Changes to outputs: certificate start+end time, CRL+OCSP
For certificate start and end time it now displays the time in UTC, without mentioning the timezone twice. Also, if neither a CRL nor an OCSP URI is provided, this is now reported on screen below those two checks, and JSON/CSV output then contains an additional finding.
This commit is contained in:
parent
02b5497864
commit
656016eae4
32
testssl.sh
32
testssl.sh
@ -6976,13 +6976,15 @@ certificate_info() {
|
|||||||
# see #967
|
# see #967
|
||||||
|
|
||||||
out "$indent"; pr_bold " Certificate Expiration "
|
out "$indent"; pr_bold " Certificate Expiration "
|
||||||
|
|
||||||
|
# FreeBSD + OSX can't swallow the leading blank:
|
||||||
enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT
|
enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT
|
||||||
startdate="$(strip_leading_space "$(awk -F':' '/Not Before/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")"
|
startdate="$(strip_leading_space "$(awk -F':' '/Not Before/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")"
|
||||||
days2expire=$(( $(parse_date "$enddate" "+%s" $'%b %d %T %Y %Z') - $(LC_ALL=C date "+%s") )) # first in seconds
|
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
days2expire=$((days2expire / 3600 / 24 ))
|
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
|
||||||
|
|
||||||
enddate="$(strip_trailing_space "${enddate//GMT/}")"
|
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
|
||||||
startdate="$(strip_trailing_space "${startdate//GMT/}")"
|
days2expire=$((days2expire / 3600 / 24 ))
|
||||||
|
|
||||||
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
|
||||||
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then
|
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then
|
||||||
@ -7015,14 +7017,14 @@ certificate_info() {
|
|||||||
expok="HIGH"
|
expok="HIGH"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
outln " ($startdate --> $enddate)"
|
outln " (UTC: $startdate --> $enddate)"
|
||||||
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
|
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
|
||||||
fileout "cert_expiration_start${json_postfix}" "$expok" "$startdate"
|
fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
|
||||||
fileout "cert_expiration_end${json_postfix}" "$expok" "$enddate"
|
fileout "cert_expirationUTC_end${json_postfix}" "$expok" "$enddate"
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
||||||
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided} certificates"
|
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided}"
|
||||||
|
|
||||||
# Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
|
# Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
|
||||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
|
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
|
||||||
@ -7032,14 +7034,8 @@ certificate_info() {
|
|||||||
out "$indent"; pr_bold " Certificate Revocation List "
|
out "$indent"; pr_bold " Certificate Revocation List "
|
||||||
jsonID="cert_CRL"
|
jsonID="cert_CRL"
|
||||||
if [[ -z "$crl" ]] ; then
|
if [[ -z "$crl" ]] ; then
|
||||||
if [[ -n "$ocsp_uri" ]]; then
|
fileout "${jsonID}${json_postfix}" "INFO" "--"
|
||||||
outln "--"
|
outln "--"
|
||||||
fileout "${jsonID}${json_postfix}" "INFO" "none"
|
|
||||||
else
|
|
||||||
pr_svrty_high "NOT ok --"
|
|
||||||
outln " neither CRL nor OCSP URI provided"
|
|
||||||
fileout "${jsonID}${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
if [[ $(count_lines "$crl") -eq 1 ]]; then
|
||||||
outln "$crl"
|
outln "$crl"
|
||||||
@ -7062,6 +7058,12 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fileout "${jsonID}${json_postfix}" "INFO" "$ocsp_uri"
|
fileout "${jsonID}${json_postfix}" "INFO" "$ocsp_uri"
|
||||||
fi
|
fi
|
||||||
|
if [[ -z "$ocsp_uri" ]] && [[ -z "$crl" ]]; then
|
||||||
|
out "$spaces"
|
||||||
|
pr_svrty_high "NOT ok --"
|
||||||
|
outln " neither CRL nor OCSP URI provided"
|
||||||
|
fileout "cert_revocation${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
|
||||||
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
jsonID="OCSP_stapling"
|
jsonID="OCSP_stapling"
|
||||||
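Review bot: The start-date finding `fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate"` is hard-coded to INFO on the strength of the comment "we assume that the certificate has no start time in the future", so a not-yet-valid certificate (notBefore after the current time) is reported as informational, and the screen line `outln " (UTC: $startdate --> $enddate)"` gives no warning either. The surrounding code already has `parse_date` and the current epoch in hand for `days2expire`, so the same comparison can decide the severity for the start date instead of assuming the case away; a sketch of the replacement for the three `fileout` lines follows. A secondary, unconfirmed point: the new "UTC:" label is only correct if `parse_date` pins TZ to UTC/GMT when it re-renders the dates as `%F %H:%M` (and when it re-parses that zone-less string for `days2expire`); the helper is not in this diff, so it is worth verifying on a host whose local zone is not UTC. certificate_info() starts and ends outside the shown hunks.
```shell
outln " (UTC: $startdate --> $enddate)"
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
# notBefore in the future means the certificate is not yet valid; report it rather than assume it can't happen
if [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -gt $(LC_ALL=C date "+%s") ]]; then
     out "$spaces"; pr_svrty_high "NOT ok --"; outln " certificate not yet valid (start date is in the future)"
     fileout "cert_expirationUTC_start${json_postfix}" "HIGH" "$startdate (not yet valid)"
else
     fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate"
fi
fileout "cert_expirationUTC_end${json_postfix}" "$expok" "$enddate"
# … unchanged: certificates_provided count, CRL/OCSP URI retrieval …
```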
|