Merge pull request #1698 from drwetter/mitigate_javastore4rating
Don't penalize rating for CAs which aren't in the Java store
This commit is contained in:
commit
ee7a21ef76
|
@ -16,6 +16,7 @@
|
||||||
* Don't use external pwd anymore
|
* Don't use external pwd anymore
|
||||||
* STARTTLS: XMPP server support
|
* STARTTLS: XMPP server support
|
||||||
* Rating (SSL Labs, not complete)
|
* Rating (SSL Labs, not complete)
|
||||||
|
* Don't penalize missing trust in rating when CA not in Java store
|
||||||
* Added support for certificates with EdDSA signatures and pubilc keys
|
* Added support for certificates with EdDSA signatures and pubilc keys
|
||||||
|
|
||||||
### Features implemented / improvements in 3.0
|
### Features implemented / improvements in 3.0
|
||||||
|
|
18
testssl.sh
18
testssl.sh
|
@ -7221,10 +7221,9 @@ determine_trust() {
|
||||||
# we did to stdout the warning above already, so we could stay here with OK:
|
# we did to stdout the warning above already, so we could stay here with OK:
|
||||||
fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning"
|
fileout "${jsonID}${json_postfix}" "OK" "passed. $addtl_warning"
|
||||||
else
|
else
|
||||||
# at least one failed
|
|
||||||
pr_svrty_critical "NOT ok"
|
pr_svrty_critical "NOT ok"
|
||||||
if ! "$some_ok"; then
|
if ! "$some_ok"; then
|
||||||
# all failed (we assume with the same issue), we're displaying the reason
|
# ALL failed (we assume with the same issue), we're displaying the reason
|
||||||
out " "
|
out " "
|
||||||
code="$(verify_retcode_helper "${verify_retcode[1]}")"
|
code="$(verify_retcode_helper "${verify_retcode[1]}")"
|
||||||
if [[ "$code" =~ "pls report" ]]; then
|
if [[ "$code" =~ "pls report" ]]; then
|
||||||
|
@ -7235,15 +7234,13 @@ determine_trust() {
|
||||||
fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
|
fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
|
||||||
set_grade_cap "T" "Issues with the chain of trust $code"
|
set_grade_cap "T" "Issues with the chain of trust $code"
|
||||||
else
|
else
|
||||||
# is one ok and the others not ==> display the culprit store
|
# alt least one ok and other(s) not ==> display the culprit store(s)
|
||||||
if "$some_ok"; then
|
if "$some_ok"; then
|
||||||
pr_svrty_critical ":"
|
pr_svrty_critical ":"
|
||||||
for ((i=1;i<=num_ca_bundles;i++)); do
|
for (( i=1; i<=num_ca_bundles; i++ )); do
|
||||||
if ${trust[i]}; then
|
if ${trust[i]}; then
|
||||||
ok_was="${certificate_file[i]} $ok_was"
|
ok_was="${certificate_file[i]} $ok_was"
|
||||||
else
|
else
|
||||||
#code="$(verify_retcode_helper ${verify_retcode[i]})"
|
|
||||||
#notok_was="${certificate_file[i]} $notok_was"
|
|
||||||
pr_svrty_high " ${certificate_file[i]} "
|
pr_svrty_high " ${certificate_file[i]} "
|
||||||
code="$(verify_retcode_helper "${verify_retcode[i]}")"
|
code="$(verify_retcode_helper "${verify_retcode[i]}")"
|
||||||
if [[ "$code" =~ "pls report" ]]; then
|
if [[ "$code" =~ "pls report" ]]; then
|
||||||
|
@ -7252,11 +7249,13 @@ determine_trust() {
|
||||||
out "$code"
|
out "$code"
|
||||||
fi
|
fi
|
||||||
notok_was="${certificate_file[i]} $code $notok_was"
|
notok_was="${certificate_file[i]} $code $notok_was"
|
||||||
set_grade_cap "T" "Issues with chain of trust $code"
|
if ! [[ ${certificate_file[i]} =~ Java ]]; then
|
||||||
|
# Exemption for Java AND rating, as this store doesn't seem to be as complete.
|
||||||
|
# We won't penelize this but we still need to raise a red flag. See #1648
|
||||||
|
set_grade_cap "T" "Issues with chain of trust $code"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
#pr_svrty_high "$notok_was "
|
|
||||||
#outln "$code"
|
|
||||||
outln
|
outln
|
||||||
# lf + green ones
|
# lf + green ones
|
||||||
[[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
|
[[ "$DEBUG" -eq 0 ]] && tm_out "$spaces"
|
||||||
|
@ -7269,7 +7268,6 @@ determine_trust() {
|
||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
|
# not handled: Root CA supplied ("contains anchor" in SSLlabs terminology)
|
||||||
|
|
||||||
tls_time() {
|
tls_time() {
|
||||||
|
|
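Review bot: The new exemption in the third hunk (`@ -7252`) tests the whole value of `${certificate_file[i]}` with an unanchored `=~ Java`, so if that variable holds a path rather than a bare store name, any bundle living under a directory whose name contains "Java" would also escape the grade cap; matching on the basename only, `if ! [[ "${certificate_file[i]##*/}" =~ Java ]]; then`, keeps the exemption tied to the store file itself (quoting the expansion is harmless inside `[[` and reads consistently with the rest of the function). The exemption is also silent in the rating: the `CRITICAL` fileout and the red `pr_svrty_high` output still appear, but nothing records that a Java-store failure was deliberately not counted toward the grade, so a reader comparing the grade with the trust line has to know about #1648; a short debug or fileout note at the point of the skip would make that visible. The comment above it has a typo: `# We won't penalize this but we still need to raise a red flag. See #1648`. determine_trust begins before this file section.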