Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Don't penalize rating for CAs which aren't in the Java store

Browse Source 
This fixes #1648.

Java store doesn't seem to be as complete. No downgrading of trust rating
to T but we still need to raise a red flag for some Java clients
This commit is contained in:
Dirk Wetter 2020-08-11 15:30:53 +02:00
parent 186dcfa735
commit c4841c83eb
1 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
testssl.sh
View File

@ -7221,10 +7221,9 @@ determine_trust() {
# we did to stdout the warning above already, so we could stay here with OK: # we did to stdout the warning above already, so we could stay here with OK:
fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning" fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning"
else else
# at least one failed
pr_svrty_critical "NOT ok" pr_svrty_critical "NOT ok"
if ! "$some_ok"; then if ! "$some_ok"; then
# all failed (we assume with the same issue), we're displaying the reason # ALL failed (we assume with the same issue), we're displaying the reason
out " " out " "
code="$(verify_retcode_helper "${verify_retcode[1]}")" code="$(verify_retcode_helper "${verify_retcode[1]}")"
if [[ "$code" =~ "pls report" ]]; then if [[ "$code" =~ "pls report" ]]; then
@ -7235,15 +7234,13 @@ determine_trust() {
fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning" fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
set_grade_cap "T" "Issues with the chain of trust $code" set_grade_cap "T" "Issues with the chain of trust $code"
else else
# is one ok and the others not ==> display the culprit store # alt least one ok and other(s) not ==> display the culprit store(s)
if "$some_ok"; then if "$some_ok"; then
pr_svrty_critical ":" pr_svrty_critical ":"
for ((i=1;i<=num_ca_bundles;i++)); do for (( i=1; i<=num_ca_bundles; i++ )); do
if ${trust[i]}; then if ${trust[i]}; then
ok_was="${certificate_file[i]} $ok_was" ok_was="${certificate_file[i]} $ok_was"
else else
#code="$(verify_retcode_helper ${verify_retcode[i]})"
#notok_was="${certificate_file[i]} $notok_was"
pr_svrty_high " ${certificate_file[i]} " pr_svrty_high " ${certificate_file[i]} "
code="$(verify_retcode_helper "${verify_retcode[i]}")" code="$(verify_retcode_helper "${verify_retcode[i]}")"
if [[ "$code" =~ "pls report" ]]; then if [[ "$code" =~ "pls report" ]]; then
@ -7252,11 +7249,13 @@ determine_trust() {
out "$code" out "$code"
fi fi
notok_was="${certificate_file[i]} $code $notok_was" notok_was="${certificate_file[i]} $code $notok_was"
set_grade_cap "T" "Issues with chain of trust $code" if ! [[ ${certificate_file[i]} =~ Java ]]; then
# Exemption for Java AND rating, as this store doesn't seem to be as complete.
# We won't penelize this but we still need to raise a red flag. See #1648
set_grade_cap "T" "Issues with chain of trust $code"
fi
fi fi
done done
#pr_svrty_high "$notok_was "
#outln "$code"
outln outln
# lf + green ones # lf + green ones
[[ "$DEBUG" -eq 0 ]] && tm_out "$spaces" [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
@ -7269,7 +7268,6 @@ determine_trust() {
outln outln
return 0 return 0
} }
# not handled: Root CA supplied ("contains anchor" in SSLlabs terminology) # not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
tls_time() { tls_time() {