 | 
					          pr_svrty_critical "NOT ok"
 | 
				
			||||||
@@ -5798,7 +5804,7 @@ determine_trust() {
 | 
				
			|||||||
               else
 | 
					               else
 | 
				
			||||||
                    out "$code"
 | 
					                    out "$code"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
               fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning"
 | 
					               fileout "${json_prefix}${json_postfix}" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               # is one ok and the others not ==> display the culprit store
 | 
					               # is one ok and the others not ==> display the culprit store
 | 
				
			||||||
               if "$some_ok"; then
 | 
					               if "$some_ok"; then
 | 
				
			||||||
@@ -5826,7 +5832,7 @@ determine_trust() {
 | 
				
			|||||||
                    [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
 | 
					                    [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
 | 
				
			||||||
                    pr_done_good "OK: $ok_was"
 | 
					                    pr_done_good "OK: $ok_was"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
               fileout "${json_prefix}chain_of_trust" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was  NOT ok: $notok_was $addtl_warning"
 | 
					               fileout "${json_prefix}${json_postfix}" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was  NOT ok: $notok_was $addtl_warning"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning"
 | 
					          [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
@@ -5834,11 +5840,12 @@ determine_trust() {
 | 
				
			|||||||
     return 0
 | 
					     return 0
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# not handled: Root CA supplied (contains anchor)
 | 
					# not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
tls_time() {
 | 
					tls_time() {
 | 
				
			||||||
     local now difftime
 | 
					     local now difftime
 | 
				
			||||||
     local spaces="               "
 | 
					     local spaces="               "
 | 
				
			||||||
 | 
					     local json_prefix="TLS_time"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     pr_bold " TLS clock skew" ; out "$spaces"
 | 
					     pr_bold " TLS clock skew" ; out "$spaces"
 | 
				
			||||||
     TLS_DIFFTIME_SET=true                                       # this is a switch whether we want to measure the remote TLS_TIME
 | 
					     TLS_DIFFTIME_SET=true                                       # this is a switch whether we want to measure the remote TLS_TIME
 | 
				
			||||||
@@ -5852,17 +5859,17 @@ tls_time() {
 | 
				
			|||||||
          if [[ "${#difftime}" -gt 5 ]]; then
 | 
					          if [[ "${#difftime}" -gt 5 ]]; then
 | 
				
			||||||
               # openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
 | 
					               # openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
 | 
				
			||||||
               out "Random values, no fingerprinting possible "
 | 
					               out "Random values, no fingerprinting possible "
 | 
				
			||||||
               fileout "tls_time" "INFO" "Your TLS time seems to be filled with random values to prevent fingerprinting"
 | 
					               fileout "${json_prefix}" "INFO" "The server's TLS time seems to be filled with random values to prevent fingerprinting"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
 | 
					               [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
 | 
				
			||||||
               out "$difftime"; out " sec from localtime";
 | 
					               out "$difftime"; out " sec from localtime";
 | 
				
			||||||
               fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds"
 | 
					               fileout "${json_prefix}" "INFO" "The server's TLS time is skewed from your localtime by $difftime seconds"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          debugme tm_out "$TLS_TIME"
 | 
					          debugme tm_out "$TLS_TIME"
 | 
				
			||||||
          outln
 | 
					          outln
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          outln "SSLv3 through TLS 1.2 didn't return a timestamp"
 | 
					          outln "SSLv3 through TLS 1.2 didn't return a timestamp"
 | 
				
			||||||
          fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
 | 
					          fileout "${json_prefix}" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     TLS_DIFFTIME_SET=false                                      # reset the switch to save calls to date and friend in tls_sockets()
 | 
					     TLS_DIFFTIME_SET=false                                      # reset the switch to save calls to date and friend in tls_sockets()
 | 
				
			||||||
     return 0
 | 
					     return 0
 | 
				
			||||||
@@ -6230,7 +6237,8 @@ compare_server_name_to_cert()
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
must_staple() {
 | 
					must_staple() {
 | 
				
			||||||
     local json_prefix="OCSP must staple: "
 | 
					     local json_prefix="OCSP_must_staple"
 | 
				
			||||||
 | 
					     local json_postfix="$1"
 | 
				
			||||||
     local provides_stapling="$2"
 | 
					     local provides_stapling="$2"
 | 
				
			||||||
     local cert extn
 | 
					     local cert extn
 | 
				
			||||||
     local -i extn_len
 | 
					     local -i extn_len
 | 
				
			||||||
@@ -6266,14 +6274,14 @@ must_staple() {
 | 
				
			|||||||
     if "$supported"; then
 | 
					     if "$supported"; then
 | 
				
			||||||
          if "$provides_stapling"; then
 | 
					          if "$provides_stapling"; then
 | 
				
			||||||
               prln_done_good "supported"
 | 
					               prln_done_good "supported"
 | 
				
			||||||
               fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "supported"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               prln_svrty_high "requires OCSP stapling (NOT ok)"
 | 
					               prln_svrty_high "requires OCSP stapling (NOT ok)"
 | 
				
			||||||
               fileout "${json_prefix}" "HIGH" "must staple extension detected but no OCSP stapling provided"
 | 
					               fileout "${json_prefix}${json_postfix}" "HIGH" "must staple extension detected but no OCSP stapling provided"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          outln "no"
 | 
					          outln "no"
 | 
				
			||||||
          fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "no"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -6354,7 +6362,7 @@ certificate_info() {
 | 
				
			|||||||
     local expire days2expire secs2warn ocsp_uri crl
 | 
					     local expire days2expire secs2warn ocsp_uri crl
 | 
				
			||||||
     local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 | 
					     local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 | 
				
			||||||
     local issuer_DC issuerfinding cn_nosni=""
 | 
					     local issuer_DC issuerfinding cn_nosni=""
 | 
				
			||||||
     local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
 | 
					     local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
 | 
				
			||||||
     local policy_oid
 | 
					     local policy_oid
 | 
				
			||||||
     local spaces=""
 | 
					     local spaces=""
 | 
				
			||||||
     local -i trust_sni=0 trust_nosni=0
 | 
					     local -i trust_sni=0 trust_nosni=0
 | 
				
			||||||
@@ -6364,7 +6372,8 @@ certificate_info() {
 | 
				
			|||||||
     local cnfinding trustfinding trustfinding_nosni
 | 
					     local cnfinding trustfinding trustfinding_nosni
 | 
				
			||||||
     local cnok="OK"
 | 
					     local cnok="OK"
 | 
				
			||||||
     local expfinding expok="OK"
 | 
					     local expfinding expok="OK"
 | 
				
			||||||
     local json_prefix=""     # string to place at beginng of JSON IDs when there is more than one certificate
 | 
					     local json_postfix=""                        # string to place at the end of JSON IDs when there is more than one certificate
 | 
				
			||||||
 | 
					     local json_prefix=""                         # string to place at beginning of JSON IDs
 | 
				
			||||||
     local indent=""
 | 
					     local indent=""
 | 
				
			||||||
     local days2warn2=$DAYS2WARN2
 | 
					     local days2warn2=$DAYS2WARN2
 | 
				
			||||||
     local days2warn1=$DAYS2WARN1
 | 
					     local days2warn1=$DAYS2WARN1
 | 
				
			||||||
@@ -6378,7 +6387,7 @@ certificate_info() {
 | 
				
			|||||||
          pr_headline "Server Certificate #$certificate_number"
 | 
					          pr_headline "Server Certificate #$certificate_number"
 | 
				
			||||||
          [[ -z "$sni_used" ]] && pr_underline " (in response to request w/o SNI)"
 | 
					          [[ -z "$sni_used" ]] && pr_underline " (in response to request w/o SNI)"
 | 
				
			||||||
          outln
 | 
					          outln
 | 
				
			||||||
          json_prefix="Server Certificate #$certificate_number "
 | 
					          json_postfix=" <cert#${certificate_number}>"
 | 
				
			||||||
          spaces="                                "
 | 
					          spaces="                                "
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          spaces="                              "
 | 
					          spaces="                              "
 | 
				
			||||||
@@ -6390,6 +6399,7 @@ certificate_info() {
 | 
				
			|||||||
     cert_key_algo="${cert_key_algo// /}"
 | 
					     cert_key_algo="${cert_key_algo// /}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent" ; pr_bold " Signature Algorithm          "
 | 
					     out "$indent" ; pr_bold " Signature Algorithm          "
 | 
				
			||||||
 | 
					     json_prefix="cert_sig_algorithm"
 | 
				
			||||||
     case $cert_sig_algo in
 | 
					     case $cert_sig_algo in
 | 
				
			||||||
          sha1WithRSAEncryption)
 | 
					          sha1WithRSAEncryption)
 | 
				
			||||||
               pr_svrty_medium "SHA1 with RSA"
 | 
					               pr_svrty_medium "SHA1 with RSA"
 | 
				
			||||||
@@ -6397,110 +6407,111 @@ certificate_info() {
 | 
				
			|||||||
                    out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING"
 | 
					                    out " -- besides: users will receive a "; pr_svrty_high "strong browser WARNING"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
               outln
 | 
					               outln
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA"
 | 
					               fileout "${json_prefix}${json_postfix}" "MEDIUM" "SHA1 with RSA"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          sha224WithRSAEncryption)
 | 
					          sha224WithRSAEncryption)
 | 
				
			||||||
               outln "SHA224 with RSA"
 | 
					               outln "SHA224 with RSA"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: SHA224 with RSA"
 | 
					               fileout "${json_prefix}${json_postfix}" "INFO" "SHA224 with RSA"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          sha256WithRSAEncryption)
 | 
					          sha256WithRSAEncryption)
 | 
				
			||||||
               prln_done_good "SHA256 with RSA"
 | 
					               prln_done_good "SHA256 with RSA"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "SHA256 with RSA"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          sha384WithRSAEncryption)
 | 
					          sha384WithRSAEncryption)
 | 
				
			||||||
               prln_done_good "SHA384 with RSA"
 | 
					               prln_done_good "SHA384 with RSA"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "SHA384 with RSA"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          sha512WithRSAEncryption)
 | 
					          sha512WithRSAEncryption)
 | 
				
			||||||
               prln_done_good "SHA512 with RSA"
 | 
					               prln_done_good "SHA512 with RSA"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "SHA512 with RSA"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          ecdsa-with-SHA1)
 | 
					          ecdsa-with-SHA1)
 | 
				
			||||||
               prln_svrty_medium "ECDSA with SHA1"
 | 
					               prln_svrty_medium "ECDSA with SHA1"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: ECDSA with SHA1"
 | 
					               fileout "${json_prefix}${json_postfix}" "MEDIUM" "ECDSA with SHA1"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          ecdsa-with-SHA224)
 | 
					          ecdsa-with-SHA224)
 | 
				
			||||||
               outln "ECDSA with SHA224"
 | 
					               outln "ECDSA with SHA224"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: ECDSA with SHA224"
 | 
					               fileout "${json_prefix}${json_postfix}" "INFO" "ECDSA with SHA224"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          ecdsa-with-SHA256)
 | 
					          ecdsa-with-SHA256)
 | 
				
			||||||
               prln_done_good "ECDSA with SHA256"
 | 
					               prln_done_good "ECDSA with SHA256"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "ECDSA with SHA256"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          ecdsa-with-SHA384)
 | 
					          ecdsa-with-SHA384)
 | 
				
			||||||
               prln_done_good "ECDSA with SHA384"
 | 
					               prln_done_good "ECDSA with SHA384"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA384"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "ECDSA with SHA384"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          ecdsa-with-SHA512)
 | 
					          ecdsa-with-SHA512)
 | 
				
			||||||
               prln_done_good "ECDSA with SHA512"
 | 
					               prln_done_good "ECDSA with SHA512"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA512"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "ECDSA with SHA512"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          dsaWithSHA1)
 | 
					          dsaWithSHA1)
 | 
				
			||||||
               prln_svrty_medium "DSA with SHA1"
 | 
					               prln_svrty_medium "DSA with SHA1"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: DSA with SHA1"
 | 
					               fileout "${json_prefix}${json_postfix}" "MEDIUM" "DSA with SHA1"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          dsa_with_SHA224)
 | 
					          dsa_with_SHA224)
 | 
				
			||||||
               outln "DSA with SHA224"
 | 
					               outln "DSA with SHA224"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: DSA with SHA224"
 | 
					               fileout "${json_prefix}${json_postfix}" "INFO" "DSA with SHA224"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          dsa_with_SHA256)
 | 
					          dsa_with_SHA256)
 | 
				
			||||||
               prln_done_good "DSA with SHA256"
 | 
					               prln_done_good "DSA with SHA256"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: DSA with SHA256"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "DSA with SHA256"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          rsassaPss)
 | 
					          rsassaPss)
 | 
				
			||||||
               cert_sig_hash_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 1 "Signature Algorithm" | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')"
 | 
					               cert_sig_hash_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 1 "Signature Algorithm" | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')"
 | 
				
			||||||
               case $cert_sig_hash_algo in
 | 
					               case $cert_sig_hash_algo in
 | 
				
			||||||
                    sha1)
 | 
					                    sha1)
 | 
				
			||||||
                         prln_svrty_medium "RSASSA-PSS with SHA1"
 | 
					                         prln_svrty_medium "RSASSA-PSS with SHA1"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: RSASSA-PSS with SHA1"
 | 
					                         fileout "${json_prefix}${json_postfix}" "MEDIUM" "RSASSA-PSS with SHA1"
 | 
				
			||||||
                         ;;
 | 
					                         ;;
 | 
				
			||||||
                    sha224)
 | 
					                    sha224)
 | 
				
			||||||
                         outln "RSASSA-PSS with SHA224"
 | 
					                         outln "RSASSA-PSS with SHA224"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: RSASSA-PSS with SHA224"
 | 
					                         fileout "${json_prefix}${json_postfix}" "INFO" "RSASSA-PSS with SHA224"
 | 
				
			||||||
                         ;;
 | 
					                         ;;
 | 
				
			||||||
                    sha256)
 | 
					                    sha256)
 | 
				
			||||||
                         prln_done_good "RSASSA-PSS with SHA256"
 | 
					                         prln_done_good "RSASSA-PSS with SHA256"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA256"
 | 
					                         fileout "${json_prefix}${json_postfix}" "OK" "RSASSA-PSS with SHA256"
 | 
				
			||||||
                         ;;
 | 
					                         ;;
 | 
				
			||||||
                    sha384)
 | 
					                    sha384)
 | 
				
			||||||
                         prln_done_good "RSASSA-PSS with SHA384"
 | 
					                         prln_done_good "RSASSA-PSS with SHA384"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA384"
 | 
					                         fileout "${json_prefix}${json_postfix}" "OK" "RSASSA-PSS with SHA384"
 | 
				
			||||||
                         ;;
 | 
					                         ;;
 | 
				
			||||||
                    sha512)
 | 
					                    sha512)
 | 
				
			||||||
                         prln_done_good "RSASSA-PSS with SHA512"
 | 
					                         prln_done_good "RSASSA-PSS with SHA512"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA512"
 | 
					                         fileout "${json_prefix}${json_postfix}" "OK" "RSASSA-PSS with SHA512"
 | 
				
			||||||
                         ;;
 | 
					                         ;;
 | 
				
			||||||
                    *)
 | 
					                    *)
 | 
				
			||||||
                         out "RSASSA-PSS with $cert_sig_hash_algo"
 | 
					                         out "RSASSA-PSS with $cert_sig_hash_algo"
 | 
				
			||||||
                         prln_warning " (Unknown hash algorithm)"
 | 
					                         prln_warning " (Unknown hash algorithm)"
 | 
				
			||||||
                         fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: RSASSA-PSS with $cert_sig_hash_algo"
 | 
					                         fileout "${json_prefix}${json_postfix}" "DEBUG" "RSASSA-PSS with $cert_sig_hash_algo"
 | 
				
			||||||
                    esac
 | 
					                    esac
 | 
				
			||||||
                    ;;
 | 
					                    ;;
 | 
				
			||||||
          md2*)
 | 
					          md2*)
 | 
				
			||||||
               prln_svrty_critical "MD2"
 | 
					               prln_svrty_critical "MD2"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD2"
 | 
					               fileout "${json_prefix}${json_postfix}" "CRITICAL" "MD2"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          md4*)
 | 
					          md4*)
 | 
				
			||||||
               prln_svrty_critical "MD4"
 | 
					               prln_svrty_critical "MD4"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD4"
 | 
					               fileout "${json_prefix}${json_postfix}" "CRITICAL" "MD4"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          md5*)
 | 
					          md5*)
 | 
				
			||||||
               prln_svrty_critical "MD5"
 | 
					               prln_svrty_critical "MD5"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD5"
 | 
					               fileout "${json_prefix}${json_postfix}" "CRITICAL" "MD5"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
          *)
 | 
					          *)
 | 
				
			||||||
               out "$cert_sig_algo ("
 | 
					               out "$cert_sig_algo ("
 | 
				
			||||||
               pr_warning "FIXME: can't tell whether this is good or not"
 | 
					               pr_warning "FIXME: can't tell whether this is good or not"
 | 
				
			||||||
               outln ")"
 | 
					               outln ")"
 | 
				
			||||||
               fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: $cert_sig_algo"
 | 
					               fileout "${json_prefix}${json_postfix}" "DEBUG" "$cert_sig_algo"
 | 
				
			||||||
               ;;
 | 
					               ;;
 | 
				
			||||||
     esac
 | 
					     esac
 | 
				
			||||||
     # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
 | 
					     # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Server key size              "
 | 
					     out "$indent"; pr_bold " Server key size              "
 | 
				
			||||||
 | 
					     json_prefix="cert_key_size"
 | 
				
			||||||
     if [[ -z "$cert_keysize" ]]; then
 | 
					     if [[ -z "$cert_keysize" ]]; then
 | 
				
			||||||
          outln "(couldn't determine)"
 | 
					          outln "(couldn't determine)"
 | 
				
			||||||
          fileout "${json_prefix}key_size" "WARN" "Server keys size cannot be determined"
 | 
					          fileout "${json_prefix}${json_postfix}" "Server keys size cannot be determined"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          case $cert_key_algo in
 | 
					          case $cert_key_algo in
 | 
				
			||||||
               *RSA*|*rsa*)             out "RSA ";;
 | 
					               *RSA*|*rsa*)             out "RSA ";;
 | 
				
			||||||
@@ -6517,22 +6528,22 @@ certificate_info() {
 | 
				
			|||||||
          if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey  ]]; then
 | 
					          if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey  ]]; then
 | 
				
			||||||
               if [[ "$cert_keysize" -le 110 ]]; then       # a guess
 | 
					               if [[ "$cert_keysize" -le 110 ]]; then       # a guess
 | 
				
			||||||
                    pr_svrty_critical "$cert_keysize"
 | 
					                    pr_svrty_critical "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize EC bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "CRITICAL" "Server keys $cert_keysize EC bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 123 ]]; then    # a guess
 | 
					               elif [[ "$cert_keysize" -le 123 ]]; then    # a guess
 | 
				
			||||||
                    pr_svrty_high "$cert_keysize"
 | 
					                    pr_svrty_high "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize EC bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "HIGH" "Server keys $cert_keysize EC bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 163 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 163 ]]; then
 | 
				
			||||||
                    pr_svrty_medium "$cert_keysize"
 | 
					                    pr_svrty_medium "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "MEDIUM" "Server keys $cert_keysize EC bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 224 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 224 ]]; then
 | 
				
			||||||
                    out "$cert_keysize"
 | 
					                    out "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize EC bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "INFO" "Server keys $cert_keysize EC bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 533 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 533 ]]; then
 | 
				
			||||||
                    pr_done_good "$cert_keysize"
 | 
					                    pr_done_good "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize EC bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "OK" "Server keys $cert_keysize EC bits"
 | 
				
			||||||
               else
 | 
					               else
 | 
				
			||||||
                    out "keysize: $cert_keysize (not expected, FIXME)"
 | 
					                    out "keysize: $cert_keysize (not expected, FIXME)"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "DEBUG" "Server keys $cert_keysize bits (not expected)"
 | 
					                    fileout "${json_prefix}${json_postfix}" "DEBUG" "Server keys $cert_keysize bits (not expected)"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
               outln " bits"
 | 
					               outln " bits"
 | 
				
			||||||
          elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
 | 
					          elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
 | 
				
			||||||
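Review bot: Every `fileout` call in this EC key-size hunk passes an id, a severity and a finding, but the call for the undetermined case in the same key-size block, a few lines before this hunk starts, now reads `fileout "${json_prefix}${json_postfix}" "Server keys size cannot be determined"` and has lost the `"WARN"` argument the old line had. With that argument missing, the message presumably lands in the severity position and the finding stays empty (the definition of `fileout` is not visible here), so a consumer filtering on severity would not learn that the key size could not be checked. Restore it as `fileout "${json_prefix}${json_postfix}" "WARN" "Server keys size cannot be determined"`. certificate_info() starts and ends outside the hunk.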
@@ -6540,41 +6551,46 @@ certificate_info() {
 | 
				
			|||||||
               if [[ "$cert_keysize" -le 512 ]]; then
 | 
					               if [[ "$cert_keysize" -le 512 ]]; then
 | 
				
			||||||
                    pr_svrty_critical "$cert_keysize"
 | 
					                    pr_svrty_critical "$cert_keysize"
 | 
				
			||||||
                    outln " bits"
 | 
					                    outln " bits"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "CRITICAL" "Server keys $cert_keysize bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 768 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 768 ]]; then
 | 
				
			||||||
                    pr_svrty_high "$cert_keysize"
 | 
					                    pr_svrty_high "$cert_keysize"
 | 
				
			||||||
                    outln " bits"
 | 
					                    outln " bits"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "HIGH" "Server keys $cert_keysize bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 1024 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 1024 ]]; then
 | 
				
			||||||
                    pr_svrty_medium "$cert_keysize"
 | 
					                    pr_svrty_medium "$cert_keysize"
 | 
				
			||||||
                    outln " bits"
 | 
					                    outln " bits"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "MEDIUM" "Server keys $cert_keysize bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 2048 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 2048 ]]; then
 | 
				
			||||||
                    outln "$cert_keysize bits"
 | 
					                    outln "$cert_keysize bits"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "INFO" "Server keys $cert_keysize bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "INFO" "Server keys $cert_keysize bits"
 | 
				
			||||||
               elif [[ "$cert_keysize" -le 4096 ]]; then
 | 
					               elif [[ "$cert_keysize" -le 4096 ]]; then
 | 
				
			||||||
                    pr_done_good "$cert_keysize"
 | 
					                    pr_done_good "$cert_keysize"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "OK" "Server keys $cert_keysize bits"
 | 
					                    fileout "${json_prefix}${json_postfix}" "OK" "Server keys $cert_keysize bits"
 | 
				
			||||||
                    outln " bits"
 | 
					                    outln " bits"
 | 
				
			||||||
               else
 | 
					               else
 | 
				
			||||||
                    pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
 | 
					                    pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
 | 
				
			||||||
                    fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (Odd)"
 | 
					                    fileout "${json_prefix}${json_postfix}" "WARN" "Server keys $cert_keysize bits (Odd)"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               out "$cert_keysize bits ("
 | 
					               out "$cert_keysize bits ("
 | 
				
			||||||
               pr_warning "FIXME: can't tell whether this is good or not"
 | 
					               pr_warning "FIXME: can't tell whether this is good or not"
 | 
				
			||||||
               outln ")"
 | 
					               outln ")"
 | 
				
			||||||
               fileout "${json_prefix}key_size" "WARN" "Server keys $cert_keysize bits (unknown signature algorithm)"
 | 
					               fileout "${json_prefix}${json_postfix}" "WARN" "Server keys $cert_keysize bits (unknown signature algorithm)"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Fingerprint / Serial         "
 | 
					     out "$indent"; pr_bold " Fingerprint / Serial         "
 | 
				
			||||||
     cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
 | 
					     cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
 | 
				
			||||||
     cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
 | 
					     fileout "cert_fingerprint_SHA1${json_postfix}" "INFO" "${cert_fingerprint_sha1//SHA1 /}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
 | 
					     cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
 | 
				
			||||||
     outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
 | 
					     fileout "cert_fingerprint_SHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2//SHA256 /}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					     cert_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
 | 
				
			||||||
 | 
					     outln "$cert_fingerprint_sha1 / $cert_serial"
 | 
				
			||||||
     outln "$spaces$cert_fingerprint_sha2"
 | 
					     outln "$spaces$cert_fingerprint_sha2"
 | 
				
			||||||
     fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
 | 
					
 | 
				
			||||||
 | 
					     fileout "cert_serial${json_postfix}" "INFO" "$cert_serial"
 | 
				
			||||||
     [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
 | 
					     [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
 | 
				
			||||||
          CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" ||
 | 
					          CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" ||
 | 
				
			||||||
          CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2"
 | 
					          CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2"
 | 
				
			||||||
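Review bot: The three new objects `cert_fingerprint_SHA1`, `cert_fingerprint_SHA256` and `cert_serial` are written with severity `INFO` whatever the `$OPENSSL x509` calls returned. Their stderr goes to `$ERRFILE`, so a failed call leaves the variable empty and the file output carries an empty finding that looks like a normal result. Anyone comparing or pinning fingerprints from the JSON is better served by an explicit marker, for example `if [[ -n "$cert_serial" ]]; then fileout "cert_serial${json_postfix}" "INFO" "$cert_serial"; else fileout "cert_serial${json_postfix}" "WARN" "could not be determined"; fi`, and the same for the two fingerprints. The new `cert_serial=` line also leaves `$HOSTCERT` and `$ERRFILE` unquoted; `"$HOSTCERT"` and `"$ERRFILE"` would be safer if those paths can contain spaces.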
@@ -6594,6 +6610,8 @@ certificate_info() {
 | 
				
			|||||||
          cnfinding="$cn"
 | 
					          cnfinding="$cn"
 | 
				
			||||||
          cnok="INFO"
 | 
					          cnok="INFO"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					     fileout "cert_CN${json_postfix}" "$cnok" "$cnfinding"
 | 
				
			||||||
 | 
					     cnfinding=""
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     if [[ -n "$sni_used" ]]; then
 | 
					     if [[ -n "$sni_used" ]]; then
 | 
				
			||||||
          if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
 | 
					          if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
 | 
				
			||||||
@@ -6605,27 +6623,26 @@ certificate_info() {
 | 
				
			|||||||
          debugme tm_out "\"$NODE\" | \"$cn\""
 | 
					          debugme tm_out "\"$NODE\" | \"$cn\""
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
     if [[ -z "$sni_used" ]] || [[ "$(toupper "$cn_nosni")" == "$(toupper "$cn")" ]]; then
 | 
					     if [[ -z "$sni_used" ]] || [[ "$(toupper "$cn_nosni")" == "$(toupper "$cn")" ]]; then
 | 
				
			||||||
          outln
 | 
					          outln
 | 
				
			||||||
 | 
					          cnfinding="$cn"
 | 
				
			||||||
     elif [[ -z "$cn_nosni" ]]; then
 | 
					     elif [[ -z "$cn_nosni" ]]; then
 | 
				
			||||||
          out " (request w/o SNI didn't succeed";
 | 
					          out " (request w/o SNI didn't succeed";
 | 
				
			||||||
          cnfinding+=" (request w/o SNI didn't succeed"
 | 
					          cnfinding+="request w/o SNI didn't succeed"
 | 
				
			||||||
          if [[ $cert_sig_algo =~ ecdsa ]]; then
 | 
					          if [[ $cert_sig_algo =~ ecdsa ]]; then
 | 
				
			||||||
               out ", usual for EC certificates"
 | 
					               out ", usual for EC certificates"
 | 
				
			||||||
               cnfinding+=", usual for EC certificates"
 | 
					               cnfinding+=", usual for EC certificates"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          outln ")"
 | 
					          outln ")"
 | 
				
			||||||
          cnfinding+=")"
 | 
					          cnfinding+=""
 | 
				
			||||||
     elif [[ "$cn_nosni" == *"no CN field"* ]]; then
 | 
					     elif [[ "$cn_nosni" == *"no CN field"* ]]; then
 | 
				
			||||||
          outln ", (request w/o SNI: $cn_nosni)"
 | 
					          outln ", (request w/o SNI: $cn_nosni)"
 | 
				
			||||||
          cnfinding+=", (request w/o SNI: $cn_nosni)"
 | 
					          cnfinding="$cn_nosni"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          out " (CN in response to request w/o SNI: "; pr_italic "$cn_nosni"; outln ")"
 | 
					          out " (CN in response to request w/o SNI: "; pr_italic "$cn_nosni"; outln ")"
 | 
				
			||||||
          cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
 | 
					          cnfinding="$cn_nosni"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     fileout "${json_prefix}cn" "$cnok" "$cnfinding"
 | 
					     fileout "cert_CN_without_SNI${json_postfix}" "INFO" "$cnfinding"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
 | 
					     sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
 | 
				
			||||||
          egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
 | 
					          egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
 | 
				
			||||||
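Review bot: `cert_CN_without_SNI` mixes two kinds of value in its finding. In the first branch and the last two it is a name (`$cn` or `$cn_nosni`), while in the `-z "$cn_nosni"` branch it is the free text `request w/o SNI didn't succeed` (optionally followed by `, usual for EC certificates`), always at severity `INFO`. A parser cannot tell a certificate name from a status message, which works against the "better parsable" goal in the commit description; giving the failure case its own severity or a fixed marker value would separate the two. The statement `cnfinding+=""` that replaced `cnfinding+=")"` is a no-op and can be dropped, and since `cnfinding` is reset to an empty string in the previous hunk, `cnfinding="request w/o SNI didn't succeed"` reads clearer than `+=`.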
@@ -6633,23 +6650,27 @@ certificate_info() {
 | 
				
			|||||||
              -e 's/ *Registered ID://g' \
 | 
					              -e 's/ *Registered ID://g' \
 | 
				
			||||||
              -e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
 | 
					              -e 's/ *othername:<unsupported>//g' -e 's/ *X400Name:<unsupported>//g' -e 's/ *EdiPartyName:<unsupported>//g')
 | 
				
			||||||
#                   ^^^ CACert
 | 
					#                   ^^^ CACert
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " subjectAltName (SAN)         "
 | 
					     out "$indent"; pr_bold " subjectAltName (SAN)         "
 | 
				
			||||||
 | 
					     json_prefix="cert_SAN"
 | 
				
			||||||
     if [[ -n "$sans" ]]; then
 | 
					     if [[ -n "$sans" ]]; then
 | 
				
			||||||
          while read san; do
 | 
					          while read san; do
 | 
				
			||||||
               [[ -n "$san" ]] && all_san+="$san "
 | 
					               [[ -n "$san" ]] && all_san+="$san "
 | 
				
			||||||
          done <<< "$sans"
 | 
					          done <<< "$sans"
 | 
				
			||||||
          prln_italic "$(out_row_aligned_max_width "$all_san" "$indent                              " $TERM_WIDTH)"
 | 
					          prln_italic "$(out_row_aligned_max_width "$all_san" "$indent                              " $TERM_WIDTH)"
 | 
				
			||||||
          fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "$all_san"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          if [[ $SERVICE == "HTTP" ]] || "$ASSUME_HTTP"; then
 | 
					          if [[ $SERVICE == "HTTP" ]] || "$ASSUME_HTTP"; then
 | 
				
			||||||
               pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining"
 | 
					               pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining"
 | 
				
			||||||
               fileout "${json_prefix}san" "HIGH" "subjectAltName (SAN) : -- Browsers are complaining"
 | 
					               fileout "${json_prefix}${json_postfix}" "HIGH" "No SAN, browsers are complaining"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               pr_svrty_medium "missing"; outln " -- no SAN is deprecated"
 | 
					               pr_svrty_medium "missing"; outln " -- no SAN is deprecated"
 | 
				
			||||||
               fileout "${json_prefix}san" "MEDIUM" "subjectAltName (SAN) : -- no SAN is deprecated"
 | 
					               fileout "${json_prefix}${json_postfix}" "MEDIUM" "Providing no SAN is deprecated"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Issuer                       "
 | 
					     out "$indent"; pr_bold " Issuer                       "
 | 
				
			||||||
 | 
					     json_prefix="cert_issuer"
 | 
				
			||||||
     #FIXME: oid would be better maybe (see above)
 | 
					     #FIXME: oid would be better maybe (see above)
 | 
				
			||||||
     issuer="$($OPENSSL x509 -in  $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
 | 
					     issuer="$($OPENSSL x509 -in  $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
 | 
				
			||||||
     issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
 | 
					     issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
 | 
				
			||||||
@@ -6659,7 +6680,7 @@ certificate_info() {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
     if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then
 | 
					     if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then
 | 
				
			||||||
          prln_svrty_critical "self-signed (NOT ok)"
 | 
					          prln_svrty_critical "self-signed (NOT ok)"
 | 
				
			||||||
          fileout "${json_prefix}issuer" "CRITICAL" "Issuer: selfsigned"
 | 
					          fileout "${json_prefix}${json_postfix}" "CRITICAL" "selfsigned"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          issuerfinding="$issuer_CN"
 | 
					          issuerfinding="$issuer_CN"
 | 
				
			||||||
          pr_italic "$issuer_CN"
 | 
					          pr_italic "$issuer_CN"
 | 
				
			||||||
@@ -6687,7 +6708,7 @@ certificate_info() {
 | 
				
			|||||||
               out ")"
 | 
					               out ")"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          outln
 | 
					          outln
 | 
				
			||||||
          fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "$issuerfinding"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Trust (hostname)             "
 | 
					     out "$indent"; pr_bold " Trust (hostname)             "
 | 
				
			||||||
@@ -6804,19 +6825,21 @@ certificate_info() {
 | 
				
			|||||||
          prln_svrty_medium "$trustfinding_nosni"
 | 
					          prln_svrty_medium "$trustfinding_nosni"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     fileout "${json_prefix}trust" "$trust_sni_finding" "${trustfinding}${trustfinding_nosni}"
 | 
					     fileout "cert_trust${json_postfix}" "$trust_sni_finding" "${trustfinding}${trustfinding_nosni}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Chain of trust"; out "               "
 | 
					     out "$indent"; pr_bold " Chain of trust"; out "               "
 | 
				
			||||||
 | 
					     json_prefix="cert_chain_of_trust"
 | 
				
			||||||
     if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then
 | 
					     if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then
 | 
				
			||||||
          # Shortcut for this special case here.
 | 
					          # Shortcut for this special case here.
 | 
				
			||||||
          pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)"
 | 
					          pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)"
 | 
				
			||||||
          fileout "${json_prefix}issuer" "CRITICAL" "Issuer: not trusted anymore (WoSign/StartCom)"
 | 
					          fileout "${json_prefix}${json_postfix}" "CRITICAL" "Issuer not trusted anymore (WoSign/StartCom)"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          determine_trust "$json_prefix" # Also handles fileout
 | 
					          determine_trust "$json_prefix" "$json_postfix" # Also handles fileout
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
 | 
					     # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
 | 
				
			||||||
     out "$indent"; pr_bold " EV cert"; out " (experimental)       "
 | 
					     out "$indent"; pr_bold " EV cert"; out " (experimental)       "
 | 
				
			||||||
 | 
					     json_prefix="cert_EV"
 | 
				
			||||||
     # only the first one, seldom we have two
 | 
					     # only the first one, seldom we have two
 | 
				
			||||||
     policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }' | awk 'NR < 2')
 | 
					     policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }' | awk 'NR < 2')
 | 
				
			||||||
     if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
 | 
					     if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
 | 
				
			||||||
@@ -6828,17 +6851,18 @@ certificate_info() {
 | 
				
			|||||||
          [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
 | 
					          [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
 | 
				
			||||||
          [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
 | 
					          [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
 | 
				
			||||||
          out "yes "
 | 
					          out "yes "
 | 
				
			||||||
          fileout "${json_prefix}ev" "OK" "Extended Validation (EV) (experimental) : yes"
 | 
					          fileout "${json_prefix}${json_postfix}" "OK" "yes"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          out "no "
 | 
					          out "no "
 | 
				
			||||||
          fileout "${json_prefix}ev" "INFO" "Extended Validation (EV) (experimental) : no"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "no"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     debugme echo "($(newline_to_spaces "$policy_oid"))"
 | 
					     debugme echo "($(newline_to_spaces "$policy_oid"))"
 | 
				
			||||||
     outln
 | 
					     outln
 | 
				
			||||||
#TODO: use browser OIDs:
 | 
					#TODO: check browser OIDs:
 | 
				
			||||||
#         https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp
 | 
					#         https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp
 | 
				
			||||||
#         http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
 | 
					#         http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
 | 
				
			||||||
#         https://certs.opera.com/03/ev-oids.xml
 | 
					#         https://certs.opera.com/03/ev-oids.xml
 | 
				
			||||||
 | 
					#         see #967
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Certificate Expiration       "
 | 
					     out "$indent"; pr_bold " Certificate Expiration       "
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -6854,8 +6878,8 @@ certificate_info() {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
     expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
 | 
					     expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
 | 
				
			||||||
     if ! grep -qw not <<< "$expire" ; then
 | 
					     if ! grep -qw not <<< "$expire" ; then
 | 
				
			||||||
          pr_svrty_critical "expired!"
 | 
					          pr_svrty_critical "expired"
 | 
				
			||||||
          expfinding="expired!"
 | 
					          expfinding="expired"
 | 
				
			||||||
          expok="CRITICAL"
 | 
					          expok="CRITICAL"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          secs2warn=$((24 * 60 * 60 * days2warn2))  # low threshold first
 | 
					          secs2warn=$((24 * 60 * 60 * days2warn2))  # low threshold first
 | 
				
			||||||
@@ -6872,17 +6896,18 @@ certificate_info() {
 | 
				
			|||||||
                    expok="MEDIUM"
 | 
					                    expok="MEDIUM"
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               pr_svrty_high "expires < $days2warn2 days ($days2expire) !"
 | 
					               pr_svrty_high "expires < $days2warn2 days ($days2expire)"
 | 
				
			||||||
               expfinding+="expires < $days2warn2 days ($days2expire) !"
 | 
					               expfinding+="expires < $days2warn2 days ($days2expire)"
 | 
				
			||||||
               expok="HIGH"
 | 
					               expok="HIGH"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     outln " ($startdate --> $enddate)"
 | 
					     outln " ($startdate --> $enddate)"
 | 
				
			||||||
     fileout "${json_prefix}expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
 | 
					     fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
 | 
				
			||||||
 | 
					     fileout "cert_expiration_startend${json_postfix}" "$expok" "$startdate --> $enddate"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 | 
					     certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 | 
				
			||||||
     out "$indent"; pr_bold " # of certificates provided"; outln "   $certificates_provided"
 | 
					     out "$indent"; pr_bold " # of certificates provided"; outln "   $certificates_provided"
 | 
				
			||||||
     fileout "${json_prefix}certcount" "INFO" "# of certificates provided :  $certificates_provided"
 | 
					     fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided} certificates provided"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     # Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
 | 
					     # Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
 | 
				
			||||||
     crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
 | 
					     crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
 | 
				
			||||||
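Review bot: `cert_expiration_startend` is written with `$expok`, the same severity as `cert_expiration_status`, so a certificate rated `CRITICAL`, `HIGH` or `MEDIUM` for expiry now yields two findings at that level and any tool counting findings by severity counts it twice. The date range is plain data; `fileout "cert_expiration_startend${json_postfix}" "INFO" "$startdate --> $enddate"` would keep the rating on the status object only. In the same hunk `certchain_count` embeds the number in prose (`"${certificates_provided} certificates provided"`); a bare `"$certificates_provided"` would be easier to parse and would match the other objects that this commit reduces to their value.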
@@ -6890,60 +6915,62 @@ certificate_info() {
 | 
				
			|||||||
     ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
 | 
					     ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Certificate Revocation List  "
 | 
					     out "$indent"; pr_bold " Certificate Revocation List  "
 | 
				
			||||||
 | 
					     json_prefix="cert_CRL"
 | 
				
			||||||
     if [[ -z "$crl" ]] ; then
 | 
					     if [[ -z "$crl" ]] ; then
 | 
				
			||||||
          if [[ -n "$ocsp_uri" ]]; then
 | 
					          if [[ -n "$ocsp_uri" ]]; then
 | 
				
			||||||
               outln "--"
 | 
					               outln "--"
 | 
				
			||||||
               fileout "${json_prefix}crl" "INFO" "No CRL provided"
 | 
					               fileout "${json_prefix}${json_postfix}" "INFO" "none"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               pr_svrty_high "NOT ok --"
 | 
					               pr_svrty_high "NOT ok --"
 | 
				
			||||||
               outln " neither CRL nor OCSP URI provided"
 | 
					               outln " neither CRL nor OCSP URI provided"
 | 
				
			||||||
               fileout "${json_prefix}crl" "HIGH" "Neither CRL nor OCSP URI provided"
 | 
					               fileout "${json_prefix}${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          if [[ $(count_lines "$crl") -eq 1 ]]; then
 | 
					          if [[ $(count_lines "$crl") -eq 1 ]]; then
 | 
				
			||||||
               outln "$crl"
 | 
					               outln "$crl"
 | 
				
			||||||
               fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
 | 
					 | 
				
			||||||
          else # more than one CRL
 | 
					          else # more than one CRL
 | 
				
			||||||
               out_row_aligned "$crl" "$spaces"
 | 
					               out_row_aligned "$crl" "$spaces"
 | 
				
			||||||
               fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
 | 
					 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "$crl"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " OCSP URI                     "
 | 
					     out "$indent"; pr_bold " OCSP URI                     "
 | 
				
			||||||
 | 
					     json_prefix="cert_OCSP_URI"
 | 
				
			||||||
     if [[ -z "$ocsp_uri" ]]; then
 | 
					     if [[ -z "$ocsp_uri" ]]; then
 | 
				
			||||||
          outln "--"
 | 
					          outln "--"
 | 
				
			||||||
          fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : --"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "--"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          if [[ $(count_lines "$ocsp_uri") -eq 1 ]]; then
 | 
					          if [[ $(count_lines "$ocsp_uri") -eq 1 ]]; then
 | 
				
			||||||
               outln "$ocsp_uri"
 | 
					               outln "$ocsp_uri"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               out_row_aligned "$ocsp_uri" "$spaces"
 | 
					               out_row_aligned "$ocsp_uri" "$spaces"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
          fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
 | 
					          fileout "${json_prefix}${json_postfix}" "INFO" "$ocsp_uri"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " OCSP stapling                "
 | 
					     out "$indent"; pr_bold " OCSP stapling                "
 | 
				
			||||||
 | 
					     json_prefix="OCSP_stapling"
 | 
				
			||||||
     if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then
 | 
					     if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then
 | 
				
			||||||
          if [[ -n "$ocsp_uri" ]]; then
 | 
					          if [[ -n "$ocsp_uri" ]]; then
 | 
				
			||||||
               pr_svrty_low "not offered"
 | 
					               pr_svrty_low "not offered"
 | 
				
			||||||
               fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
 | 
					               fileout "${json_prefix}${json_postfix}" "LOW" "not offered"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               out "not offered"
 | 
					               out "not offered"
 | 
				
			||||||
               fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
 | 
					               fileout "${json_prefix}${json_postfix}" "INFO" "not offered"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
 | 
					          if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
 | 
				
			||||||
               pr_done_good "offered"
 | 
					               pr_done_good "offered"
 | 
				
			||||||
               fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
 | 
					               fileout "${json_prefix}${json_postfix}" "OK" "offered"
 | 
				
			||||||
               provides_stapling=true
 | 
					               provides_stapling=true
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               if $GOST_STATUS_PROBLEM; then
 | 
					               if $GOST_STATUS_PROBLEM; then
 | 
				
			||||||
                    pr_warning "(GOST servers make problems here, sorry)"
 | 
					                    pr_warning "(GOST servers make problems here, sorry)"
 | 
				
			||||||
                    fileout "${json_prefix}ocsp_stapling" "WARN" "OCSP stapling : (GOST servers make problems here, sorry)"
 | 
					                    fileout "${json_prefix}${json_postfix}" "WARN" "(The GOST server made a problem here, sorry)"
 | 
				
			||||||
                    ret=0
 | 
					                    ret=0
 | 
				
			||||||
               else
 | 
					               else
 | 
				
			||||||
                    out "(response status unknown)"
 | 
					                    out "(response status unknown)"
 | 
				
			||||||
                    fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: $ocsp_response"
 | 
					                    fileout "${json_prefix}${json_postfix}" "OK" " not sure what's going on here, \'$ocsp_response\'"
 | 
				
			||||||
                    debugme grep -a -A20 -B2 "OCSP response"  <<<"$ocsp_response"
 | 
					                    debugme grep -a -A20 -B2 "OCSP response"  <<<"$ocsp_response"
 | 
				
			||||||
                    ret=2
 | 
					                    ret=2
 | 
				
			||||||
               fi
 | 
					               fi
 | 
				
			||||||
@@ -6952,10 +6979,10 @@ certificate_info() {
 | 
				
			|||||||
     outln
 | 
					     outln
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " OCSP must staple             ";
 | 
					     out "$indent"; pr_bold " OCSP must staple             ";
 | 
				
			||||||
     must_staple "$json_prefix" "$provides_stapling"
 | 
					     must_staple "$json_postfix" "$provides_stapling"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " DNS CAA RR"; out " (experimental)    "
 | 
					     out "$indent"; pr_bold " DNS CAA RR"; out " (experimental)    "
 | 
				
			||||||
 | 
					     json_prefix="CAA_record"
 | 
				
			||||||
     caa_node="$NODE"
 | 
					     caa_node="$NODE"
 | 
				
			||||||
     caa=""
 | 
					     caa=""
 | 
				
			||||||
     while ( [[ -z "$caa" ]] &&  [[ ! -z "$caa_node" ]] ); do
 | 
					     while ( [[ -z "$caa" ]] &&  [[ ! -z "$caa_node" ]] ); do
 | 
				
			||||||
@@ -6977,23 +7004,23 @@ certificate_info() {
 | 
				
			|||||||
          done <<< "$caa"
 | 
					          done <<< "$caa"
 | 
				
			||||||
          all_caa=${all_caa%, }                 # strip trailing comma
 | 
					          all_caa=${all_caa%, }                 # strip trailing comma
 | 
				
			||||||
          pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent                              " $TERM_WIDTH)"
 | 
					          pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent                              " $TERM_WIDTH)"
 | 
				
			||||||
          fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 (check for match): \"$all_caa\" "
 | 
					          fileout "${json_prefix}${json_postfix}" "OK" "'DNS Certification Authority Authorization (CAA) Resource Record / RFC6844' \'$all_caa\' "
 | 
				
			||||||
     elif "$NODNS"; then
 | 
					     elif "$NODNS"; then
 | 
				
			||||||
          pr_warning "(was instructed to not use DNS)"
 | 
					          pr_warning "(was instructed to not use DNS)"
 | 
				
			||||||
          fileout "${json_prefix}CAA_record" "WARN" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : test skipped as instructed"
 | 
					          fileout "${json_prefix}${json_postfix}" "WARN" "check skipped as instructed"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          pr_svrty_low "not offered"
 | 
					          pr_svrty_low "not offered"
 | 
				
			||||||
          fileout "${json_prefix}CAA_record" "LOW" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : not offered"
 | 
					          fileout "${json_prefix}${json_postfix}" "LOW" "'DNS Certification Authority Authorization (CAA) Resource Record / RFC6844' not offered"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     outln
 | 
					     outln
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     out "$indent"; pr_bold " Certificate Transparency     ";
 | 
					     out "$indent"; pr_bold " Certificate Transparency     ";
 | 
				
			||||||
     if [[ "$ct" =~ extension ]]; then
 | 
					     if [[ "$ct" =~ extension ]]; then
 | 
				
			||||||
          pr_done_good "yes"; outln " ($ct)"
 | 
					          pr_done_good "yes"; outln " ($ct)"
 | 
				
			||||||
          fileout "${json_prefix}certificate_transparency" "OK" "Certificate Transparency: yes ($ct)"
 | 
					          fileout "certificate_transparency${json_postfix}" "OK" "yes ($ct)"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          outln "$ct"
 | 
					          outln "$ct"
 | 
				
			||||||
          fileout "${json_prefix}certificate_transparency" "INFO" "Certificate Transparency: $ct"
 | 
					          fileout "certificate_transparency${json_postfix}" "INFO" "$ct"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
     outln
 | 
					     outln
 | 
				
			||||||
     return $ret
 | 
					     return $ret
 | 
				
			||||||
@@ -7157,7 +7184,7 @@ run_server_defaults() {
 | 
				
			|||||||
     pr_bold " TLS extensions (standard)    "
 | 
					     pr_bold " TLS extensions (standard)    "
 | 
				
			||||||
     if [[ -z "$TLS_EXTENSIONS" ]]; then
 | 
					     if [[ -z "$TLS_EXTENSIONS" ]]; then
 | 
				
			||||||
          outln "(none)"
 | 
					          outln "(none)"
 | 
				
			||||||
          fileout "tls_extensions" "INFO" "TLS server extensions (std): (none)"
 | 
					          fileout "TLS_extensions" "INFO" "(none)"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
#FIXME: we rather want to have the chance to print each ext in italics or another format.
 | 
					#FIXME: we rather want to have the chance to print each ext in italics or another format.
 | 
				
			||||||
# Atm is a string of quoted strings -- that needs to be fixed at the root then
 | 
					# Atm is a string of quoted strings -- that needs to be fixed at the root then
 | 
				
			||||||
@@ -7171,13 +7198,14 @@ run_server_defaults() {
 | 
				
			|||||||
          tls_extensions="$(out_row_aligned_max_width "$tls_extensions" "                              " $TERM_WIDTH)"
 | 
					          tls_extensions="$(out_row_aligned_max_width "$tls_extensions" "                              " $TERM_WIDTH)"
 | 
				
			||||||
          tls_extensions="${tls_extensions//{/ }"
 | 
					          tls_extensions="${tls_extensions//{/ }"
 | 
				
			||||||
          outln "$tls_extensions"
 | 
					          outln "$tls_extensions"
 | 
				
			||||||
          fileout "tls_extensions" "INFO" "TLS server extensions (std): $TLS_EXTENSIONS"
 | 
					          fileout "TLS_extensions" "INFO" "$TLS_EXTENSIONS"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     pr_bold " Session Ticket RFC 5077 hint "
 | 
					     pr_bold " Session Ticket RFC 5077 hint "
 | 
				
			||||||
 | 
					     json_prefix="session_ticket"
 | 
				
			||||||
     if [[ -z "$sessticket_lifetime_hint" ]]; then
 | 
					     if [[ -z "$sessticket_lifetime_hint" ]]; then
 | 
				
			||||||
          outln "(no lifetime advertised)"
 | 
					          outln "(no lifetime advertised)"
 | 
				
			||||||
          fileout "session_ticket" "INFO" "TLS session ticket RFC 5077 lifetime: none advertised"
 | 
					          fileout "${json_prefix}" "INFO" "No TLS session ticket RFC 5077 lifetime advertised"
 | 
				
			||||||
          # it MAY be given a hint of the lifetime of the ticket, see https://tools.ietf.org/html/rfc5077#section-5.6 .
 | 
					          # it MAY be given a hint of the lifetime of the ticket, see https://tools.ietf.org/html/rfc5077#section-5.6 .
 | 
				
			||||||
          # Sometimes it just does not -- but it then may also support TLS session tickets reuse
 | 
					          # Sometimes it just does not -- but it then may also support TLS session tickets reuse
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
@@ -7186,20 +7214,20 @@ run_server_defaults() {
 | 
				
			|||||||
          out "$lifetime $unit"
 | 
					          out "$lifetime $unit"
 | 
				
			||||||
          if [[ $((3600 * 24)) -lt $lifetime ]]; then
 | 
					          if [[ $((3600 * 24)) -lt $lifetime ]]; then
 | 
				
			||||||
               prln_svrty_low " but: PFS requires session ticket keys to be rotated < daily !"
 | 
					               prln_svrty_low " but: PFS requires session ticket keys to be rotated < daily !"
 | 
				
			||||||
               fileout "session_ticket" "LOW" "TLS session ticket RFC 5077 valid for $lifetime $unit but PFS requires session ticket keys to be rotated at least daily!"
 | 
					               fileout "${json_prefix}" "LOW" "TLS session ticket RFC 5077 valid for $lifetime $unit but PFS requires session ticket keys to be rotated at least daily!"
 | 
				
			||||||
          else
 | 
					          else
 | 
				
			||||||
               outln ", session tickets keys seems to be rotated < daily"
 | 
					               outln ", session tickets keys seems to be rotated < daily"
 | 
				
			||||||
               fileout "session_ticket" "INFO" "TLS session ticket RFC 5077 valid for $lifetime $unit only (PFS requires session ticket keys are rotated at least daily)"
 | 
					               fileout "${json_prefix}" "INFO" "TLS session ticket RFC 5077 valid for $lifetime $unit only (PFS requires session ticket keys are rotated at least daily)"
 | 
				
			||||||
          fi
 | 
					          fi
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     pr_bold " SSL Session ID support       "
 | 
					     pr_bold " SSL Session ID support       "
 | 
				
			||||||
     if "$NO_SSL_SESSIONID"; then
 | 
					     if "$NO_SSL_SESSIONID"; then
 | 
				
			||||||
          outln "no"
 | 
					          outln "no"
 | 
				
			||||||
          fileout "session_id" "INFO" "SSL session ID support: no"
 | 
					          fileout "SSL_session_id_support" "INFO" "no"
 | 
				
			||||||
     else
 | 
					     else
 | 
				
			||||||
          outln "yes"
 | 
					          outln "yes"
 | 
				
			||||||
          fileout "session_id" "INFO" "SSL session ID support: yes"
 | 
					          fileout "SSL_session_id_support" "INFO" "yes"
 | 
				
			||||||
     fi
 | 
					     fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
     pr_bold " Session Resumption           "
 | 
					     pr_bold " Session Resumption           "
 | 
				
			||||||
 
 | 
				
			|||||||