From 0e27cfeadd9e49281428e02f6d2c5490cdd3727e Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Wed, 23 May 2018 14:32:51 -0400
Subject: [PATCH] OCSP improvements

This PR fixes two issues with OCSP checking. First, the syntax for specifying a host header changed in OpenSSL between versions 1.0.2 and 1.1.0. With OpenSSL 1.0.2-chacha, 1.0.2o, and LibreSSL the syntax needs to be "-header HOST ". With OpenSSL 1.1.0h and 1.1.1 the syntax needs to be "-header HOST=". I have not been able to test other versions of OpenSSL 1.0.2 or 1.1.0, but am assuming that all versions of OpenSSL 1.1.0 use the same syntax as 1.1.0h. This PR also fixes a typo in the case of an error, which was causing $code to be set to "empty ocsp response" if the response was not empty rather than if it was empty.
---
 testssl.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 064f22a..8fa8327 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1506,7 +1506,12 @@ check_revocation_ocsp() {
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
 host_header=${uri##http://}
 host_header=${host_header%%/*}
- $OPENSSL ocsp -no_nonce -header Host ${host_header} -url "$uri" \
+ if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
+ host_header="-header Host=${host_header}"
+ else
+ host_header="-header Host ${host_header}"
+ fi
+ $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
 -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
 -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT -text &> "$tmpfile"
 if [[ $? -eq 0 ]] && fgrep -q "Response verify OK" "$tmpfile"; then
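Review bot: On the new `$OPENSSL ocsp` line `${host_header}` is deliberately left unquoted so the shell splits the assembled `-header Host…` string back into two or three arguments, but that also exposes the value to globbing and further splitting; since the host is cut out of `$uri`, which presumably comes from the certificate's AIA extension rather than from the operator, an array is the safer carrier: `host_header=(-header "Host=${host_header}")` in the first branch, `host_header=(-header Host "${host_header}")` in the second, and `"${host_header[@]}"` on the command line. The version test routes only 1.1.0 and 1.1.1 to the `Host=` form, so any later OpenSSL release would silently fall back to the 1.0.2 syntax; if the newer syntax persists upstream, a check that selects the old form only for 1.0.x and LibreSSL would age better. The body of check_revocation_ocsp continues outside the hunk.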
@@ -1526,7 +1531,7 @@ check_revocation_ocsp() {
 code="$(awk -F':' '/Code/ { print $NF }' $tmpfile)"
 out ", "
 pr_warning "error querying OCSP responder"
- [[ -s "$tmpfile" ]] && code="empty ocsp response"
+ [[ -s "$tmpfile" ]] || code="empty ocsp response"
 fileout "$jsonID" "WARN" "$code"
 if [[ $DEBUG -ge 2 ]]; then
 outln
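Review bot: Even with the corrected `||` on the `[[ -s "$tmpfile" ]]` line, `code` can still reach `fileout` empty: a non-empty responder answer that contains no line matching `/Code/` leaves the awk on the `code=` context line producing nothing, and the WARN finding is then recorded without a reason. A second fallback such as `[[ -n "$code" ]] || code="unparsable ocsp response"` directly after it would keep the JSON/CSV output informative; `$tmpfile` in that awk call should also be quoted, consistent with the `[[ -s "$tmpfile" ]]` test. check_revocation_ocsp continues beyond the hunk on both sides.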