From fac65d82b0a12f3177429c382515111e847a7abd Mon Sep 17 00:00:00 2001
From: Dirk
Date: Wed, 16 May 2018 15:51:45 +0200
Subject: [PATCH] Add host header to OCSP Request

Some OCSP responder seems to need a host header, see e.g. https://blog.ivanristic.com/2014/02/checking-ocsp-revocation-using-openssl.html . This commit adds this header. It addresses not all errors though. E.g. "https://testssl.sh" is fine now, "https://google.com" still returns "Code=400,Reason=Bad Request" which needs further investigation, Also this commit gives a warning if the OCSP request fails (fileout needs to be added)
---
 testssl.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 2d0dad9..db2bfde 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1501,8 +1501,8 @@ check_revocation_ocsp() {
 "$PHONE_OUT" || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
- $OPENSSL ocsp -no_nonce -url "$uri" -issuer $TEMPDIR/hostcert_issuer.pem \
- -verify_other $TEMPDIR/intermediatecerts.pem \
+ $OPENSSL ocsp -no_nonce -header Host ${uri##http://} -url "$uri" \
+ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
 -CAfile $TEMPDIR/intermediatecerts.pem -cert $HOSTCERT &> "$tmpfile"
 if [[ $? -eq 0 ]] && grep -q "Response verify OK" "$tmpfile"; then
 if grep -q "$HOSTCERT: good" "$tmpfile"; then
@@ -1517,9 +1517,15 @@ check_revocation_ocsp() {
 outln
 cat "$tmpfile"
 fi
- elif [[ $DEBUG -ge 2 ]]; then
- outln
- cat "$tmpfile"
+ else
+ out ", "
+ pr_warning "error querying OCSP responder"
+ if [[ $DEBUG -ge 2 ]]; then
+ outln
+ cat "$tmpfile"
+ else
+ out " (--debug >= 2 shows reason)"
+ fi
 fi
 }
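Review bot: The Host value `${uri##http://}` on the new `$OPENSSL ocsp` line is unquoted and still carries everything after the scheme, so a responder URI with a path or port (a constructed example: `http://ocsp.example.com/ocsp` yields the header `Host: ocsp.example.com/ocsp`) sends an invalid header, which is plausibly the `400 Bad Request` the description reports for google.com. `$uri` presumably comes from the certificate presented by the server under test, so the unquoted expansion is also subject to word splitting and globbing on data the tested host controls, whereas the existing `-url "$uri"` is quoted. Derive the host first and quote it: `host_header=${uri#*://}`, `host_header=${host_header%%/*}`, then `-header Host "$host_header"`. Note also that `-header NAME VALUE` is the OpenSSL 1.0.x form; OpenSSL 1.1.0 and later expect `-header Host=value`, so the argument should be built per the detected OpenSSL version, and `https://` URIs are not handled by `##http://` at all. check_revocation_ocsp begins before this hunk and ends in the next one.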
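Review bot: The new `else` branch prints `error querying OCSP responder` for every failure, but the guard above it (`[[ $? -eq 0 ]] && grep -q "Response verify OK"`) also sends the case where openssl exited 0 yet the response did not verify down this path, which is a signature or chain problem with the responder's reply rather than a transport error and is the finding a tester most needs to see distinctly. Consider checking the captured output before the generic warning, e.g. `if grep -q "Response Verify Failure" "$tmpfile"; then pr_warning "OCSP response could not be verified"; else pr_warning "error querying OCSP responder"; fi`, so the two outcomes are not conflated in the terminal output. Capturing the exit status into a local immediately after the `&>` redirect, instead of testing `$?` after the line continuation, would also make the branch intent clearer.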