Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1067 from dcooper16/revocation_checking_errors

Browse Source 
Fix false "revoked" results for CRL and OCSP checking
This commit is contained in:
Dirk Wetter
2018-06-05 10:33:42 +02:00
committed by GitHub
parent 626e0fc65a 02d1071b9c
commit 1be25f9cf7
1 changed files with 31 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
testssl.sh
View File

@@ -247,6 +247,7 @@ UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo)
NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true
declare -r CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS declare -r CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
GOOD_CA_BUNDLE="" # A bundle of CA certificates that can be used to validate the server's certificate
MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""} MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""}
if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then if [[ -n "$MEASURE_TIME_FILE" ]] && [[ -z "$MEASURE_TIME" ]]; then
MEASURE_TIME=true MEASURE_TIME=true
@@ -1451,10 +1452,11 @@ check_revocation_crl() {
local crl="$1" local crl="$1"
local jsonID="$2" local jsonID="$2"
local tmpfile="" local tmpfile=""
local scheme local scheme retcode
local -i success local -i success
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0
scheme="$(tolower "${crl%%://*}")" scheme="$(tolower "${crl%%://*}")"
# The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs. # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
[[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0 [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
@@ -1474,22 +1476,38 @@ check_revocation_crl() {
return 1 return 1
fi fi
# -crl_download could be more elegant but is supported from 1.0.2 onwards only # -crl_download could be more elegant but is supported from 1.0.2 onwards only
$OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
pr_warning "conversion of "$tmpfile" failed" pr_warning "conversion of "$tmpfile" failed"
fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed" fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed"
return 1 return 1
fi fi
cat $TEMPDIR/intermediatecerts.pem "${tmpfile%%.crl}.pem" >$TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem if grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem; then
$OPENSSL verify -crl_check -CAfile $TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem $TEMPDIR/host_certificate.pem &>$ERRFILE $OPENSSL verify -crl_check -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT &> "${tmpfile%%.crl}.err"
else
$OPENSSL verify -crl_check -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") $HOSTCERT &> "${tmpfile%%.crl}.err"
fi
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
out ", " out ", "
pr_svrty_good "not revoked" pr_svrty_good "not revoked"
fileout "$jsonID" "OK" "not revoked" fileout "$jsonID" "OK" "not revoked"
else else
out ", " retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err")
pr_svrty_critical "revoked" if [[ "$retcode" == "23" ]]; then # see verify_retcode_helper()
fileout "$jsonID" "CRITICAL" "revoked" out ", "
pr_svrty_critical "revoked"
fileout "$jsonID" "CRITICAL" "revoked"
else
retcode="$(verify_retcode_helper "$retcode")"
out " $retcode"
retcode="${retcode#(}"
retcode="${retcode%)}"
fileout "$jsonID" "WARN" "$retcode"
if [[ $DEBUG -ge 2 ]]; then
outln
cat "${tmpfile%%.crl}.err"
fi
fi
fi fi
return 0 return 0
} }
@@ -1503,6 +1521,8 @@ check_revocation_ocsp() {
local host_header="" local host_header=""
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0
grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
@@ -1513,7 +1533,7 @@ check_revocation_ocsp() {
fi fi
$OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \ $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
if [[ $? -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then if [[ $? -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
response="$(grep -F "$HOSTCERT: " "$tmpfile")" response="$(grep -F "$HOSTCERT: " "$tmpfile")"
response="${response#$HOSTCERT: }" response="${response#$HOSTCERT: }"
@@ -6218,6 +6238,7 @@ verify_retcode_helper() {
case $retcode in case $retcode in
# codes from ./doc/apps/verify.pod | verify(1ssl) # codes from ./doc/apps/verify.pod | verify(1ssl)
44) tm_out "(different CRL scope)" ;; # X509_V_ERR_DIFFERENT_CRL_SCOPE
26) tm_out "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE 26) tm_out "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE
24) tm_out "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA 24) tm_out "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA
23) tm_out "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED 23) tm_out "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED
@@ -6292,6 +6313,7 @@ determine_trust() {
if [[ ${verify_retcode[i]} -eq 0 ]]; then if [[ ${verify_retcode[i]} -eq 0 ]]; then
trust[i]=true trust[i]=true
some_ok=true some_ok=true
[[ -z "$GOOD_CA_BUNDLE" ]] && GOOD_CA_BUNDLE="$bundle_fname"
debugme tm_svrty_good "Ok " debugme tm_svrty_good "Ok "
debugme tmln_out "${verify_retcode[i]}" debugme tmln_out "${verify_retcode[i]}"
else else
@@ -6977,6 +6999,7 @@ certificate_info() {
spaces=" " spaces=" "
fi fi
GOOD_CA_BUNDLE=""
cert_sig_algo="$(awk -F':' '/Signature Algorithm/ { print $2; if (++Match >= 1) exit; }' <<< "$cert_txt")" cert_sig_algo="$(awk -F':' '/Signature Algorithm/ { print $2; if (++Match >= 1) exit; }' <<< "$cert_txt")"
cert_sig_algo="${cert_sig_algo// /}" cert_sig_algo="${cert_sig_algo// /}"
cert_key_algo="$(awk -F':' '/Public Key Algorithm:/ { print $2; if (++Match >= 1) exit; }' <<< "$cert_txt")" cert_key_algo="$(awk -F':' '/Public Key Algorithm:/ { print $2; if (++Match >= 1) exit; }' <<< "$cert_txt")"