Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Extra warning for certificates >= 5yrs, italics handling for BSDs

Browse Source 
This PR fixes #803 and emit an extra warning if the certificate
has a lifetime longer or equal of five years which happens often
on appliances with self signed certificates. (CAs do not offer
such a long certificate lifetime.) This was tested under Linux,
FreeBSD and OpenBSD. On the latter however we only check the
years as opposed to other OS where we have a finer granularity
(seconds).

On the screen there's only an output if the lifetime is too long,
using JSON or CSV formats, it is always displayed (ID: cert_validityPeriod).

Also this PR changes the ID cert_expiration_status to cert_expirationStatus.

Older FreeBSD and OpenBSD can't deal with italics characters but it output
the escape codes which could result in a different markup. This PR detects
such OS and just doesn't dsiplay the escape sequence.

Also the manpage is reflecting the change and has updates in the server
defaults and standard cipher checks section.
This commit is contained in:
Dirk Wetter 2019-04-09 11:46:53 +02:00
parent 0e8807217d
commit e92b7326bc
4 changed files with 582 additions and 675 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
doc/testssl.1
View File

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "TESTSSL" "1" "January 2019" "" ""
.TH "TESTSSL" "1" "April 2019" "" ""
.
.SH "NAME"
\fBtestssl\fR
@ -185,16 +185,16 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
\fBAnonymous NULL ciphers\fR: \'aNULL:ADH\'
.
.IP "\(bu" 4
\fBExport ciphers\fR (w/o the preceding ones): \'EXPORT:!ADH:!NULL\' * \fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): \'LOW:DES:!ADH:!EXP:!NULL\'
\fBExport ciphers\fR (w/o the preceding ones): \'EXPORT:!ADH:!NULL\'
.
.IP "\(bu" 4
\fBWeak 128 Bit ciphers\fR: \'MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES\'
\fBLOW\fR (64 Bit + DES ciphers, without EXPORT ciphers): \'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL\'
.
.IP "\(bu" 4
\fB3DES Ciphers\fR: \'3DES:!aNULL:!ADH\'
\fB3DES + IDEA Ciphers\fR: \'3DES:IDEA:!aNULL:!ADH\'
.
.IP "\(bu" 4
\fBHigh grade Ciphers\fR: \'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM\'
\fBAverage grade Ciphers\fR: \'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL\'
.
.IP "\(bu" 4
\fBStrong grade Ciphers\fR (AEAD): \'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM\'
@ -211,7 +211,63 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
\fB\-P, \-\-preference\fR displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher\. If there\'s a cipher order enforced by the server it displays it for each protocol (openssl+sockets)\. If there\'s not, it displays instead which ciphers from the server were picked with each protocol\.
.
.P
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s): available TLS extensions, TLS ticket + session information/capabilities, session resumption capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP stapling/must staple), certificate transparency info (if provided by server)\. When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer whether the host certificate has been revoked\. This section also displays certificate start and expiration time in GMT\. In addition it checks the trust (CN, SAN, chain of trust)\. For the trust chain check there are 5 certificate stores provided\. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed \- in addition the ones which succeeded are displayed too\. You can configure your own CA via ADDITIONAL_CA_FILES, see section \fBFILES\fR below\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated\. Also multiple server certificates are being checked for as well as the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Also the Certification Authority Authorization (CAA) record is displayed and whether "Certificate Transparency" (CT) is supported (and if: how)\. TLS clock skew matches the time difference to the client\. Only a few TLS stacks nowadays still support this and return the local clock \fBgmt_unix_time\fR, e\.g\. IIS, openssl < 1\.0\.1f\. In addition to the HTTP date you could e\.g\. derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\.
\fB\-S, \-\-server_defaults\fR displays information from the server hello(s):
.
.IP "\(bu" 4
Available TLS extensions,
.
.IP "\(bu" 4
TLS ticket + session ID information/capabilities,
.
.IP "\(bu" 4
session resumption capabilities,
.
.IP "\(bu" 4
Time skew relative to localhost (most server implementations return random values)\.
.
.IP "\(bu" 4
Several certificate information:
.
.IP "\(bu" 4
signature algorithm,
.
.IP "\(bu" 4
key size,
.
.IP "\(bu" 4
key usage and extended key usage,
.
.IP "\(bu" 4
fingerprints and serial
.
.IP "\(bu" 4
Common Name (CN), Subject Alternative Name (SAN), Issuer,
.
.IP "\(bu" 4
Trust via hostname + chain of trust against supplied certificates
.
.IP "\(bu" 4
EV certificate detection
.
.IP "\(bu" 4
experimental "eTLS" detection
.
.IP "\(bu" 4
validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)
.
.IP "\(bu" 4
revocation info (CRL, OCSP, OCSP stapling + must staple)\. When \fB\-\-phone\-out\fR supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL)\.
.
.IP "\(bu" 4
displaying DNS Certification Authority Authorization resource record
.
.IP "\(bu" 4
Certificate Transparency info (if provided by server)\.
.
.IP "" 0
.
.P
For the trust chain check 5 certificate stores are provided\. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed \- in addition the ones which succeeded are displayed too\. You can configure your own CA via ADDITIONAL_CA_FILES, see section \fBFILES\fR below\. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated\. Also for multiple server certificates are being checked for as well as for the certificate reply to a non\-SNI (Server Name Indication) client hello to the IP address\. Regarding the TLS clock skew: it displays the time difference to the client\. Only a few TLS stacks nowadays still support this and return the local clock \fBgmt_unix_time\fR, e\.g\. IIS, openssl < 1\.0\.1f\. In addition to the HTTP date you could e\.g\. derive that there are different hosts where your TLS and your HTTP request ended \-\- if the time deltas differ significantly\.
.
.P
\fB\-x <pattern>, \-\-single\-cipher <pattern>\fR tests matched \fBpattern\fR of ciphers against a server\. Patterns are similar to \fB\-V pattern , \-\-local pattern\fR, see above about matching\.
@ -350,7 +406,7 @@ Please note that in testssl\.sh 3,0 you can still use \fBrfc\fR instead of \fBia
\fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\.
.
.P
\fB\-\-color <0|1|2|3>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. This is also what you want when you want a log file without any escape codes\. \fB3\fR will color ciphers and EC according to an internal (not yet perfect) rating\. Setting the environment variable \fBCOLOR\fR to the value achieves the same result\.
\fB\-\-color <0|1|2|3>\fR determines the use of colors on the screen and in the log file: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. This is also what you want when you want a log file without any escape codes\. \fB3\fR will color ciphers and EC according to an internal (not yet perfect) rating\. Setting the environment variable \fBCOLOR\fR to the value achieves the same result\. Please not that OpenBSD and early FreeBSD do not support italics\.
.
.P
\fB\-\-colorblind\fR Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en\.wikipedia\.org/wiki/Color_blindness) can distinguish those findings better\. \fBCOLORBLIND\fR is the according variable if you want to set this in the environment\.
@ -820,4 +876,4 @@ All native Windows platforms emulating Linux are known to be slow\.
Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
.
.SH "SEE ALSO"
\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites \fBhttps://testssl\.sh/\fR and \fBhttps://github\.com/drwetter/testssl\.sh/\fR \.
\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/drwetter/testssl\.sh/ \.

1070
doc/testssl.1.html
View File

File diff suppressed because it is too large Load Diff

48
doc/testssl.1.md
View File

@ -149,10 +149,10 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
* `NULL encryption ciphers`: 'NULL:eNULL'
* `Anonymous NULL ciphers`: 'aNULL:ADH'
* `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL' * `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:!ADH:!EXP:!NULL'
* `Weak 128 Bit ciphers`: 'MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES'
* `3DES Ciphers`: '3DES:!aNULL:!ADH'
* `High grade Ciphers`: 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM'
* `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
* `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'
* `3DES + IDEA Ciphers`: '3DES:IDEA:!aNULL:!ADH'
* `Average grade Ciphers`: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'
* `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM'
`-f, --pfs, --fs,--nsa ` Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).
@ -162,20 +162,28 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
`-P, --preference` displays the servers preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.
`-S, --server_defaults` displays information from the server hello(s):
available TLS extensions, TLS ticket + session information/capabilities, session resumption
capabilities, time skew relative to localhost (most server implementations return random values) and several certificate info: certificate signature algorithm, certificate key size, X509v3 key usage and extended key usage, certificate fingerprints and serial, revocation info (CRL, OCSP, OCSP
stapling/must staple), certificate transparency info (if provided by
server). When `--phone-out` supplied it checks against the certificate issuer
whether the host certificate has been revoked.
This section also displays certificate start and expiration time in GMT. In addition it checks the trust (CN, SAN, chain of trust).
For the trust chain check there are 5 certificate stores provided. If the test against one of the trust stores failed, the one
is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too.
You can configure your own CA via ADDITIONAL_CA_FILES, see section `FILES` below. If the server provides
no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated.
Also multiple server certificates are
being checked for as well as the certificate reply to a non-SNI (Server Name
Indication) client hello to the IP address. Also the Certification Authority Authorization (CAA) record is displayed and whether "Certificate Transparency" (CT) is supported (and if: how).
TLS clock skew matches the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock `gmt_unix_time`, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.
* Available TLS extensions,
* TLS ticket + session ID information/capabilities,
* session resumption capabilities,
* Time skew relative to localhost (most server implementations return random values).
* Several certificate information
- signature algorithm,
- key size,
- key usage and extended key usage,
- fingerprints and serial
- Common Name (CN), Subject Alternative Name (SAN), Issuer,
- Trust via hostname + chain of trust against supplied certificates
- EV certificate detection
- experimental "eTLS" detection
- validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)
- revocation info (CRL, OCSP, OCSP stapling + must staple). When `--phone-out` supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL).
- displaying DNS Certification Authority Authorization resource record
- Certificate Transparency info (if provided by server).
For the trust chain check 5 certificate stores are provided. If the test against one of the trust stores failed, the one is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too.
You can configure your own CA via ADDITIONAL_CA_FILES, see section `FILES` below. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated.
Also for multiple server certificates are being checked for as well as for the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. Regarding the TLS clock skew: it displays the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock `gmt_unix_time`, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.
`-x <pattern>, --single-cipher <pattern>` tests matched `pattern` of ciphers against a server. Patterns are similar to `-V pattern , --local pattern`, see above about matching.
@ -260,7 +268,7 @@ Please note that in testssl.sh 3,0 you can still use `rfc` instead of `iana` and
`--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment.
`--color <0|1|2|3>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. `3` will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable `COLOR` to the value achieves the same result.
`--color <0|1|2|3>` determines the use of colors on the screen and in the log file: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. `3` will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable `COLOR` to the value achieves the same result. Please not that OpenBSD and early FreeBSD do not support italics.
`--colorblind` Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. `COLORBLIND` is the according variable if you want to set this in the environment.
@ -495,5 +503,5 @@ Probably. Current known ones and interface for filing new ones: https://testssl.
## SEE ALSO
`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites __https://testssl.sh/__ and __https://github.com/drwetter/testssl.sh/__ .
`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .

67
testssl.sh
View File

@ -134,6 +134,7 @@ fi
declare -r PROG_NAME="$(basename "$0")"
declare -r RUN_DIR="$(dirname "$0")"
declare -r SYSTEM="$(uname -s)"
declare -r SYSTEMREV="$(uname -r)"
SYSTEM2="" # currently only being used for WSL = bash on windows
TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
@ -576,7 +577,15 @@ tmln_bold() { tm_bold "$1"; tmln_out; }
pr_bold() { tm_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<span style=\"font-weight:bold;\">$(html_reserved "$1")</span>" || html_out "$(html_reserved "$1")"; }
prln_bold() { pr_bold "$1" ; outln; }
tm_italic() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[3m$1" || tm_out "$1"; tm_off; }
NO_ITALICS=false
if [[ $SYSTEM == OpenBSD ]]; then
NO_ITALICS=true
elif [[ $SYSTEM == FreeBSD ]]; then
if [[ ${SYSTEMREV%\.*} -le 9 ]]; then
NO_ITALICS=true
fi
fi
tm_italic() { ( [[ "$COLOR" -ne 0 ]] && ! "$NO_ITALICS" ) && tm_out "\033[3m$1" || tm_out "$1"; tm_off; }
tmln_italic() { tm_italic "$1" ; tmln_out; }
pr_italic() { tm_italic "$1"; [[ "$COLOR" -ne 0 ]] && html_out "<i>$(html_reserved "$1")</i>" || html_out "$(html_reserved "$1")"; }
prln_italic() { pr_italic "$1"; outln; }
@ -631,14 +640,14 @@ pr_boldurl() { tm_bold "$1"; html_out "<a href=\"$1\" style=\"font-weight:bold;c
set_color_functions() {
local ncurses_tput=true
if [[ $(uname) == OpenBSD ]] && [[ "$TERM" =~ xterm-256 ]]; then
if [[ $SYSTEM == OpenBSD ]] && [[ "$TERM" =~ xterm-256 ]]; then
export TERM=xterm
# openBSD can't handle 256 colors (yet) in xterm which might lead to ugly errors
# OpenBSD can't handle 256 colors (yet) in xterm which might lead to ugly errors
# like "tput: not enough arguments (3) for capability `AF'". Not our fault but
# before we get blamed we fix it here.
fi
# empty all vars if we have COLOR=0 equals no escape code:
# Empty all vars if we have COLOR=0 equals no escape code -- these are globals:
red=""
green=""
brown=""
@ -666,7 +675,7 @@ set_color_functions() {
cyan=$(tput setaf 6)
grey=$(tput setaf 7)
yellow=$(tput setaf 3; tput bold)
else # this is a try for old BSD, see terminfo(5)
else # this is a try for old BSD, see terminfo(5)
red=$(tput AF 1)
green=$(tput AF 2)
brown=$(tput AF 3)
@ -677,25 +686,23 @@ set_color_functions() {
yellow=$(tput AF 3; tput md)
fi
fi
if [[ "$COLOR" -ge 1 ]]; then
if $ncurses_tput; then
bold=$(tput bold)
underline=$(tput sgr 0 1 2>/dev/null)
italic=$(tput sitm)
italic_end=$(tput ritm)
italic=$(tput sitm) # This doesn't work on FreeBSDi (9,10) and OpenBSD ...
italic_end=$(tput ritm) # ... and this, too
off=$(tput sgr0)
else # this is a try for old BSD, see terminfo(5)
else # this is a try for old BSD, see terminfo(5)
bold=$(tput md)
underline=$(tput us)
italic=$(tput ZH) # that doesn't work on FreeBSD 9+10.x
italic_end=$(tput ZR) # here too. Probably entry missing in /etc/termcap
italic=$(tput ZH 2>/dev/null) # This doesn't work on FreeBSDi (9,10) and OpenBSD
italic_end=$(tput ZR 2>/dev/null) # ... probably entry missing in /etc/termcap
reverse=$(tput mr)
off=$(tput me)
fi
# italic doesn't work under Linux, FreeBSD (9). But both work under OpenBSD.
# alternatively we could use escape codes
fi
# FreeBSD 10 understands ESC codes like 'echo -e "\e[3mfoobar\e[23m"', but also no tput for italics
}
strip_quote() {
@ -1822,7 +1829,7 @@ s_client_options() {
options="${options//-ciphersuites $tls13_ciphers/}"
tls13_ciphers="${tls13_ciphers##\'}"
tls13_ciphers="${tls13_ciphers%%\'}"
[[ "$tls13_ciphers" == "ALL" ]] && tls13_ciphers="$TLS13_OSSL_CIPHERS"
[[ "$tls13_ciphers" == ALL ]] && tls13_ciphers="$TLS13_OSSL_CIPHERS"
fi
# Don't include the -servername option for an SSLv2 or SSLv3 ClientHello.
@ -7795,7 +7802,7 @@ certificate_info() {
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
local policy_oid
local spaces=""
local -i trust_sni=0 trust_nosni=0
local -i trust_sni=0 trust_nosni=0 diffseconds=0
local has_dns_sans has_dns_sans_nosni
local trust_sni_finding
local -i certificates_provided
@ -7811,6 +7818,7 @@ certificate_info() {
local provides_stapling=false
local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
local response=""
local a b c yearstart yearend
if [[ $number_of_certificates -gt 1 ]]; then
[[ $certificate_number -eq 1 ]] && outln
@ -8368,12 +8376,20 @@ certificate_info() {
enddate="${enddate%%GMT*}GMT"
startdate="${cert_txt#*Validity*Not Before: }"
startdate="${startdate%%GMT*}GMT"
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
debugme echo "$enddate - $startdate"
# In all OS except OpenBSD it'll be reduced to "2017-02-27 11:03"
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
if "$HAS_OPENBSDDATE"; then
# best we are able to do under OpenBSD
days2expire=""
read a b c yearstart tz <<< "$startdate"
read a b c yearend tz <<< "$enddate"
# we only take the year here as OpenBSD's date is not for conversion
diffseconds=$((yearend - yearstart))
diffseconds=$((diffseconds * 3600 * 24 * 365))
else
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
days2expire=$((days2expire / 3600 / 24 ))
@ -8383,7 +8399,9 @@ certificate_info() {
days2warn2=$((days2warn2 / 2))
days2warn1=$((days2warn1 / 2))
fi
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
fi
debugme echo -n "diffseconds: $diffseconds"
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
if ! grep -qw not <<< "$expire" ; then
pr_svrty_critical "expired"
@ -8410,10 +8428,24 @@ certificate_info() {
fi
fi
outln " ($startdate --> $enddate)"
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
fileout "cert_expirationStatus${json_postfix}" "$expok" "$expfinding"
fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
if [[ $diffseconds -ge $((3600 * 24 * 365 * 10)) ]]; then
# certificate is valid >= 10 years
out "$spaces"
prln_svrty_high ">= 10 years is way too long"
fileout "cert_validityPeriod${json_postfix}" "HIGH" "$((diffseconds / 3600 * 24 )) days"
elif [[ $diffseconds -ge $((3600 * 24 * 365 * 5)) ]]; then
out "$spaces"
prln_svrty_medium ">= 5 years is too long"
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / 3600 * 24 )) days"
else
[[ "$DEBUG" -ge 1 ]] && outln "OK: below 5 years certificate life time"
fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / 3600 * 24 )) days"
fi
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
@ -16603,10 +16635,11 @@ commandline: "$CMDLINE"
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
status: ${BASH_VERSINFO[4]}
machine: ${BASH_VERSINFO[5]}
operating system: $SYSTEM
operating system: $SYSTEM $SYSTEMREV
os constraint: $SYSTEM2
shellopts: $SHELLOPTS
printf: $PRINTF
NO_ITALICS: $NO_ITALICS
$($OPENSSL version -a 2>/dev/null)
OSSL_VER_MAJOR: $OSSL_VER_MAJOR