- fix key problem hpkp

This commit is contained in:
Dirk 2016-02-20 11:07:47 +01:00
parent 7846fc5fef
commit 71b4c03202


@ -985,10 +985,13 @@ run_hpkp() {
fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading"
fi fi
[[ -s "$HOSTCERT" ]] || get_host_cert if [[ ! -s "$HOSTCERT" ]]; then
# get the key fingerprints get_host_cert || return 1
fi
# get the key fingerprint from the host certificate
hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \
$OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)"
# compare it with the ones provided in the header
while read hpkp_key; do while read hpkp_key; do
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
out "\n$spaces matching host key: " out "\n$spaces matching host key: "
@ -2626,13 +2629,15 @@ cipher_pref_check() {
get_host_cert() { get_host_cert() {
local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE local tmpvar=$TEMPDIR/$FUNCNAME.txt # change later to $TMPFILE
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpdir $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $1 2>/dev/null </dev/null >$tmpvar
if sclient_connect_successful $? $tmpvar; then if sclient_connect_successful $? $tmpvar; then
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
return 0
else else
pr_litemagentaln "could not retrieve host certificate!"
return 1 return 1
fi fi
tmpfile_handle $FUNCNAME.txt #tmpfile_handle $FUNCNAME.txt
#return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]})) #return $((${PIPESTATUS[0]} + ${PIPESTATUS[1]}))
} }
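Review bot: get_host_cert now returns 0 whenever the connection succeeded, but nothing checks that the awk range extraction actually wrote a PEM block to $HOSTCERT, so run_hpkp's new guard only protects against a missing file before the call and an empty certificate file still reaches the x509 pipeline. Replacing the `return 0` line with `[[ -s "$HOSTCERT" ]] || { pr_litemagentaln "could not retrieve host certificate!"; return 1; }` followed by `return 0` closes that gap. In the run_hpkp hunk the fingerprint pipeline runs inside `$(...)` with no status check, so an x509 or base64 failure yields an empty hpkp_key_hostcert that is then compared against every pin; a test such as `[[ -n "$hpkp_key_hostcert" ]] || return 1` before the while loop would make the failure explicit. Both `$HOSTCERT` and `$tmpvar` are unquoted in the `-in`, `>` and awk operands; quoting them matches the `[[ ! -s "$HOSTCERT" ]]` test the commit adds. The run_hpkp function starts and ends outside the first hunk.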