Rollup: OpenBSD compatbility, SLES 10 incompatibility

bash 3.2 is now a minium requirement and it is being tested. It refuses to run if anything lower is detected/ Rollback of d5c86a8df2, see #999 Backport (f812403292) for OpenBSD date. Also adding LibreSSL not to warn bceause of trust reliability
2025-01-10 18:50:58 +01:00 · 2018-02-19 11:16:04 +01:00 · 2018-02-19 11:16:04 +01:00 · a2d59abf87
commit a2d59abf87
parent d5c86a8df2
1 changed files with 43 additions and 19 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -5,6 +5,7 @@

 [ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245
 [ $(kill -l | grep -c SIG) -eq 0 ] && printf "\n\033[1;35m Please make sure you're calling me without leading \"sh\"! Bye...\033[m\n\n"  >&2 && exit 245
+[ ${BASH_VERSINFO[0]} -le 3 -a ${BASH_VERSINFO[1]} -le 1 ] && printf "\n\033[1;35m Minimum requirement is bash 3.2. You have $BASH_VERSION \033[m\n\n"  >&2 && exit 245

 # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
 # vulnerabilities or features
@ -137,13 +138,23 @@ else
 fi
 readonly SYSTEM=$(uname -s)
 SYSTEM2=""                                             # currently only being used for WSL = bash on windows
-date -d @735275209 >/dev/null 2>&1 && \
-     readonly HAS_GNUDATE=true || \
-     readonly HAS_GNUDATE=false
+
+HAS_GNUDATE=false
+HAS_FREEBSDDATE=false
+HAS_OPENBSDDATE=false
+
+if date -d @735275209 >/dev/null 2>&1; then
+     if date -r @735275209  >/dev/null 2>&1; then
+          # it can't do any conversion from a plain date output
+	     HAS_OPENBSDDATE=true
+     else
+          HAS_GNUDATE=true
+     fi
+fi
 # FreeBSD and OS X date(1) accept "-f inputformat"
 date -j -f '%s' 1234567 >/dev/null 2>&1 && \
-     readonly HAS_FREEBSDDATE=true || \
-     readonly HAS_FREEBSDDATE=false
+     HAS_FREEBSDDATE=true
+
 echo A | sed -E 's/A//' >/dev/null 2>&1 && \
     readonly HAS_SED_E=true || \
     readonly HAS_SED_E=false
@ -1240,6 +1251,11 @@ elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X
 	parse_date() {
 		LC_ALL=C date -j -f "$3"  "$2" "$1"
 	}
+elif "$HAS_OPENBSDDATE"; then
+     parse_date() {
+          # we just echo it as a conversion is not possible
+          echo "$1"
+}
 else
 	parse_date() {
 		LC_ALL=C date -j "$2" "$1"
@ -1300,7 +1316,7 @@ s_client_options() {
     local options="$1"

     # Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
-     [[ -n "$SNI" ]] && ( [[ " $options " =~ \ -ssl2\  ]] || [[ " $options " =~ \ -ssl3\  ]] )  && options="$(sed "s/$SNI//" <<< "$options")"
+     [[ -n "$SNI" ]] && [[ " $options " =~ \ -ssl[2|3]\  ]] && options="$(sed "s/$SNI//" <<< "$options")"

     # The server_name extension should not be included in the ClientHello unless
     # the -servername option is provided. However, OpenSSL 1.1.1 will include the
@ -5093,12 +5109,14 @@ determine_trust() {
     # and the output should should be indented by two more spaces.
     [[ -n $json_prefix ]] && spaces="                                "

-     if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \
-          [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
-          [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
-          addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)"
-          fileout "${json_prefix}chain_of_trust_Problem" "WARN" "$addtl_warning"
-     fi
+     case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
+          1.0.2|1.1.0|1.1.1|2.[1-9].*)
+               :              # 2.x is LibreSSL. 2.1.1 was tested to work, below is not sure
+          ;;
+          *)   addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)"
+               fileout "${json_prefix}chain_of_trust_Problem" "WARN" "$addtl_warning"
+               ;;
+     esac
     debugme tmln_out

     # if you run testssl.sh from a different path /you can set either TESTSSL_INSTALL_DIR or CA_BUNDLES_PATH to find the CA BUNDLES
@ -6198,14 +6216,19 @@ certificate_info() {

     enddate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z")
     startdate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z")
-     days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") ))    # in seconds
-     days2expire=$((days2expire  / 3600 / 24 ))

-     if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then          # we take the half of the thresholds for LE certificates
-          days2warn2=$((days2warn2 / 2))
-          days2warn1=$((days2warn1 / 2))
+     if "$HAS_OPENBSDDATE"; then
+          # best we are able to do under OpenBSD
+          days2expire=""
+     else
+          days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") ))    # in seconds
+          days2expire=$((days2expire  / 3600 / 24 ))
+
+          if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then          # we take the half of the thresholds for LE certificates
+               days2warn2=$((days2warn2 / 2))
+               days2warn1=$((days2warn1 / 2))
+          fi
     fi
-
     expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
     if ! grep -qw not <<< "$expire" ; then
          pr_svrty_critical "expired!"
@ -11658,6 +11681,7 @@ TERM_WIDTH: $TERM_WIDTH
 INTERACTIVE: $INTERACTIVE
 HAS_GNUDATE: $HAS_GNUDATE
 HAS_FREEBSDDATE: $HAS_FREEBSDDATE
+HAS_OPENBSDDATE: $HAS_OPENBSDDATE
 HAS_SED_E: $HAS_SED_E

 SHOW_EACH_C: $SHOW_EACH_C
@ -13678,7 +13702,7 @@ lets_roll() {
     SCAN_TIME=$(( END_TIME - START_TIME ))
     datebanner " Done"

-     "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
+     "$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME"
     [[ -e "$MEASURE_TIME_FILE" ]] && echo "Total : $SCAN_TIME " >> "$MEASURE_TIME_FILE"

     return $ret