From 529a373b2eb5a2425f8d55b55af173a69721b0c1 Mon Sep 17 00:00:00 2001
From: secinto
Date: Fri, 13 Jun 2025 10:54:13 +0200
Subject: [PATCH] Update testssl.sh Modified grading for incomplete chain
---
 testssl.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index aa6311e..f38c61a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7814,7 +7814,11 @@ determine_trust() {
 out "$code"
 fi
 fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
- set_grade_cap "T" "Issues with the chain of trust $code"
+ if [[ "$code" =~ "chain incomplete" ]]; then
+ set_grade_cap "B" "Issues with chain of trust $code"
+ else
+ set_grade_cap "T" "Issues with chain of trust $code"
+ fi
 else
 # alt least one ok and other(s) not ==> display the culprit store(s)
 if "$some_ok"; then
@@ -7834,7 +7838,12 @@ determine_trust() {
 if ! [[ ${certificate_file[i]} =~ Java ]]; then
 # Exemption for Java AND rating, as this store doesn't seem to be as complete.
 # We won't penalize this but we still need to raise a red flag. See #1648
- set_grade_cap "T" "Issues with chain of trust $code"
+ # set_grade_cap "T" "Issues with chain of trust $code"
+ if [[ "$code" =~ "chain incomplete" ]]; then
+ set_grade_cap "B" "Issues with chain of trust $code"
+ else
+ set_grade_cap "T" "Issues with chain of trust $code"
+ fi
 fi
 fi
 done
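Review bot: The new `"chain incomplete"` branch lowers the cap from T to B in the same path that still emits `fileout ... "CRITICAL" "failed $code. $addtl_warning"`, so the machine-readable severity and the grade now disagree for one finding; the same branch is repeated in the second hunk at the Java-exemption check. `$code` is assigned outside this hunk, so please confirm that this text is produced only for a missing intermediate and not also when the issuer is simply absent from the trust store, since an untrusted issuer would otherwise be capped at B instead of T. Because the right-hand side of `=~` is quoted it is a literal substring test, which `[[ "$code" == *"chain incomplete"* ]]` states directly. A short comment above the branch saying why an incomplete chain is capped at B rather than T would help the next reader.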
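Review bot: The commented-out `# set_grade_cap "T" "Issues with chain of trust $code"` in the second hunk should be deleted rather than left directly under the Java-exemption comment, where it reads as part of that explanation. The if/else below it is a copy of the one added in the first hunk, so the two can drift apart; choosing the cap once, e.g. `cap="T"; [[ "$code" == *"chain incomplete"* ]] && cap="B"` followed by `set_grade_cap "$cap" "Issues with chain of trust $code"` (with `cap` declared `local`), keeps the rule in one form. The enclosing loop and the assignment of `$code` lie outside the hunk, so whether `$code` here reflects the failing store's own result cannot be checked from these lines.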