- indentation reverted to old value if in only one certificate

- minor cleanups in the output
This commit is contained in:
Dirk 2016-01-30 23:59:29 +01:00
parent 5178e0db37
commit fc346a35fe
1 changed files with 34 additions and 31 deletions

View File

@ -2730,27 +2730,29 @@ determine_trust() {
tls_time() { tls_time() {
local now difftime local now difftime
local spaces=" "
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol) tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol)
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2 [[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1 [[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3 [[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
pr_bold " TLS clock skew" ; out "$spaces"
if [[ -n "$TLS_TIME" ]]; then # nothing returned a time! if [[ -n "$TLS_TIME" ]]; then # nothing returned a time!
difftime=$(($TLS_TIME - $TLS_NOW)) # TLS_NOW is being set in tls_sockets() difftime=$(($TLS_TIME - $TLS_NOW)) # TLS_NOW is being set in tls_sockets()
if [[ "${#difftime}" -gt 5 ]]; then if [[ "${#difftime}" -gt 5 ]]; then
# openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint # openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
pr_bold " TLS timestamp" ; outln " random values, no fingerprinting possible " out "random values, no fingerprinting possible "
fileout "tls_time" "INFO" "Your TLS time seems to be filled with random values to prevent fingerprinting" fileout "tls_time" "INFO" "Your TLS time seems to be filled with random values to prevent fingerprinting"
else else
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime" [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
pr_bold " TLS clock skew" ; outln " $difftime sec from localtime"; out "$difftime"; out " sec from localtime";
fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds" fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds"
fi fi
debugme out "$TLS_TIME" debugme out "$TLS_TIME"
outln outln
else else
pr_bold " TLS timestamp" ; out " "; pr_litemagentaln "SSLv3 through TLS 1.2 didn't return a timestamp" pr_litemagenta "SSLv3 through TLS 1.2 didn't return a timestamp"
fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2" fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
fi fi
return 0 return 0
@ -2845,18 +2847,19 @@ certificate_info() {
local cnfinding local cnfinding
local cnok="OK" local cnok="OK"
local expfinding expok="OK" local expfinding expok="OK"
local heading="" local indent=""
outln
out " "
if [[ $number_of_certificates -gt 1 ]]; then if [[ $number_of_certificates -gt 1 ]]; then
heading="Server Certifcate #$certificate_number" [[ $certificate_number -eq 1 ]] && outln
indent=" "
out "$indent"
pr_headlineln "Server Certifcate #$certificate_number"
spaces=" "
else else
heading="Server Certifcate" spaces=" "
fi fi
pr_headlineln " $heading "
outln
out "$indent"
pr_bold " Server key size " pr_bold " Server key size "
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u ) sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u ) key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
@ -2889,7 +2892,7 @@ certificate_info() {
fi fi
outln " bit" outln " bit"
pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
case $sig_algo in case $sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_brownln "SHA1 with RSA" pr_brownln "SHA1 with RSA"
@ -2922,7 +2925,7 @@ certificate_info() {
esac esac
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
pr_bold " Fingerprint / Serial " out "$indent"; pr_bold " Fingerprint / Serial "
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')" cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')" cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )" cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
@ -2930,7 +2933,7 @@ certificate_info() {
outln "$spaces$cert_fingerprint_sha2" outln "$spaces$cert_fingerprint_sha2"
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2" fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
pr_bold " Common Name (CN) " out "$indent"; pr_bold " Common Name (CN) "
cnfinding="Common Name (CN) : " cnfinding="Common Name (CN) : "
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//') cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
@ -3006,7 +3009,7 @@ certificate_info() {
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g') sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
# ^^^ CACert # ^^^ CACert
pr_bold " subjectAltName (SAN) " out "$indent"; pr_bold " subjectAltName (SAN) "
if [[ -n "$sans" ]]; then if [[ -n "$sans" ]]; then
for san in $sans; do for san in $sans; do
pr_dquoted "$san" pr_dquoted "$san"
@ -3018,7 +3021,7 @@ certificate_info() {
fileout "$heading san" "INFO" "subjectAltName (SAN) : --" fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
fi fi
outln outln
pr_bold " Issuer " out "$indent"; pr_bold " Issuer "
issuer=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE| sed -e 's/^.*CN=//g' -e 's/\/.*$//g') issuer=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE| sed -e 's/^.*CN=//g' -e 's/\/.*$//g')
issuer_O=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*O=//g' | sed 's/\/.*$//g') issuer_O=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*O=//g' | sed 's/\/.*$//g')
if $OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | grep -q 'C=' ; then if $OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | grep -q 'C=' ; then
@ -3044,7 +3047,7 @@ certificate_info() {
fi fi
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
pr_bold " EV cert"; out " (experimental) " out "$indent"; pr_bold " EV cert"; out " (experimental) "
policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }') policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }')
if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \ if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
[[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \ [[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \
@ -3067,7 +3070,7 @@ certificate_info() {
# http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc # http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
# https://certs.opera.com/03/ev-oids.xml # https://certs.opera.com/03/ev-oids.xml
pr_bold " Certificate Expiration " out "$indent"; pr_bold " Certificate Expiration "
if $HAS_GNUDATE ; then if $HAS_GNUDATE ; then
enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z")
@ -3109,14 +3112,14 @@ certificate_info() {
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)" fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem) certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
pr_bold " # of certificates provided"; outln " $certificates_provided" out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided" fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
pr_bold " Chain of trust"; out " (experim.) " out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
determine_trust "$heading" #Also handles fileout determine_trust "$heading" #Also handles fileout
pr_bold " Certificate Revocation List " out "$indent"; pr_bold " Certificate Revocation List "
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
if [[ -z "$crl" ]]; then if [[ -z "$crl" ]]; then
pr_literedln "--" pr_literedln "--"
@ -3134,7 +3137,7 @@ certificate_info() {
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report" fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
fi fi
pr_bold " OCSP URI " out "$indent"; pr_bold " OCSP URI "
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
if [[ -z "$ocsp_uri" ]]; then if [[ -z "$ocsp_uri" ]]; then
pr_literedln "--" pr_literedln "--"
@ -3144,17 +3147,17 @@ certificate_info() {
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri" fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
fi fi
pr_bold " OCSP stapling " out "$indent"; pr_bold " OCSP stapling "
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
out " not offered" outln " not offered"
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered" fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
else else
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
pr_litegreen " offered" pr_litegreenln " offered"
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered" fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
else else
if $GOST_STATUS_PROBLEM; then if $GOST_STATUS_PROBLEM; then
out " (GOST servers make problems here, sorry)" outln " (GOST servers make problems here, sorry)"
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)" fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
ret=0 ret=0
else else
@ -3287,7 +3290,7 @@ run_server_defaults() {
fi fi
pr_bold " SSL Session ID support " pr_bold " SSL Session ID support "
if $NO_SSL_SESSIONID; then if "$NO_SSL_SESSIONID"; then
outln "no" outln "no"
fileout "session_id" "INFO" "SSL session ID support: no" fileout "session_id" "INFO" "SSL session ID support: no"
else else
@ -3302,7 +3305,7 @@ run_server_defaults() {
echo "${previous_hostcert[i]}" > $HOSTCERT echo "${previous_hostcert[i]}" > $HOSTCERT
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}"
i=$(($i + 1)) i=$((i + 1))
done done
} }
@ -6662,4 +6665,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.445 2016/01/23 22:33:16 dirkw Exp $ # $Id: testssl.sh,v 1.447 2016/01/30 22:59:28 dirkw Exp $