Fix case where query fails without SNI

Fix for case in which `$OPENSSL s_client` fails without SNI.
This commit is contained in:
David Cooper 2016-07-18 15:13:52 -04:00 committed by GitHub
parent 829231c381
commit 9d292358bc

View File

@ -3839,7 +3839,7 @@ certificate_info() {
local ocsp_response=$5 local ocsp_response=$5
local ocsp_response_status=$6 local ocsp_response_status=$6
local cert_sig_algo cert_sig_hash_algo cert_key_algo local cert_sig_algo cert_sig_hash_algo cert_key_algo
local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_C issuer_O issuer sans san cn cn_nosni local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_C issuer_O issuer sans san cn cn_nosni=""
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
local policy_oid local policy_oid
local spaces="" local spaces=""
@ -4079,8 +4079,10 @@ certificate_info() {
# no cipher suites specified here. We just want the default vhost subject # no cipher suites specified here. We just want the default vhost subject
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT.nosni
if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then
cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")"
[[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject"
fi
#FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite)