Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #761 from dcooper16/SAN_preferred_update

Browse Source 
SAN_preferred updates
This commit is contained in:
Dirk Wetter 2017-06-07 09:38:22 +02:00 committed by GitHub
commit 861b38bce5
1 changed files with 56 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
testssl.sh
View File

@ -5493,7 +5493,9 @@ certificate_info() {
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
local policy_oid
local spaces=""
local trust_sni=0 trust_nosni=0 has_dns_sans
local -i trust_sni=0 trust_nosni=0
local has_dns_sans has_dns_sans_nosni
local trust_sni_finding
local -i certificates_provided
local cnfinding trustfinding trustfinding_nosni
local cnok="OK"
@ -5862,30 +5864,24 @@ certificate_info() {
esac
if [[ $trust_sni -eq 0 ]]; then
pr_svrty_medium "$trustfinding"
trust_sni="fail"
pr_svrty_high "$trustfinding"
trust_sni_finding="HIGH"
elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then
if "$has_dns_sans"; then
if [[ $SERVICE == "HTTP" ]]; then
https://bugs.chromium.org/p/chromium/issues/detail?id=308330
https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
https://www.chromestatus.com/feature/4981025180483584
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
else
pr_svrty_medium "$trustfinding"
trust_sni="warn"
fi
if [[ $SERVICE == "HTTP" ]]; then
# https://bugs.chromium.org/p/chromium/issues/detail?id=308330
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
# https://www.chromestatus.com/feature/4981025180483584
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
trust_sni_finding="HIGH"
else
if [[ $SERVICE == "HTTP" ]]; then
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
else
# we punish this for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1
pr_svrty_medium "$trustfinding"; out " -- CN only match is deprecated"
fi
pr_svrty_medium "$trustfinding"
trust_sni_finding="MEDIUM"
# we punish CN matching for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1
! "$has_dns_sans" && out " -- CN only match is deprecated"
fi
else
pr_done_good "$trustfinding"
trust_sni="ok"
trust_sni_finding="OK"
fi
if [[ -n "$cn_nosni" ]]; then
@ -5893,35 +5889,56 @@ certificate_info() {
trust_nosni=$?
$OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \
grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \
has_dns_sans=true || has_dns_sans=false
has_dns_sans_nosni=true || has_dns_sans_nosni=false
fi
# See issue #733.
if [[ -z "$sni_used" ]]; then
trustfinding_nosni=""
elif "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then
trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)"
elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then
trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)"
elif [[ $trust_nosni -eq 0 ]] && ( [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]] ); then
trustfinding_nosni=" (SNI mandatory)"
elif [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]]; then
elif ( [[ $trust_sni -eq $trust_sni ]] && [[ "$has_dns_sans" == "$has_dns_sans_nosni" ]] ) || \
( [[ $trust_sni -eq 0 ]] && [[ $trust_nosni -eq 0 ]] ); then
trustfinding_nosni=" (same w/o SNI)"
elif [[ $trust_nosni -eq 0 ]]; then
if [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
trustfinding_nosni=" (w/o SNI: certificate does not match supplied URI)"
else
trustfinding_nosni=" (SNI mandatory)"
fi
elif [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] || [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
case $trust_nosni in
1) trustfinding_nosni="(w/o SNI: Ok via SAN)" ;;
2) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard)" ;;
4) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN, but not SAN)"
else
trustfinding_nosni="(w/o SNI: via CN only)"
fi
;;
5) trustfinding_nosni="(w/o SNI: Ok via SAN and CN)" ;;
6) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN)" ;;
8) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN wildcard, but not SAN)"
else
trustfinding_nosni="(w/o SNI: via CN (wildcard) only)"
fi
;;
9) trustfinding_nosni="(w/o SNI: Ok via CN wildcard and SAN)" ;;
10) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN wildcard)" ;;
esac
elif [[ $trust_sni -ne 0 ]]; then
trustfinding_nosni=" (works w/o SNI)"
elif [[ $trust_nosni -ne 0 ]]; then
else
trustfinding_nosni=" (however, works w/o SNI)"
else
trustfinding_nosni=""
fi
if "$has_dns_sans" && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then
prln_svrty_medium "$trustfinding_nosni"
else
if [[ -n "$sni_used" ]] || [[ $trust_nosni -eq 0 ]] || ( [[ $trust_nosni -ne 4 ]] && [[ $trust_nosni -ne 8 ]] ); then
outln "$trustfinding_nosni"
elif [[ $SERVICE == "HTTP" ]]; then
prln_svrty_high "$trustfinding_nosni"
else
prln_svrty_medium "$trustfinding_nosni"
fi
if [[ "$trust_sni" == "ok" ]]; then
fileout "${json_prefix}trust" "INFO" "${trustfinding}${trustfinding_nosni}"
else
fileout "${json_prefix}trust" "MEDIUM" ${trustfinding}${trustfinding_nosni}"
fi
fileout "${json_prefix}trust" "$trust_sni_finding" "${trustfinding}${trustfinding_nosni}"
out "$indent"; pr_bold " Chain of trust"; out " "
if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then