Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix --phone-out + ocsp, also in docker container

Browse Source 
Previously in 4f1a91f92e there was a
double header sent to the server to check whether the certificate
was revoked.

This PR addresses that and fixes #2667 .
This commit is contained in:
Dirk
2025-03-15 15:58:28 +01:00
parent 73be4f7381
commit 430c5c8d09
1 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
testssl.sh
View File

@@ -2052,6 +2052,7 @@ check_revocation_ocsp() {
local host_header="" local host_header=""
local openssl_bin="$OPENSSL" local openssl_bin="$OPENSSL"
local addtl_warning="" local addtl_warning=""
local smartswitch=false
"$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -2087,6 +2088,7 @@ check_revocation_ocsp() {
# See #2516 and probably also #2667 and #1275 . # See #2516 and probably also #2667 and #1275 .
if [[ -x "$OPENSSL2" ]]; then if [[ -x "$OPENSSL2" ]]; then
openssl_bin="$OPENSSL2" openssl_bin="$OPENSSL2"
smartswitch=true
[[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin " [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
fi fi
else else
@@ -2094,19 +2096,26 @@ check_revocation_ocsp() {
fi fi
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
host_header="-header Host ${host_header}" # This the follwomg is the default (like "-header Host r11.o.lencr.org")
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \ host_header="-header Host ${host_header}"
[[ $OSSL_VER_MAJOR -ge 3 ]]; then
host_header="-header Host=${host_header}" if "$smartswitch" ; then
case $(openssl version -v | awk -F' ' '{ print $2 }') in
# for those versions it's "-header Host=r11.o.lencr.org"
3.*|1.1*) host_header=${host_header/Host /Host=} ;;
esac
else else
host_header="-header Host ${host_header}" case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
3.*|1.1*) host_header=${host_header/Host /Host=} ;;
esac
fi fi
$openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \ $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$? success=$?
fi fi
if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
response="$(grep -F "$HOSTCERT: " "$tmpfile")" response="$(grep -F "$HOSTCERT: " "$tmpfile")"
response="${response#$HOSTCERT: }" response="${response#$HOSTCERT: }"