From 7d36734a969658628f2d89689552c4e8f55224c0 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Fri, 18 May 2018 20:30:37 +0200
Subject: [PATCH] Handle host header in OCSP request properly

My previous commit added a host header but didn't properly format the host header (trailing slashes / path). This commit corrects that so that the 305 times HTTP 400 in #1056 should now be gone (TBC), including Google CA responders. One issue which needs to be addressed (same as in CRL revocation checks): Not trusted certificates (zhanqi.tv, taken from my Alexa scans) fail for obvious reasons.
---
 testssl.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 8427544..725cc1a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1499,10 +1499,13 @@ check_revocation_ocsp() {
 local tmpfile=""
 local -i success
 local code=""
+ local host_header=""
 
 "$PHONE_OUT" || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
- $OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \
+ host_header=${uri##http://}
+ host_header=${host_header%/*}
+ $OPENSSL ocsp -no_nonce -header Host ${host_header} -url "$uri" \
 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
 -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
 if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
@@ -1522,10 +1525,11 @@ check_revocation_ocsp() {
 code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
 out ", "
 pr_warning "error querying OCSP responder"
+ [[ -s "$tmpfile" ]] && code="empty ocsp response"
 fileout "$jsonID" "WARN" "$code"
 if [[ $DEBUG -ge 2 ]]; then
 outln
- cat "$tmpfile"
+ [[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response"
 else
 out " ($code)"
 fi
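Review bot: `host_header=${host_header%/*}` strips only the last path segment, so a responder URI whose path has more than one segment (e.g. `http://host/ocsp/v1`) still sends `Host: host/ocsp`, which is likely still rejected with the HTTP 400 the commit sets out to fix; the longest-match form `host_header=${host_header%%/*}` keeps everything before the first slash. The value is also passed unquoted on the openssl line; `-header Host "$host_header"` keeps it consistent with `-url "$uri"` on the same line. Since $uri comes from the peer certificate's AIA extension it is untrusted input: `${uri##http://}` only removes that exact scheme, so a URI with any other scheme leaves the scheme in the header, and rejecting URIs that do not start with `http://` before the openssl call would make the failure explicit instead of a malformed request. check_revocation_ocsp begins before this hunk and continues past it.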
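Review bot: The new `[[ -s "$tmpfile" ]] && code="empty ocsp response"` is inverted: `-s` succeeds when the file is non-empty, so the code extracted by awk on the line above is overwritten exactly when a response was received, and the "empty" marker is never set when the file really is empty, so fileout records the wrong reason in both cases. Change it to `[[ -s "$tmpfile" ]] || code="empty ocsp response"`. The debug line `[[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response"` is written as an if/else but also runs the echo when cat itself fails; `if [[ -s "$tmpfile" ]]; then cat "$tmpfile"; else echo "empty ocsp response"; fi` states the intent without that edge. check_revocation_ocsp continues past the end of this hunk.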