From 6825c0b363ebf77fb296f7f05e06f4f8244d07b4 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Wed, 1 Jun 2016 16:20:10 -0400
Subject: [PATCH] Allow for certificates with no subjectAltName extension

While it seems that almost all certificates include a subjectAltName extension, need to allow for the possibility that the two certificates being compared don't have subjectAltName extensions.
---
 testssl.sh | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 81c48c2..2828d8d 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3610,14 +3610,18 @@ run_server_defaults() {
                # FIXME: Not sure what the matching rule should be. At
                # the moment, the no SNI certificate is considered a
-               # match if the CNs are the same and the SANs contain
-               # at least one DNS name in common.
+               # match if the CNs are the same and the SANs (if
+               # present) contain at least one DNS name in common.
                if [[ "$cn_nosni" == "$cn_sni" ]]; then
                     sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
                          sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername://g')
-                    for san in $sans_nosni; do
-                         [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
-                    done
+                    if [[ "$sans_nosni" == "$sans_sni" ]]; then
+                         success[n]=0
+                    else
+                         for san in $sans_nosni; do
+                              [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
+                         done
+                    fi
                fi
           fi
           # If the certificate found for TLSv1.1 w/o SNI appears to
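Review bot: The new `[[ "$sans_nosni" == "$sans_sni" ]]` branch also fires when both SAN lists are empty, so a certificate pair with no subjectAltName extension is judged identical on CN equality alone, and that consequence deserves to be stated next to the branch rather than left for the reader to derive: `# identical (or both absent) SAN lists: CN equality alone decides the match`. Because the rule compares only names, two distinct certificates that carry the same CN and DNS names (a renewed certificate, for instance) still compare equal and `success[n]=0` then skips the no-SNI handling for them; if the no-SNI certificate is available as a file at this point, comparing a digest of the two certificates would be the stricter test, though how `sans_nosni`'s certificate is obtained is not visible in this hunk. The enclosing `run_server_defaults()` starts and ends outside the hunk.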