Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Don't check expired certificates

Browse Source 
In general, a CA only needs to keep the status information for a certificate until it expires. So, once a certificate has expired, the information provided about it in a CRL or OCSP response may no longer be reliable. The certificate may no longer be listed as revoked, even it is had been revoked at some point before it expired.

So, this PR changes certificate_info() to only check CRLs for revocation status if the certificate has not expired.
This commit is contained in:
David Cooper 2018-04-26 10:23:52 -04:00 committed by GitHub
parent ddf5ff6bc9
commit 78cb75543f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
testssl.sh
View File

@ -7445,8 +7445,10 @@ certificate_info() {
else
if [[ $(count_lines "$crl") -eq 1 ]]; then
out "$crl"
check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}"
ret=$((ret +$?))
if [[ "$expfinding" != "expired" ]]; then
check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}"
ret=$((ret +$?))
fi
outln
else # more than one CRL
first_crl=true
@ -7457,8 +7459,10 @@ certificate_info() {
out "$spaces"
fi
out "$line"
check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}"
ret=$((ret +$?))
if [[ "$expfinding" != "expired" ]]; then
check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}"
ret=$((ret +$?))
fi
outln
done <<< "$crl"
fi