output FIX for multiple CRLs (#165)

This commit is contained in:
Dirk Wetter 2015-08-21 10:47:29 +02:00
parent 4862ece267
commit 394bde8ff5


@ -368,6 +368,20 @@ toupper() {
printf "$1" | tr '[a-z]' '[A-Z]' printf "$1" | tr '[a-z]' '[A-Z]'
} }
# prints out multiple lines in $1, left aligned by spaces in $2
out_row_aligned() {
local first=true
echo "$1" | while read line; do
if $first; then
first=false
else
out "$2"
fi
outln "$line"
done
}
tmpfile_handle() { tmpfile_handle() {
if [[ "$DEBUG" -eq 0 ]] ; then if [[ "$DEBUG" -eq 0 ]] ; then
@ -553,11 +567,12 @@ run_http_date() {
} }
# Borrowd from Glenn Jackman, see https://unix.stackexchange.com/users/4667/glenn-jackman # Borrowed from Glenn Jackman, see https://unix.stackexchange.com/users/4667/glenn-jackman
detect_ipv4() { detect_ipv4() {
local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])" local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
local ipv4address="$octet\\.$octet\\.$octet\\.$octet" local ipv4address="$octet\\.$octet\\.$octet\\.$octet"
local your_ip_msg=" (check if it's yours or e.g. a cluster IP)" local your_ip_msg=" (check if it's yours or e.g. a cluster IP)"
local result
local first=true local first=true
local spaces=" " local spaces=" "
@ -570,7 +585,7 @@ detect_ipv4() {
if egrep -vi "pagespeed|page-speed" $HEADERFILE | grep -iqE $ipv4address; then if egrep -vi "pagespeed|page-speed" $HEADERFILE | grep -iqE $ipv4address; then
pr_bold " IPv4 address in header " pr_bold " IPv4 address in header "
cat $HEADERFILE | while read line; do cat $HEADERFILE | while read line; do
result="$(echo -n "$line" | grep -E $ipv4address )" result="$(echo -n "$line" | grep -E $ipv4address)"
result=$(strip_lf "$result") result=$(strip_lf "$result")
if [ -n "$result" ] ; then if [ -n "$result" ] ; then
if ! $first; then if ! $first; then
@ -1664,6 +1679,7 @@ run_server_defaults() {
local sessticket_str lifetime unit keysize sig_algo key_algo local sessticket_str lifetime unit keysize sig_algo key_algo
local expire secs2warn ocsp_uri crl savedir startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni local expire secs2warn ocsp_uri crl savedir startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni
local policy_oid local policy_oid
local spaces=" "
outln outln
pr_blue "--> Testing server defaults (Server Hello)"; outln "\n" pr_blue "--> Testing server defaults (Server Hello)"; outln "\n"
@ -1745,7 +1761,7 @@ run_server_defaults() {
pr_bold " Fingerprint / Serial " pr_bold " Fingerprint / Serial "
outln "$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 | sed 's/Fingerprint=//' | sed 's/://g' ) / $($OPENSSL x509 -noout -in $HOSTCERT -serial | sed 's/serial=//')" outln "$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 | sed 's/Fingerprint=//' | sed 's/://g' ) / $($OPENSSL x509 -noout -in $HOSTCERT -serial | sed 's/serial=//')"
outln " $($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 | sed 's/Fingerprint=//' | sed 's/://g' )" outln "$spaces$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 | sed 's/Fingerprint=//' | sed 's/://g' )"
pr_bold " Common Name (CN) " pr_bold " Common Name (CN) "
if $OPENSSL x509 -in $HOSTCERT -noout -subject | grep -wq CN; then if $OPENSSL x509 -in $HOSTCERT -noout -subject | grep -wq CN; then
@ -1872,8 +1888,12 @@ run_server_defaults() {
cd "$savedir" cd "$savedir"
pr_bold " Certificate Revocation List " pr_bold " Certificate Revocation List "
crl=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://') crl="$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
[ x"$crl" == "x" ] && pr_literedln "--" || echo "$crl" case $(count_lines "$crl") in
0) pr_literedln "--" ;;
1) outln "$crl" ;;
*) out_row_aligned "$crl" "$spaces" ;;
esac
pr_bold " OCSP URI " pr_bold " OCSP URI "
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri) ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri)
@ -1910,7 +1930,6 @@ run_server_defaults() {
# FIXME: Trust (only CN) # FIXME: Trust (only CN)
# http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html # http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html
run_pfs() { run_pfs() {
local ret ret2 local ret ret2
@ -4699,4 +4718,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.347 2015/08/17 18:13:46 dirkw Exp $ # $Id: testssl.sh,v 1.348 2015/08/21 08:47:28 dirkw Exp $
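Review bot: out_row_aligned (first hunk) consumes certificate-derived text with a bare `read`, which interprets backslashes, and prints it via `echo "$1"`, which mishandles a first line beginning with `-n`/`-e`; the loop should be `while IFS= read -r line; do … done <<< "$1"` so untrusted URI text is passed through unchanged. In the CRL hunk the old explicit empty-string check is replaced by `count_lines "$crl"`; if count_lines is built on `wc -l` (its definition is not visible here), an empty `$crl` counts as one line and `--` is never printed, so a `[[ -z "$crl" ]] && pr_literedln "--"` guard before the `case` would preserve the old behaviour. The `grep -A 4 "CRL Distribution"` in the same hunk caps how many distribution-point URIs reach the new multi-line output, so extra URIs are silently dropped; that limit predates this commit but now matters since multiple CRLs are the point of the change. out_row_aligned lies wholly within the hunk, while run_server_defaults starts and ends outside it.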