Add host header to OCSP Request

Some OCSP responder seems to need a host header, see e.g. https://blog.ivanristic.com/2014/02/checking-ocsp-revocation-using-openssl.html . This commit adds this header. It addresses not all errors though. E.g. "https://testssl.sh" is fine now, "https://google.com" still returns "Code=400,Reason=Bad Request" which needs further investigation, Also this commit gives a warning if the OCSP request fails (fileout needs to be added)
2025-01-03 23:39:45 +01:00 · 2018-05-16 15:51:45 +02:00 · 2018-05-16 15:51:45 +02:00 · fac65d82b0
commit fac65d82b0
parent 567cc05fca
1 changed files with 11 additions and 5 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -1501,8 +1501,8 @@ check_revocation_ocsp() {

     "$PHONE_OUT" || return 0
     tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
-     $OPENSSL ocsp -no_nonce -url "$uri" -issuer $TEMPDIR/hostcert_issuer.pem \
-          -verify_other $TEMPDIR/intermediatecerts.pem \
+     $OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \
+          -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem  \
          -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT &> "$tmpfile"
     if [[ $? -eq 0 ]] && grep -q "Response verify OK" "$tmpfile"; then
          if grep -q "$HOSTCERT: good" "$tmpfile"; then
@ -1517,9 +1517,15 @@ check_revocation_ocsp() {
               outln
               cat "$tmpfile"
          fi
-     elif [[ $DEBUG -ge 2 ]]; then
-          outln
-          cat "$tmpfile"
+     else
+          out ", "
+          pr_warning "error querying OCSP responder"
+          if [[ $DEBUG -ge 2 ]]; then
+               outln
+               cat "$tmpfile"
+          else
+               out " (--debug >= 2 shows reason)"
+          fi
     fi
 }