Fix #981

This commit fixes #981 by using a while loop instead of a for loop to check each DNS name in the SAN extension, copying the syntax used in certificate_info() to display all of the SANs.
2025-10-30 21:35:26 +01:00 · 2018-02-06 14:05:27 -05:00
parent 364011b6ca
commit 39990f5ace
1 changed files with 13 additions and 12 deletions
--- a/testssl.sh
+++ b/testssl.sh
@@ -6235,26 +6235,27 @@ compare_server_name_to_cert()

     # Check whether any of the DNS names in the certificate match the servername
     dns_sans="$(get_san_dns_from_cert "$cert")"
-     for san in $dns_sans; do
-          [[ $(toupper "$san") == "$servername" ]] && ret=1 && break
-     done
+     while read san; do
+          [[ -n "$san" ]] && [[ $(toupper "$san") == "$servername" ]] && ret=1 && break
+     done <<< "$dns_sans"

     if [[ $ret -eq 0 ]]; then
          # Check whether any of the IP addresses in the certificate match the servername
          ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
                  tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
-          for san in $ip_sans; do
-               [[ "$san" == "$servername" ]] && ret=1 && break
-          done
+          while read san; do
+               [[ -n "$san" ]] && [[ "$san" == "$servername" ]] && ret=1 && break
+          done <<< "$ip_sans"
     fi

     # Check whether any of the DNS names in the certificate are wildcard names
     # that match the servername
     if [[ $ret -eq 0 ]]; then
-          for san in $dns_sans; do
+          while read san; do
+               [[ -n "$san" ]] || continue
               wildcard_match "$servername" "$san"
               [[ $? -eq 0 ]] && ret=2 && break
-          done
+          done <<< "$dns_sans"
     fi

     cn="$(get_cn_from_cert "$cert")"
@@ -7250,9 +7251,9 @@ run_server_defaults() {
                                   if [[ "$sans_nosni" == "$sans_sni" ]]; then
                                        success[n]=0
                                   else
-                                        for san in $sans_nosni; do
-                                             [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
-                                        done
+                                        while read san; do
+                                             [[ -n "$san" ]] && [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
+                                        done <<< "$sans_nosni"
                                   fi
                              fi
                         fi
@@ -7457,7 +7458,7 @@ get_session_ticket_lifetime_from_serverhello() {
 get_san_dns_from_cert() {
     echo "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \
          grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
-          sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')"
+          sed -e 's/DNS://g' -e 's/ //g')"
 }