Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-04-04 00:34:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix segfault with error 4 in check_revocation_ocsp() when using --phone-out

Browse Source 
As `--phone-out` sometimes doesn't work with our binary we switch transparently/automagically
to the vendor support openssl binary -- if available.

This fixes at least #2516 where the issue has been explained/debugged in detail.
See also #2667 and #1275.
This commit is contained in:
Dirk 2025-03-14 17:06:42 +01:00
parent c53f4a3e44
commit 4f1a91f92e
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
testssl.sh
View File

@ -2050,6 +2050,8 @@ check_revocation_ocsp() {
local -i success=1 local -i success=1
local response="" local response=""
local host_header="" local host_header=""
local openssl_bin="$OPENSSL"
local addtl_warning=""
"$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@ -2079,6 +2081,17 @@ check_revocation_ocsp() {
success=$? success=$?
fi fi
else else
if [[ $OPENSSL =~ openssl.Linux.$(uname -m) ]]; then
# --phone-out in some cases throws a segfault with "our" binary, probably because a static binary with
# NSS and gethostbyname(3) doesn't work under Linux. So we use the vendor supplied binary if available.
# See #2516 and probably also #2667 and #1275 .
if [[ -x "$OPENSSL2" ]]; then
openssl_bin="$OPENSSL2"
[[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
fi
else
addtl_warning="(a segfault indicates here you need to test this with another binary)"
fi
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
@ -2089,7 +2102,7 @@ check_revocation_ocsp() {
else else
host_header="-header Host ${host_header}" host_header="-header Host ${host_header}"
fi fi
$OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \ $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$? success=$?
@ -2109,8 +2122,8 @@ check_revocation_ocsp() {
set_grade_cap "T" "Certificate revoked" set_grade_cap "T" "Certificate revoked"
else else
out ", " out ", "
pr_warning "error querying OCSP responder" pr_warning "error querying OCSP responder $addtl_warning"
fileout "$jsonID" "WARN" "$response" fileout "$jsonID" "WARN" "$response $addtl_warning"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
outln outln
cat "$tmpfile" cat "$tmpfile"