FIX #744
This commit is contained in:
parent
f3f29cd85c
commit
a90eb8c9be
39
testssl.sh
39
testssl.sh
|
@ -5437,7 +5437,8 @@ compare_server_name_to_cert()
|
|||
}
|
||||
|
||||
must_staple() {
|
||||
local json_prefix="$2"
|
||||
local json_prefix="OCSP must staple: "
|
||||
local provides_stapling="$2"
|
||||
local cert extn
|
||||
local -i extn_len
|
||||
local supported=false
|
||||
|
@ -5445,7 +5446,7 @@ must_staple() {
|
|||
# Note this function is only looking for status_request (5) and not
|
||||
# status_request_v2 (17), since OpenSSL seems to only include status_request (5)
|
||||
# in its ClientHello when the "-status" option is used.
|
||||
|
||||
|
||||
# OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any
|
||||
# previous versions of OpenSSL, OpenSSL can only show if the extension OID is present.
|
||||
if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then
|
||||
|
@ -5470,13 +5471,16 @@ must_staple() {
|
|||
fi
|
||||
|
||||
if "$supported"; then
|
||||
prln_done_best "Supported"
|
||||
fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
|
||||
return 0
|
||||
if "$provides_stapling"; then
|
||||
prln_done_good "supported"
|
||||
fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported"
|
||||
else
|
||||
prln_svrty_high "\"must staple\" requires OCSP stapling (NOT ok)"
|
||||
fileout "${json_prefix}" "HIGH" "must staple extension detected but no OCSP stapling provided"
|
||||
fi
|
||||
else
|
||||
outln "No"
|
||||
outln "no"
|
||||
fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -5490,7 +5494,7 @@ certificate_info() {
|
|||
local ocsp_response_status=$6
|
||||
local sni_used=$7
|
||||
local cert_sig_algo cert_sig_hash_algo cert_key_algo
|
||||
local expire days2expire secs2warn ocsp_uri ocsp_must_staple crl
|
||||
local expire days2expire secs2warn ocsp_uri crl
|
||||
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
||||
local issuer_DC issuerfinding cn_nosni=""
|
||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
|
||||
|
@ -5505,6 +5509,7 @@ certificate_info() {
|
|||
local indent=""
|
||||
local days2warn2=$DAYS2WARN2
|
||||
local days2warn1=$DAYS2WARN1
|
||||
local provides_stapling=false
|
||||
|
||||
if [[ $number_of_certificates -gt 1 ]]; then
|
||||
[[ $certificate_number -eq 1 ]] && outln
|
||||
|
@ -6027,16 +6032,9 @@ certificate_info() {
|
|||
fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||
fi
|
||||
|
||||
out "$indent"; pr_bold " OCSP must staple ";
|
||||
must_staple "$json_prefix"
|
||||
[[ $? -eq 0 ]] && ocsp_must_staple=true || ocsp_must_staple=false
|
||||
|
||||
out "$indent"; pr_bold " OCSP stapling "
|
||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||
if "$ocsp_must_staple"; then
|
||||
pr_svrty_critical "--"
|
||||
fileout "${json_prefix}ocsp_stapling" "CRITICAL" "OCSP stapling : not offered"
|
||||
elif [[ -n "$ocsp_uri" ]]; then
|
||||
if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then
|
||||
if [[ -n "$ocsp_uri" ]]; then
|
||||
pr_svrty_low "--"
|
||||
fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered"
|
||||
else
|
||||
|
@ -6047,6 +6045,7 @@ certificate_info() {
|
|||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||
pr_done_good "offered"
|
||||
fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
|
||||
provides_stapling=true
|
||||
else
|
||||
if $GOST_STATUS_PROBLEM; then
|
||||
outln "(GOST servers make problems here, sorry)"
|
||||
|
@ -6062,6 +6061,9 @@ certificate_info() {
|
|||
fi
|
||||
outln
|
||||
|
||||
out "$indent"; pr_bold " OCSP must staple ";
|
||||
must_staple "$json_prefix" "$provides_stapling"
|
||||
|
||||
out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
|
||||
caa="$(get_caa_rr_record $NODE)"
|
||||
if [[ -n "$caa" ]]; then
|
||||
|
@ -6075,9 +6077,6 @@ certificate_info() {
|
|||
outln "\n"
|
||||
return $ret
|
||||
}
|
||||
# FIXME: revoked, see checkcert.sh
|
||||
# FIXME: Trust (only CN)
|
||||
|
||||
|
||||
run_server_defaults() {
|
||||
local ciph newhostcert sni
|
||||
|
|
Loading…
Reference in New Issue