mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-06 00:39:44 +01:00
FIX #744
This commit is contained in:
parent
f3f29cd85c
commit
a90eb8c9be
39
testssl.sh
39
testssl.sh
@ -5437,7 +5437,8 @@ compare_server_name_to_cert()
|
|||||||
}
|
}
|
||||||
|
|
||||||
must_staple() {
|
must_staple() {
|
||||||
local json_prefix="$2"
|
local json_prefix="OCSP must staple: "
|
||||||
|
local provides_stapling="$2"
|
||||||
local cert extn
|
local cert extn
|
||||||
local -i extn_len
|
local -i extn_len
|
||||||
local supported=false
|
local supported=false
|
||||||
@ -5445,7 +5446,7 @@ must_staple() {
|
|||||||
# Note this function is only looking for status_request (5) and not
|
# Note this function is only looking for status_request (5) and not
|
||||||
# status_request_v2 (17), since OpenSSL seems to only include status_request (5)
|
# status_request_v2 (17), since OpenSSL seems to only include status_request (5)
|
||||||
# in its ClientHello when the "-status" option is used.
|
# in its ClientHello when the "-status" option is used.
|
||||||
|
|
||||||
# OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any
|
# OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any
|
||||||
# previous versions of OpenSSL, OpenSSL can only show if the extension OID is present.
|
# previous versions of OpenSSL, OpenSSL can only show if the extension OID is present.
|
||||||
if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then
|
if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then
|
||||||
@ -5470,13 +5471,16 @@ must_staple() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if "$supported"; then
|
if "$supported"; then
|
||||||
prln_done_best "Supported"
|
if "$provides_stapling"; then
|
||||||
fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
|
prln_done_good "supported"
|
||||||
return 0
|
fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
|
||||||
|
else
|
||||||
|
prln_svrty_high "\"must staple\" requires OCSP stapling (NOT ok)"
|
||||||
|
fileout "${json_prefix}" "HIGH" "must staple extension detected but no OCSP stapling provided"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
outln "No"
|
outln "no"
|
||||||
fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no"
|
fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no"
|
||||||
return 1
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5490,7 +5494,7 @@ certificate_info() {
|
|||||||
local ocsp_response_status=$6
|
local ocsp_response_status=$6
|
||||||
local sni_used=$7
|
local sni_used=$7
|
||||||
local cert_sig_algo cert_sig_hash_algo cert_key_algo
|
local cert_sig_algo cert_sig_hash_algo cert_key_algo
|
||||||
local expire days2expire secs2warn ocsp_uri ocsp_must_staple crl
|
local expire days2expire secs2warn ocsp_uri crl
|
||||||
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
||||||
local issuer_DC issuerfinding cn_nosni=""
|
local issuer_DC issuerfinding cn_nosni=""
|
||||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
|
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
|
||||||
@ -5505,6 +5509,7 @@ certificate_info() {
|
|||||||
local indent=""
|
local indent=""
|
||||||
local days2warn2=$DAYS2WARN2
|
local days2warn2=$DAYS2WARN2
|
||||||
local days2warn1=$DAYS2WARN1
|
local days2warn1=$DAYS2WARN1
|
||||||
|
local provides_stapling=false
|
||||||
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
[[ $certificate_number -eq 1 ]] && outln
|
[[ $certificate_number -eq 1 ]] && outln
|
||||||
@ -6027,16 +6032,9 @@ certificate_info() {
|
|||||||
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP must staple ";
|
|
||||||
must_staple "$json_prefix"
|
|
||||||
[[ $? -eq 0 ]] && ocsp_must_staple=true || ocsp_must_staple=false
|
|
||||||
|
|
||||||
out "$indent"; pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then
|
||||||
if "$ocsp_must_staple"; then
|
if [[ -n "$ocsp_uri" ]]; then
|
||||||
pr_svrty_critical "--"
|
|
||||||
fileout "${json_prefix}ocsp_stapling" "CRITICAL" "OCSP stapling : not offered"
|
|
||||||
elif [[ -n "$ocsp_uri" ]]; then
|
|
||||||
pr_svrty_low "--"
|
pr_svrty_low "--"
|
||||||
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
@ -6047,6 +6045,7 @@ certificate_info() {
|
|||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
pr_done_good "offered"
|
pr_done_good "offered"
|
||||||
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
|
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
|
||||||
|
provides_stapling=true
|
||||||
else
|
else
|
||||||
if $GOST_STATUS_PROBLEM; then
|
if $GOST_STATUS_PROBLEM; then
|
||||||
outln "(GOST servers make problems here, sorry)"
|
outln "(GOST servers make problems here, sorry)"
|
||||||
@ -6062,6 +6061,9 @@ certificate_info() {
|
|||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
|
|
||||||
|
out "$indent"; pr_bold " OCSP must staple ";
|
||||||
|
must_staple "$json_prefix" "$provides_stapling"
|
||||||
|
|
||||||
out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
|
out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
|
||||||
caa="$(get_caa_rr_record $NODE)"
|
caa="$(get_caa_rr_record $NODE)"
|
||||||
if [[ -n "$caa" ]]; then
|
if [[ -n "$caa" ]]; then
|
||||||
@ -6075,9 +6077,6 @@ certificate_info() {
|
|||||||
outln "\n"
|
outln "\n"
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
# FIXME: revoked, see checkcert.sh
|
|
||||||
# FIXME: Trust (only CN)
|
|
||||||
|
|
||||||
|
|
||||||
run_server_defaults() {
|
run_server_defaults() {
|
||||||
local ciph newhostcert sni
|
local ciph newhostcert sni
|
||||||
|
Loading…
Reference in New Issue
Block a user