- "secret" env switch shows during -e/-E the signature algorithm (see also #276)

- exp. date check corrected esp. for openssl 1.1.0
- warning relaxed for chain of trust
This commit is contained in:
Dirk 2016-02-01 22:06:27 +01:00
parent ff714a673f
commit dd65050ee1

View File

@ -135,6 +135,7 @@ declare -x OPENSSL
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output COLORBLIND=${COLORBLIND:-false} # if true, swap blue and green in the output
SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value SHOW_EACH_C=${SHOW_EACH_C:-0} # where individual ciphers are tested show just the positively ones tested #FIXME: upside down value
SHOW_SIGALGO=${SHOW_SIGALGO:-false} # "secret" switch weher testssl.sh shows the signature algorithm for -E / -e
SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual? SNEAKY=${SNEAKY:-false} # is the referer and useragent we leave behind just usual?
QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner QUIET=${QUIET:-false} # don't output the banner. By doing this yiu acknowledge usage term appearing in the banner
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
@ -1582,8 +1583,12 @@ run_allciphers(){
available="not a/v" available="not a/v"
fi fi
fi fi
fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available" if "$SHOW_SIGALGO"; then
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
else
outln outln
fi
fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
done done
outln outln
@ -1628,7 +1633,11 @@ run_cipher_per_proto(){
available="not a/v" available="not a/v"
fi fi
fi fi
if "$SHOW_SIGALGO"; then
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
else
outln outln
fi
id="cipher$proto" id="cipher$proto"
id+="_$HEXC" id+="_$HEXC"
fileout "$id" "INFO" "$proto_text $(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available" fileout "$id" "INFO" "$proto_text $(neat_list "$HEXC" "$ciph" "$kx" "$enc") $available"
@ -2656,19 +2665,15 @@ determine_trust() {
local addtl_warning local addtl_warning
if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
pr_litemagentaln "Your $OPENSSL is too new, needed is version 1.0.2" addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
out "$spaces"
fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust" fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
return 7
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
pr_litemagentaln "Your $OPENSSL is too old, needed is version >=1.0.2" addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
out "$spaces"
addtl_warning="Your $OPENSSL is too old, need version 1.0.2 to determine trust. Results may be unreliable."
fileout "$heading trust_warn" "WARN" "$addtl_warning" fileout "$heading trust_warn" "WARN" "$addtl_warning"
fi fi
debugme outln debugme outln
for bundle_fname in $ca_bundles; do for bundle_fname in $ca_bundles; do
certificate_file[i]=$(basename "$bundle_fname" | sed 's/\.pem//') certificate_file[i]=$(basename ${bundle_fname//.pem})
if [[ ! -r $bundle_fname ]]; then if [[ ! -r $bundle_fname ]]; then
pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable" pr_litemagentaln "\"$bundle_fname\" cannot be found / not readable"
return 7 return 7
@ -2696,14 +2701,14 @@ determine_trust() {
fi fi
i=$((i + 1)) i=$((i + 1))
done done
num_ca_bundles=$(($i - 1)) num_ca_bundles=$((i - 1))
debugme out " " debugme out " "
# all stores ok
if $all_ok; then if $all_ok; then
pr_litegreen "Ok " # all stores ok
pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning" fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
# at least one failed
else else
# at least one failed
pr_red "NOT ok" pr_red "NOT ok"
if ! $some_ok; then if ! $some_ok; then
# all failed (we assume with the same issue), we're displaying the reason # all failed (we assume with the same issue), we're displaying the reason
@ -2734,14 +2739,13 @@ determine_trust() {
fi fi
fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
fi fi
out "\n$spaces"; pr_litemagenta "$addtl_warning"
fi fi
outln outln
return 0 return 0
} }
# not handled: Root CA supplied (contains anchor) # not handled: Root CA supplied (contains anchor)
# attention: 1.0.1 fails on mozilla
tls_time() { tls_time() {
local now difftime local now difftime
@ -3121,7 +3125,7 @@ certificate_info() {
fi fi
days2expire=$((days2expire / 3600 / 24 )) days2expire=$((days2expire / 3600 / 24 ))
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 0 2>>$ERRFILE) expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
if ! echo $expire | grep -qw not; then if ! echo $expire | grep -qw not; then
pr_red "expired!" pr_red "expired!"
expfinding="expired!" expfinding="expired!"
@ -6716,4 +6720,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.456 2016/02/01 16:33:58 dirkw Exp $ # $Id: testssl.sh,v 1.458 2016/02/01 21:05:44 dirkw Exp $