- fix for issue when a non-HTTP service indicates a misleading non-match of certificate
- wildcard check
This commit is contained in:
parent
b9bfa2355a
commit
566a059250
25
testssl.sh
25
testssl.sh
|
@ -1767,6 +1767,7 @@ run_server_defaults() {
|
||||||
local expire secs2warn ocsp_uri crl startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni
|
local expire secs2warn ocsp_uri crl startdate enddate issuer_c issuer_o issuer sans san cn cn_nosni
|
||||||
local policy_oid
|
local policy_oid
|
||||||
local spaces=" "
|
local spaces=" "
|
||||||
|
local wildcard=false
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
pr_blue "--> Testing server defaults (Server Hello)"; outln "\n"
|
||||||
|
@ -1854,6 +1855,16 @@ run_server_defaults() {
|
||||||
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
||||||
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
||||||
pr_underline "$cn"
|
pr_underline "$cn"
|
||||||
|
if echo -n "$cn" | grep -q '^*.' ; then
|
||||||
|
out " (wildcard certificate"
|
||||||
|
if [[ "$cn" == "*.$(echo -n "$cn" | sed 's/^\*.//')" ]]; then
|
||||||
|
out " match)"
|
||||||
|
wildcard=true
|
||||||
|
else
|
||||||
|
:
|
||||||
|
#FIXME: we need to test also the SANs as they can contain a wild card (google.de .e.g) ==> 2.7dev
|
||||||
|
fi
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
cn="(no CN field in subject)"
|
cn="(no CN field in subject)"
|
||||||
out "$cn"
|
out "$cn"
|
||||||
|
@ -1867,16 +1878,20 @@ run_server_defaults() {
|
||||||
cn_nosni="no CN field in subject"
|
cn_nosni="no CN field in subject"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\""
|
debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\""
|
||||||
if [[ $NODE == "$cn_nosni" ]]; then
|
if [[ $NODE == "$cn_nosni" ]]; then
|
||||||
if [[ $SERVICE != "HTTP" ]]; then
|
if [[ $SERVICE == "HTTP" ]]; then
|
||||||
outln " (matches certificate directly)"
|
|
||||||
else
|
|
||||||
outln " (works w/o SNI)"
|
outln " (works w/o SNI)"
|
||||||
|
else
|
||||||
|
outln " (matches certificate directly)"
|
||||||
|
# for services != HTTP it depends on the protocol, server and client but it is not named "SNI"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [[ $SERVICE != "HTTP" ]]; then
|
if [[ $SERVICE != "HTTP" ]]; then
|
||||||
pr_brownln " (CN doesn't match but for non-HTTP services it might be ok)"
|
outln
|
||||||
|
#pr_brownln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)"
|
||||||
|
#FIXME: this is irritating and needs to be redone. Then also the wildcard match needs to be tested against "$cn_nosni"
|
||||||
elif [[ -z "$cn_nosni" ]]; then
|
elif [[ -z "$cn_nosni" ]]; then
|
||||||
out " (request w/o SNI didn't succeed";
|
out " (request w/o SNI didn't succeed";
|
||||||
[[ $algo =~ ecdsa ]] && out ", usual for EC certificates"
|
[[ $algo =~ ecdsa ]] && out ", usual for EC certificates"
|
||||||
|
@ -4828,4 +4843,4 @@ fi
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.372 2015/09/04 12:19:05 dirkw Exp $
|
# $Id: testssl.sh,v 1.373 2015/09/06 16:21:07 dirkw Exp $
|
||||||
|
|
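Review bot: The wildcard "match" printed in the second hunk is never checked against the host: `if [[ "$cn" == "*.$(echo -n "$cn" | sed 's/^\*.//')" ]]; then` rebuilds `$cn` from itself and is true for every CN of the form `*.something`, so ` match)` and `wildcard=true` are emitted whether or not `$NODE` is actually covered by the wildcard. Comparing the host's parent domain with the wildcard's base, e.g. `if [[ "$NODE" == *.* && "${NODE#*.}" == "${cn#\*.}" ]]; then`, would make the label honest, since a `*` covers exactly one leftmost label. The outer test `grep -q '^*.'` also leaves the dot unescaped, so `*x.example` passes it; `if [[ "$cn" == \*.* ]]; then` avoids both the `echo -n` pipeline and the regex. `wildcard` is set but not consulted by the later branch that reports "CN doesn't match", as the FIXME in the third hunk already notes; run_server_defaults() begins and ends outside these hunks.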