- CAA RR (experimental)
- replace some sed+grep by awk in get_mx_record()
This commit is contained in:
parent
cdbdc51f5d
commit
a3a30c7fa5
53
testssl.sh
53
testssl.sh
@ -6056,6 +6056,20 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
outln
|
||||||
|
|
||||||
|
if "$EXPERIMENTAL"; then
|
||||||
|
out "$indent"; pr_bold " DNS CAA RR record "
|
||||||
|
caa="$(get_caa_rr_record $NODE)"
|
||||||
|
if [[ -n "$caa" ]]; then
|
||||||
|
pr_done_good "OK ($caa)"
|
||||||
|
fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : offered"
|
||||||
|
else
|
||||||
|
pr_svrty_minor "--"
|
||||||
|
fileout "${json_prefix}CAA_record" "LOW" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : not offered"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
outln "\n"
|
outln "\n"
|
||||||
|
|
||||||
return $ret
|
return $ret
|
||||||
@ -10961,6 +10975,41 @@ determine_rdns() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# RFC6844: DNS Certification Authority Authorization (CAA) Resource Record
|
||||||
|
# arg1: domain to check for
|
||||||
|
get_caa_rr_record() {
|
||||||
|
local caa=""
|
||||||
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
|
|
||||||
|
OPENSSL_CONF=""
|
||||||
|
if which dig &> /dev/null; then
|
||||||
|
caa="$(dig $1 type257 +short | awk '{ print $3 }')"
|
||||||
|
# empty if no CAA record
|
||||||
|
elif which host &> /dev/null; then
|
||||||
|
caa="$(host -t type257 $1)"
|
||||||
|
if grep -wq issue <<< "$caa" && grep -wvq "has no CAA" <<< "$caa"; then
|
||||||
|
caa="$(awk '/issue/ { print $NF }' <<< "$caa")"
|
||||||
|
fi
|
||||||
|
elif which nslookup &> /dev/null; then
|
||||||
|
caa="$(nslookup -type=type257 $1)"
|
||||||
|
if grep -wq issue <<< "$caa" && grep -wvq "No answer" <<< "$caa"; then
|
||||||
|
caa="$(awk '/issue/ { print $NF }' <<< "$caa")"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
# No dig, host, or nslookup --> complaint was elsewhere already and except for one which has drill only we don't get here
|
||||||
|
fi
|
||||||
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
|
echo "$caa"
|
||||||
|
return 0
|
||||||
|
# to do:
|
||||||
|
# 1: check old binaries whether they support this record at all
|
||||||
|
# 2: check whether hexstring is returned and deal with it
|
||||||
|
# 3: check more than domainname, see https://tools.ietf.org/html/rfc6844#section-3
|
||||||
|
# 4: check whether $1 is a CNAME and take this
|
||||||
|
# 5: query with drill
|
||||||
|
}
|
||||||
|
|
||||||
get_mx_record() {
|
get_mx_record() {
|
||||||
local mx=""
|
local mx=""
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
@ -10968,13 +11017,13 @@ get_mx_record() {
|
|||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
check_resolver_bins
|
check_resolver_bins
|
||||||
if which host &> /dev/null; then
|
if which host &> /dev/null; then
|
||||||
mxs=$(host -t MX "$1" 2>/dev/null | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
|
mxs=$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')
|
||||||
elif which dig &> /dev/null; then
|
elif which dig &> /dev/null; then
|
||||||
mxs=$(dig +short -t MX "$1" 2>/dev/null)
|
mxs=$(dig +short -t MX "$1" 2>/dev/null)
|
||||||
elif which drill &> /dev/null; then
|
elif which drill &> /dev/null; then
|
||||||
mxs=$(drill mx "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
mxs=$(drill mx "$1" 2>/dev/null | awk '/^\;\;\sANSWER\sSECTION\:$/,/\;\;\sAUTHORITY\sSECTION\:$/ { print $5,$6 }' | sed '/^\s$/d')
|
||||||
elif which nslookup &> /dev/null; then
|
elif which nslookup &> /dev/null; then
|
||||||
mxs=$(nslookup -type=MX "$1" 2>/dev/null | grep 'mail exchanger = ' | sed 's/^.*mail exchanger = //g')
|
mxs=$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')
|
||||||
else
|
else
|
||||||
fatal "No dig, host, drill or nslookup" -3
|
fatal "No dig, host, drill or nslookup" -3
|
||||||
fi
|
fi
|
||||||
|
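Review bot: In get_caa_rr_record's dig branch, `awk '{ print $3 }'` takes the third field of every line dig emits, not only CAA answers, and dig writes its resolution diagnostics to stdout — `;; connection timed out; no servers could be reached` becomes `timed` — so a lookup failure lands in $caa and certificate_info prints `OK (timed)` and files `CAA_record: OK` instead of `--`. An `iodef`-only record set, which authorizes no CA, is likewise reported as OK. Filtering on the tag, as the host and nslookup branches already do by grepping for `issue`, covers both: `caa="$(dig "$1" type257 +short | awk '$2 ~ /^issue(wild)?$/ { print $3 }')"`. Separately, the `return 1` branch exits before `OPENSSL_CONF="$saved_openssl_conf"` is reached, so the saved value is not restored on that path (harmless from the `$(...)` call site, but worth fixing if the function is ever called directly), and `$1` there plus `$NODE` at the call site are unquoted. The function is entirely within the hunk; parent-domain and CNAME handling are already in its to-do list, so this is only about the parsing.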