Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2017 from drwetter/cab_is4browsers

Browse Source 
Add browser requirement for the entropy of cert serial
This commit is contained in:
Dirk Wetter 2021-10-21 09:51:00 +02:00 committed by GitHub
commit 489b63e9dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
testssl.sh
View File

@ -8905,8 +8905,9 @@ certificate_info() {
outln outln
prln_svrty_low "${spaces}NOT ok: length must not exceed 20 bytes (is: $len_cert_serial bytes)" prln_svrty_low "${spaces}NOT ok: length must not exceed 20 bytes (is: $len_cert_serial bytes)"
fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is too long" fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is too long"
elif [[ $len_cert_serial -lt 8 ]]; then elif [[ $len_cert_serial -lt 8 ]] && [[ $SERVICE == HTTP ]]; then
# Wording is from https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf # We only want this check for browsers as this requirement comes from the CA browser forum,
# see e.g. https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf
prln_svrty_low " NOT ok: length should be >= 64 bits entropy (is: $len_cert_serial bytes)" prln_svrty_low " NOT ok: length should be >= 64 bits entropy (is: $len_cert_serial bytes)"
fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is not enough entropy" fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is not enough entropy"
else else