- "secret" env switch shows during -e/-E the signature algorithm (see also #276)

- exp. date check corrected esp. for openssl 1.1.0 - warning relaxed for chain of trust
2025-01-01 06:19:44 +01:00 · 2016-02-01 22:06:27 +01:00 · 2016-02-01 22:06:27 +01:00 · dd65050ee1
commit dd65050ee1
parent ff714a673f
1 changed files with 23 additions and 19 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -135,6 +135,7 @@ declare -x OPENSSL
 COLOR=${COLOR:-2}                       # 2: Full color, 1: b/w+positioning, 0: no ESC at all
 COLORBLIND=${COLORBLIND:-false}         # if true, swap blue and green in the output
 SHOW_EACH_C=${SHOW_EACH_C:-0}           # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value
+SHOW_SIGALGO=${SHOW_SIGALGO:-false}     # "secret" switch weher testssl.sh shows the signature algorithm for -E / -e
 SNEAKY=${SNEAKY:-false}                 # is the referer and useragent we leave behind just usual?
 QUIET=${QUIET:-false}                   # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
 SSL_NATIVE=${SSL_NATIVE:-false}         # we do per default bash sockets where possible "true": switch back to "openssl native"
@ -1582,8 +1583,12 @@ run_allciphers(){
                    available="not a/v"
               fi
          fi
+          if "$SHOW_SIGALGO"; then
+               $OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
+          else
+               outln
+          fi
          fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
-          outln
          tmpfile_handle $FUNCNAME.txt
     done
     outln
@ -1628,7 +1633,11 @@ run_cipher_per_proto(){
                         available="not a/v"
                    fi
               fi
-               outln
+               if "$SHOW_SIGALGO"; then
+                    $OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
+               else
+                    outln
+               fi
               id="cipher$proto"
               id+="_$HEXC"
               fileout "$id" "INFO" "$proto_text  $(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
@ -2656,19 +2665,15 @@ determine_trust() {
     local addtl_warning

     if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
-          pr_litemagentaln "Your $OPENSSL is too new, needed is version 1.0.2"
-          out "$spaces"
+          addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
          fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
-          return 7
     elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
-          pr_litemagentaln "Your $OPENSSL is too old, needed is version >=1.0.2"
-          out "$spaces"
-          addtl_warning="Your $OPENSSL is too old, need version 1.0.2 to determine trust. Results may be unreliable."
+          addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
          fileout "$heading trust_warn" "WARN" "$addtl_warning"
     fi
     debugme outln
 	for bundle_fname in $ca_bundles; do
-		certificate_file[i]=$(basename "$bundle_fname" | sed 's/\.pem//')
+		certificate_file[i]=$(basename ${bundle_fname//.pem})
          if [[ ! -r $bundle_fname ]]; then
               pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
               return 7
@ -2696,14 +2701,14 @@ determine_trust() {
 		fi
 		i=$((i + 1))
 	done
-	num_ca_bundles=$(($i - 1))
+	num_ca_bundles=$((i - 1))
     debugme out " "
-	# all stores ok
 	if $all_ok; then
-		pr_litegreen "Ok   "
+	     # all stores ok
+		pr_litegreen "Ok   "; pr_litemagenta "$addtl_warning"
          fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
-	# at least one failed
 	else
+	     # at least one failed
 		pr_red "NOT ok"
 		if ! $some_ok; then
 		     # all failed (we assume with the same issue), we're displaying the reason
@ -2728,20 +2733,19 @@ determine_trust() {
 				#pr_litered "$notok_was "
                    #outln "$code"
                    outln
-				#lf + green ones
+				# lf + green ones
                    [[ "$DEBUG" -eq 0 ]] && out "$spaces"
 				pr_litegreen "OK: $ok_was"
               fi
-               fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was  NOT ok: $notok_was  $addtl_warning"
+               fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was  NOT ok: $notok_was $addtl_warning"
          fi
+          out "\n$spaces"; pr_litemagenta "$addtl_warning"
 	fi
 	outln
     return 0
 }

 # not handled: Root CA supplied (contains anchor)
-# attention: 1.0.1 fails on mozilla
-

 tls_time() {
     local now difftime
@ -3121,7 +3125,7 @@ certificate_info() {
     fi
     days2expire=$((days2expire  / 3600 / 24 ))

-     expire=$($OPENSSL x509 -in $HOSTCERT -checkend 0 2>>$ERRFILE)
+     expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
     if ! echo $expire | grep -qw not; then
          pr_red "expired!"
          expfinding="expired!"
@ -6716,4 +6720,4 @@ fi
 exit $?


-#  $Id: testssl.sh,v 1.456 2016/02/01 16:33:58 dirkw Exp $
+#  $Id: testssl.sh,v 1.458 2016/02/01 21:05:44 dirkw Exp $