allow ca_bundles path to be configurable from command line

2025-01-10 10:40:57 +01:00 · 2016-09-16 15:58:31 +02:00 · 2016-09-16 15:58:31 +02:00 · 33b1b2f73a
commit 33b1b2f73a
parent 05fe064763
1 changed files with 8 additions and 2 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -211,6 +211,7 @@ OSSL_VER=""                             # openssl version, will be auto-determin
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
 OSSL_VER_APPENDIX="none"
+CA_BUNDLES="$INSTALL_DIR/etc/*.pem"
 HAS_DH_BITS=${HAS_DH_BITS:-false}       # initialize openssl variables
 HAS_SSL2=false
 HAS_SSL3=false
@ -3798,7 +3799,6 @@ determine_trust() {
 	local all_ok=true
 	local some_ok=false
     local code
-     local ca_bundles="$INSTALL_DIR/etc/*.pem"
     local spaces="                              "
     local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
     local addtl_warning
@ -3812,7 +3812,7 @@ determine_trust() {
          fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
     fi
     debugme outln
-	for bundle_fname in $ca_bundles; do
+	for bundle_fname in $CA_BUNDLES; do
 		certificate_file[i]=$(basename ${bundle_fname//.pem})
          if [[ ! -r $bundle_fname ]]; then
               pr_warningln "\"$bundle_fname\" cannot be found / not readable"
@ -7344,6 +7344,8 @@ tuning options (can also be preset via environment variables):
     --proxy <host>:<port>         connect via the specified HTTP proxy
     -6                            use also IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
     --sneaky                      leave less traces in target logs: user agent, referer
+     --ca-bundles <PATH>           set path to trusted ca certificates for building the chain of trust
+                                   defaults to "$INSTALL_DIR/etc/*.pem"

 output options (can also be preset via environment variables):
     --warnings <batch|off|false>  "batch" doesn't wait for keypress, "off" or "false" skips connection warning
@ -8391,6 +8393,10 @@ parse_cmd_line() {
               -E|--cipher-per-proto|--cipher_per_proto)
                    do_cipher_per_proto=true
                    ;;
+               --ca-bundles|--ca-bundles=*)
+                    CA_BUNDLES=$(parse_opt_equal_sign "$1" "$2")
+                    [[ $? -eq 0 ]] && shift
+                    ;;
               -p|--protocols)
                    do_protocols=true
                    do_spdy=true