Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Minor additions to OCSP revocation check

Browse Source 
Error from OCSP responder is now being displayed (and logged to JSON, ...)

Whole replay is kept in $tmpfile for debugging purposes

JSON output added for OCSP responderi query failures

Furtermore wget was replaced by "type -p" and grep by fgrep.
This commit is contained in:
Dirk 2018-05-16 19:52:10 +02:00
parent fac65d82b0
commit 82aae158ba
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
testssl.sh
View File

@ -1402,10 +1402,10 @@ http_get() {
"$SNEAKY" && useragent="$UA_SNEAKY" "$SNEAKY" && useragent="$UA_SNEAKY"
# automatically handles proxy vars via ENV # automatically handles proxy vars via ENV
if which curl &>/dev/null; then if type -p curl &>/dev/null; then
curl -s -A $''"$useragent"'' -o $dl "$1" curl -s -A $''"$useragent"'' -o $dl "$1"
return $? return $?
elif which wget &>/dev/null; then elif type -p wget &>/dev/null; then
wget -q -U $''"$useragent"'' -O $dl "$1" wget -q -U $''"$useragent"'' -O $dl "$1"
return $? return $?
else else
@ -1432,7 +1432,7 @@ ldap_get() {
local tmpfile="$2" local tmpfile="$2"
local jsonID="$3" local jsonID="$3"
if which curl &>/dev/null; then if type -p curl &>/dev/null; then
ldif="$(curl -s "$crl")" ldif="$(curl -s "$crl")"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
@ -1498,18 +1498,19 @@ check_revocation_ocsp() {
local jsonID="$2" local jsonID="$2"
local tmpfile="" local tmpfile=""
local -i success local -i success
local code=""
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
$OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \ $OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT &> "$tmpfile" -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
if [[ $? -eq 0 ]] && grep -q "Response verify OK" "$tmpfile"; then if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
if grep -q "$HOSTCERT: good" "$tmpfile"; then if grep -q "$HOSTCERT: good" "$tmpfile"; then
out ", " out ", "
pr_svrty_good "not revoked" pr_svrty_good "not revoked"
fileout "$jsonID" "OK" "not revoked" fileout "$jsonID" "OK" "not revoked"
elif grep -q "$HOSTCERT: revoked" "$tmpfile"; then elif fgrep -q "$HOSTCERT: revoked" "$tmpfile"; then
out ", " out ", "
pr_svrty_critical "revoked" pr_svrty_critical "revoked"
fileout "$jsonID" "CRITICAL" "revoked" fileout "$jsonID" "CRITICAL" "revoked"
@ -1518,13 +1519,15 @@ check_revocation_ocsp() {
cat "$tmpfile" cat "$tmpfile"
fi fi
else else
code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
out ", " out ", "
pr_warning "error querying OCSP responder" pr_warning "error querying OCSP responder"
fileout "$jsonID" "WARN" "$code"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
outln outln
cat "$tmpfile" cat "$tmpfile"
else else
out " (--debug >= 2 shows reason)" out " ($code)"
fi fi
fi fi
} }