From 903eeec97b3c6e0fcc85a83957c4996dc773df38 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Tue, 14 Jul 2020 22:23:11 +0200
Subject: [PATCH 1/3] Start of implementing of hanno's bad OCSP intermediate CA detector

see https://github.com/hannob/badocspcert
---
 testssl.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/testssl.sh b/testssl.sh
index 425f17b..dbfd4ef 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8965,6 +8965,30 @@ certificate_info() {
 # https://certs.opera.com/03/ev-oids.xml
 # see #967
 
+ # courtesy Hanno Boeck (see https://github.com/hannob/badocspcert)
+ out "$indent"; pr_bold " Bad OCSP intermediate"
+ out " (exp.) "
+ jsonID="cert_bad_ocsp"
+ badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
+
+#FIXME: there might be >1 certificate. We parse the file intermediatecerts.pem
+# but just raise the flag saying the chain is bad w/o naming the intermediate
+# cert to blame. We should have split intermediatecerts.pem e.g. into
+# intermediatecert1.pem, intermediatecert2.pem before
+ badocsp=1
+ for pem in "$TEMPDIR/intermediatecerts.pem"; do
+ hash=$($OPENSSL x509 -in "$pem" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
+ grep -q "$hash" "$badocspcerts"
+ badocsp=$?
+ [[ $badocsp -eq 0 ]] && break
+ done
+ if [[ $badocsp -eq 0 ]]; then
+ prln_svrty_medium "NOT ok"
+ fileout "${jsonID}${json_postfix}" "MEDIUM" "NOT ok is/are intermediate certificate(s)"
+ else
+ fileout "${jsonID}${json_postfix}" "OK" "intermediate certificate(s) is/are ok"
+ fi
+
 out "$indent"; pr_bold " ETS/\"eTLS\""
 out ", visibility info "
 jsonID="cert_eTLS"

From eb7b0c96444d1197a4d36cde68c4eeac8d95a71c Mon Sep 17 00:00:00 2001
From: Dirk
Date: Tue, 14 Jul 2020 22:26:23 +0200
Subject: [PATCH 2/3] add hash file

---
 etc/bad_ocsp_certs.txt | 293 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 293 insertions(+)
 create mode 100644 etc/bad_ocsp_certs.txt

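Review bot: `grep -q "$hash" "$badocspcerts"` followed by `badocsp=$?` maps every non-zero status to "not listed", so a missing or unreadable bad_ocsp_certs.txt (grep exits 2) is printed and written to the JSON as OK, while an empty `$hash` — should any stage of the openssl pipeline produce no output — matches every line and flags the chain. Check the list once before the loop with `[[ -s "$badocspcerts" ]]` and emit a warning instead of the OK verdict when that fails, skip the lookup inside the loop when `$hash` is empty, and compare whole lines as fixed strings with `grep -qxF -- "$hash" "$badocspcerts"`. The same lookup is carried over unchanged into the third patch's hunk @@ -8969,15 +8971,22 @@. certificate_info() begins and ends outside this hunk.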
diff --git a/etc/bad_ocsp_certs.txt b/etc/bad_ocsp_certs.txt
new file mode 100644
index 0000000..e3b84f5
--- /dev/null
+++ b/etc/bad_ocsp_certs.txt
@@ -0,0 +1,293 @@ +wXYR23sxE2HiDXuCMarfR4vLf/oL5YXAbeIwkiPC74o= +/bNF0mk3ftnTQwi7eIVjKzDmH46vt+tedfgCTV/U4Yc= +16BtRir8gNcRg9lKOYstzIJYNefGbaXkVAVXLwSwWl0= +gptouX8R3uNEhXrBLrQM5QLuUmARIwFv3r8UIAkaQEg= +VEULJ4BS+pGRFgDLmPMQCg+1gVKNj+q5i2/++KSMmY4= +c50MOnG2w3fL0cQIrnzBlzLCy++GINY7Fsn9AYXfmnE= +VQdJ/141xAfVFdmLMnUEvEhP2q4opxOv5OIoKYa+BOg= +Qavo+alRqJkPvc0+FM9HnUJkAbEV8BcBibZl6UDDYyw= +iKuWH2T5No9MTRMH9Z1OWcXlcPhSpsUROo/yjgQxUVc= +zXQZjUwj5HAd6leYkjIbnk9HoIvYN0cQuJmq0UlaSzU= +vEicbcK94lP1hto0E01mQLi1g6MSCJzhCTPEvAP8XzM= +89kW0bcyAfBJ7afll/4KXM1XEaaVj7wLem9/pk96/kc= +h6rZeKX+LulB5AaPmWPqKb2qWIeNJBIkmoLNIvgSbYI= +REzv7dg/YxXF7Iay8c1jsdvyOHz6K+sPtAAVPyr5QI8= +6keT4uuBTUMmH4Borv3ng7g358AhrBnI6bCFUfLWyD8= +DLZoT2AcQW+ZKolAmRSjKgwgmXFodfX3jsDEaxtXCZw= +fTW/BMhXKCtCLoUeqKYit10uzLq2XVumJZjB2koR1QI= +TefMrLUJmUJkSVDyzIYTQBJWXGFNUap9MIf6wZaVihQ= +kO5UjrrKyrQCB6YaN4zhhrlNJK58Vb/IMGXqlgcuKzg= +EaJ2cYciZURctyWOsoRO5hTRR3e59vc76VMhIvIfrQ0= +HLRwcoz1bzAgA7sOTrBiQU+hHU+X4/BhFwyWyIBx1xE= +ysBfTwUIEJkybc8nxNlwqKPqkU5nkq2swQSWEcntQ7o= +7AICWhoVeywCrEn1Wai2zwchJvg3lJn658Uu0YPakBI= +VvMhZ/AD2PLLc4qzhsNcoVJlzCmpjuEGbNPhrFVsoVw= +7r7fhG8dug6Iqba5qw/2Xwl/KEwGpkqTnujFyebzE/Q= +U1cNBeQNxi+d+R0Vr7AVtWqqaAwgzBaObVfZRsnOJoQ= +9kDlZDxAwfMp4QBDjijJV2ka+opT5AWjJvev63DCO8E= +GwRlNTeOB9EKzaok7vziBCC7mllhFOtHXKaWNXdT6SU= +fTOuYYzWJVM3fSU9LryihdhOmKkk2J+Y1L5P7jH5Kqg= +wC2KMO1psvhk7Y+xpjo+clUoiSDKKUvcow9jiY+5GVw= +BOy6j5K/90WMSl58aSYfx+LvUtWvVPvdkrFxQbvgZR8= +48UkTRX44LA09QCQO32hHFfBZWF1uGYIx/zcVh0IG/Y= +lA0vISoqOcyEvULQ9txPe6TEd+elqZIslrn17BTkpsg= +WXK5vUcQF9XzJwW+6RVwNiZXX4snCjnBwxLH+SRsENQ= +q/OAPNKTniaAPlIoCoH2fEbD4O51/Nux4w+wOjIaz60= +N9IgpsdSJ5kCEZE0nBg/kXvhvoYmz5JrD9bgqGge4DE= +QqtNnxgJRU6+wkXY2wb/YaqCibBaJj3+6WYtrJFmYEM= +Bb+2YF1IUWpXG6+af/dTdhMEcNpe5/9oTCZy6qDAyK0= +/UwrmT4DVukNT5+9I2He8aSYN4zuzrkt12/grX4sexY= +k5BxSx2Qn6PXDdx2gbOPB+1OY1bLXHGRXRvc1I/jNfg= +MafFefJNVWLNsgP6Fanyw/9dwfLmv3wL2V+8sBFMjSE= +jlzqHRASUhwnpOEScHArx8mhFW8TUHPWyk5C7ugmJJ4= +Irbr3umwptpcn6ztJ7+dzgmAPCr8EfdrXAvPR7f31WA= 
+gP3kKCEq8MoKxTHu5u0t89PCpFV9/OhXBw/JR5IumyQ= +P+i+OSoIaEuZ9JfmGMfd9aAqQom/nQjllQRZMb+6gU8= +3Ist7lDdR4qxNcrCac6miFFVepEpq82Y31ITsj2/s80= +UCx6hwNB175n2ybb+s+WR6/YmoVL+IEvpO9ww1bsE+U= +vzmkJB9C1SI2iUSz3FPtnqpax3NeJC4GJ8DdW7pxRIQ= +OuaZ2U6P69rLhtT5DUCQMzNHjmXgZVxDJFEZfjP6B/I= +oloZVGgZ0EgADvnGV3xLzY0hVbHkNGpFmdbIt5eZ1KE= +8YRCvt9wtNFSETVscrZZMyvtA//Tu6evqqvm3p1yMAI= +2IiPSoT3TJdN/7Vzob9bu6zRcTuQUJb46wFQYr85bE0= +BkNqyNDI4SCltfqMK83LLx+AWF55x3t+D40PYWjZxF4= +Uk5bOlWNX/AafEYCahS1jHfPne+6aR6sjkoX+sKjo7Y= +1B0jxRVZ9l5cIlA9enq/XNll7DnGHGmKfZjXl69we0g= +XIDlafzuk/FaK8BDUQKyagT1qh7JkSwToFiBwarVAtI= +3gqS5UNbYTII3ENezHFYvyj0IKk+CpHVlllyBT9SNUk= +IcrbfNgi6hO0luJau4FRx/sA77se5FijtKTzwWvDwW8= +7T23SNbXju/wuUUrxqAuA5A5xVB1pDkyO4uoX7Ibndo= +SyTFIcR2AOg4AKP/DC1Y3ALIF3732ml8WoDB1IZ6Zt0= +XbHSLXBmhPBxnokC+4azRrP8nk0aH5IoOkiLw9GgSEs= +P3hQJbzPrKRwGhc0zg97MM5BBpQsjZL0G3CwZ+1l01Q= +FQc8a73HRpmohRjCelfJVuXiPWypYZ5SGkaMeHPeT4o= +qbVpjFJjvv89YHINwYRMuV0W8G4EJovOO+TWAoKwHvk= +o38cCp3HIpi2H5M8tUxlQ4Y3sm2+29HmuAgnnz2tMOU= +Pq1PcvBvEFSIHSco3gM6jhP63mvRZQhAGOuUPBc3jao= +2FU6KIDpa3qkx0E92QOv09WAUEaV3SahaP1IzOexR0o= +UH22DSY9PQnSg94uOqQ139h3XlK8M1cC44Mru1fsHL0= +Uz/pfrRfztJASeQe/p2yVKXdnZDf1TyVEsYgftsh2Cw= +0o20NeMSEqO9zPh2IPZUS5mpwCMov5g+iC/QYnodEw8= +X2yqRKRmPEQd2SyLZlX7+Xz24daTTbj1+Nl633Az+qw= +X79u1PD4etpl+ueqq0rZ4bWlhpOa7fs5pJJr5/ZcZQw= +hTY6JMsbZubPYkTofSQ9u4MG9gc1fGFMucTCJKDgQ1g= +fggrvFaXaxWdRpZUCpa2AUhhS6m14psgNfeJvs+/Blc= +vs/eEkzt00TZJctV7dpmLZqcBoj6mghwzj27baQxPk4= +T/QE8C4s0AGI8V0cAPS20eOLWjlc+FMU6uuoVbamS3U= +8i22V6GpKYQavKxSZxpc7op9BpWGr4XOFt4rBd2iIlI= +ON7T/2gnV5AIr0iH65aYo8+pJ/qO1Z8GugkPuaY+LXc= +cFYQcjyWE/ZBMYHK33PVEHG9dh/aSRQj4avQAVAbZPM= +lylXMEAxI07Rdnn9y5dVbWFz1fK/Dm5m1hJoDKbndoU= +VnmkMeedTrnulnxg2HA8fHj0Q/cduXFX5DBZ3kLYUN8= +ziMyOQIIdCoaymUTl0xMnbJpHq9FaLUz5KF+1d2pc+Y= +x0It4hzryS7K5r6dzX5xHuZQ0wrtcR+7Dfayx4S2xPs= +OUzLvAs1lcoN7UAHL6+YY27QIWma0olFZIeRZbW11Mk= +xhkwd8YYnR37v4E7h9x8vwSYrPcniHvH7FQyCQbem8g= +ApN5EY5XdSJsVNcYKjZ6JAtRdw9QEbs1F3z9F9myRFo= 
+ThB8mBtCrL5BwBBn4W1E22SBTUGT5XIxfqBLh8ecR18= +1Ia/o/ANFl7iz2Jw/afQCBfljNot9Polbg8usSLPjwI= +6+h7tBiFAnCfREBVJZq7IrxRuIyQhBmhNVnfyO9mMNE= +rxiY1/Bjh1HAddAULU4qDqcx/GIjJPFT/hvztq/ZrxM= +LgGRdRygy6gcOmM43uGgK41rzE8fgmG4CbzOerrxpD0= +TCQc/j0/+2DKiNawalUqsc8O99jS4I2hUoK1UZLrvSk= +Yy/Wl7rK8e0jJRfsm3Yit8JeFEiwzGJrMyhnGeNRzoo= +OALkJFFveO6sMpqumx9gpBLb4dWwldesncDc3ePB9fs= +8DdiFAXg81ZQfiOfrdZHhC07UIV8PP+ECFkXT3L2/Rg= +OTuLFcq8OIb7LkFkldY8i63Y3K+HVSB2yKCpY3wk3kc= +d+rEdkU8tzIlf/FmpevRZWyx9nO2jijfQXdBM5efoqQ= +X/rEPg3cW0rytpb2vE236R3zFLuP4NBxOgsaetKmj6w= +FHxEf+64YgK1AzFPyvADa+qu9DfDm1azWOxEap0gOH8= +Qs/dpvZguOW0wcQRllpFGTElWeMmL422nS2uF7JrO6M= +e0ZNw4T9saUlwswnntDHz60kvs9yxGp9cJPRV8IXYH4= +rgO5rRcQaih4WDCx3NY2eXxMZNgcuNFhWV26+DQz5kw= +rkGVTarL/T5bn9cHj3tvquYbVZ7Oee+O2FitjAIqejw= +Fmz4lA9HJR1VUo7Z5Z4melkqToo43T1on43LpknpS3M= +0Dnu/3EIjMDxagWo/zxhYQ4UHR6FCsfhH3cT7uiMuVE= +gxB49+Ifpx/iT5HXGOSlcynv5vSHGxJhFdXSc7+tn3Y= +YmQD4Ho5PnB8iKRwRQSRcEsSK2TRGDI5F91NQfwGPDg= +V0k5vjI5lVaapElYqzCJ9jmpyG45ezg+9g6ZRGSbQwo= +8O5ZFO2UxyUtBYtOOYCK7m+o9izwl0+31tKp3xbjqH8= +2/EmjBPmRa31jRYmxDNr0/qFoaTRAyDDHqDn0KZgiJY= +zYmOTBarGJLzY6Rh4RAzPHTp3Us+Z+IjZMzAMOu1718= +5UEx8Tn8I8Kcm9MiLhrnEVYZTK3SgXIt3mEwOXl46GE= +EcYS0zK0wSJCUqb+L4o5bbr0A9+cy2IFbeOZWIBKuC8= +nHyngZxD4CplRlj7NmUL2KPyKpuFNe81fiu8i5IakOI= +v1SpOD9EZi517KIusOR/LCNeXRGKfoluyLZFkWy6aOk= +AaBwYTqusQLERGiiMVWeO2bRmC7GQ1iRkJqeazZkI9I= +prt/LZfwpe6H5EaWrtD6IQWjOw73Dc9ocygcbroIE84= +lu8zwkqLHxbPFw9DIh4X5ir/aQqLAU8kUpv+s49AoNo= +YOh1YzkH5QH7JqEK+9lzAhxTri9gGHFFhxYOg9UuGaI= +3YcG9HnxHbxsapDBI1j/oAo3MfC+0rG2UpBIMI3MEuM= +nk5sCNP756rPK3o/wrrD1swblHU/PJYVIj1qj2txcj4= +JTTsG9dMPBt2YaDnzCjxvfKoLM05Q+6q3Nj+2VBV6tE= +z2TrVpvtIKtWfKZcicZOoeeIxmBHoO8exeS9LlbKwnE= +rUcj6rVaV0U6X1W/W/dvygi1p/I5tCabOqm44Uk1MB0= +nM3gEf9hnDId/o1kkM2N4Thn0ZOpte5qb1rED2HXEcU= +gFp7gGAab/tKveY170dwXq4XYg3vnPr2FGK2LXxLiGo= +cWCg2EGxxcEgoIyS3iMmSD2Q2b/OGYS91v9KtrfSc8M= +qQ+X1rXHYS4CDLvPB0YgDJZ24YKMWoUL5ryIjDRfpLU= +nACcovl+osvygXNgDe9velTFZkWZuKtQDuGIWlbk8nA= 
+rJWg/X4L9eG+bwKgQvDwmmV6euEnLt7FBatrmmEWeCw= +ZAF9eLXwwExBlzXWpKbVLsHSARUkOw18dFB+JX/6SkA= +OGTWwQAfAMSqgdzbN14qC0348ooaqZ+h84t0vOgtWxg= +Yv3R3U29JpQAZqoDD82kUbK8IUP+zmWoqgP8C9MR8P0= +vL0E1K7ZYsnSWv4M+vhjjOFDFlKYjsUhcynnVZrDxnE= +z4mkHf7l9xdA3vYCc13b8d6+DLgW1zmA2aWDxYgc53g= +OoglMMA+phXl702tvXyGYJEvqT+vUIhxb7Rqjh/6khg= +HJJmkCoxw5QbUG1E0NTQbsnbdlXmX5VXZZ+rdospCxs= +fLiI73QNy/wMIL2kTywmGfbQ1FmPuTLQN9ryeAd3c6U= +WONo7k1hW4iOEcVSsss7Rp8wrEv0jYs3m1EAnAgmQ+w= +yXgWNowrekYIszRNvmhI2L0SEmDC952siskMrhfI5Xw= +O/HkFQPH8CPQ1Mr/vo5RJiwscxC8bZbozI0UOmAK7oA= +PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY= +jZz9mPUrHCxvTpztPR2ZWSfvsNVjj73wiDTQ9yyikRg= +s5YnQBRBzrQv9sf5g+DyqSMNGHdAPJ9AllyHV86/19Y= +ePE8SR4TAgaDfDqu2lXFby1dYN0NGXkQhD9G1freNek= +4qtqY+hkbg8jKCDtBH29RICWdFYhFJHJGvonr1qVVbk= +AFHJiSTyOb1Jq4yPaAL4uc9K1B6zJy8aNMDNbWHcs9Q= +j0FFvUjMm/ciklkj59LQnMy+mXOlODjKNvlWH3TownE= +LAlx85e6hzewM1hFVpBllJNqzhdTpaS+Xi8RtCukt1k= +UVh8hnv2bzXs5VSgjgpBwTuLvZtZ0mLSBKcDCaZyvuY= +VbDNLMrRjiWXfZBtrJ+ouGQ9eiWOezg38RV6E6wZ0Yc= +/T5EKAyNy+jPjPVVEeBmnIU3lF2h+nRowOpStobdW2g= +dNmS05ELz340uLXNKPkerrT0Hz2mOU14uMQ2ctQ/Tw8= +CrEV3p0Saj1OoQ3fCGPMnYlWdE63tMzat+V9agblhRg= +e4X20IWbJAozYzdKEYHgEgIQR9ztI1KoQfblW10HfqU= +QlIC1Lv9qbeZ0Peqkn2UT0LMpCN8L8GYdbkHXes1piE= +D3UQNcGOHTkunMVXxX6UpV0S+7CG8mpFKeJhNiW/0Tw= +yErgHs0gLa++7h8OZ5ZG3ozNZT14RnGKO19OEpMkKYo= +UrY9G9COg73HI9ex/pYs7BgG5/U/dvLHCFjKNSk6HcE= +4KZw9PEFfpF56dtF4zPON+PuMcNJnxxYSlh72aX1NkA= +oBmBHkNpykxiqqgKFUlhPmD2xc7Tg6+ded+Pjxk/Hf4= +Af1hSHk5SzrhSSUvwVaYZ0FZzlVQZp/5EokuGYNaHkw= +gyJm1rqMv8vyjgYUoB2fTDm45B98h9IHfbtsA4QMqcI= +5z8fGaRFmmBnpF6E21hdbB348SpznXM/WyiZZUbxh1o= +jAFyH2+p0h38KDZvUkNOqLRL+IQ/HEM7llv2WTNE6zY= ++Hiz3yE7CBe/8eXvTozXybV8gP/J+KcwnqRqr1QLrhg= +tA1oOJ/QQcVuKT+j1X19t5LdALYuvf8ZCw4mRAcsk0o= +Q9tljdTkAg+LXGvXEH4V4jNFmiJs0Nd++PcrKxzCmv4= +oK8UGM0U9rJBXsYxbH1Yi7JdQwo9bQJvV94g+WXqvdw= +weRTSNcUy0fbssC5uvm6HyfkIAR82nqLaTVkMATKq5c= +jmkw14oTnzgnFGpZRu+f46dzmbL9DOuwsu0I7hih11g= +2FLeXQmAht/ppvPXKNUmGGVYfEid5nV1PScjdKXW6fw= 
+6Mpy7LmIXCTqKd4OrJdwQnjSoeWbZmZtMn+wzGvdkS8= +SHR1jWVj4EM7HtzufMxdnCqtjroSvLBwRFS7Tvjq95k= +tc/msLKqhhoLNnwMBTlaU4rUk6nfARVEqO/EaH/bLMg= +uWj7/D7KKFqtw40jZ3JyQf99NzPxJ4+KT1DsyMDvHoA= +/x3SHxpdC0Us2WnPSqVTg1yr4Ck8bHsAnxRaogLALIs= +gGoqp37b08dtj9Bm37XMMxDzWbAQLOksD67BaqQ//wo= +M81TfgCducdYpWhDXAZwb58BE4BU4gud3JPgOXE4qms= +jZkhf/gtYOTfWb6KESFiXN/8TyLyHhJjod8G0twLVA4= +xrclJq9F1orhZnHp8cJFMECNk4+PBEfhEG4vKnDTrSE= +YPBm3Hik4ukpocjtEC7bcH3wMYH4L99Q1TpS2sNVxls= +dkoNhNVVLNWHLHNGTzfwIXXNpwWIECsTraKgGZ/EA+k= +Ko2+vTr9uXK8H3fP576FBoiM/tNe38VMuqY446WrPv8= +W9DA1XmAFWfzOI/mRO95CrMeLbIkbq9MiB5aV9mgpYI= +xbZ5EGlYFS+D+1iG3cQfB4UZPvZ8aXW+PlCfF/KbeoY= +kFjVBl+PPppjqv5c6Jp2RHCw3vnc87nsfQWH+riP66A= +1WAk8MXZI31+CyOFBn2O+I7dro7BmZafXKoszClp2YI= +rCiRmOxpliiAP4hD3WPHZOhWuCdM957bjtjpmXlpf5U= +x0eO33MQG6Eu7N3zSMd0f/94nvtAHMjcrfrglClUPlQ= +4P+T6QVsSO3ca2jpTzFcOiIp6c4krzNjTTTV7wMjMok= +Qf2VNoVpPOZ9DSPMkcoXkmHWuZSLIdO75fet++U5gt4= +3oPj/CRfawSJMeHIE06qypb6p7HvHROV86Ys4BSwUYI= +BmTx7u7RpzVXACAdL0Qx3EOwvOqxKajKv9Tth9BDQe8= +cbPtjO7MwGOM0gIrQm6SF2YnHeYjZ8fNhS7C8eERHnY= +zgJQ8qnxj2jV/5RKTGWfZpL3PgNpzswhX18lfjIlmHg= +t3h0inkrj5HwSwG6/DGjHtfvanEq/4C2YQ2are4get8= +iGWwLhQDkWdWEyLIwewud8R89763MdL+HLusv3LRdyw= +6Va4oVaHH3HUNMrHjr0j1Q79GrkHYc5DbnnQOu0TZkw= +wXOXph2a+dKiKczyYqsdMrSph6E0rlvZ3k/BVfAN0W4= +TzBNg2b/kJHt121TO+1Vko5zt6qtUuNbhudip38EaU4= +DzMgaSsXqRbOVPfk2nv+Ui+zGxrCHgiHdrN8B6NO4qg= +4MJ6zLmueGBbYeeCbAIdkczS92mljEvW2lRgC5njVDg= +FslKjMwVyYOCW1vT8txo1pTIoyDyMo7NjJylfeUdoOU= +AfiXESH0ED0wvkI1zX3A7ubGrhL8p3UISOoOLhP8JCg= +JbrMQKU5K4Kq3qBJA5BaRnEh8oIg5vL34P6YKq/BT6Y= ++5U8T8AEWEbQJJHI7M84e6NDR8F6uw6m1Z9t5NLx6gQ= ++1Tuqbzo6eqXghVPPUFCd/twn0m5R9c5eKwnhUbCzgM= +yKk01qjoRfemX1yPcf5E9Si4XjJldaDWeTnHTYDNF9g= +HJQqIqAWoeVVna537FzoZx+YrgukrC3CWUGOjh6flK0= +z3O1LQQbcwm0OdFiR0FLkMnSbkTjh0ijZQDVgptRh/k= +v17fvuuFmZxRacvz9NtjtnmtLh4icvw3lfn5kh5tBIc= +oBM75bFOAjEKLUvqtgEJTxGU7ovW/Snd/nuTR0Z8Luw= +ygBap14zWUvR3txYTh505RmOux3oiSntTz4un/zjhzs= +I6dHBNd6A8/T/xnmLFAISCFObGD9Kq733Oeo+e6fkjI= 
+O5Zo9Z9V+jg4/Co7gLf5tbE9Gkbx6qbgvP8ExUGYBWw= +WkBVNcESoKga8NKsyjw/m8Gmd1hs28Yzy09fd44aNVA= +kVPkQg3cfrTm6GSqA3fa30CC7NNQUhE2OOBdPClrwAY= +3QOOh+C00sNpaA0954Y4qzn8HX5QYymWkhEBdo241Ng= +TmPxQkAahPikc9bd7jQaFh+tqG00MMjCxTRTZBPZ25c= +cW824XTQWVrowV39agxJjpe2plWz8g/lSIyo+exgktY= +mk45jSqmA/7RCGPANi4TkNl+wS+gJ4/XgqqzzdV9wh0= +O7YMQ5NGQUpA4twtHW9WYiV40rHygyR2fBSQFaY/80o= +9dLSumgXp6mqDiE1S78Ob5XF4ofuiM8vJ58P/sTtrBU= +cBtDKsDN1NnPlbS4hMMr9cypDUTgFhq9E7k01o44BHI= +xMfENr2I6OaNsAKX34OsyBnhmGOboAUiyOMkWHaJhSM= +XN2AnPRPX4Zl6sFQVVBMWwa3h6wYKUUFvbq0p35Q13Y= +RgOPYyYijNtWYZxSJmYT2gTIykmeDQOw7c/8EQ1c/HA= +7cc0xQFQHceidEj6AsdJMfhXi/KXsXPzS4QegsZpGSY= +J9b9r4ApeEbf7/guf1i5pIrJ4+6ToRKxu+JD7hqXRHw= +yBksMve0nH8yocoAFZWn+eNsnnIFjW6qG6t3UqjBZxg= +vkCBOGmrJ6Bx0SrWqIMFg+vDthjj8jRjWfSxGhyUNO4= +HoZCeMIIgbZxwMbS4UthFQrR8Tz5LG7BS1UNy8R+FUE= +VMN6joU/0dY3jTeLk5MH7DIaMcwaWonnGAYzvBPxh2I= +nomO0D+kaWlpDa1zxylmdQRf+bWgEAo5m+uENamPUYU= +Sw0TktORVzUyB6ZMyxRoPd6dLO0ftYsW4Di+VwfCeBM= +eqRdb1sU2rHGhEwZwoBOFLWBHm7eHwKwrvBlp7NZxo8= +lMZj6epcJ+5PZBJ/m0JYY+mRqeFWwH3xoAgDrjF2QWI= +Logg3A6vrj1tKFwFfs4URws3dDiwAs7dTHK080OlT0M= +TnB4Z5RqwFNDxrqP8SHqZqdYA3kTJXqO5JdDUNOaEDQ= +wlxO28NuP7fD2Te+6fLSnjavsHz6MYgmLg1f3JGeDXc= +Xn/LnJe9pWmTsWWNEgIydh1mWjZEU0MA+mpb7F4NV5U= +ETE43XshZyWEAjji1+7ss3ONsTkGSyTLhT/CcKSeYFc= +vjPRxX693ZJ7V722BL5Fe1Uv5Wjn89y6CTw57Rwwojk= +g/yJGzUNng1+vm3Spr/j0LD0ZT/KBIYVpd7rvAOaP2Y= +VyZLgqhk26HBHvP4CruUysNmBmKwwi9XH/mTs/vPdvs= +dKvl5czrdUkf9yxM8yVAXYrb/jkOGJz0MLpg5ieYh44= +wv6s1nSHjHsMIyWi7O0KMz23eAqG3+w3WBAO/AEBxmU= +ndwuDVW0YeDHMigoLfVrK+8iTKI4VoHRe26MB3hSVzw= +MG6XOeNFj/RUaHe3BLLjkF5YsjXWTjL08CaskbcpXRU= +/ToPPdRIAJK21FBHPeuSAaCzCKiAeDOjxzj4oH64HtM= +Cqny59lccYt9HrfM29AWToYFeunWaSK8YPmQP5Sg8O8= +9XCaLS9otTv29kW7F4rflTRvif2lxjv94IBComSSqrI= +66NMexCWcWFMNn4d4HUSTDlUzhn4X6z2EJDsMZ9/Gn8= +Eo3tGorWDCS0JU4x25T8Q5K/k+1UNEcqpDoLmFYQYGg= +txawif5OU9Gi73ulesheaOxyLPYQUsJaWWJq07FcX0A= +al9MFnjKZeWfBg1Xzf9mUGUxSGHVOo59FFDKktlsoQI= +q8hnBsmNa/ZzcvkI7AGt9jGxkdczron4ND6wR7EIFEs= 
+QEfJ1pJgwHITvLhgin7F4oOKVrefZ4R4EurAd40NJ/E= +kl7n1aIq1/vpurVNfI0LmnT341qK9q9kXi6MNRmnCS8= +8GjeqhjMAtWovjXLgzgyeRApH25i5yFqk0dkoaukqAA= +sf466/ljp4gOdLCwVWaB6osczOPmmn07EKaKy+huSKE= +//4HdQP9cvDlM4sKe04hjn0f+C5JPn6FKuUaocdYXRc= +lcanR90Lx1WhlBgn6JS4CDWSJBt5JUHi6xsw+5sT9X8= +DTF2xY8yGqNMV8jffBfR9OdseX7BFsnx1pd0jtH859k= +DW5GeE87aU6cdQZ4ZBe8b4f50vc9GbXoCBYSshE3t2Y= +l4vPOcPDqs7+EEj6A2AoPcLr+lFQAkxeN4UU0+decpU= +LYGa85fiidxBcJxKr22jsZBHScN6mVhgdFgDcW19VpA= +oaBOTPxW/RkX60gfxGYpouRmVnVvoI4iSH9Utk4co+c= +Zj/elPiDah/r2DvoMQl5MS1l/4wbcWOU5o9B2COWwfg= +SDlfccwm9kJ0vQbH6xWR+dTsYrZPpsFlMfPLcsJGnYI= ++AhlYjZyW1ZvByHFGBWKZ1bJaQPLcetI3dqO3f6g8mw= +TngnF2hJQIjtH5uycSUxq10TjGxZtGZQ0oWzWFjmexM= +QqIfNyhYBPLnNgdctUh0Nozw4hEAiLPxOEEu7IhZCVQ= +RnFuv2oirqHfH5fmKl73CVEnzkVQtiQuumkHr8XEgs8= +iH1/Het/BxLIWvq/UMrfib8C6xPlUsv1LXtd8/IdsNo= +VbgN72B/iOMcWEBn0J1DNE2UEXuvZINlhHsc5bZ2d8k= +/DqYk44u07024NQfGFF2STIpBrLmszaQiRMlquzRlkQ= +UjV1BHNxu6iCY+WrXe2PawaVxdKhkqbdEUBsR2ujxy8= +KlCKX+YXPE6PASZpShpqcdkABFH6MdsDO4cFiQRB7MU= +/S8zJI85ZFZGh5gCNaXwvLOrVi5H9AT3QuUzQsU3UoA= +U4pFqvkAPU05iLv8+fhZsyXOX3ddwGASBQWFF/m8FeU= +50rUSw1W7r45uxhcUqub7+T3WJm2qBQW6RA9XCm/J/s= +53rALbbqoOmmtXOpmHDG3029uDOd2jvEB4b3DivX9/Y= +HpU+FRI6leRwRL+vBrGXT7mXa4T0Nx69d/itge/QXAA= +5Xu/UHn5gpO0FC80iXLmjjUeUrkDc/BfRvCcyzCvW/A= +vUQgxZKm9/JSromBJOAC8bnP4fJTiGTVazSntN+zH8g= +CE7KcKm0Dk4VY+NXdrcW5BCpcrsn7VHCSMSNMkL6ja8= +bsjTVRvQRUsMxLnbh2Nmrgh2TF/PFbAPlBG94w1TNq4= +qONS2wyOJ7rlg9AVFG6Led7gkdVjj1g6DEQvO/Vd7rM= +LRskT6zq+tlHVbXpmqv3rJHFmdpzv6Rh7uuvtLlptck= +6tyA999jBWDMGzU/aOpmAVnOlm4i1ARYh4B4fAR20OQ= +IuXm21yuQo7alq7QVk4rl3DsoswCUVjjep3e7eMfReU= From d07d1f102ed233e76e697beba4d4114f3e1b234c Mon Sep 17 00:00:00 2001 
From: Dirk
Date: Tue, 14 Jul 2020 23:42:06 +0200
Subject: [PATCH 3/3] Works now

* open: generation of intermediate certificate files. We do that at several places. But for some reasons I do not understand currently we remove those files.
* we don't name the offending certificate
---
 testssl.sh | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index dbfd4ef..6bd0294 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8314,13 +8314,14 @@ certificate_info() {
 local certificate_list_ordering_problem="${12}"
 local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
 local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
+ local badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
 local -i lineno_matched=0
 local cert_keyusage cert_ext_keyusage short_keyAlgo
 local outok=true
 local expire days2expire secs2warn ocsp_uri crl
 local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 local issuer_DC issuerfinding cn_nosni=""
- local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
+ local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
 local policy_oid
 local spaces=""
 local -i trust_sni=0 trust_nosni=0 diffseconds=0
@@ -8342,6 +8343,7 @@ certificate_info() {
 local response=""
 local yearstart yearend clockstart clockend y m d
 local gt_825=false gt_825warn=false
+ local badocsp=1
 
 if [[ $number_of_certificates -gt 1 ]]; then
 [[ $certificate_number -eq 1 ]] && outln
@@ -8969,15 +8971,22 @@ certificate_info() {
 out "$indent"; pr_bold " Bad OCSP intermediate"
 out " (exp.) "
 jsonID="cert_bad_ocsp"
- badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
 
-#FIXME: there might be >1 certificate. We parse the file intermediatecerts.pem
-# but just raise the flag saying the chain is bad w/o naming the intermediate
-# cert to blame. We should have split intermediatecerts.pem e.g. into
-# intermediatecert1.pem, intermediatecert2.pem before
- badocsp=1
- for pem in "$TEMPDIR/intermediatecerts.pem"; do
- hash=$($OPENSSL x509 -in "$pem" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
+# There might be >1 certificate, so we split intermediatecerts.pem e.g. into
+# intermediatecert1.crt, intermediatecert2.cert.
+#FIXME: This is redundant code. We do that elsewhere, e.g. before in extract_certificates()
+# and run_hpkp() at least but didn't keep the result
+#
+#FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
+# cert to blame.
+
+ awk -v n=-1 "{start=1}
+ /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+ inc { print > (\"$TEMPDIR/intermediatecert\" n \".crt\") }
+ /---END CERTIFICATE-----/{ inc=0 }" "$TEMPDIR/intermediatecerts.pem"
+
+ for cert in $TEMPDIR/intermediatecert?.crt; do
+ hash=$($OPENSSL x509 -in "$cert" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
 grep -q "$hash" "$badocspcerts"
 badocsp=$?
 [[ $badocsp -eq 0 ]] && break
@@ -8986,6 +8995,7 @@ certificate_info() {
 prln_svrty_medium "NOT ok"
 fileout "${jsonID}${json_postfix}" "MEDIUM" "NOT ok is/are intermediate certificate(s)"
 else
+ prln_svrty_good "Ok"
 fileout "${jsonID}${json_postfix}" "OK" "intermediate certificate(s) is/are ok"
 fi
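Review bot: `for cert in $TEMPDIR/intermediatecert?.crt; do` is an unquoted glob and, without nullglob, an unmatched pattern is handed to the loop as a literal filename, so when the awk split produced no file the openssl call fails under `2>/dev/null`, the digest of empty input is looked up and the chain is reported OK; `?` also matches a single character only, so intermediatecert9.crt is checked but intermediatecert10.crt would be skipped. Put `[[ -r "$cert" ]] || continue` as the first line of the loop body and match with `intermediatecert*.crt`. In the awk program `{start=1}` runs for every record, so `if (start)` is always true and the variable can be dropped. `hash` is not among the locals added in this patch's first hunk; unless certificate_info() declares it elsewhere it is set as a global. The function body continues past this hunk.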