Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-08 09:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

using get_san_dns_from_cert()

Browse Source
This commit is contained in:
Dirk 2017-04-01 10:38:04 +02:00
parent 6b601e22c7
commit 498dda94ce
1 changed files with 5 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
testssl.sh
View File

@ -5449,8 +5449,7 @@ compare_server_name_to_cert()
local -i ret=0 local -i ret=0
# Check whether any of the DNS names in the certificate match the servername # Check whether any of the DNS names in the certificate match the servername
dns_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ dns_sans="$(get_san_dns_from_cert "$cert")"
tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
for san in $dns_sans; do for san in $dns_sans; do
[[ $(toupper "$san") == "$servername" ]] && ret=1 && break [[ $(toupper "$san") == "$servername" ]] && ret=1 && break
done done
@ -5495,7 +5494,7 @@ must_staple() {
local cert extn local cert extn
local -i extn_len local -i extn_len
local supported=false local supported=false
# Note this function is only looking for status_request (5) and not # Note this function is only looking for status_request (5) and not
# status_request_v2 (17), since OpenSSL seems to only include status_request (5) # status_request_v2 (17), since OpenSSL seems to only include status_request (5)
# in its ClientHello when the "-status" option is used. # in its ClientHello when the "-status" option is used.
@ -6209,9 +6208,7 @@ run_server_defaults() {
if [[ ${success[n]} -ne 0 ]]; then if [[ ${success[n]} -ne 0 ]]; then
cn_nosni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" cn_nosni="$(toupper "$(get_cn_from_cert $HOSTCERT)")"
sans_nosni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \ sans_nosni="$(toupper "$(get_san_dns_from_cert "$HOSTCERT")")"
grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")"
echo "${previous_hostcert[1]}" > $HOSTCERT echo "${previous_hostcert[1]}" > $HOSTCERT
cn_sni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" cn_sni="$(toupper "$(get_cn_from_cert $HOSTCERT)")"
@ -6221,9 +6218,7 @@ run_server_defaults() {
# match if the CNs are the same and the SANs (if # match if the CNs are the same and the SANs (if
# present) contain at least one DNS name in common. # present) contain at least one DNS name in common.
if [[ "$cn_nosni" == "$cn_sni" ]]; then if [[ "$cn_nosni" == "$cn_sni" ]]; then
sans_sni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \ sans_sni="$(toupper "$(get_san_dns_from_cert "$HOSTCERT")")"
grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")"
if [[ "$sans_nosni" == "$sans_sni" ]]; then if [[ "$sans_nosni" == "$sans_sni" ]]; then
success[n]=0 success[n]=0
else else
@ -6320,7 +6315,7 @@ get_session_ticket_lifetime_from_serverhello() {
} }
get_san_dns_from_cert() { get_san_dns_from_cert() {
toupper "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \ echo "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \
grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \ grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')" sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')"
} }