Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2026-04-21 10:23:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

OpenSSL 4 compatibility for stapled OCSP responses

Browse Source 
It seems that OpenSSL 4.0.0 allows for the possibility that a server's response to the status request extension may include more than one OCSP response (presumably one for each certificate in the certification path).

As a result, the line indicating that the server does not provide status information was changed from "OCSP response: no response sent" to "OCSP responses: no responses sent". If a response was included, "OCSP responses:" is followed by an indication of the number of responses included.

This commit addresses the change from "response" to "responses".

I do not know of any servers that provide more than one OCSP response, so I have not tried to make any changes to handle more than one response.
This commit is contained in:
David Cooper
2026-04-11 15:26:10 -07:00
committed by GitHub
parent b14ed4def5
commit a0b1f13b84
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
testssl.sh
View File

@@ -10218,7 +10218,7 @@ certificate_info() {
out "$indent"; pr_bold " OCSP stapling " out "$indent"; pr_bold " OCSP stapling "
jsonID="OCSP_stapling" jsonID="OCSP_stapling"
if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then if grep -a "OCSP response" <<< "$ocsp_response" | grep -Eq "no response[s]? sent" ; then
if [[ -n "$ocsp_uri" ]]; then if [[ -n "$ocsp_uri" ]]; then
pr_svrty_low "not offered" pr_svrty_low "not offered"
fileout "${jsonID}${json_postfix}" "LOW" "not offered" fileout "${jsonID}${json_postfix}" "LOW" "not offered"
@@ -10638,10 +10638,10 @@ run_server_defaults() {
# response so that certificate_info() can determine # response so that certificate_info() can determine
# whether it includes a certificate transparency extension. # whether it includes a certificate transparency extension.
ocsp_response_binary[certs_found]="$STAPLED_OCSP_RESPONSE" ocsp_response_binary[certs_found]="$STAPLED_OCSP_RESPONSE"
if grep -a "OCSP response:" $TMPFILE | grep -q "no response sent"; then if grep -aE "OCSP response[s]?:" $TMPFILE | grep -Eq "no response[s]? sent"; then
ocsp_response[certs_found]="$(grep -a "OCSP response" $TMPFILE)" ocsp_response[certs_found]="$(grep -a "OCSP response" $TMPFILE)"
else else
ocsp_response[certs_found]="$(awk -v n=2 '/OCSP response:/ {start=1; inc=2} /======================================/ { if (start) {inc--} } inc' $TMPFILE)" ocsp_response[certs_found]="$(awk -v n=2 '/OCSP response[s]?:/ {start=1; inc=2} /======================================/ { if (start) {inc--} } inc' $TMPFILE)"
fi fi
ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE) ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE)
previous_hostcert[certs_found]=$newhostcert previous_hostcert[certs_found]=$newhostcert