Merge pull request #1698 from drwetter/mitigate_javastore4rating

Don't penalize rating for CAs which aren't in the Java store
This commit is contained in:
Dirk Wetter 2020-08-11 16:25:25 +02:00 committed by GitHub
commit ee7a21ef76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 10 deletions

View File

@ -16,6 +16,7 @@
* Don't use external pwd anymore * Don't use external pwd anymore
* STARTTLS: XMPP server support * STARTTLS: XMPP server support
* Rating (SSL Labs, not complete) * Rating (SSL Labs, not complete)
* Don't penalize missing trust in rating when CA not in Java store
* Added support for certificates with EdDSA signatures and pubilc keys * Added support for certificates with EdDSA signatures and pubilc keys
### Features implemented / improvements in 3.0 ### Features implemented / improvements in 3.0

View File

@ -7221,10 +7221,9 @@ determine_trust() {
# we did to stdout the warning above already, so we could stay here with OK: # we did to stdout the warning above already, so we could stay here with OK:
fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning" fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning"
else else
# at least one failed
pr_svrty_critical "NOT ok" pr_svrty_critical "NOT ok"
if ! "$some_ok"; then if ! "$some_ok"; then
# all failed (we assume with the same issue), we're displaying the reason # ALL failed (we assume with the same issue), we're displaying the reason
out " " out " "
code="$(verify_retcode_helper "${verify_retcode[1]}")" code="$(verify_retcode_helper "${verify_retcode[1]}")"
if [[ "$code" =~ "pls report" ]]; then if [[ "$code" =~ "pls report" ]]; then
@ -7235,15 +7234,13 @@ determine_trust() {
fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning" fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
set_grade_cap "T" "Issues with the chain of trust $code" set_grade_cap "T" "Issues with the chain of trust $code"
else else
# is one ok and the others not ==> display the culprit store # alt least one ok and other(s) not ==> display the culprit store(s)
if "$some_ok"; then if "$some_ok"; then
pr_svrty_critical ":" pr_svrty_critical ":"
for ((i=1;i<=num_ca_bundles;i++)); do for (( i=1; i<=num_ca_bundles; i++ )); do
if ${trust[i]}; then if ${trust[i]}; then
ok_was="${certificate_file[i]} $ok_was" ok_was="${certificate_file[i]} $ok_was"
else else
#code="$(verify_retcode_helper ${verify_retcode[i]})"
#notok_was="${certificate_file[i]} $notok_was"
pr_svrty_high " ${certificate_file[i]} " pr_svrty_high " ${certificate_file[i]} "
code="$(verify_retcode_helper "${verify_retcode[i]}")" code="$(verify_retcode_helper "${verify_retcode[i]}")"
if [[ "$code" =~ "pls report" ]]; then if [[ "$code" =~ "pls report" ]]; then
@ -7252,11 +7249,13 @@ determine_trust() {
out "$code" out "$code"
fi fi
notok_was="${certificate_file[i]} $code $notok_was" notok_was="${certificate_file[i]} $code $notok_was"
set_grade_cap "T" "Issues with chain of trust $code" if ! [[ ${certificate_file[i]} =~ Java ]]; then
# Exemption for Java AND rating, as this store doesn't seem to be as complete.
# We won't penelize this but we still need to raise a red flag. See #1648
set_grade_cap "T" "Issues with chain of trust $code"
fi
fi fi
done done
#pr_svrty_high "$notok_was "
#outln "$code"
outln outln
# lf + green ones # lf + green ones
[[ "$DEBUG" -eq 0 ]] && tm_out "$spaces" [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
@ -7269,7 +7268,6 @@ determine_trust() {
outln outln
return 0 return 0
} }
# not handled: Root CA supplied ("contains anchor" in SSLlabs terminology) # not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
tls_time() { tls_time() {