Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-04 00:34:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2698 from testssl/fixDockerOcspCall

Browse Source 
Fix --phone-out + ocsp, also in docker container
This commit is contained in:
Dirk Wetter 2025-03-15 17:11:52 +01:00 committed by GitHub
commit 2090bdc849
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -3,7 +3,7 @@
ARG LEAP_VERSION=15.6 ARG LEAP_VERSION=15.6
ARG INSTALL_ROOT=/rootfs ARG INSTALL_ROOT=/rootfs
FROM opensuse/leap:${LEAP_VERSION} as builder FROM opensuse/leap:${LEAP_VERSION} AS builder
ARG CACHE_ZYPPER=/tmp/cache/zypper ARG CACHE_ZYPPER=/tmp/cache/zypper
ARG INSTALL_ROOT ARG INSTALL_ROOT

19
testssl.sh
View File

@ -2052,6 +2052,7 @@ check_revocation_ocsp() {
local host_header="" local host_header=""
local openssl_bin="$OPENSSL" local openssl_bin="$OPENSSL"
local addtl_warning="" local addtl_warning=""
local smartswitch=false
"$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@ -2087,6 +2088,7 @@ check_revocation_ocsp() {
# See #2516 and probably also #2667 and #1275 . # See #2516 and probably also #2667 and #1275 .
if [[ -x "$OPENSSL2" ]]; then if [[ -x "$OPENSSL2" ]]; then
openssl_bin="$OPENSSL2" openssl_bin="$OPENSSL2"
smartswitch=true
[[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin " [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
fi fi
else else
@ -2094,19 +2096,26 @@ check_revocation_ocsp() {
fi fi
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
# This the follwomg is the default (like "-header Host r11.o.lencr.org")
host_header="-header Host ${host_header}" host_header="-header Host ${host_header}"
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
[[ $OSSL_VER_MAJOR -ge 3 ]]; then if "$smartswitch" ; then
host_header="-header Host=${host_header}" case $(openssl version -v | awk -F' ' '{ print $2 }') in
# for those versions it's "-header Host=r11.o.lencr.org"
3.*|1.1*) host_header=${host_header/Host /Host=} ;;
esac
else else
host_header="-header Host ${host_header}" case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
3.*|1.1*) host_header=${host_header/Host /Host=} ;;
esac
fi fi
$openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \ $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$? success=$?
fi fi
if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
response="$(grep -F "$HOSTCERT: " "$tmpfile")" response="$(grep -F "$HOSTCERT: " "$tmpfile")"
response="${response#$HOSTCERT: }" response="${response#$HOSTCERT: }"