From 83271719358789ab57bc65ee985bd2b82ed15a76 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 23 Jan 2018 11:46:24 +0100 Subject: [PATCH] simplify few cert checks messages + hopefullt make Travis work again --- t/31_badssl.com.t | 28 +++++++++++++++------------- testssl.sh | 9 +++------ 2 files changed, 18 insertions(+), 19 deletions(-) diff --git a/t/31_badssl.com.t b/t/31_badssl.com.t index 01ca476..ad60255 100755 --- a/t/31_badssl.com.t +++ b/t/31_badssl.com.t @@ -14,7 +14,7 @@ my ( ); # OK pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++; -my $okout = `./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com`; +my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --crime --jsonfile tmp.json --color 0 badssl.com`; my $okjson = json('tmp.json'); unlink 'tmp.json'; cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; @@ -22,14 +22,14 @@ cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; # Expiration pass("Running testssl against expired.badssl.com"); $tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`; -like($out, qr/Certificate Expiration\s+expired\!/,"The certificate should be expired"); $tests++; +like($out, qr/Certificate Expiration\s+expired/,"The certificate should be expired"); $tests++; $json = json('tmp.json'); unlink 'tmp.json'; $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "expiration" ) { + if ( $f->{id} eq "cert_expiration_status" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); $tests++; + like($f->{finding},qr/^expired/,"Finding reads expired."); $tests++; is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } 
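Review bot: The baseline run in `my $okout = ...` no longer uses `-U`, so it exercises only the seven listed checks and stops covering the rest of the vulnerability set that `-U` ran (Heartbleed and CCS injection among them, if I read the option correctly). Nothing in the test says the reduction is deliberate. I would add a comment above the assignment, e.g. `# explicit subset instead of -U to keep the Travis run working; the other vulnerability checks are not covered by this baseline`, so a later reader does not take the baseline for full coverage.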
@@ -44,9 +44,10 @@ $json = json('tmp.json'); unlink 'tmp.json'; $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "expiration" ) { + if ( $f->{id} eq "cert_expiration_status" ) { $found = 1; - like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); $tests++; + like($f->{finding},qr/days/,"Finding doesn't read expired."); $tests++; +# hope they don't come below 60days: is($f->{severity}, "OK", "Severity should be ok"); $tests++; last; } @@ -56,9 +57,9 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++; $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "chain_of_trust" ) { + if ( $f->{id} eq "cert_chain_of_trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++; + like($f->{finding},qr/^.*self signed/,"Finding says certificate cannot be trusted."); $tests++; is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } @@ -68,9 +69,10 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++; $found = 0; foreach my $f ( @$okjson ) { - if ( $f->{id} eq "chain_of_trust" ) { + if ( $f->{id} eq "cert_chain_of_trust" ) { $found = 1; - is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); $tests++; + like($f->{finding},qr/passed/,"Finding says certificate can be trusted."); $tests++; + # is($f->{finding},"^.*passed.*","Finding says certificate can be trusted."); $tests++; is($f->{severity}, "OK", "Severity should be OK"); $tests++; last; } 
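Review bot: The added comment `# hope they don't come below 60days:` sits at column 0 between the two assertions and does not say which one it guards. As written, `is($f->{severity}, "OK", ...)` depends on the remaining lifetime of badssl.com's certificate, so the test will presumably start failing shortly before each renewal. I would indent the comment with the block and spell that out, e.g. `# severity is only "OK" while the badssl.com certificate has more than 60 days left; expect a failure close to renewal`. `qr/days/` is also loose enough to match almost any expiration finding, which leaves the severity check as the only assertion that distinguishes a healthy certificate here.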
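Review bot: In `qr/^.*self signed/` the leading `^.*` adds nothing, so the pattern is effectively an unanchored `qr/self signed/` and no longer checks that the finding reports a failure. Judging by the `fileout ... "CRITICAL" "failed $code. $addtl_warning"` line this same commit writes in testssl.sh, the finding now starts with `failed`, so `qr/^failed.*self signed/` would keep the assertion about as strict as the one it replaces. The same applies to `qr/^.*chain incomplete/` in the hunk at -102,9, where `qr/^failed.*chain incomplete/` would do.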
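Review bot: The commented-out `# is($f->{finding},"^.*passed.*", ...)` line added below the new `like` is dead code, and it could never have passed because `is` compares the string literally rather than as a pattern; I would drop it. The live assertion `qr/passed/` can be anchored as `qr/^passed/`, which still matches the `"passed. $addtl_warning"` string the commit writes in testssl.sh and fails if other text is put in front of it. The `foreach` loop this assertion sits in closes outside the hunk.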
@@ -102,9 +104,9 @@ $json = json('tmp.json'); unlink 'tmp.json'; $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "chain_of_trust" ) { + if ( $f->{id} eq "cert_chain_of_trust" ) { $found = 1; - like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; + like($f->{finding},qr/^.*chain incomplete/,"Finding says certificate cannot be trusted."); $tests++; is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } @@ -121,7 +123,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; #unlink 'tmp.json'; #$found = 0; #foreach my $f ( @$json ) { -# if ( $f->{id} eq "chain_of_trust" ) { +# if ( $f->{id} eq "cert_chain_of_trust" ) { # $found = 1; # like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; # is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; diff --git a/testssl.sh b/testssl.sh index 50db43d..467eed7 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5788,10 +5788,7 @@ determine_trust() { # all stores ok pr_done_good "Ok "; pr_warning "$addtl_warning" # we did to stdout the warning above already, so we could stay here with OK: - [[ -z "$addtl_warning" ]] && \ - fileout "${json_prefix}${json_postfix}" "OK" "All certificate trust checks passed" || \ - fileout "${json_prefix}${json_postfix}" "OK" "All certificate trust checks passed. $addtl_warning" - # The "." is otherwise confusing + fileout "${json_prefix}${json_postfix}" "OK" "passed. $addtl_warning" else # at least one failed pr_svrty_critical "NOT ok" @@ -5804,7 +5801,7 @@ determine_trust() { else out "$code" fi - fileout "${json_prefix}${json_postfix}" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning" + fileout "${json_prefix}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning" else # is one ok and the others not ==> display the culprit store if "$some_ok"; then 
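Review bot: With the `[[ -z "$addtl_warning" ]]` branch removed, the OK record is always written as `"passed. $addtl_warning"`, so an empty warning yields the finding `passed. ` with a dangling period and trailing space. `fileout "${json_prefix}${json_postfix}" "OK" "passed${addtl_warning:+. $addtl_warning}"` keeps the single call and only adds the separator when there is something to append. The CRITICAL call in the next hunk (`"failed $code. $addtl_warning"`) has the same trailing-space problem. A non-empty warning is still filed under severity `OK`, which the kept comment above the call accepts, so anyone filtering the JSON by severity will not see it; that may deserve a sentence in the comment. `determine_trust` starts and ends outside both hunks.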
@@ -5832,7 +5829,7 @@ determine_trust() { [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces" pr_done_good "OK: $ok_was" fi - fileout "${json_prefix}${json_postfix}" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" + fileout "${json_prefix}${json_postfix}" "CRITICAL" "Some certificate trust checks failed -> $notok_was $addtl_warning, OK -> $ok_was" fi [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning" fi
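Review bot: In the new partial-failure message `$addtl_warning` is interpolated between the failed stores and `, OK -> $ok_was`, so a warning text lands in the middle of the two store lists and an empty one leaves `$notok_was , OK` with a stray space. Putting the warning last keeps the lists adjacent: `"Some certificate trust checks failed -> $notok_was, OK -> $ok_was${addtl_warning:+. $addtl_warning}"`. This record also keeps the long `Some certificate trust checks failed` prefix while the other two were shortened to `passed` and `failed`, which is worth a comment if intentional. `determine_trust` continues outside the hunk.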