mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Merge pull request #1427 from drwetter/825_days
Check for certificates with a life time >825 days when issued after 2018/03/01
This commit is contained in:
commit
256d4d32ab
@ -4,9 +4,11 @@
|
|||||||
### Features implemented in 3.0
|
### Features implemented in 3.0
|
||||||
|
|
||||||
* Full support of TLS 1.3, shows also drafts supported
|
* Full support of TLS 1.3, shows also drafts supported
|
||||||
|
* Extended protocol downgrade checks
|
||||||
* ROBOT check
|
* ROBOT check
|
||||||
* Better TLS extension support
|
* Better TLS extension support
|
||||||
* Better OpenSSL 1.1.1 and higher versions support
|
* Better OpenSSL 1.1.1 and higher versions support as well as LibreSSL >3
|
||||||
|
* More robustness for OpenBSD
|
||||||
* DNS over Proxy and other proxy improvements
|
* DNS over Proxy and other proxy improvements
|
||||||
* Decoding of unencrypted BIG IP cookies
|
* Decoding of unencrypted BIG IP cookies
|
||||||
* Initial client certificate support
|
* Initial client certificate support
|
||||||
@ -27,7 +29,7 @@
|
|||||||
* TLS Robustness check (GREASE)
|
* TLS Robustness check (GREASE)
|
||||||
* Server preference distinguishes between TLS 1.3 and lower protocols
|
* Server preference distinguishes between TLS 1.3 and lower protocols
|
||||||
* Mark TLS 1.0 and TLS 1.1 as deprecated
|
* Mark TLS 1.0 and TLS 1.1 as deprecated
|
||||||
* Does a few startup checks which make later tests easier and faster (determine_optimal_\*() )
|
* Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``)
|
||||||
* Expect-CT Header Detection
|
* Expect-CT Header Detection
|
||||||
* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
|
* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
|
||||||
* `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
|
* `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
|
||||||
|
@ -64,7 +64,7 @@ $html =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew
|
|||||||
$debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew X /;
|
$debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew X /;
|
||||||
|
|
||||||
$debughtml =~ s/ Pre-test: .*\n//g;
|
$debughtml =~ s/ Pre-test: .*\n//g;
|
||||||
$debughtml =~ s/.*OK: below 5 years.*\n//g;
|
$debughtml =~ s/.*OK: below 825 days.*\n//g;
|
||||||
|
|
||||||
printf "\n%s\n", "Checking that using the --debug option doesn't affect the HTML file";
|
printf "\n%s\n", "Checking that using the --debug option doesn't affect the HTML file";
|
||||||
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug");
|
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug");
|
||||||
|
103
testssl.sh
103
testssl.sh
@ -150,7 +150,7 @@ declare -r -a CMDLINE_ARRAY=("$@") # When performing mass testing
|
|||||||
declare -a MASS_TESTING_CMDLINE # command line in the form of an array (see #702 and http://mywiki.wooledge.org/BashFAQ/050).
|
declare -a MASS_TESTING_CMDLINE # command line in the form of an array (see #702 and http://mywiki.wooledge.org/BashFAQ/050).
|
||||||
|
|
||||||
|
|
||||||
########### Some predefinitions: date, sed (we always use test and not try to determine
|
########### Some predefinitions: date, sed (we always use test and NOT try to determine
|
||||||
# capabilities by querying the OS)
|
# capabilities by querying the OS)
|
||||||
#
|
#
|
||||||
HAS_GNUDATE=false
|
HAS_GNUDATE=false
|
||||||
@ -158,13 +158,14 @@ HAS_FREEBSDDATE=false
|
|||||||
HAS_OPENBSDDATE=false
|
HAS_OPENBSDDATE=false
|
||||||
if date -d @735275209 >/dev/null 2>&1; then
|
if date -d @735275209 >/dev/null 2>&1; then
|
||||||
if date -r @735275209 >/dev/null 2>&1; then
|
if date -r @735275209 >/dev/null 2>&1; then
|
||||||
# it can't do any conversion from a plain date output
|
# It can't do any conversion from a plain date output.
|
||||||
HAS_OPENBSDDATE=true
|
HAS_OPENBSDDATE=true
|
||||||
else
|
else
|
||||||
HAS_GNUDATE=true
|
HAS_GNUDATE=true
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# FreeBSD and OS X date(1) accept "-f inputformat"
|
# FreeBSD and OS X date(1) accept "-f inputformat"
|
||||||
|
# so newer OpenBSD versions >~ 6.6.
|
||||||
date -j -f '%s' 1234567 >/dev/null 2>&1 && \
|
date -j -f '%s' 1234567 >/dev/null 2>&1 && \
|
||||||
HAS_FREEBSDDATE=true
|
HAS_FREEBSDDATE=true
|
||||||
|
|
||||||
@ -1877,14 +1878,23 @@ if "$HAS_GNUDATE"; then # Linux and NetBSD
|
|||||||
parse_date() {
|
parse_date() {
|
||||||
LC_ALL=C date -d "$1" "$2"
|
LC_ALL=C date -d "$1" "$2"
|
||||||
}
|
}
|
||||||
elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X
|
elif "$HAS_FREEBSDDATE"; then # FreeBSD, OS X and newer (~6.6) OpenBSD versions
|
||||||
parse_date() {
|
parse_date() {
|
||||||
LC_ALL=C date -j -f "$3" "$2" "$1"
|
LC_ALL=C date -j -f "$3" "$2" "$1"
|
||||||
}
|
}
|
||||||
elif "$HAS_OPENBSDDATE"; then
|
elif "$HAS_OPENBSDDATE"; then
|
||||||
|
# We bascially echo it as a conversion as we want it is too difficult. Approach for that would be:
|
||||||
|
# printf '%s\n' "$1" | awk '{ printf "%04d%02d%02d\n", $4, $2, (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3}'
|
||||||
|
# 4: year, 1: month, 2: day, $3: time (e.g. "Dec 8 10:16:13 2016")
|
||||||
|
# This way we could also kind of convert args to epoch but as newer OpenBSDs "date" behave like FreeBSD
|
||||||
parse_date() {
|
parse_date() {
|
||||||
# we just echo it as a conversion as we want it is not possible
|
local tmp=""
|
||||||
echo "$1"
|
if [[ $2 == +%s* ]]; then
|
||||||
|
echo "${1// GMT}"
|
||||||
|
else
|
||||||
|
tmp="$(printf '%s\n' "$1" | awk '{ printf "%04d-%02d-%02d %08s\n", $4, (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, $2, $3 }')"
|
||||||
|
echo "${tmp%:*}" # remove seconds, result now is in line with GNU date 2016-12-08 10:16
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
parse_date() {
|
parse_date() {
|
||||||
@ -8119,7 +8129,8 @@ certificate_info() {
|
|||||||
local provides_stapling=false
|
local provides_stapling=false
|
||||||
local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
|
local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
|
||||||
local response=""
|
local response=""
|
||||||
local a b c yearstart yearend
|
local yearstart yearend clockstart clockend y m d
|
||||||
|
local gt_825=false gt_825warn=false
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
[[ $certificate_number -eq 1 ]] && outln
|
[[ $certificate_number -eq 1 ]] && outln
|
||||||
@ -8674,37 +8685,51 @@ certificate_info() {
|
|||||||
# For now we leave this here. We may want to change that later or add infos to other sections (PFS & vulnerability)
|
# For now we leave this here. We may want to change that later or add infos to other sections (PFS & vulnerability)
|
||||||
|
|
||||||
out "$indent"; pr_bold " Certificate Validity (UTC) "
|
out "$indent"; pr_bold " Certificate Validity (UTC) "
|
||||||
|
|
||||||
# FreeBSD + OSX can't swallow the leading blank:
|
# FreeBSD + OSX can't swallow the leading blank:
|
||||||
enddate="${cert_txt#*Validity*Not Before: *Not After : }"
|
|
||||||
enddate="${enddate%%GMT*}GMT"
|
|
||||||
startdate="${cert_txt#*Validity*Not Before: }"
|
startdate="${cert_txt#*Validity*Not Before: }"
|
||||||
startdate="${startdate%%GMT*}GMT"
|
startdate="${startdate%%GMT*}GMT"
|
||||||
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
|
enddate="${cert_txt#*Validity*Not Before: *Not After : }"
|
||||||
|
enddate="${enddate%%GMT*}GMT"
|
||||||
debugme echo "$enddate - $startdate"
|
debugme echo "$enddate - $startdate"
|
||||||
# In all OS except OpenBSD it'll be reduced to "2017-02-27 11:03"
|
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
|
||||||
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
|
||||||
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
|
||||||
|
|
||||||
if "$HAS_OPENBSDDATE"; then
|
if "$HAS_OPENBSDDATE"; then
|
||||||
# best we are able to do under OpenBSD
|
# Best we want to do under old versions of OpenBSD, first just remove the GMT and keep start/endate for later output
|
||||||
days2expire=""
|
startdate="$(parse_date "$startdate" "+%s")"
|
||||||
read a b c yearstart tz <<< "$startdate"
|
enddate="$(parse_date "$enddate" "+%s")"
|
||||||
read a b c yearend tz <<< "$enddate"
|
# Now we extract a date block and a time block which we need for later output
|
||||||
# we only take the year here as OpenBSD's date is not for conversion
|
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
diffseconds=$((yearend - yearstart))
|
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
diffseconds=$((diffseconds * 3600 * 24 * 365))
|
read yearstart clockstart <<< "$startdate"
|
||||||
|
read yearend clockend <<< "$enddate"
|
||||||
|
debugme echo "$yearstart, $clockstart"
|
||||||
|
debugme echo "$yearend, $clockend"
|
||||||
|
y=$(( ${yearend:0:4} - ${yearstart:0:4} ))
|
||||||
|
m=$(( ${yearend:5:1} - ${yearstart:5:1} + ${yearend:6:1} - ${yearstart:6:1} ))
|
||||||
|
d=$(( ${yearend:8:2} - ${yearstart:8:2} ))
|
||||||
|
# We take the year, month, days here as old OpenBSD's date is too difficult for real conversion
|
||||||
|
# see comment in parse_date(). In diffseconds then we have the estimated absolute validity period
|
||||||
|
diffseconds=$(( d + ((m*30)) + ((y*365)) ))
|
||||||
|
diffseconds=$((diffseconds * 3600 * 24))
|
||||||
|
# Now we estimate the days left plus length of month/year:
|
||||||
|
yearnow="$(date -juz GMT "+%Y-%m-%d %H:%M")"
|
||||||
|
y=$(( ${yearend:0:4} - ${yearnow:0:4} ))
|
||||||
|
m=$(( ${yearend:5:1} - ${yearnow:5:1} + ${yearend:6:1} - ${yearnow:6:1} ))
|
||||||
|
d=$(( ${yearend:8:2} - ${yearnow:8:2} ))
|
||||||
|
days2expire=$(( d + ((m*30)) + ((y*365)) ))
|
||||||
else
|
else
|
||||||
|
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
|
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
||||||
days2expire=$((days2expire / 3600 / 24 ))
|
days2expire=$((days2expire / 3600 / 24 ))
|
||||||
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
|
||||||
|
fi
|
||||||
|
# We adjust the thresholds by %50 for LE certificates, relaxing warnings for those certificates.
|
||||||
# . instead of \' because it does not break syntax highlighting in vim
|
# . instead of \' because it does not break syntax highlighting in vim
|
||||||
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
|
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
|
||||||
days2warn2=$((days2warn2 / 2))
|
days2warn2=$((days2warn2 / 2))
|
||||||
days2warn1=$((days2warn1 / 2))
|
days2warn1=$((days2warn1 / 2))
|
||||||
fi
|
fi
|
||||||
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
|
|
||||||
fi
|
|
||||||
debugme echo -n "diffseconds: $diffseconds"
|
debugme echo -n "diffseconds: $diffseconds"
|
||||||
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
|
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
|
||||||
if ! grep -qw not <<< "$expire" ; then
|
if ! grep -qw not <<< "$expire" ; then
|
||||||
@ -8736,8 +8761,9 @@ certificate_info() {
|
|||||||
fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
||||||
fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
|
fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
|
||||||
|
|
||||||
|
# Internal certificates or those from appliances often have too high validity periods.
|
||||||
|
# We check for ~10 years and >~ 5 years
|
||||||
if [[ $diffseconds -ge $((3600 * 24 * 365 * 10)) ]]; then
|
if [[ $diffseconds -ge $((3600 * 24 * 365 * 10)) ]]; then
|
||||||
# certificate is valid >= 10 years
|
|
||||||
out "$spaces"
|
out "$spaces"
|
||||||
prln_svrty_high ">= 10 years is way too long"
|
prln_svrty_high ">= 10 years is way too long"
|
||||||
fileout "cert_validityPeriod${json_postfix}" "HIGH" "$((diffseconds / (3600 * 24) )) days"
|
fileout "cert_validityPeriod${json_postfix}" "HIGH" "$((diffseconds / (3600 * 24) )) days"
|
||||||
@ -8745,9 +8771,32 @@ certificate_info() {
|
|||||||
out "$spaces"
|
out "$spaces"
|
||||||
prln_svrty_medium ">= 5 years is too long"
|
prln_svrty_medium ">= 5 years is too long"
|
||||||
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days"
|
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days"
|
||||||
|
elif [[ $diffseconds -ge $((3600 * 24 * 825)) ]]; then
|
||||||
|
# Also "official" certificates issued from March 1st, 2018 aren't supposed
|
||||||
|
# to be valid longer than 825 days which is 1517353200 in epoch seconds
|
||||||
|
# (GNUish: date --date='01/31/2018 00:00:00' +"%s")
|
||||||
|
gt_825=true
|
||||||
|
if "$HAS_OPENBSDDATE"; then
|
||||||
|
if [[ 20180301 -le ${yearstart//-/} ]]; then
|
||||||
|
gt_825warn=true
|
||||||
|
fi
|
||||||
|
elif [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -ge 1517353200 ]]; then
|
||||||
|
gt_825warn=true
|
||||||
|
fi
|
||||||
|
# Now, the verdict, depending on the issuing date
|
||||||
|
out "$spaces"
|
||||||
|
if "$gt_825warn" && "$gt_825"; then
|
||||||
|
prln_svrty_medium ">= 825 days issued after 2018/03/01 is too long"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) >= 825 days"
|
||||||
|
elif "$gt_825"; then
|
||||||
|
outln ">= 825 days certificate life time but issued before 2018/03/01"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / (3600 * 24) )) < 825 days"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
[[ "$DEBUG" -ge 1 ]] && outln "${spaces}OK: below 5 years certificate life time"
|
# All is fine with valididy period
|
||||||
fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / (3600 * 24) )) days"
|
# We ignore for now certificates < 2018/03/01. On the screen we only show debug info
|
||||||
|
[[ "$DEBUG" -ge 1 ]] && outln "${spaces}DEBUG: all is fine with certificate life time"
|
||||||
|
fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
|
Loading…
Reference in New Issue
Block a user