Define extract_certificates() function
This PR defines an extract_certificates() function in order to remove some redundant code from get_server_certificate(). Currently, nearly identical code appears in two places in get_server_certificate() to extract certificates from the output of `$OPENSSL s_client`, in one place for SSLv2 responses and in another for SSLv3 through TLSv1.2. The code to get the certificates used with TLSv1.3 (see https://github.com/dcooper16/testssl.sh/tree/extended_tls_sockets) would have added a third place where this same code would be needed. This PR allows the code to be written once and used in all three places.
This commit is contained in:
parent
c4e4720133
commit
288175a61f
88
testssl.sh
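--- a/testssl.sh
+++ b/testssl.sh
@@ -5976,14 +5976,49 @@ determine_tls_extensions() {
 return $success
 }
 
+extract_certificates() {
+local version="$1"
+local savedir
+local -i success nrsaved=0
+
+# Place the server's certificate in $HOSTCERT and any intermediate
+# certificates that were provided in $TEMPDIR/intermediatecerts.pem
+savedir=$(pwd); cd $TEMPDIR
+# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
+if [[ "$version" == "ssl2" ]]; then
+awk -v n=-1 '/Server certificate/ {start=1}
+/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+inc { print > ("level" n ".crt") }
+/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
+else
+awk -v n=-1 '/Certificate chain/ {start=1}
+/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+inc { print > ("level" n ".crt") }
+/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
+fi
+[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
+if [[ $nrsaved -eq 0 ]]; then
+success=1
+else
+success=0
+mv level0.crt $HOSTCERT
+if [[ $nrsaved -eq 1 ]]; then
+echo "" > $TEMPDIR/intermediatecerts.pem
+else
+cat level?.crt > $TEMPDIR/intermediatecerts.pem
+rm level?.crt
+fi
+fi
+cd "$savedir"
+return $success
+}
+
 # arg1 is "-cipher <OpenSSL cipher>" or empty
 # arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
 get_server_certificate() {
 local protocols_to_try proto
 local success
 local npn_params="" line
-local savedir
-local nrsaved=0
 
 "$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
 
@@ -6000,28 +6035,8 @@ get_server_certificate() {
 $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE
 sclient_connect_successful $? $TMPFILE && success=0
 if [[ $success -eq 0 ]]; then
-# Place the server's certificate in $HOSTCERT and any intermediate
-# certificates that were provided in $TEMPDIR/intermediatecerts.pem
-savedir=$(pwd); cd $TEMPDIR
-# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
-awk -v n=-1 '/Server certificate/ {start=1}
-/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
-inc { print > ("level" n ".crt") }
-/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
-[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
-if [[ $nrsaved -eq 0 ]]; then
-success=1
-else
-success=0
-mv level0.crt $HOSTCERT
-if [[ $nrsaved -eq 1 ]]; then
-echo "" > $TEMPDIR/intermediatecerts.pem
-else
-cat level?.crt > $TEMPDIR/intermediatecerts.pem
-rm level?.crt
-fi
-fi
-cd "$savedir"
+extract_certificates "ssl2"
+success=$?
 fi
 tmpfile_handle $FUNCNAME.txt
 return $success
@@ -6063,29 +6078,8 @@ get_server_certificate() {
 "ssl3") DETECTED_TLS_VERSION="0300" ;;
 esac
 extract_new_tls_extensions $TMPFILE
-
-# Place the server's certificate in $HOSTCERT and any intermediate
-# certificates that were provided in $TEMPDIR/intermediatecerts.pem
-savedir=$(pwd); cd $TEMPDIR
-# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
-awk -v n=-1 '/Certificate chain/ {start=1}
-/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
-inc { print > ("level" n ".crt") }
-/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
-[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
-if [[ $nrsaved -eq 0 ]]; then
-success=1
-else
-success=0
-mv level0.crt $HOSTCERT
-if [[ $nrsaved -eq 1 ]]; then
-echo "" > $TEMPDIR/intermediatecerts.pem
-else
-cat level?.crt > $TEMPDIR/intermediatecerts.pem
-rm level?.crt
-fi
-fi
-cd "$savedir"
+extract_certificates "$proto"
+success=$?
 
 tmpfile_handle $FUNCNAME.txt
 return $success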
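Review bot: `savedir=$(pwd); cd $TEMPDIR` at the top of the new extract_certificates() ignores a failed `cd`, so the `awk … > ("level" n ".crt")` writes, the `mv level0.crt $HOSTCERT` and the `rm level?.crt` that follow would then operate in whatever directory the script was started from rather than in the temp directory; `cd "$TEMPDIR" || return 1` keeps the chain extraction confined to $TEMPDIR, and the unquoted `$TEMPDIR`, `$TMPFILE` and `$HOSTCERT` expansions could be quoted in the same pass. The same pattern was in both copies removed by the later two hunks, so this is inherited rather than introduced, but the function is now the single place to fix it. The function also lacks the argument comment that get_server_certificate() carries a few lines below; `# arg1 is the protocol the certificates were retrieved with: "ssl2" selects the SSLv2 "Server certificate" marker, anything else the "Certificate chain" marker` describes the only value the code inspects, and a second line noting that it returns 0 when at least one certificate was saved and 1 otherwise would complete it.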
|