Merge branch '2.9dev' into negotiated_cipher

This commit is contained in:
David Cooper 2017-02-16 13:19:07 -05:00
commit c8f3dd0db0
1 changed files with 12 additions and 10 deletions


@ -6377,7 +6377,7 @@ certificate_info() {
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided" out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided" fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided"
# Get both CRL and OCSP URL upfront. If there's none, this is not good. And we need to penalize this in the output # Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \ crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
awk '/X509v3 CRL Distribution/{i=50} i&&i--' | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')" awk '/X509v3 CRL Distribution/{i=50} i&&i--' | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
@ -6388,10 +6388,11 @@ certificate_info() {
outln "--" outln "--"
fileout "${json_prefix}crl" "INFO" "No CRL provided" fileout "${json_prefix}crl" "INFO" "No CRL provided"
else else
pr_svrty_highln "-- (NOT ok)" pr_svrty_high "NOT ok --"
fileout "${json_prefix}crl" "HIGH" "Neither CRL nor OCSP URL provided" outln " neither CRL nor OCSP URI provided"
fileout "${json_prefix}crl" "HIGH" "Neither CRL nor OCSP URI provided"
fi fi
elif grep -q http <<< "$crl"; then else
if [[ $(count_lines "$crl") -eq 1 ]]; then if [[ $(count_lines "$crl") -eq 1 ]]; then
outln "$crl" outln "$crl"
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl" fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
@ -6399,9 +6400,6 @@ certificate_info() {
out_row_aligned "$crl" "$spaces" out_row_aligned "$crl" "$spaces"
fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl" fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
fi fi
else
pr_warningln "no parsable output \"$crl\", pls report"
fileout "${json_prefix}crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
fi fi
out "$indent"; pr_bold " OCSP URI " out "$indent"; pr_bold " OCSP URI "
@ -11435,12 +11433,16 @@ parse_hn_port() {
NODE=$(echo "$NODE" | sed -e 's/\/.*$//') NODE=$(echo "$NODE" | sed -e 's/\/.*$//')
# if there's a trailing ':' probably a starttls/application protocol was specified # if there's a trailing ':' probably a starttls/application protocol was specified
if grep -q ':$' <<< $NODE ; then if grep -q ':$' <<< $NODE; then
if grep -wq http <<< $NODE; then
fatal "\"http\" is not what you meant probably" 1
else
fatal "\"$1\" is not a valid URI" 1 fatal "\"$1\" is not a valid URI" 1
fi fi
fi
# was the address supplied like [AA:BB:CC::]:port ? # was the address supplied like [AA:BB:CC::]:port ?
if echo "$NODE" | grep -q ']' ; then if grep -q ']' <<< "$NODE"; then
tmp_port=$(printf "$NODE" | sed 's/\[.*\]//' | sed 's/://') tmp_port=$(printf "$NODE" | sed 's/\[.*\]//' | sed 's/://')
# determine v6 port, supposed it was supplied additionally # determine v6 port, supposed it was supplied additionally
if [[ -n "$tmp_port" ]]; then if [[ -n "$tmp_port" ]]; then