FIX: expiration threshold < 30 days

Dirk 2015-01-30 16:26:55 +01:00
parent 85bc14c946
commit 4f1ca24bd2


@ -2,7 +2,7 @@
# #
# bash is needed for some distros which use dash as /bin/sh and for tcp sockets which # bash is needed for some distros which use dash as /bin/sh and for tcp sockets which
# this program uses a couple of times. Also some expressions are bashisms as I expect # this program uses a couple of times. Also some expressions are bashisms as I expect
# them to be faster. Idea is to not overdo it though # them to be faster. Idea is to not overdo it though.
# testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
# vulnerablities or features # vulnerablities or features
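Review bot: the last line of this hunk still carries the misspelling `# vulnerablities or features` on both sides; since the neighbouring header lines are already being touched for wording, correct it to `# vulnerabilities or features` in the same change.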
@ -27,14 +27,17 @@ SWCONTACT="dirk aet testssl dot sh"
# your OWN RISK # your OWN RISK
# HISTORY: I know reading this shell script is sometimes neither nice nor is it rocket science # HISTORY: I know reading this shell script is sometimes neither nice nor is it rocket science
# As openssl is a such a good swiss army knife (e.g. wiki.openssl.org/index.php/Command_Line_Utilities) # (well ok, maybe the bash sockets are kind of cool).
# it was difficult to resist wrapping it with some shell commandos. That's how everything # It all started with a few openssl commands. It is a such a good swiss army knife (see e.g.
# started # wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist wrapping
# with some shell commandos around it. This is how everything started
# Probably you can achieve the same result with my favorite zsh (zmodload zsh/net/socket b4
# -- checkout zsh/net/tcp too! -- but bash is way more often used, within Linux and: cross-platform!
# Q: So what's the difference between https://www.ssllabs.com/ssltest or # Q: So what's the difference between https://www.ssllabs.com/ssltest or
# https://sslcheck.globalsign.com/? # https://sslcheck.globalsign.com/?
# A: As of now ssllabs only check webservers on standard ports, reachable from # A: As of now ssllabs only check webservers on standard ports, reachable from
# the internet. And the two above are 3rd parties. If those restrictions are fine # the internet. And the examples above are 3rd parties. If those restrictions are fine
# with you, they might tell you more than this tool -- as of now. # with you, they might tell you more than this tool -- as of now.
# Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities) # Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
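Review bot: the rewritten HISTORY paragraph keeps the stray article from the old text in `# It all started with a few openssl commands. It is a such a good swiss army knife (see e.g.`; drop the first `a`. The added zsh remark (`# Probably you can achieve the same result with my favorite zsh (zmodload zsh/net/socket b4`) uses `b4` for "before" and the sentence after it has no terminal punctuation; spelling it out and closing the sentence would keep the header readable.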
@ -349,7 +352,7 @@ poodle() {
ret=$? ret=$?
[ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error" [ "$VERBERR" -eq 0 ] && cat $TMPFILE | egrep "error|failure" | egrep -v "unable to get local|verify error"
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
pr_litered "VULNERABLE"; out ", uses SSLv3 (no TLS_FALLBACK_SCSV tested)" pr_litered "VULNERABLE"; out ", uses SSLv3 (no TLS_FALLBACK_SCSV mitigation tested)"
else else
pr_green "not vulnerable (OK)" pr_green "not vulnerable (OK)"
fi fi
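Review bot: the verdict in this hunk is still decided by the SSLv3 handshake exit status alone (`if [ $ret -eq 0 ]; then`), so the new wording `(no TLS_FALLBACK_SCSV mitigation tested)` is the right caveat; consider also phrasing the result as "SSLv3 offered" rather than a bare `VULNERABLE` until the fallback SCSV check exists. Minor, on the unchanged context line: `cat $TMPFILE | egrep "error|failure"` can be `egrep "error|failure" "$TMPFILE"`, with the variable quoted.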
@ -1123,7 +1126,7 @@ server_defaults() {
if ! echo $expire | grep -qw not; then if ! echo $expire | grep -qw not; then
pr_red "expired!" pr_red "expired!"
else else
SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN1` # pr_red threshold first SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN2` # low threshold first
expire=`$OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN` expire=`$OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN`
if echo "$expire" | grep -qw not; then if echo "$expire" | grep -qw not; then
SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN2` SECS2WARN=`expr 24 \* 60 \* 60 \* $DAYS2WARN2`
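Review bot: the inner threshold on the unchanged last line of this hunk, `SECS2WARN=\`expr 24 \* 60 \* 60 \* $DAYS2WARN2\``, still uses `$DAYS2WARN2`, so once the outer `-checkend` with `$DAYS2WARN2` has reported "will not expire", the inner `-checkend` repeats the same test and always reports the same; the `>= $DAYS2WARN1 days` message is then printed for any certificate that merely outlives `$DAYS2WARN2`. Change that line to `$DAYS2WARN1` so the two thresholds are actually distinguished.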
@ -1131,10 +1134,10 @@ server_defaults() {
if echo "$expire" | grep -qw not; then if echo "$expire" | grep -qw not; then
pr_litegreen ">= $DAYS2WARN1 days" pr_litegreen ">= $DAYS2WARN1 days"
else else
pr_litered "expires < $DAYS2WARN2 days" pr_brown "expires < $DAYS2WARN1 days"
fi fi
else else
pr_brown "expires < $DAYS2WARN1 days" pr_litered "expires < $DAYS2WARN2 days!"
fi fi
fi fi
enddate=`date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate | cut -d= -f 2)" +"%F %H:%M %z"` enddate=`date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate | cut -d= -f 2)" +"%F %H:%M %z"`
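Review bot: swapping the two result branches (green `>= $DAYS2WARN1 days` / brown `expires < $DAYS2WARN1 days` inside, red `expires < $DAYS2WARN2 days!` outside) matches the new low-threshold-first order, but the inner `if echo "$expire" | grep -qw not; then` only separates those two cases if the `-checkend` just before it was run with `$DAYS2WARN1`; as the preceding hunk leaves that inner `SECS2WARN` at `$DAYS2WARN2`, the brown branch is unreachable as committed. Also, `date --date=` on the trailing context line is a GNU coreutils option, which matters given the cross-platform aim stated in the header comment.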
@ -2050,7 +2053,7 @@ $PRG <options> URI
<-E|-ee|--cipher-per-proto> check those per protocol <-E|-ee|--cipher-per-proto> check those per protocol
<-f|--ciphers> check cipher suites <-f|--ciphers> check cipher suites
<-p|--protocols> check TLS/SSL protocols only <-p|--protocols> check TLS/SSL protocols only
<-S|--server_defaults> displays the servers default picks and cert info <-S|--server_defaults> displays the servers default picks and certificate info
<-P|--preference> displays the servers picks: protocol+cipher <-P|--preference> displays the servers picks: protocol+cipher
<-y|--spdy> checks for SPDY/NPN <-y|--spdy> checks for SPDY/NPN
<-x|--single-ciphers-test> <pattern> tests matched <pattern> of cipher <-x|--single-ciphers-test> <pattern> tests matched <pattern> of cipher
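Review bot: `displays the servers default picks and certificate info` and the `-P` line right below it both want the possessive `server's`; since this help text is being edited anyway, fix both lines together.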
@ -2548,6 +2551,6 @@ case "$1" in
exit $ret ;; exit $ret ;;
esac esac
# $Id: testssl.sh,v 1.177 2015/01/29 22:24:48 dirkw Exp $ # $Id: testssl.sh,v 1.178 2015/01/30 15:26:54 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5