From 6b601e22c766ac61d4e23e4cf3a7c077f29f5fde Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 31 Mar 2017 17:04:04 +0200 Subject: [PATCH] adding Referrer-Policy header (FIX #604) introduced get_san_dns_from_cert() added two stub function get_session_ticket_lifetime_from_serverhello --- testssl.sh | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index f7d51da..91bb5f3 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2284,7 +2284,7 @@ run_cookie_flags() { # ARG1: Path run_more_flags() { local good_flags2test="X-Frame-Options X-XSS-Protection X-Content-Type-Options Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP Content-Security-Policy-Report-Only" - local other_flags2test="Access-Control-Allow-Origin Upgrade X-Served-By X-UA-Compatible" + local other_flags2test="Access-Control-Allow-Origin Upgrade X-Served-By X-UA-Compatible Referrer-Policy" local f2t local first=true local spaces=" " @@ -5477,7 +5477,7 @@ compare_server_name_to_cert() # If the CN contains any characters that are not valid for a DNS name, # then assume it does not contain a DNS name. - [[ -n $(echo -n "$cn" | sed 's/^[\.a-zA-Z0-9*\-]*//') ]] && return $ret + [[ -n $(sed 's/^[\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $ret # Check whether the CN in the certificate matches the servername [[ $(toupper "$cn") == "$servername" ]] && ret+=4 && return $ret @@ -6241,7 +6241,7 @@ run_server_defaults() { if ! "$match_found"; then certs_found=$(($certs_found + 1)) cipher[certs_found]=${ciphers_to_test[n]} - keysize[certs_found]=$(grep -aw "^Server public key is" $TMPFILE | sed -e 's/^Server public key is //' -e 's/bit//' -e 's/ //') + keysize[certs_found]=$(awk '/Server public key/ { print $(NF-1) }' $TMPFILE) ocsp_response[certs_found]=$(grep -aA 20 "OCSP response" $TMPFILE) ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE) previous_hostcert[certs_found]=$newhostcert @@ -6315,6 +6315,19 @@ run_server_defaults() { done } +get_session_ticket_lifetime_from_serverhello() { + awk '/session ticket.*lifetime/ { print $(NF-1) "$1" }' +} + +get_san_dns_from_cert() { + toupper "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \ + grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \ + sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')" +} + + + + run_pfs() { local -i sclient_success local pfs_offered=false ecdhe_offered=false ffdhe_offered=false