From feb48c0295bd24ca4c04b17192c4db96be6484d5 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Thu, 24 May 2018 17:00:27 -0400
Subject: [PATCH 1/2] OCSP error handling

This PR improves the handling of error responses when checking status using OCSP. It can handle a few types of errors:
* When the responder just returns an error (e.g., "Responder error: unauthorized").
* When the response cannot be verified (e.g., invalid signature, expired certificate).
* When the response is valid ("Response verify OK"), but there is a problem with the response for the individual certificate (e.g., information is too old, or status is "unknown").
---
 testssl.sh | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 77eec36..a72695f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1499,7 +1499,7 @@ check_revocation_ocsp() {
 local jsonID="$2"
 local tmpfile=""
 local -i success
- local code=""
+ local response=""
 local host_header=""
 "$PHONE_OUT" || return 0
@@ -1514,30 +1514,41 @@ check_revocation_ocsp() {
 $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
 -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
- if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
- if grep -q "$HOSTCERT: good" "$tmpfile"; then
+ if [[ $? -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
+ response="$(grep -F "$HOSTCERT: " "$tmpfile")"
+ response="${response#$HOSTCERT: }"
+ response="${response%\.}"
+ if [[ "$response" =~ "good" ]]; then
 out ", "
 pr_svrty_good "not revoked"
 fileout "$jsonID" "OK" "not revoked"
- elif fgrep -q "$HOSTCERT: revoked" "$tmpfile"; then
+ elif [[ "$response" =~ "revoked" ]]; then
 out ", "
 pr_svrty_critical "revoked"
 fileout "$jsonID" "CRITICAL" "revoked"
- elif [[ $DEBUG -ge 2 ]]; then
- outln
- cat "$tmpfile"
+ else
+ out ", "
+ pr_warning "error querying OCSP responder"
+ fileout "$jsonID" "WARN" "$response"
+ if [[ $DEBUG -ge 2 ]]; then
+ outln
+ cat "$tmpfile"
+ else
+ out " ($response)"
+ fi
 fi
 else
- code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
+ [[ -s "$tmpfile" ]] || response="empty ocsp response"
+ [[ -z "$response" ]] && response="$(awk '/Responder Error:/ { print $3 }' "$tmpfile")"
+ [[ -z "$response" ]] && grep -Fq "Response Verify Failure" "$tmpfile" && response="unable to verify response"
 out ", "
 pr_warning "error querying OCSP responder"
- [[ -s "$tmpfile" ]] || code="empty ocsp response"
- fileout "$jsonID" "WARN" "$code"
+ fileout "$jsonID" "WARN" "$response"
 if [[ $DEBUG -ge 2 ]]; then
 outln
 [[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response"
- else
- out " ($code)"
+ elif [[ -n "$response" ]]; then
+ out " ($response)"
 fi
 fi
 }
From 5e7f1b75f608c95e702a1f4553f6c68898f59f8b Mon Sep 17 00:00:00 2001
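Review bot: `response="${response#$HOSTCERT: }"` uses the unquoted certificate path as a glob pattern, so a `*`, `?` or `[` in `$HOSTCERT` changes what is stripped; quoting it, `response="${response#"$HOSTCERT: "}"`, makes the match literal and consistent with the `grep -F "$HOSTCERT: "` just above. In the new inner `else` branch `out " ($response)"` also runs when no `$HOSTCERT: ` line was found and prints ` ()`, while the outer branch guards the same call with `elif [[ -n "$response" ]]; then`; the inner one should use the same guard. A verified response whose status is `unknown` now lands in that branch and is reported as "error querying OCSP responder", yet the responder answered and the signature checked out, so a separate `elif [[ "$response" =~ "unknown" ]]; then` with wording such as "status unknown" would keep that finding distinguishable from transport or verification failures. The body of check_revocation_ocsp starts before this hunk.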
From: David Cooper
Date: Fri, 25 May 2018 10:51:22 -0400
Subject: [PATCH 2/2] Check for HTTP errors

Added back in check for HTTP error codes.
---
 testssl.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testssl.sh b/testssl.sh
index a72695f..3e7ca69 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1541,6 +1541,7 @@ check_revocation_ocsp() {
 [[ -s "$tmpfile" ]] || response="empty ocsp response"
 [[ -z "$response" ]] && response="$(awk '/Responder Error:/ { print $3 }' "$tmpfile")"
 [[ -z "$response" ]] && grep -Fq "Response Verify Failure" "$tmpfile" && response="unable to verify response"
+ [[ -z "$response" ]] && response="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
 out ", "
 pr_warning "error querying OCSP responder"
 fileout "$jsonID" "WARN" "$response"
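Review bot: The added awk line passes `$tmpfile` unquoted while the two lines above quote it; use `"$tmpfile"` for consistency. The pattern `/Code/` matches any line that merely contains that word and `$NF` then takes everything after the last colon, so what ends up in `response` — and, through `fileout`, in the report — is presumably text taken from the responder's HTTP status line, which the remote side controls; anchoring the match on the actual error format (e.g. `/Code=/` if the line reads `Code=NNN,Reason=...`) narrows it, and it is worth confirming that fileout escapes the value it receives. The enclosing check_revocation_ocsp starts and ends outside this hunk.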