Just get non-SNI certificate once
Currently the call to `$OPENSSL s_client` to obtain the certificate returned by the server when SNI is not provided is in `certificate_info()`, which means that it is called once for each certificate found the various called to `get_server_certificates()`. This PR moves the call to `$OPENSSL s_client` to `run_server_defaults()` so that the call is made only once, even if more than one server certificate was found. In addition, in most cases the certificate returned by the server when SNI is not provided will already have been retrieved by `run_server_defaults()` (in rounds 8-14), in which case `$HOSTCERT.nosni` can just be copied from there rather than making an additional call to `$OPENSSL s_client`.
This commit is contained in:
parent
a395f91f0e
commit
34fa8fc98e
|
@ -5948,8 +5948,6 @@ certificate_info() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$sni_used" ]]; then
|
if [[ -n "$sni_used" ]]; then
|
||||||
# no cipher suites specified here. We just want the default vhost subject
|
|
||||||
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
|
||||||
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
|
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
|
||||||
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
|
||||||
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
|
||||||
|
@ -6393,6 +6391,7 @@ run_server_defaults() {
|
||||||
success[n]=$?
|
success[n]=$?
|
||||||
fi
|
fi
|
||||||
if [[ ${success[n]} -eq 0 ]]; then
|
if [[ ${success[n]} -eq 0 ]]; then
|
||||||
|
[[ $n -ge 8 ]] && [[ ! -e $HOSTCERT.nosni ]] && cp $HOSTCERT $HOSTCERT.nosni
|
||||||
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.get_server_certificate.txt" $TMPFILE
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
if [[ -z "$sessticket_lifetime_hint" ]]; then
|
||||||
|
@ -6577,6 +6576,11 @@ run_server_defaults() {
|
||||||
|
|
||||||
tls_time
|
tls_time
|
||||||
|
|
||||||
|
if [[ -n "$SNI" ]] && [[ $certs_found -ne 0 ]] && [[ ! -e $HOSTCERT.nosni ]]; then
|
||||||
|
# no cipher suites specified here. We just want the default vhost subject
|
||||||
|
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO") 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
|
||||||
|
fi
|
||||||
|
|
||||||
for (( i=1; i <= certs_found; i++ )); do
|
for (( i=1; i <= certs_found; i++ )); do
|
||||||
echo "${previous_hostcert[i]}" > $HOSTCERT
|
echo "${previous_hostcert[i]}" > $HOSTCERT
|
||||||
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
|
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
|
||||||
|
|
Loading…
Reference in New Issue