Merge pull request #761 from dcooper16/SAN_preferred_update

SAN_preferred updates
This commit is contained in:
Dirk Wetter 2017-06-07 09:38:22 +02:00 committed by GitHub
commit 861b38bce5

View File

@ -5493,7 +5493,9 @@ certificate_info() {
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
local policy_oid local policy_oid
local spaces="" local spaces=""
local trust_sni=0 trust_nosni=0 has_dns_sans local -i trust_sni=0 trust_nosni=0
local has_dns_sans has_dns_sans_nosni
local trust_sni_finding
local -i certificates_provided local -i certificates_provided
local cnfinding trustfinding trustfinding_nosni local cnfinding trustfinding trustfinding_nosni
local cnok="OK" local cnok="OK"
@ -5862,30 +5864,24 @@ certificate_info() {
esac esac
if [[ $trust_sni -eq 0 ]]; then if [[ $trust_sni -eq 0 ]]; then
pr_svrty_medium "$trustfinding" pr_svrty_high "$trustfinding"
trust_sni="fail" trust_sni_finding="HIGH"
elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then
if "$has_dns_sans"; then
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]]; then
https://bugs.chromium.org/p/chromium/issues/detail?id=308330 # https://bugs.chromium.org/p/chromium/issues/detail?id=308330
https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 # https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
https://www.chromestatus.com/feature/4981025180483584 # https://www.chromestatus.com/feature/4981025180483584
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining" pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
trust_sni_finding="HIGH"
else else
pr_svrty_medium "$trustfinding" pr_svrty_medium "$trustfinding"
trust_sni="warn" trust_sni_finding="MEDIUM"
fi # we punish CN matching for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1
else ! "$has_dns_sans" && out " -- CN only match is deprecated"
if [[ $SERVICE == "HTTP" ]]; then
pr_svrty_high "$trustfinding"; out " -- Browsers are complaining"
else
# we punish this for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1
pr_svrty_medium "$trustfinding"; out " -- CN only match is deprecated"
fi
fi fi
else else
pr_done_good "$trustfinding" pr_done_good "$trustfinding"
trust_sni="ok" trust_sni_finding="OK"
fi fi
if [[ -n "$cn_nosni" ]]; then if [[ -n "$cn_nosni" ]]; then
@ -5893,35 +5889,56 @@ certificate_info() {
trust_nosni=$? trust_nosni=$?
$OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \ $OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \
grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \ grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \
has_dns_sans=true || has_dns_sans=false has_dns_sans_nosni=true || has_dns_sans_nosni=false
fi fi
# See issue #733.
if [[ -z "$sni_used" ]]; then if [[ -z "$sni_used" ]]; then
trustfinding_nosni="" trustfinding_nosni=""
elif "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then elif ( [[ $trust_sni -eq $trust_sni ]] && [[ "$has_dns_sans" == "$has_dns_sans_nosni" ]] ) || \
trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" ( [[ $trust_sni -eq 0 ]] && [[ $trust_nosni -eq 0 ]] ); then
elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then trustfinding_nosni=" (same w/o SNI)"
trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" elif [[ $trust_nosni -eq 0 ]]; then
elif [[ $trust_nosni -eq 0 ]] && ( [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]] ); then if [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
trustfinding_nosni=" (w/o SNI: certificate does not match supplied URI)"
else
trustfinding_nosni=" (SNI mandatory)" trustfinding_nosni=" (SNI mandatory)"
elif [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]]; then
trustfinding_nosni=" (works w/o SNI)"
elif [[ $trust_nosni -ne 0 ]]; then
trustfinding_nosni=" (however, works w/o SNI)"
else
trustfinding_nosni=""
fi fi
if "$has_dns_sans" && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then elif [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] || [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
prln_svrty_medium "$trustfinding_nosni" case $trust_nosni in
1) trustfinding_nosni="(w/o SNI: Ok via SAN)" ;;
2) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard)" ;;
4) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN, but not SAN)"
else else
trustfinding_nosni="(w/o SNI: via CN only)"
fi
;;
5) trustfinding_nosni="(w/o SNI: Ok via SAN and CN)" ;;
6) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN)" ;;
8) if "$has_dns_sans_nosni"; then
trustfinding_nosni="(w/o SNI: via CN wildcard, but not SAN)"
else
trustfinding_nosni="(w/o SNI: via CN (wildcard) only)"
fi
;;
9) trustfinding_nosni="(w/o SNI: Ok via CN wildcard and SAN)" ;;
10) trustfinding_nosni="(w/o SNI: Ok via SAN wildcard and CN wildcard)" ;;
esac
elif [[ $trust_sni -ne 0 ]]; then
trustfinding_nosni=" (works w/o SNI)"
else
trustfinding_nosni=" (however, works w/o SNI)"
fi
if [[ -n "$sni_used" ]] || [[ $trust_nosni -eq 0 ]] || ( [[ $trust_nosni -ne 4 ]] && [[ $trust_nosni -ne 8 ]] ); then
outln "$trustfinding_nosni" outln "$trustfinding_nosni"
elif [[ $SERVICE == "HTTP" ]]; then
prln_svrty_high "$trustfinding_nosni"
else
prln_svrty_medium "$trustfinding_nosni"
fi fi
if [[ "$trust_sni" == "ok" ]]; then fileout "${json_prefix}trust" "$trust_sni_finding" "${trustfinding}${trustfinding_nosni}"
fileout "${json_prefix}trust" "INFO" "${trustfinding}${trustfinding_nosni}"
else
fileout "${json_prefix}trust" "MEDIUM" ${trustfinding}${trustfinding_nosni}"
fi
out "$indent"; pr_bold " Chain of trust"; out " " out "$indent"; pr_bold " Chain of trust"; out " "
if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then