From c4841c83eb9b954e02d896c9802bc72bb6c9520a Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Tue, 11 Aug 2020 15:30:53 +0200
Subject: [PATCH 1/2] Don't penalize rating for CAs which aren't in the Java store
This fixes #1648. Java store doesn't seem to be as complete. No downgrading of trust rating to T but we still need to raise a red flag for some Java clients
---
 testssl.sh | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 3af9081..490aa54 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7221,10 +7221,9 @@ determine_trust() {
 # we did to stdout the warning above already, so we could stay here with OK:
 fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning"
 else
- # at least one failed
 pr_svrty_critical "NOT ok"
 if ! "$some_ok"; then
- # all failed (we assume with the same issue), we're displaying the reason
+ # ALL failed (we assume with the same issue), we're displaying the reason
 out " "
 code="$(verify_retcode_helper "${verify_retcode[1]}")"
 if [[ "$code" =~ "pls report" ]]; then
@@ -7235,15 +7234,13 @@ determine_trust() {
 fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
 set_grade_cap "T" "Issues with the chain of trust $code"
 else
- # is one ok and the others not ==> display the culprit store
+ # alt least one ok and other(s) not ==> display the culprit store(s)
 if "$some_ok"; then
 pr_svrty_critical ":"
- for ((i=1;i<=num_ca_bundles;i++)); do
+ for (( i=1; i<=num_ca_bundles; i++ )); do
 if ${trust[i]}; then
 ok_was="${certificate_file[i]} $ok_was"
 else
- #code="$(verify_retcode_helper ${verify_retcode[i]})"
- #notok_was="${certificate_file[i]} $notok_was"
 pr_svrty_high " ${certificate_file[i]} "
 code="$(verify_retcode_helper "${verify_retcode[i]}")"
 if [[ "$code" =~ "pls report" ]]; then
@@ -7252,11 +7249,13 @@ determine_trust() {
 out "$code"
 fi
 notok_was="${certificate_file[i]} $code $notok_was"
- set_grade_cap "T" "Issues with chain of trust $code"
+ if ! [[ ${certificate_file[i]} =~ Java ]]; then
+ # Exemption for Java AND rating, as this store doesn't seem to be as complete.
+ # We won't penelize this but we still need to raise a red flag. See #1648
+ set_grade_cap "T" "Issues with chain of trust $code"
+ fi
 fi
 done
- #pr_svrty_high "$notok_was "
- #outln "$code"
 outln
 # lf + green ones
 [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
@@ -7269,7 +7268,6 @@ determine_trust() {
 outln
 return 0
 }
- # not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
 tls_time() {
From 46536132111cd39f2dbd21a45a6113600535d3fc Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Tue, 11 Aug 2020 15:36:43 +0200
Subject: [PATCH 2/2] Add mitigate_javastore4rating
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ada38e..b57102f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
 * Don't use external pwd anymore
 * STARTTLS: XMPP server support
 * Rating (SSL Labs, not complete)
+* Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and pubilc keys
 ### Features implemented / improvements in 3.0
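Review bot: The new guard `[[ ${certificate_file[i]} =~ Java ]]` is an unanchored, case-sensitive substring match against the whole path held in `certificate_file[i]`, so any bundle whose directory or file name merely contains "Java" (a user-supplied bundle path included) is silently exempted from the "T" grade cap, while a store named e.g. `java.pem` would not be; how that array is populated is not visible here, so this may be harmless in practice, but the exemption should be deliberate. Matching the basename and anchoring it narrows the check to the shipped store: `if ! [[ "${certificate_file[i]##*/}" =~ ^Java ]]; then`. The added comment also misspells "penalize" as "penelize". The enclosing determine_trust() starts before this hunk.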