mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
Merge pull request #292 from dcooper16/multiple_certificates
Detect multiple certificates cleanup
This commit is contained in:
Dirk Wetter
commit
61c1669687
104
testssl.sh
104
testssl.sh
@ -2657,7 +2657,7 @@ verify_retcode_helper() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
determine_trust() {
|
determine_trust() {
|
||||||
local heading=$1
|
local json_prefix=$1
|
||||||
local -i i=1
|
local -i i=1
|
||||||
local -i num_ca_bundles=0
|
local -i num_ca_bundles=0
|
||||||
local bundle_fname
|
local bundle_fname
|
||||||
@ -2672,12 +2672,16 @@ determine_trust() {
|
|||||||
local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
local addtl_warning
|
local addtl_warning
|
||||||
|
|
||||||
|
# If $json_prefix is not empty, then there is more than one certificate
|
||||||
|
# and the output should should be indented by two more spaces.
|
||||||
|
[[ -n $json_prefix ]] && spaces=" "
|
||||||
|
|
||||||
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
|
||||||
addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
|
addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
|
||||||
fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
|
fileout "${json_prefix}trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
|
||||||
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
|
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
|
||||||
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
|
||||||
fileout "$heading trust_warn" "WARN" "$addtl_warning"
|
fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
debugme outln
|
debugme outln
|
||||||
for bundle_fname in $ca_bundles; do
|
for bundle_fname in $ca_bundles; do
|
||||||
@ -2714,7 +2718,7 @@ determine_trust() {
|
|||||||
if $all_ok; then
|
if $all_ok; then
|
||||||
# all stores ok
|
# all stores ok
|
||||||
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
|
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
|
||||||
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
|
||||||
else
|
else
|
||||||
# at least one failed
|
# at least one failed
|
||||||
pr_red "NOT ok"
|
pr_red "NOT ok"
|
||||||
@ -2722,7 +2726,7 @@ determine_trust() {
|
|||||||
# all failed (we assume with the same issue), we're displaying the reason
|
# all failed (we assume with the same issue), we're displaying the reason
|
||||||
out " "
|
out " "
|
||||||
verify_retcode_helper "${verify_retcode[2]}"
|
verify_retcode_helper "${verify_retcode[2]}"
|
||||||
fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
fileout "${json_prefix}trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
|
||||||
else
|
else
|
||||||
# is one ok and the others not ==> display the culprit store
|
# is one ok and the others not ==> display the culprit store
|
||||||
if $some_ok ; then
|
if $some_ok ; then
|
||||||
@ -2745,7 +2749,7 @@ determine_trust() {
|
|||||||
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
[[ "$DEBUG" -eq 0 ]] && out "$spaces"
|
||||||
pr_litegreen "OK: $ok_was"
|
pr_litegreen "OK: $ok_was"
|
||||||
fi
|
fi
|
||||||
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
|
||||||
fi
|
fi
|
||||||
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning"
|
[[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning"
|
||||||
fi
|
fi
|
||||||
@ -2894,6 +2898,7 @@ certificate_info() {
|
|||||||
local cnfinding
|
local cnfinding
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
|
local json_prefix="" # string to place at begging of JSON IDs when there is more than one certificate
|
||||||
local indent=""
|
local indent=""
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
@ -2901,6 +2906,7 @@ certificate_info() {
|
|||||||
indent=" "
|
indent=" "
|
||||||
out "$indent"
|
out "$indent"
|
||||||
pr_headlineln "Server Certificate #$certificate_number"
|
pr_headlineln "Server Certificate #$certificate_number"
|
||||||
|
json_prefix="Server Certificate #$certificate_number "
|
||||||
spaces=" "
|
spaces=" "
|
||||||
else
|
else
|
||||||
spaces=" "
|
spaces=" "
|
||||||
@ -2913,33 +2919,33 @@ certificate_info() {
|
|||||||
case $sig_algo in
|
case $sig_algo in
|
||||||
sha1WithRSAEncryption)
|
sha1WithRSAEncryption)
|
||||||
pr_brownln "SHA1 with RSA"
|
pr_brownln "SHA1 with RSA"
|
||||||
fileout "$heading algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
|
fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
|
||||||
;;
|
;;
|
||||||
sha256WithRSAEncryption)
|
sha256WithRSAEncryption)
|
||||||
pr_litegreenln "SHA256 with RSA"
|
pr_litegreenln "SHA256 with RSA"
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
|
||||||
;;
|
;;
|
||||||
sha384WithRSAEncryption)
|
sha384WithRSAEncryption)
|
||||||
pr_litegreenln "SHA384 with RSA"
|
pr_litegreenln "SHA384 with RSA"
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
|
||||||
;;
|
;;
|
||||||
sha512WithRSAEncryption)
|
sha512WithRSAEncryption)
|
||||||
pr_litegreenln "SHA512 with RSA"
|
pr_litegreenln "SHA512 with RSA"
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
|
||||||
;;
|
;;
|
||||||
ecdsa-with-SHA256)
|
ecdsa-with-SHA256)
|
||||||
pr_litegreenln "ECDSA with SHA256"
|
pr_litegreenln "ECDSA with SHA256"
|
||||||
fileout "$heading algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
|
fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
|
||||||
;;
|
;;
|
||||||
md5*)
|
md5*)
|
||||||
pr_redln "MD5"
|
pr_redln "MD5"
|
||||||
fileout "$heading algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
|
fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
out "$sig_algo ("
|
out "$sig_algo ("
|
||||||
pr_litemagenta "Unknown"
|
pr_litemagenta "Unknown"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "$heading algorithm" "INFO" "Signature Algorithm: $sign_algo"
|
fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: $sign_algo"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||||
@ -2947,7 +2953,7 @@ certificate_info() {
|
|||||||
out "$indent"; pr_bold " Server key size "
|
out "$indent"; pr_bold " Server key size "
|
||||||
if [[ -z "$keysize" ]]; then
|
if [[ -z "$keysize" ]]; then
|
||||||
outln "(couldn't determine)"
|
outln "(couldn't determine)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
|
fileout "${json_prefix}key_size" "WARN" "Server keys size cannot be determined"
|
||||||
else
|
else
|
||||||
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
||||||
@ -2956,53 +2962,53 @@ certificate_info() {
|
|||||||
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
|
||||||
if [[ "$keysize" -le 110 ]]; then # a guess
|
if [[ "$keysize" -le 110 ]]; then # a guess
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 123 ]]; then # a guess
|
elif [[ "$keysize" -le 123 ]]; then # a guess
|
||||||
pr_litered "$keysize"
|
pr_litered "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 163 ]]; then
|
elif [[ "$keysize" -le 163 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 224 ]]; then
|
elif [[ "$keysize" -le 224 ]]; then
|
||||||
out "$keysize"
|
out "$keysize"
|
||||||
fileout "$heading key_size" "INFO" "Server keys $keysize EC bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
|
||||||
elif [[ "$keysize" -le 533 ]]; then
|
elif [[ "$keysize" -le 533 ]]; then
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)"
|
fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
|
||||||
else
|
else
|
||||||
out "keysize: $keysize (not expected, FIXME)"
|
out "keysize: $keysize (not expected, FIXME)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (not expected)"
|
||||||
fi
|
fi
|
||||||
outln " bit"
|
outln " bit"
|
||||||
elif [[ $sig_algo = *RSA* ]]; then
|
elif [[ $sig_algo = *RSA* ]]; then
|
||||||
if [[ "$keysize" -le 512 ]]; then
|
if [[ "$keysize" -le 512 ]]; then
|
||||||
pr_red "$keysize"
|
pr_red "$keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 768 ]]; then
|
elif [[ "$keysize" -le 768 ]]; then
|
||||||
pr_litered "$keysize"
|
pr_litered "$keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 1024 ]]; then
|
elif [[ "$keysize" -le 1024 ]]; then
|
||||||
pr_brown "$keysize"
|
pr_brown "$keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
|
||||||
elif [[ "$keysize" -le 2048 ]]; then
|
elif [[ "$keysize" -le 2048 ]]; then
|
||||||
outln "$keysize bits"
|
outln "$keysize bits"
|
||||||
fileout "$heading key_size" "INFO" "Server keys $keysize bits"
|
fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
|
||||||
elif [[ "$keysize" -le 4096 ]]; then
|
elif [[ "$keysize" -le 4096 ]]; then
|
||||||
pr_litegreen "$keysize"
|
pr_litegreen "$keysize"
|
||||||
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
|
fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
else
|
else
|
||||||
pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
|
pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (Odd)"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
out "$keysize bits ("
|
out "$keysize bits ("
|
||||||
pr_litemagenta "can't tell whether $keysize bits is good or not"
|
pr_litemagenta "can't tell whether $keysize bits is good or not"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "$heading key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
|
fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3012,7 +3018,7 @@ certificate_info() {
|
|||||||
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
||||||
outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
|
outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
|
||||||
outln "$spaces$cert_fingerprint_sha2"
|
outln "$spaces$cert_fingerprint_sha2"
|
||||||
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
||||||
|
|
||||||
out "$indent"; pr_bold " Common Name (CN) "
|
out "$indent"; pr_bold " Common Name (CN) "
|
||||||
cnfinding="Common Name (CN) : "
|
cnfinding="Common Name (CN) : "
|
||||||
@ -3083,7 +3089,7 @@ certificate_info() {
|
|||||||
cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
|
cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fileout "$heading cn" "$cnok" "$cnfinding"
|
fileout "${json_prefix}cn" "$cnok" "$cnfinding"
|
||||||
|
|
||||||
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
||||||
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
||||||
@ -3094,10 +3100,10 @@ certificate_info() {
|
|||||||
pr_dquoted "$san"
|
pr_dquoted "$san"
|
||||||
out " "
|
out " "
|
||||||
done
|
done
|
||||||
fileout "$heading san" "INFO" "subjectAltName (SAN) : $sans"
|
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans"
|
||||||
else
|
else
|
||||||
out "-- "
|
out "-- "
|
||||||
fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
|
fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : --"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
out "$indent"; pr_bold " Issuer "
|
out "$indent"; pr_bold " Issuer "
|
||||||
@ -3109,7 +3115,7 @@ certificate_info() {
|
|||||||
|
|
||||||
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
|
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
|
||||||
pr_redln "self-signed (NOT ok)"
|
pr_redln "self-signed (NOT ok)"
|
||||||
fileout "$heading issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
|
fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
|
||||||
else
|
else
|
||||||
pr_dquoted "$issuer_CN"
|
pr_dquoted "$issuer_CN"
|
||||||
out " ("
|
out " ("
|
||||||
@ -3117,9 +3123,9 @@ certificate_info() {
|
|||||||
if [[ -n "$issuer_C" ]]; then
|
if [[ -n "$issuer_C" ]]; then
|
||||||
out " from "
|
out " from "
|
||||||
pr_dquoted "$issuer_C"
|
pr_dquoted "$issuer_C"
|
||||||
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
|
||||||
else
|
else
|
||||||
fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
|
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
|
||||||
fi
|
fi
|
||||||
outln ")"
|
outln ")"
|
||||||
fi
|
fi
|
||||||
@ -3136,10 +3142,10 @@ certificate_info() {
|
|||||||
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
|
[[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
|
||||||
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
|
[[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
|
||||||
out "yes "
|
out "yes "
|
||||||
fileout "$heading ev" "OK" "Extended Validation (EV) (experimental) : yes"
|
fileout "${json_prefix}ev" "OK" "Extended Validation (EV) (experimental) : yes"
|
||||||
else
|
else
|
||||||
out "no "
|
out "no "
|
||||||
fileout "$heading ev" "INFO" "Extended Validation (EV) (experimental) : no"
|
fileout "${json_prefix}ev" "INFO" "Extended Validation (EV) (experimental) : no"
|
||||||
fi
|
fi
|
||||||
debugme echo "($(newline_to_spaces "$policy_oid"))"
|
debugme echo "($(newline_to_spaces "$policy_oid"))"
|
||||||
outln
|
outln
|
||||||
@ -3187,60 +3193,60 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " ($startdate --> $enddate)"
|
outln " ($startdate --> $enddate)"
|
||||||
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
fileout "${json_prefix}expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
||||||
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
|
fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided"
|
||||||
|
|
||||||
|
|
||||||
out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
|
out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
|
||||||
determine_trust "$heading" # Also handles fileout
|
determine_trust "$json_prefix" # Also handles fileout
|
||||||
|
|
||||||
out "$indent"; pr_bold " Certificate Revocation List "
|
out "$indent"; pr_bold " Certificate Revocation List "
|
||||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
||||||
if [[ -z "$crl" ]]; then
|
if [[ -z "$crl" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
fileout "$heading crl" "NOT OK" "No CRL provided (NOT ok)"
|
fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)"
|
||||||
elif grep -q http <<< "$crl"; then
|
elif grep -q http <<< "$crl"; then
|
||||||
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
||||||
outln "$crl"
|
outln "$crl"
|
||||||
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
|
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
|
||||||
else # more than one CRL
|
else # more than one CRL
|
||||||
out_row_aligned "$crl" "$spaces"
|
out_row_aligned "$crl" "$spaces"
|
||||||
fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
|
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
pr_litemagentaln "no parsable output \"$crl\", pls report"
|
pr_litemagentaln "no parsable output \"$crl\", pls report"
|
||||||
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
fileout "${json_prefix}crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP URI "
|
out "$indent"; pr_bold " OCSP URI "
|
||||||
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
||||||
if [[ -z "$ocsp_uri" ]]; then
|
if [[ -z "$ocsp_uri" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
fileout "$heading ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
|
fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
|
||||||
else
|
else
|
||||||
outln "$ocsp_uri"
|
outln "$ocsp_uri"
|
||||||
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||||
pr_yellow "--"
|
pr_yellow "--"
|
||||||
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
pr_litegreen "offered"
|
pr_litegreen "offered"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
|
||||||
else
|
else
|
||||||
if $GOST_STATUS_PROBLEM; then
|
if $GOST_STATUS_PROBLEM; then
|
||||||
outln "(GOST servers make problems here, sorry)"
|
outln "(GOST servers make problems here, sorry)"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
out "(response status unknown)"
|
out "(response status unknown)"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
|
||||||
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
|
||||||
ret=2
|
ret=2
|
||||||
fi
|
fi
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user