Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'SAN_preferred' into 2.9dev

Browse Source
This commit is contained in:
Dirk
2017-06-09 13:48:28 +02:00
parent 69fa8ca378 861b38bce5
commit 30d3233cb4
1 changed files with 69 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
testssl.sh
View File

@@ -5500,7 +5500,9 @@ certificate_info() {
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
local policy_oid local policy_oid
local spaces="" local spaces=""
local trust_sni=0 trust_nosni=0 has_dns_sans local -i trust_sni=0 trust_nosni=0
local has_dns_sans has_dns_sans_nosni
local trust_sni_finding
local -i certificates_provided local -i certificates_provided
local cnfinding trustfinding trustfinding_nosni local cnfinding trustfinding trustfinding_nosni
local cnok="OK" local cnok="OK"
@@ -5782,12 +5784,11 @@ certificate_info() {
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san"
else else
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]]; then
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280, https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining"
pr_svrty_medium "missing (NOT ok)"; outln " -- Browser will complain soon" fileout "${json_prefix}san" "HIGH" "subjectAltName (SAN) : -- Browsers are complaining"
fileout "${json_prefix}san" "MEDIUM" "subjectAltName (SAN) : -- Browser will complain soon"
else else
pr_svrty_low "missing"; outln " -- no SAN is deprecated" pr_svrty_medium "missing"; outln " -- no SAN is deprecated"
fileout "${json_prefix}san" "LOW" "subjectAltName (SAN) : -- no SAN is deprecated" fileout "${json_prefix}san" "MEDIUM" "subjectAltName (SAN) : -- no SAN is deprecated"
fi fi
fi fi
out "$indent"; pr_bold " Issuer " out "$indent"; pr_bold " Issuer "
@@ -5849,19 +5850,19 @@ certificate_info() {
0) trustfinding="certificate does not match supplied URI" ;; 0) trustfinding="certificate does not match supplied URI" ;;
1) trustfinding="Ok via SAN" ;; 1) trustfinding="Ok via SAN" ;;
2) trustfinding="Ok via SAN wildcard" ;; 2) trustfinding="Ok via SAN wildcard" ;;
4) if $has_dns_sans; then 4) if "$has_dns_sans"; then
trustfinding="Ok via CN, but not SAN" trustfinding="via CN, but not SAN"
else else
trustfinding="Ok via CN" trustfinding="via CN only"
fi fi
;; ;;
5) trustfinding="Ok via SAN and CN" ;; 5) trustfinding="Ok via SAN and CN" ;;
6) trustfinding="Ok via SAN wildcard and CN" 6) trustfinding="Ok via SAN wildcard and CN"
;; ;;
8) if $has_dns_sans; then 8) if "$has_dns_sans"; then
trustfinding="Ok via CN wildcard, but not SAN" trustfinding="via CN wildcard, but not SAN"
else else
trustfinding="Ok via CN wildcard" trustfinding="via CN (wildcard) only"
fi fi
;; ;;
9) trustfinding="Ok via CN wildcard and SAN" 9) trustfinding="Ok via CN wildcard and SAN"
@@ -5871,14 +5872,24 @@ certificate_info() {
esac esac
if [[ $trust_sni -eq 0 ]]; then if [[ $trust_sni -eq 0 ]]; then
pr_svrty_medium "$trustfinding" pr_svrty_high "$trustfinding"
trust_sni="fail" trust_sni_finding="HIGH"
elif "$has_dns_sans" && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then
pr_svrty_medium "$trustfinding" if [[ $SERVICE == "HTTP" ]]; then
trust_sni="warn" # https://bugs.chromium.org/p/chromium/issues/detail?id=308330
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
# https://www.chromestatus.com/feature/4981025180483584
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
trust_sni_finding="HIGH"
else
pr_svrty_medium "$trustfinding"
trust_sni_finding="MEDIUM"
# we punish CN matching for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1
! "$has_dns_sans" && out " -- CN only match is deprecated"
fi
else else
pr_done_good "$trustfinding" pr_done_good "$trustfinding"
trust_sni="ok" trust_sni_finding="OK"
fi fi
if [[ -n "$cn_nosni" ]]; then if [[ -n "$cn_nosni" ]]; then
@@ -5886,35 +5897,56 @@ certificate_info() {
trust_nosni=$? trust_nosni=$?
$OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \ $OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \
grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \ grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \
has_dns_sans=true || has_dns_sans=false has_dns_sans_nosni=true || has_dns_sans_nosni=false
fi fi
# See issue #733.
if [[ -z "$sni_used" ]]; then if [[ -z "$sni_used" ]]; then
trustfinding_nosni="" trustfinding_nosni=""
elif "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then elif ( [[ $trust_sni -eq $trust_sni ]] && [[ "$has_dns_sans" == "$has_dns_sans_nosni" ]] ) || \
trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" ( [[ $trust_sni -eq 0 ]] && [[ $trust_nosni -eq 0 ]] ); then
elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then trustfinding_nosni=" (same w/o SNI)"
trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" elif [[ $trust_nosni -eq 0 ]]; then
elif [[ $trust_nosni -eq 0 ]] && ( [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]] ); then if [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
trustfinding_nosni=" (SNI mandatory)" trustfinding_nosni=" (w/o SNI: certificate does not match supplied URI)"
elif [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]]; then else
trustfinding_nosni=" (SNI mandatory)"
fi
elif [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] || [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
case $trust_nosni in
1) trustfinding_nosni="(w/o SNI: Ok via SAN)" ;;
2) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard)" ;;
4) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN, but not SAN)"
else
trustfinding_nosni="(w/o SNI: via CN only)"
fi
;;
5) trustfinding_nosni="(w/o SNI: Ok via SAN and CN)" ;;
6) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN)" ;;
8) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN wildcard, but not SAN)"
else
trustfinding_nosni="(w/o SNI: via CN (wildcard) only)"
fi
;;
9) trustfinding_nosni="(w/o SNI: Ok via CN wildcard and SAN)" ;;
10) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN wildcard)" ;;
esac
elif [[ $trust_sni -ne 0 ]]; then
trustfinding_nosni=" (works w/o SNI)" trustfinding_nosni=" (works w/o SNI)"
elif [[ $trust_nosni -ne 0 ]]; then else
trustfinding_nosni=" (however, works w/o SNI)" trustfinding_nosni=" (however, works w/o SNI)"
else
trustfinding_nosni=""
fi fi
if "$has_dns_sans" && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then if [[ -n "$sni_used" ]] || [[ $trust_nosni -eq 0 ]] || ( [[ $trust_nosni -ne 4 ]] && [[ $trust_nosni -ne 8 ]] ); then
prln_svrty_medium "$trustfinding_nosni"
else
outln "$trustfinding_nosni" outln "$trustfinding_nosni"
elif [[ $SERVICE == "HTTP" ]]; then
prln_svrty_high "$trustfinding_nosni"
else
prln_svrty_medium "$trustfinding_nosni"
fi fi
if [[ "$trust_sni" == "ok" ]]; then fileout "${json_prefix}trust" "$trust_sni_finding" "${trustfinding}${trustfinding_nosni}"
fileout "${json_prefix}trust" "INFO" "${trustfinding}${trustfinding_nosni}"
else
fileout "${json_prefix}trust" "WARN" "${trustfinding}${trustfinding_nosni}"
fi
out "$indent"; pr_bold " Chain of trust"; out " " out "$indent"; pr_bold " Chain of trust"; out " "
if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then