Handle host header in OCSP request properly
My previous commit added a host header but didn't format it properly (trailing slashes / path). This commit corrects that, so the 305 occurrences of HTTP 400 in #1056 should now be gone (TBC), including for Google CA responders. One issue which still needs to be addressed (same as in the CRL revocation checks): untrusted certificates (zhanqi.tv, taken from my Alexa scans) fail for obvious reasons.
This commit is contained in:
parent
82aae158ba
commit
7d36734a96
@ -1499,10 +1499,13 @@ check_revocation_ocsp() {
|
|||||||
local tmpfile=""
|
local tmpfile=""
|
||||||
local -i success
|
local -i success
|
||||||
local code=""
|
local code=""
|
||||||
|
local host_header=""
|
||||||
|
|
||||||
"$PHONE_OUT" || return 0
|
"$PHONE_OUT" || return 0
|
||||||
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
|
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
|
||||||
$OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \
|
host_header=${uri##http://}
|
||||||
|
host_header=${host_header%/*}
|
||||||
|
$OPENSSL ocsp -no_nonce -header Host ${host_header} -url "$uri" \
|
||||||
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
|
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
|
||||||
-CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
|
-CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
|
||||||
if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
|
if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
|
||||||
@ -1522,10 +1525,11 @@ check_revocation_ocsp() {
|
|||||||
code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
|
code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
|
||||||
out ", "
|
out ", "
|
||||||
pr_warning "error querying OCSP responder"
|
pr_warning "error querying OCSP responder"
|
||||||
|
[[ -s "$tmpfile" ]] && code="empty ocsp response"
|
||||||
fileout "$jsonID" "WARN" "$code"
|
fileout "$jsonID" "WARN" "$code"
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
outln
|
outln
|
||||||
cat "$tmpfile"
|
[[ -s "$tmpfile" ]] && cat "$tmpfile" || echo "empty ocsp response"
|
||||||
else
|
else
|
||||||
out " ($code)"
|
out " ($code)"
|
||||||
fi
|
fi
|
||||||
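Review bot: The new `[[ -s "$tmpfile" ]] && code="empty ocsp response"` line in the second hunk is inverted: `-s` is true when the file is non-empty, so the "empty ocsp response" code is assigned exactly when the responder did return data, and never when it returned nothing; it should read `[[ ! -s "$tmpfile" ]] && code="empty ocsp response"`, matching the sense of the `[[ -s "$tmpfile" ]] && cat ... || echo` debug line a few lines below. In the first hunk, `host_header=${host_header%/*}` removes only the last path component, so a responder URI with a multi-segment path still yields a Host value containing a slash; `host_header=${host_header%%/*}` strips from the first slash and keeps an optional `:port`, which is what a Host header needs. Since the responder URI is taken from a certificate presented by the peer, `-header Host ${host_header}` should also be quoted as `"$host_header"` so an unexpected space cannot split it into extra openssl arguments. check_revocation_ocsp begins before the first hunk and continues after the second.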
|