Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1066 from dcooper16/ocsp_error_responses

Browse Source 
OCSP error handling
This commit is contained in:
Dirk Wetter
2018-05-25 22:28:05 +02:00
committed by GitHub
parent c21ed3212e 5e7f1b75f6
commit 626e0fc65a
1 changed files with 24 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
testssl.sh
View File

@@ -1499,7 +1499,7 @@ check_revocation_ocsp() {
local jsonID="$2" local jsonID="$2"
local tmpfile="" local tmpfile=""
local -i success local -i success
local code="" local response=""
local host_header="" local host_header=""
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
@@ -1514,30 +1514,42 @@ check_revocation_ocsp() {
$OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \ $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile" -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then if [[ $? -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
if grep -q "$HOSTCERT: good" "$tmpfile"; then response="$(grep -F "$HOSTCERT: " "$tmpfile")"
response="${response#$HOSTCERT: }"
response="${response%\.}"
if [[ "$response" =~ "good" ]]; then
out ", " out ", "
pr_svrty_good "not revoked" pr_svrty_good "not revoked"
fileout "$jsonID" "OK" "not revoked" fileout "$jsonID" "OK" "not revoked"
elif fgrep -q "$HOSTCERT: revoked" "$tmpfile"; then elif [[ "$response" =~ "revoked" ]]; then
out ", " out ", "
pr_svrty_critical "revoked" pr_svrty_critical "revoked"
fileout "$jsonID" "CRITICAL" "revoked" fileout "$jsonID" "CRITICAL" "revoked"
elif [[ $DEBUG -ge 2 ]]; then else
outln out ", "
cat "$tmpfile" pr_warning "error querying OCSP responder"
fileout "$jsonID" "WARN" "$response"
if [[ $DEBUG -ge 2 ]]; then
outln
cat "$tmpfile"
else
out " ($response)"
fi
fi fi
else else
code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)" [[ -s "$tmpfile" ]] || response="empty ocsp response"
[[ -z "$response" ]] && response="$(awk '/Responder Error:/ { print $3 }' "$tmpfile")"
[[ -z "$response" ]] && grep -Fq "Response Verify Failure" "$tmpfile" && response="unable to verify response"
[[ -z "$response" ]] && response="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
out ", " out ", "
pr_warning "error querying OCSP responder" pr_warning "error querying OCSP responder"
[[ -s "$tmpfile" ]] || code="empty ocsp response" fileout "$jsonID" "WARN" "$response"
fileout "$jsonID" "WARN" "$code"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
outln outln
[[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response" [[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response"
else elif [[ -n "$response" ]]; then
out " ($code)" out " ($response)"
fi fi
fi fi
} }