FIX #744

testssl.sh

@@ -5437,7 +5437,8 @@ compare_server_name_to_cert()
 }
 
 must_staple() {
-     local json_prefix="$2"
+     local json_prefix="OCSP must staple: "
+     local provides_stapling="$2"
      local cert extn
      local -i extn_len
      local supported=false
@@ -5470,13 +5471,16 @@ must_staple() {
      fi
 
      if "$supported"; then
-          prln_done_best "Supported"
+          if "$provides_stapling"; then
-          fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
+               prln_done_good "supported"
-          return 0
+               fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
+          else
+               prln_svrty_high "\"must staple\" requires OCSP stapling (NOT ok)"
+               fileout "${json_prefix}" "HIGH" "must staple extension detected but no OCSP stapling provided"
+          fi
      else
-          outln "No"
+          outln "no"
           fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no"
-          return 1
      fi
 }
 
@@ -5490,7 +5494,7 @@ certificate_info() {
      local ocsp_response_status=$6
      local sni_used=$7
      local cert_sig_algo cert_sig_hash_algo cert_key_algo
-     local expire days2expire secs2warn ocsp_uri ocsp_must_staple crl
+     local expire days2expire secs2warn ocsp_uri crl
      local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
      local issuer_DC issuerfinding cn_nosni=""
      local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
@@ -5505,6 +5509,7 @@ certificate_info() {
      local indent=""
      local days2warn2=$DAYS2WARN2
      local days2warn1=$DAYS2WARN1
+     local provides_stapling=false
 
      if [[ $number_of_certificates -gt 1 ]]; then
           [[ $certificate_number -eq 1 ]] && outln
@@ -6027,16 +6032,9 @@ certificate_info() {
           fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
      fi
 
-     out "$indent"; pr_bold " OCSP must staple             ";
-     must_staple "$json_prefix"
-     [[ $? -eq 0 ]] && ocsp_must_staple=true || ocsp_must_staple=false
-
      out "$indent"; pr_bold " OCSP stapling                "
-     if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
+     if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then
-          if "$ocsp_must_staple"; then
+          if [[ -n "$ocsp_uri" ]]; then
-               pr_svrty_critical "--"
-               fileout "${json_prefix}ocsp_stapling" "CRITICAL" "OCSP stapling : not offered"
-          elif [[ -n "$ocsp_uri" ]]; then
                pr_svrty_low "--"
                fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
           else
@@ -6047,6 +6045,7 @@ certificate_info() {
           if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
                pr_done_good "offered"
                fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
+               provides_stapling=true
           else
                if $GOST_STATUS_PROBLEM; then
                     outln "(GOST servers make problems here, sorry)"
@@ -6062,6 +6061,9 @@ certificate_info() {
      fi
      outln
 
+     out "$indent"; pr_bold " OCSP must staple             ";
+     must_staple "$json_prefix" "$provides_stapling"
+
      out "$indent"; pr_bold " DNS CAA RR"; out " (experimental)    "
      caa="$(get_caa_rr_record $NODE)"
      if [[ -n "$caa" ]]; then
@@ -6075,9 +6077,6 @@ certificate_info() {
      outln "\n"
      return $ret
 }
-# FIXME: revoked, see checkcert.sh
-# FIXME: Trust (only CN)
-
 
 run_server_defaults() {
      local ciph newhostcert sni