- FIX for #104: check for hpkp pin match failed if \" was present
This commit is contained in:
parent
308c738b75
commit
4febd95b64
19
testssl.sh
19
testssl.sh
@ -566,16 +566,16 @@ hpkp() {
|
|||||||
# get the key fingerprints
|
# get the key fingerprints
|
||||||
sed -i -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE
|
sed -i -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE
|
||||||
[ -s "$HOSTCERT" ] || get_host_cert
|
[ -s "$HOSTCERT" ] || get_host_cert
|
||||||
|
hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \
|
||||||
|
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
|
||||||
while read hpkp_key; do
|
while read hpkp_key; do
|
||||||
hpkp_key_hostcert=$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | $OPENSSL base64 -d | \
|
if [ "$hpkp_key_hostcert" = "$hpkp_key" ] || [ "$hpkp_key_hostcert" = "$hpkp_key=" ]; then
|
||||||
$OPENSSL dgst -sha256 -binary | $OPENSSL base64)
|
|
||||||
if [ "$hpkp_key_hostcert" == "$hpkp_key" ] || [ "$hpkp_key_hostcert" == "$hpkp_key=" ]; then
|
|
||||||
out "\n$spaces matching key: "
|
out "\n$spaces matching key: "
|
||||||
pr_litegreen "$hpkp_key"
|
pr_litegreen "$hpkp_key"
|
||||||
key_found=0
|
key_found=0
|
||||||
fi
|
fi
|
||||||
debugme echo "$hpkp_key | $hpkp_key_hostcert"
|
debugme echo "$hpkp_key | $hpkp_key_hostcert"
|
||||||
done < <(sed -e 's/;/\n/g' -e 's/ //g' $TMPFILE | awk -F'=' '/pin.*=/ { print $2 }')
|
done < <(sed -e 's/;/\n/g' -e 's/ //g' -e 's/\"//g' $TMPFILE | awk -F'=' '/pin.*=/ { print $2 }')
|
||||||
[ $key_found -ne 0 ] && out "\n$spaces " && pr_litered "No matching key for pin found"
|
[ $key_found -ne 0 ] && out "\n$spaces " && pr_litered "No matching key for pin found"
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
@ -593,7 +593,9 @@ emphasize_stuff_in_headers(){
|
|||||||
-e "s/Debian/"$yellow"\Debian$off/g" \
|
-e "s/Debian/"$yellow"\Debian$off/g" \
|
||||||
-e "s/Ubuntu/"$yellow"Ubuntu$off/g" \
|
-e "s/Ubuntu/"$yellow"Ubuntu$off/g" \
|
||||||
-e "s/ubuntu/"$yellow"ubuntu$off/g" \
|
-e "s/ubuntu/"$yellow"ubuntu$off/g" \
|
||||||
|
-e "s/jessie/"$yellow"jessie$off/g" \
|
||||||
-e "s/squeeze/"$yellow"squeeze$off/g" \
|
-e "s/squeeze/"$yellow"squeeze$off/g" \
|
||||||
|
-e "s/wheezy/"$yellow"wheezy$off/g" \
|
||||||
-e "s/lenny/"$yellow"lenny$off/g" \
|
-e "s/lenny/"$yellow"lenny$off/g" \
|
||||||
-e "s/SUSE/"$yellow"SUSE$off/g" \
|
-e "s/SUSE/"$yellow"SUSE$off/g" \
|
||||||
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
|
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
|
||||||
@ -617,8 +619,9 @@ serverbanner() {
|
|||||||
outln "banner exists but empty string"
|
outln "banner exists but empty string"
|
||||||
else
|
else
|
||||||
emphasize_stuff_in_headers "$serverbanner"
|
emphasize_stuff_in_headers "$serverbanner"
|
||||||
[[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]] && pr_litemagentaln " It's recommended to run another test w/ OpenSSL 1.01 !"
|
[[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]] && \
|
||||||
# see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
pr_litemagentaln " It's recommended to run another test w/ OpenSSL 1.01 !"
|
||||||
|
# see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
|
||||||
fi
|
fi
|
||||||
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
# https://support.microsoft.com/en-us/kb/245030
|
# https://support.microsoft.com/en-us/kb/245030
|
||||||
@ -1366,7 +1369,7 @@ server_defaults() {
|
|||||||
get_host_cert "-$proto"
|
get_host_cert "-$proto"
|
||||||
[ $? -eq 0 ] && [ $ret -eq 0 ] && break
|
[ $? -eq 0 ] && [ $ret -eq 0 ] && break
|
||||||
ret=7
|
ret=7
|
||||||
done # this loop is need for testing IIS/6
|
done # this loop is needed for IIS/6
|
||||||
if [ $ret -eq 7 ]; then
|
if [ $ret -eq 7 ]; then
|
||||||
# "-status" kills GOST only servers, so we do another test without it and see whether that works then:
|
# "-status" kills GOST only servers, so we do another test without it and see whether that works then:
|
||||||
if ! $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto -tlsextdebug </dev/null 2>/dev/null >$TMPFILE; then
|
if ! $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT $SNI -$proto -tlsextdebug </dev/null 2>/dev/null >$TMPFILE; then
|
||||||
@ -3489,6 +3492,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.251 2015/05/18 19:51:44 dirkw Exp $
|
# $Id: testssl.sh,v 1.252 2015/05/18 21:10:33 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
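Review bot: In the hpkp() hunk the pin loop still reads server-supplied header values with a bare `read`, so a backslash in a pin is interpreted rather than compared literally, and the hoisted fingerprint line passes `-in $HOSTCERT` unquoted; both sit on the lines the commit just rewrote (assuming the variant with `grep -v PUBLIC` before the loop is the new side). I would change them to `while IFS= read -r hpkp_key; do` and `hpkp_key_hostcert="$($OPENSSL x509 -in "$HOSTCERT" -pubkey -noout | grep -v PUBLIC | \`. Separately, the comparison only ever hashes the leaf certificate's SPKI, so a site whose pins name an intermediate or root key (which RFC 7469 allows) will be reported as "No matching key for pin found"; a comment such as `# NOTE: only the leaf SPKI is hashed, pins on intermediate/root keys are reported as non-matching` above the loop would make that limitation visible to the reader. hpkp() starts before the hunk, so where key_found is initialised is not visible here.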