From 110d1aa73c005ee0ea98c68ee03fcc5858b70765 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 20 Oct 2021 19:26:23 +0200
Subject: [PATCH] Add browser requirement for the entropy of cert serial
---
 testssl.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 6f9e3c7..e7df37f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8905,8 +8905,9 @@ certificate_info() {
 outln
 prln_svrty_low "${spaces}NOT ok: length must not exceed 20 bytes (is: $len_cert_serial bytes)"
 fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is too long"
- elif [[ $len_cert_serial -lt 8 ]]; then
- # Wording is from https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf
+ elif [[ $len_cert_serial -lt 8 ]] && [[ $SERVICE == HTTP ]]; then
+ # We only want this check for browsers as this requirement comes from the CA browser forum,
+ # see e.g. https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf
 prln_svrty_low " NOT ok: length should be >= 64 bits entropy (is: $len_cert_serial bytes)"
 fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is not enough entropy"
 else
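Review bot: The new `[[ $SERVICE == HTTP ]]` guard on the `elif` ties a property of the certificate to the protocol it happens to be served over: the CA/Browser Forum requirement binds the issuing CA, so the same publicly trusted certificate with a short serial is flagged on an HTTPS port but, assuming `$SERVICE` only equals `HTTP` when HTTP was detected, falls through to the `else` branch and is presumably reported as fine when testssl.sh is pointed at SMTP, IMAP or a port where service detection yields something else. A gate closer to the actual rule would be whether the chain verifies against a public (browser) trust store, or failing that keep `elif [[ $len_cert_serial -lt 8 ]]; then` and choose the severity from `$SERVICE` inside the branch (LOW for HTTP, INFO otherwise) so the finding is never silently dropped. The added comment should also state the limitation for readers of the output, e.g. `# Only enforced for HTTP: the BR rule applies to publicly trusted CAs, so private PKI on other services is deliberately not flagged`. Note as well that the check measures DER-encoded length, not entropy: a compliant 64-bit random serial whose leading byte is zero encodes to 7 bytes and would be flagged, while an 8-byte sequential serial passes, so the message "should be >= 64 bits entropy" overstates what is verified. The enclosing `certificate_info` function starts and ends outside the hunk.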