From 61947405e0183bc1872ccaf5feacb45850d93f9b Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 10 Jun 2025 22:54:11 +0200 Subject: [PATCH 1/3] Fix missing issuer CN This fixes a problem which was introduced @ 8d8f83ace507db6a699acb4901d1329f31731a04. It caused for some hosts not to parse / display the issuer CN correctly. Also it adds some code in testssl.sh and in a unit test to detect this earlier. In general an output string FIXME will now cause a unit test to fail. This can + should be used at other places too! Fixes #2789
---
 t/10_baseline_ipv4_http.t | 4 ++-- testssl.sh | 9 ++++++--- 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/t/10_baseline_ipv4_http.t b/t/10_baseline_ipv4_http.t
index 6df9422..aa52f38 100755
--- a/t/10_baseline_ipv4_http.t
+++ b/t/10_baseline_ipv4_http.t
@@ -26,8 +26,8 @@ my $openssl_json="";
 # @args="$prg $check2run $uri >/dev/null";
 # system("@args") == 0
 # or die ("FAILED: \"@args\" ");
-my $socket_errors='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
-my $openssl_errors='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
+my $socket_errors='(e|E)rror|FIXME|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
+my $openssl_errors='(e|E)rror|FIXME|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 my $json_errors='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
diff --git a/testssl.sh b/testssl.sh
index 18c6cd5..6ad85ed 100755
--- a/testssl.sh
+++ b/testssl.sh
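Review bot: In t/10_baseline_ipv4_http.t the new `FIXME` alternative in `$socket_errors` and `$openssl_errors` is an undocumented contract with testssl.sh: nothing at the regexes says that the scanner prints this word on purpose when a parsed value comes back empty. A comment above the two assignments would record it, e.g. `# FIXME is a sentinel testssl.sh prints when a value could not be parsed (see #2789)`. The sentinels added in this series read `FIXME: cn Error` / `FIXME: issuer_CN Error`, which `(e|E)rror` already matches, so the new alternative only takes effect for future sentinels that omit that word.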
@@ -10121,9 +10121,12 @@ certificate_info() {
 expok="OK"
 fi
 out " ($enddate). "
- # Match on Subject/Issuer plus next 3 lines
- cn="$(awk '/Subject:/{stop=NR+3}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
- issuer_CN="$(awk '/Issuer:/{stop=NR+3}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ # Match on Subject/Issuer plus next 4 lines, there should be the CN
+ cn="$(awk '/Subject:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ issuer_CN="$(awk '/Issuer:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ # to catch errors like #2789 during unit test:
+ [[ -z "$cn" ]] && cn="FIXME: cn Error"
+ [[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN Error"
 pr_italic "$(strip_leading_space "$cn")"; out " <-- "; prln_italic "$(strip_leading_space "$issuer_CN")"
 fileout "intermediate_cert_notAfter <#${i}>${json_postfix}" "$expok" "$enddate"
 fileout "intermediate_cert_expiration <#${i}>${json_postfix}" "$expok" "$cn_finding"
From 39029e999549f9b0c50f3dfa174076d93a63e6b7 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 10 Jun 2025 23:13:00 +0200 Subject: [PATCH 2/3] fix orthographic error
---
 testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 6ad85ed..be0d7df 100755
--- a/testssl.sh
+++ b/testssl.sh
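Review bot: The two added `[[ -z ... ]]` fallbacks in certificate_info() (PATCH 1/3) treat every empty `cn` or `issuer_CN` as a parsing bug, but X.509 does not require a CN attribute in a subject or issuer name, so a server that sends an intermediate whose DN has none would show `FIXME: cn Error` to the person running the scan and would fail the unit test without any defect in testssl.sh. The content of the chain is chosen by the scanned server, so this case can be triggered from outside. Consider setting the sentinel only when no `Subject:` / `Issuer:` line is found at all and printing a neutral value otherwise, for example `[[ -z "$cn" ]] && cn="(no CN)"`. At minimum the comment should record the ambiguity: `# empty may also mean the DN has no CN attribute, not only a parse failure (#2789)`. certificate_info() begins and ends outside this hunk.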
@@ -10125,8 +10125,8 @@ certificate_info() {
 cn="$(awk '/Subject:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
 issuer_CN="$(awk '/Issuer:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
 # to catch errors like #2789 during unit test:
- [[ -z "$cn" ]] && cn="FIXME: cn Error"
- [[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN Error"
+ [[ -z "$cn" ]] && cn="FIXME: cn error"
+ [[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN error"
 pr_italic "$(strip_leading_space "$cn")"; out " <-- "; prln_italic "$(strip_leading_space "$issuer_CN")"
 fileout "intermediate_cert_notAfter <#${i}>${json_postfix}" "$expok" "$enddate"
 fileout "intermediate_cert_expiration <#${i}>${json_postfix}" "$expok" "$cn_finding"
From 0a89d5c94f50b1e863c27c8d54a2002930bfa167 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 11 Jun 2025 09:06:41 +0200 Subject: [PATCH 3/3] Some cert need 5 lines to reach the CN
---
 testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index be0d7df..1d133cc 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -10121,9 +10121,9 @@ certificate_info() {
 expok="OK"
 fi
 out " ($enddate). "
- # Match on Subject/Issuer plus next 4 lines, there should be the CN
- cn="$(awk '/Subject:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
- issuer_CN="$(awk '/Issuer:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ # Match Subject/Issuer on next 5 lines, where the CN is (4 lines is fine in most cases, 5 should suffice for all certs)
+ cn="$(awk '/Subject:/{stop=NR+5}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ issuer_CN="$(awk '/Issuer:/{stop=NR+5}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
 # to catch errors like #2789 during unit test:
 [[ -z "$cn" ]] && cn="FIXME: cn error"
 [[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN error"
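Review bot: `NR+5` is still a line-count guess, and the new comment's "5 should suffice for all certs" is not something the code can guarantee: the number and order of attributes in a DN is up to the issuing CA, so if the text dump lists one attribute per line, a name with more than five lines before its CN will come back empty again. The second stage `awk -F= '/CN/ { print $NF }'` also accepts any line in the window that merely contains the letters CN (a country value of `CN`, for instance), and each widening of the window adds lines that can match by accident. Ending the window at the next field label instead of counting lines, and matching the attribute itself with `awk -F= '/CN *=/ { print $NF }'`, would address both; the comment could then read `# take the Subject/Issuer block up to the next field label and pick its CN attribute`. certificate_info() starts and ends outside this hunk.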