Merge pull request #1652 from dcooper16/fix_wildcard
Fix and enhance CN matching
This commit is contained in:
commit
d19aed2345
30
testssl.sh
30
testssl.sh
@ -7804,9 +7804,9 @@ wildcard_match()
|
|||||||
|
|
||||||
compare_server_name_to_cert() {
|
compare_server_name_to_cert() {
|
||||||
local cert="$1"
|
local cert="$1"
|
||||||
local servername cn dns_sans ip_sans san dercert tag
|
local servername cns cn dns_sans ip_sans san dercert tag
|
||||||
local srv_id="" xmppaddr=""
|
local srv_id="" xmppaddr=""
|
||||||
local -i i len len1
|
local -i i len len1 cn_match=0
|
||||||
local -i subret=0 # no error condition, passing results
|
local -i subret=0 # no error condition, passing results
|
||||||
|
|
||||||
HAS_DNS_SANS=false
|
HAS_DNS_SANS=false
|
||||||
@ -7960,19 +7960,23 @@ compare_server_name_to_cert() {
|
|||||||
done <<< "$dns_sans"
|
done <<< "$dns_sans"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cn="$(get_cn_from_cert "$cert")"
|
# Get every CN from the subject field and compare against the server name.
|
||||||
|
cns="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE | awk -F'=' '/CN=/ { print $2 }')"
|
||||||
|
while read cn; do
|
||||||
|
# If the CN contains any characters that are not valid for a DNS name,
|
||||||
|
# then assume it does not contain a DNS name.
|
||||||
|
[[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && continue
|
||||||
|
|
||||||
# If the CN contains any characters that are not valid for a DNS name,
|
# Check whether the CN matches the servername
|
||||||
# then assume it does not contain a DNS name.
|
[[ $(toupper "$cn") == "$servername" ]] && cn_match=4 && break
|
||||||
[[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $subret
|
|
||||||
|
|
||||||
# Check whether the CN in the certificate matches the servername
|
# Check whether the CN is a wildcard name that matches the servername
|
||||||
[[ $(toupper "$cn") == "$servername" ]] && subret+=4 && return $subret
|
# NOTE: Don't stop loop on a wildcard match in case there is another CN
|
||||||
|
# that is an exact match.
|
||||||
# Check whether the CN in the certificate is a wildcard name that matches
|
wildcard_match "$servername" "$cn"
|
||||||
# the servername
|
[[ $? -eq 0 ]] && cn_match=8
|
||||||
wildcard_match "$servername" "$cn"
|
done <<< "$cns"
|
||||||
[[ $? -eq 0 ]] && subret+=8
|
subret+=$cn_match
|
||||||
return $subret
|
return $subret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
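Review bot: The `awk -F'=' '/CN=/ { print $2 }'` extraction in the new `cns=` line truncates any CN value that itself contains a `=`, so a value the DNS-name filter two lines later would reject could be cut down to a prefix that passes it and is then compared against the server name; `awk '/^ *CN=/ { sub(/^ *CN=/, ""); print }'` keeps the whole value (this assumes `=` is printed unescaped in the multiline subject output, which looks likely but is worth confirming). The same line passes `$1` unquoted even though the function already has `local cert="$1"`; `-in "$cert"` is consistent with the rest of the function. On the next line, `while read cn; do` lacks `-r`, so backslashes in a CN taken from the peer's certificate are rewritten by `read` before the `sed` filter sees them; `while IFS= read -r cn; do` avoids that. The rest of the loop reads correctly: an exact match sets `cn_match=4` and breaks, a wildcard match sets `cn_match=8` without breaking so a later exact CN still wins, and `subret+=$cn_match` folds the result into the existing return convention.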