Just get non-SNI certificate once

Currently the call to `$OPENSSL s_client` to obtain the certificate returned by the server when SNI is not provided is in `certificate_info()`, which means that it is called once for each certificate found the various called to `get_server_certificates()`.

This PR moves the call to `$OPENSSL s_client` to `run_server_defaults()` so that the call is made only once, even if more than one server certificate was found.

In addition, in most cases the certificate returned by the server when SNI is not provided will already have been retrieved by `run_server_defaults()` (in rounds 8-14), in which case `$HOSTCERT.nosni` can just be copied from there rather than making an additional call to `$OPENSSL s_client`.
This commit is contained in:
David Cooper 2017-03-24 14:16:36 -04:00
parent a395f91f0e
commit 34fa8fc98e
1 changed files with 6 additions and 2 deletions

View File

@ -5948,8 +5948,6 @@ certificate_info() {
fi fi
if [[ -n "$sni_used" ]]; then if [[ -n "$sni_used" ]]; then
# no cipher suites specified here. We just want the default vhost subject
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
@ -6393,6 +6391,7 @@ run_server_defaults() {
success[n]=$? success[n]=$?
fi fi
if [[ ${success[n]} -eq 0 ]]; then if [[ ${success[n]} -eq 0 ]]; then
[[ $n -ge 8 ]] && [[ ! -e $HOSTCERT.nosni ]] && cp $HOSTCERT $HOSTCERT.nosni
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
>$ERRFILE >$ERRFILE
if [[ -z "$sessticket_lifetime_hint" ]]; then if [[ -z "$sessticket_lifetime_hint" ]]; then
@ -6577,6 +6576,11 @@ run_server_defaults() {
tls_time tls_time
if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then
# no cipher suites specified here. We just want the default vhost subject
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
fi
for (( i=1; i <= certs_found; i++ )); do for (( i=1; i <= certs_found; i++ )); do
echo "${previous_hostcert[i]}" > $HOSTCERT echo "${previous_hostcert[i]}" > $HOSTCERT
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem