- indentation reverted to old value if there is only one certificate
- minor cleanups in the output
This commit is contained in:
parent
5178e0db37
commit
fc346a35fe
59
testssl.sh
59
testssl.sh
|
@ -2730,27 +2730,29 @@ determine_trust() {
|
||||||
|
|
||||||
tls_time() {
|
tls_time() {
|
||||||
local now difftime
|
local now difftime
|
||||||
|
local spaces=" "
|
||||||
|
|
||||||
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol)
|
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol)
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
|
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
|
||||||
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
|
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
|
||||||
|
|
||||||
|
pr_bold " TLS clock skew" ; out "$spaces"
|
||||||
if [[ -n "$TLS_TIME" ]]; then # nothing returned a time!
|
if [[ -n "$TLS_TIME" ]]; then # nothing returned a time!
|
||||||
difftime=$(($TLS_TIME - $TLS_NOW)) # TLS_NOW is being set in tls_sockets()
|
difftime=$(($TLS_TIME - $TLS_NOW)) # TLS_NOW is being set in tls_sockets()
|
||||||
if [[ "${#difftime}" -gt 5 ]]; then
|
if [[ "${#difftime}" -gt 5 ]]; then
|
||||||
# openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
|
# openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
|
||||||
pr_bold " TLS timestamp" ; outln " random values, no fingerprinting possible "
|
out "random values, no fingerprinting possible "
|
||||||
fileout "tls_time" "INFO" "Your TLS time seems to be filled with random values to prevent fingerprinting"
|
fileout "tls_time" "INFO" "Your TLS time seems to be filled with random values to prevent fingerprinting"
|
||||||
else
|
else
|
||||||
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
||||||
pr_bold " TLS clock skew" ; outln " $difftime sec from localtime";
|
out "$difftime"; out " sec from localtime";
|
||||||
fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds"
|
fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds"
|
||||||
fi
|
fi
|
||||||
debugme out "$TLS_TIME"
|
debugme out "$TLS_TIME"
|
||||||
outln
|
outln
|
||||||
else
|
else
|
||||||
pr_bold " TLS timestamp" ; out " "; pr_litemagentaln "SSLv3 through TLS 1.2 didn't return a timestamp"
|
pr_litemagenta "SSLv3 through TLS 1.2 didn't return a timestamp"
|
||||||
fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
|
fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
|
@ -2845,18 +2847,19 @@ certificate_info() {
|
||||||
local cnfinding
|
local cnfinding
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
local heading=""
|
local indent=""
|
||||||
|
|
||||||
outln
|
|
||||||
out " "
|
|
||||||
if [[ $number_of_certificates -gt 1 ]]; then
|
if [[ $number_of_certificates -gt 1 ]]; then
|
||||||
heading="Server Certifcate #$certificate_number"
|
[[ $certificate_number -eq 1 ]] && outln
|
||||||
|
indent=" "
|
||||||
|
out "$indent"
|
||||||
|
pr_headlineln "Server Certifcate #$certificate_number"
|
||||||
|
spaces=" "
|
||||||
else
|
else
|
||||||
heading="Server Certifcate"
|
spaces=" "
|
||||||
fi
|
fi
|
||||||
pr_headlineln " $heading "
|
|
||||||
outln
|
|
||||||
|
|
||||||
|
out "$indent"
|
||||||
pr_bold " Server key size "
|
pr_bold " Server key size "
|
||||||
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
|
sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
|
||||||
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
|
key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u )
|
||||||
|
@ -2889,7 +2892,7 @@ certificate_info() {
|
||||||
fi
|
fi
|
||||||
outln " bit"
|
outln " bit"
|
||||||
|
|
||||||
pr_bold " Signature Algorithm "
|
out "$indent" ; pr_bold " Signature Algorithm "
|
||||||
case $sig_algo in
|
case $sig_algo in
|
||||||
sha1WithRSAEncryption)
|
sha1WithRSAEncryption)
|
||||||
pr_brownln "SHA1 with RSA"
|
pr_brownln "SHA1 with RSA"
|
||||||
|
@ -2922,7 +2925,7 @@ certificate_info() {
|
||||||
esac
|
esac
|
||||||
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||||
|
|
||||||
pr_bold " Fingerprint / Serial "
|
out "$indent"; pr_bold " Fingerprint / Serial "
|
||||||
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
|
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
|
||||||
cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
|
cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
|
||||||
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
|
||||||
|
@ -2930,7 +2933,7 @@ certificate_info() {
|
||||||
outln "$spaces$cert_fingerprint_sha2"
|
outln "$spaces$cert_fingerprint_sha2"
|
||||||
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
|
||||||
|
|
||||||
pr_bold " Common Name (CN) "
|
out "$indent"; pr_bold " Common Name (CN) "
|
||||||
cnfinding="Common Name (CN) : "
|
cnfinding="Common Name (CN) : "
|
||||||
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
if $OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | grep -wq CN; then
|
||||||
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
cn=$($OPENSSL x509 -in $HOSTCERT -noout -subject 2>>$ERRFILE | sed 's/subject= //' | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//')
|
||||||
|
@ -3006,7 +3009,7 @@ certificate_info() {
|
||||||
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
|
||||||
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
|
||||||
# ^^^ CACert
|
# ^^^ CACert
|
||||||
pr_bold " subjectAltName (SAN) "
|
out "$indent"; pr_bold " subjectAltName (SAN) "
|
||||||
if [[ -n "$sans" ]]; then
|
if [[ -n "$sans" ]]; then
|
||||||
for san in $sans; do
|
for san in $sans; do
|
||||||
pr_dquoted "$san"
|
pr_dquoted "$san"
|
||||||
|
@ -3018,7 +3021,7 @@ certificate_info() {
|
||||||
fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
|
fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
pr_bold " Issuer "
|
out "$indent"; pr_bold " Issuer "
|
||||||
issuer=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE| sed -e 's/^.*CN=//g' -e 's/\/.*$//g')
|
issuer=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE| sed -e 's/^.*CN=//g' -e 's/\/.*$//g')
|
||||||
issuer_O=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*O=//g' | sed 's/\/.*$//g')
|
issuer_O=$($OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | sed 's/^.*O=//g' | sed 's/\/.*$//g')
|
||||||
if $OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | grep -q 'C=' ; then
|
if $OPENSSL x509 -in $HOSTCERT -noout -issuer 2>>$ERRFILE | grep -q 'C=' ; then
|
||||||
|
@ -3044,7 +3047,7 @@ certificate_info() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
|
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
|
||||||
pr_bold " EV cert"; out " (experimental) "
|
out "$indent"; pr_bold " EV cert"; out " (experimental) "
|
||||||
policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }')
|
policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }')
|
||||||
if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
|
if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
|
||||||
[[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \
|
[[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \
|
||||||
|
@ -3067,7 +3070,7 @@ certificate_info() {
|
||||||
# http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
|
# http://src.chromium.org/chrome/trunk/src/net/cert/ev_root_ca_metadata.cc
|
||||||
# https://certs.opera.com/03/ev-oids.xml
|
# https://certs.opera.com/03/ev-oids.xml
|
||||||
|
|
||||||
pr_bold " Certificate Expiration "
|
out "$indent"; pr_bold " Certificate Expiration "
|
||||||
|
|
||||||
if $HAS_GNUDATE ; then
|
if $HAS_GNUDATE ; then
|
||||||
enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z")
|
enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z")
|
||||||
|
@ -3109,14 +3112,14 @@ certificate_info() {
|
||||||
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
||||||
pr_bold " # of certificates provided"; outln " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
|
||||||
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
|
fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
|
||||||
|
|
||||||
|
|
||||||
pr_bold " Chain of trust"; out " (experim.) "
|
out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
|
||||||
determine_trust "$heading" #Also handles fileout
|
determine_trust "$heading" #Also handles fileout
|
||||||
|
|
||||||
pr_bold " Certificate Revocation List "
|
out "$indent"; pr_bold " Certificate Revocation List "
|
||||||
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
|
||||||
if [[ -z "$crl" ]]; then
|
if [[ -z "$crl" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
|
@ -3134,7 +3137,7 @@ certificate_info() {
|
||||||
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " OCSP URI "
|
out "$indent"; pr_bold " OCSP URI "
|
||||||
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
|
||||||
if [[ -z "$ocsp_uri" ]]; then
|
if [[ -z "$ocsp_uri" ]]; then
|
||||||
pr_literedln "--"
|
pr_literedln "--"
|
||||||
|
@ -3144,17 +3147,17 @@ certificate_info() {
|
||||||
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " OCSP stapling "
|
out "$indent"; pr_bold " OCSP stapling "
|
||||||
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
|
||||||
out " not offered"
|
outln " not offered"
|
||||||
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
|
||||||
else
|
else
|
||||||
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
|
||||||
pr_litegreen " offered"
|
pr_litegreenln " offered"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
|
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
|
||||||
else
|
else
|
||||||
if $GOST_STATUS_PROBLEM; then
|
if $GOST_STATUS_PROBLEM; then
|
||||||
out " (GOST servers make problems here, sorry)"
|
outln " (GOST servers make problems here, sorry)"
|
||||||
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
|
@ -3287,7 +3290,7 @@ run_server_defaults() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " SSL Session ID support "
|
pr_bold " SSL Session ID support "
|
||||||
if $NO_SSL_SESSIONID; then
|
if "$NO_SSL_SESSIONID"; then
|
||||||
outln "no"
|
outln "no"
|
||||||
fileout "session_id" "INFO" "SSL session ID support: no"
|
fileout "session_id" "INFO" "SSL session ID support: no"
|
||||||
else
|
else
|
||||||
|
@ -3302,7 +3305,7 @@ run_server_defaults() {
|
||||||
echo "${previous_hostcert[i]}" > $HOSTCERT
|
echo "${previous_hostcert[i]}" > $HOSTCERT
|
||||||
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
|
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
|
||||||
certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}"
|
certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}"
|
||||||
i=$(($i + 1))
|
i=$((i + 1))
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -6662,4 +6665,4 @@ fi
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.445 2016/01/23 22:33:16 dirkw Exp $
|
# $Id: testssl.sh,v 1.447 2016/01/30 22:59:28 dirkw Exp $
|
||||||
|
|
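Review bot: `$heading` is still used on the new side of certificate_info() (`fileout "$heading fingerprint"`, `fileout "$heading expiration"`, `determine_trust "$heading"`), but the hunk at -2845 drops its `local heading=""` declaration and both `heading=...` assignments in favour of `indent`/`spaces`, so unless heading is set somewhere outside the visible hunks every fileout id now begins with a bare space and the ids for certificate #1 and #2 no longer differ. Keep the assignments next to the new indentation code: `local heading=""` in the locals block, `heading="Server Certifcate #$certificate_number"` in the multi-certificate branch and `heading="Server Certifcate"` in the else branch; while there, `"Server Certifcate"` in the `pr_headlineln` call and those strings misspell Certificate. In tls_time() the no-timestamp branch now calls `pr_litemagenta` instead of `pr_litemagentaln` while the `outln` sits in the other branch of the `if`, so that line is left unterminated unless the caller prints a newline; the `# nothing returned a time!` comment also sits on the `-n "$TLS_TIME"` branch rather than the `else` it describes. `spaces=" "` in certificate_info() is not among the visible `local` declarations, so it may be assigning a global — confirm against the rest of the function. certificate_info() begins and ends outside the visible hunks.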