From 34784b6c6a101b5f5d47b510454317ee5db6a4a6 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 9 Jan 2020 13:52:28 +0100 Subject: [PATCH] Fix HTTP time for recent OpenBSD See #1429. OpenBSD 6.6 had an offset with the HTTP header time of -3600 seconds. This PR fixes that by adding the GMT time zone to parse_date()'s HAS_FREEBSDDATE incarnation. That doesn't matter to FreeBSD. Also now for older OpenBSDs the local and remote time are now in the same format: ``` HTTP clock skew remote: Thu, 09 Jan 2020 12:52:32 GMT local: Thu, 09 Jan 2020 12:52:02 GMT `` so that a time difference is easier to spot. --- testssl.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 9e53482..2021941 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1880,7 +1880,7 @@ if "$HAS_GNUDATE"; then # Linux and NetBSD } elif "$HAS_FREEBSDDATE"; then # FreeBSD, OS X and newer (~6.6) OpenBSD versions parse_date() { - LC_ALL=C date -j -f "$3" "$2" "$1" + LC_ALL=C TZ=GMT date -j -f "$3" "$2" "$1" } elif "$HAS_OPENBSDDATE"; then # We bascially echo it as a conversion as we want it is too difficult. Approach for that would be: @@ -2198,7 +2198,7 @@ run_http_header() { fi # Populate vars for HTTP time - debugme echo "$NOW_TIME: $HTTP_TIME" + debugme echo "NOW_TIME: $NOW_TIME | HTTP_TIME: $HTTP_TIME" # Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested # so far seem not to be fine with header containing x0d x0a (CRLF) which is the usal case. @@ -2279,7 +2279,8 @@ match_ipv4_httpheader() { run_http_header "$1" || return 1 fi - # Whitelist some headers as they are mistakenly identified as ipv4 address. Issues #158, #323. Also facebook has a CSP rule for 127.0.0.1 + # Whitelist some headers as they are mistakenly identified as ipv4 address. Issues #158, #323. + # Also facebook used to have a CSP rule for 127.0.0.1 if grep -Evai "$whitelisted_header" $HEADERFILE | grep -Eiq "$ipv4address"; then pr_bold " IPv4 address in header " count=0 @@ -2308,7 +2309,7 @@ run_http_date() { local spaces=" " jsonID="HTTP_clock_skew" - if [[ $SERVICE != "HTTP" ]] || "$CLIENT_AUTH"; then + if [[ $SERVICE != HTTP ]] || "$CLIENT_AUTH"; then return 0 fi if [[ ! -s $HEADERFILE ]]; then @@ -2320,8 +2321,8 @@ run_http_date() { if "$HAS_OPENBSDDATE"; then # we can't normalize the date under OpenBSD thus no subtraction is possible outln "remote: $HTTP_TIME" - out "${spaces}local: $(date)" - fileout "$jsonID" "INFO" "$HTTP_TIME - $(date)" + out "${spaces}local: $(LC_ALL=C TZ=GMT date "+%a, %d %b %Y %T %Z")" + fileout "$jsonID" "INFO" "$HTTP_TIME - $(TZ=GMT date "+%a, %d %b %Y %T %Z")" else HTTP_TIME="$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE)" difftime=$((HTTP_TIME - NOW_TIME)) @@ -2335,7 +2336,7 @@ run_http_date() { out "Got no HTTP time, maybe try different URL?"; fileout "$jsonID" "INFO" "Got no HTTP time, maybe try different URL?" fi - debugme tm_out ", epoch: $HTTP_TIME" + debugme tm_out ", HTTP_TIME in epoch: $HTTP_TIME" outln match_ipv4_httpheader "$1" return 0