From a90eb8c9be28fd32ab9be5612d1a425aa9af96bd Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 1 Jun 2017 16:24:45 +0200 Subject: [PATCH] FIX #744 --- testssl.sh | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/testssl.sh b/testssl.sh index 1998da3bf..4e4b020e9 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5437,7 +5437,8 @@ compare_server_name_to_cert() } must_staple() { - local json_prefix="$2" + local json_prefix="OCSP must staple: " + local provides_stapling="$2" local cert extn local -i extn_len local supported=false @@ -5445,7 +5446,7 @@ must_staple() { # Note this function is only looking for status_request (5) and not # status_request_v2 (17), since OpenSSL seems to only include status_request (5) # in its ClientHello when the "-status" option is used. - + # OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any # previous versions of OpenSSL, OpenSSL can only show if the extension OID is present. if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then @@ -5470,13 +5471,16 @@ must_staple() { fi if "$supported"; then - prln_done_best "Supported" - fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported" - return 0 + if "$provides_stapling"; then + prln_done_good "supported" + fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported" + else + prln_svrty_high "\"must staple\" requires OCSP stapling (NOT ok)" + fileout "${json_prefix}" "HIGH" "must staple extension detected but no OCSP stapling provided" + fi else - outln "No" + outln "no" fileout "${json_prefix}ocsp_must_staple" "INFO" "OCSP must staple : no" - return 1 fi } @@ -5490,7 +5494,7 @@ certificate_info() { local ocsp_response_status=$6 local sni_used=$7 local cert_sig_algo cert_sig_hash_algo cert_key_algo - local expire days2expire secs2warn ocsp_uri ocsp_must_staple crl + local expire days2expire secs2warn ocsp_uri crl local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn local issuer_DC issuerfinding cn_nosni="" local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial @@ -5505,6 +5509,7 @@ certificate_info() { local indent="" local days2warn2=$DAYS2WARN2 local days2warn1=$DAYS2WARN1 + local provides_stapling=false if [[ $number_of_certificates -gt 1 ]]; then [[ $certificate_number -eq 1 ]] && outln @@ -6027,16 +6032,9 @@ certificate_info() { fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri" fi - out "$indent"; pr_bold " OCSP must staple "; - must_staple "$json_prefix" - [[ $? -eq 0 ]] && ocsp_must_staple=true || ocsp_must_staple=false - out "$indent"; pr_bold " OCSP stapling " - if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then - if "$ocsp_must_staple"; then - pr_svrty_critical "--" - fileout "${json_prefix}ocsp_stapling" "CRITICAL" "OCSP stapling : not offered" - elif [[ -n "$ocsp_uri" ]]; then + if grep -a "OCSP response" <<< "$ocsp_response" | grep -q "no response sent" ; then + if [[ -n "$ocsp_uri" ]]; then pr_svrty_low "--" fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered" else @@ -6047,6 +6045,7 @@ certificate_info() { if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then pr_done_good "offered" fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered" + provides_stapling=true else if $GOST_STATUS_PROBLEM; then outln "(GOST servers make problems here, sorry)" @@ -6062,6 +6061,9 @@ certificate_info() { fi outln + out "$indent"; pr_bold " OCSP must staple "; + must_staple "$json_prefix" "$provides_stapling" + out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) " caa="$(get_caa_rr_record $NODE)" if [[ -n "$caa" ]]; then @@ -6075,9 +6077,6 @@ certificate_info() { outln "\n" return $ret } -# FIXME: revoked, see checkcert.sh -# FIXME: Trust (only CN) - run_server_defaults() { local ciph newhostcert sni