Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 08:49:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow for certificates with no subjectAltName extension

Browse Source 
While it seems that almost all certificates include a subjectAltName extension, need to allow for the possibility that the two certificates being compared don't have subjectAltName extensions.
This commit is contained in:
David Cooper 2016-06-01 16:20:10 -04:00
parent 3bc0d6b45c
commit 6825c0b363
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
testssl.sh
View File

@ -3610,14 +3610,18 @@ run_server_defaults() {
# FIXME: Not sure what the matching rule should be. At # FIXME: Not sure what the matching rule should be. At
# the moment, the no SNI certificate is considered a # the moment, the no SNI certificate is considered a
# match if the CNs are the same and the SANs contain # match if the CNs are the same and the SANs (if
# at least one DNS name in common. # present) contain at least one DNS name in common.
if [[ "$cn_nosni" == "$cn_sni" ]]; then if [[ "$cn_nosni" == "$cn_sni" ]]; then
sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g') sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
for san in $sans_nosni; do if [[ "$sans_nosni" == "$sans_sni" ]]; then
[[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break success[n]=0
done else
for san in $sans_nosni; do
[[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
done
fi
fi fi
fi fi
# If the certificate found for TLSv1.1 w/o SNI appears to # If the certificate found for TLSv1.1 w/o SNI appears to