mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
Changes to outputs: certificate start+end time, CRL+OCSP
For certificate start+end time it is now displaying the time on UTC and without mentioning the timezone twice. Also if neither CRL nor OCSP URI is provided it'll appear on the screen below those two checks. JSON/CSV has then an additional finding
This commit is contained in:
parent
02b5497864
commit
656016eae4
34
testssl.sh
34
testssl.sh
@ -6976,13 +6976,15 @@ certificate_info() {
|
||||
# see #967
|
||||
|
||||
out "$indent"; pr_bold " Certificate Expiration "
|
||||
|
||||
# FreeBSD + OSX can't swallow the leading blank:
|
||||
enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT
|
||||
startdate="$(strip_leading_space "$(awk -F':' '/Not Before/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")"
|
||||
days2expire=$(( $(parse_date "$enddate" "+%s" $'%b %d %T %Y %Z') - $(LC_ALL=C date "+%s") )) # first in seconds
|
||||
days2expire=$((days2expire / 3600 / 24 ))
|
||||
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||
|
||||
enddate="$(strip_trailing_space "${enddate//GMT/}")"
|
||||
startdate="$(strip_trailing_space "${startdate//GMT/}")"
|
||||
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
||||
days2expire=$((days2expire / 3600 / 24 ))
|
||||
|
||||
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
||||
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then
|
||||
@ -7015,14 +7017,14 @@ certificate_info() {
|
||||
expok="HIGH"
|
||||
fi
|
||||
fi
|
||||
outln " ($startdate --> $enddate)"
|
||||
outln " (UTC: $startdate --> $enddate)"
|
||||
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
|
||||
fileout "cert_expiration_start${json_postfix}" "$expok" "$startdate"
|
||||
fileout "cert_expiration_end${json_postfix}" "$expok" "$enddate"
|
||||
fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
||||
fileout "cert_expirationUTC_end${json_postfix}" "$expok" "$enddate"
|
||||
|
||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
||||
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided} certificates"
|
||||
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided}"
|
||||
|
||||
# Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
|
||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
|
||||
@ -7032,14 +7034,8 @@ certificate_info() {
|
||||
out "$indent"; pr_bold " Certificate Revocation List "
|
||||
jsonID="cert_CRL"
|
||||
if [[ -z "$crl" ]] ; then
|
||||
if [[ -n "$ocsp_uri" ]]; then
|
||||
outln "--"
|
||||
fileout "${jsonID}${json_postfix}" "INFO" "none"
|
||||
else
|
||||
pr_svrty_high "NOT ok --"
|
||||
outln " neither CRL nor OCSP URI provided"
|
||||
fileout "${jsonID}${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
|
||||
fi
|
||||
fileout "${jsonID}${json_postfix}" "INFO" "--"
|
||||
outln "--"
|
||||
else
|
||||
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
||||
outln "$crl"
|
||||
@ -7062,6 +7058,12 @@ certificate_info() {
|
||||
fi
|
||||
fileout "${jsonID}${json_postfix}" "INFO" "$ocsp_uri"
|
||||
fi
|
||||
if [[ -z "$ocsp_uri" ]] && [[ -z "$crl" ]]; then
|
||||
out "$spaces"
|
||||
pr_svrty_high "NOT ok --"
|
||||
outln " neither CRL nor OCSP URI provided"
|
||||
fileout "cert_revocation${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
|
||||
fi
|
||||
|
||||
out "$indent"; pr_bold " OCSP stapling "
|
||||
jsonID="OCSP_stapling"
|
||||
|
Loading…
Reference in New Issue
Block a user