From 252cceb5dd0389416b1defcc606334a1e49e3a23 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 1 Jun 2017 14:52:19 +0200 Subject: [PATCH] Trying to address #735, not complete yet. Open issues: 1) The SNI logic 2) The fileout logic. 3) another section with ``trust_nosni -eq 4/8`` For 2): fileout is a general finding MEDIUM [1] which isn't in line now with the pr_*finding in the section above anymore. It would make sense to punish HTTP services more than others. Unfortunately he fileout statement cannot be moved below pr_svrty_medium/pr_svrty_high as trustfinding_nosni hasn't been determined yet. Fast solution would be probably to move the trustfinding_nosni section above the trustfinding section. Still 3) and a different trust over non-SNI makes it difficult -- e.g. Server has CN match only over SNI but without SNI SAN matches. That's an edge case though which probably doesn't exist (like Bielefeld) [1] That was WARN before. WARN should indicate a status of testssl that it cannot perform a check --- testssl.sh | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/testssl.sh b/testssl.sh index 4e8ad8e..0ecff1c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5774,12 +5774,11 @@ certificate_info() { fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $all_san" else if [[ $SERVICE == "HTTP" ]]; then - # https://bugzilla.mozilla.org/show_bug.cgi?id=1245280, https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 - pr_svrty_medium "missing (NOT ok)"; outln " -- Browser will complain soon" - fileout "${json_prefix}san" "MEDIUM" "subjectAltName (SAN) : -- Browser will complain soon" + pr_svrty_high "missing (NOT ok)"; outln " -- Browsers are complaining" + fileout "${json_prefix}san" "HIGH" "subjectAltName (SAN) : -- Browsers are complaining" else - pr_svrty_low "missing"; outln " -- no SAN is deprecated" - fileout "${json_prefix}san" "LOW" "subjectAltName (SAN) : -- no SAN is deprecated" + pr_svrty_medium "missing"; outln " -- no SAN is deprecated" + fileout "${json_prefix}san" "MEDIUM" "subjectAltName (SAN) : -- no SAN is deprecated" fi fi out "$indent"; pr_bold " Issuer " @@ -5841,19 +5840,19 @@ certificate_info() { 0) trustfinding="certificate does not match supplied URI" ;; 1) trustfinding="Ok via SAN" ;; 2) trustfinding="Ok via SAN wildcard" ;; - 4) if $has_dns_sans; then - trustfinding="Ok via CN, but not SAN" + 4) if "$has_dns_sans"; then + trustfinding="via CN, but not SAN" else - trustfinding="Ok via CN" + trustfinding="via CN only" fi ;; 5) trustfinding="Ok via SAN and CN" ;; 6) trustfinding="Ok via SAN wildcard and CN" ;; - 8) if $has_dns_sans; then - trustfinding="Ok via CN wildcard, but not SAN" + 8) if "$has_dns_sans"; then + trustfinding="via CN wildcard, but not SAN" else - trustfinding="Ok via CN wildcard" + trustfinding="via CN (wildcard) only" fi ;; 9) trustfinding="Ok via CN wildcard and SAN" @@ -5865,9 +5864,25 @@ certificate_info() { if [[ $trust_sni -eq 0 ]]; then pr_svrty_medium "$trustfinding" trust_sni="fail" - elif "$has_dns_sans" && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then - pr_svrty_medium "$trustfinding" - trust_sni="warn" + elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then + if "$has_dns_sans"; then + if [[ $SERVICE == "HTTP" ]]; then + https://bugs.chromium.org/p/chromium/issues/detail?id=308330 + https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 + https://www.chromestatus.com/feature/4981025180483584 + pr_svrty_high "$trustfinding"; out " -- Browsers are complaining" + else + pr_svrty_medium "$trustfinding" + trust_sni="warn" + fi + else + if [[ $SERVICE == "HTTP" ]]; then + pr_svrty_high "$trustfinding"; out " -- Browsers are complaining" + else + # we punish this for non-HTTP as it is deprecated https://tools.ietf.org/html/rfc2818#section-3.1 + pr_svrty_medium "$trustfinding"; out " -- CN only match is deprecated" + fi + fi else pr_done_good "$trustfinding" trust_sni="ok"