diff --git a/testssl.sh b/testssl.sh
index ac90014..720c4b2 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1702,9 +1702,9 @@ check_revocation_crl() {
 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
 scheme="$(tolower "${crl%%://*}")"
 # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
- [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
+ [[ "$scheme" == http ]] || [[ "$scheme" == https ]] || [[ "$scheme" == ldap ]] || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
- if [[ "$scheme" == "ldap" ]]; then
+ if [[ "$scheme" == ldap ]]; then
 ldap_get "$crl" "$tmpfile" "$jsonID"
 success=$?
 else
@@ -1737,7 +1737,7 @@ check_revocation_crl() {
 fileout "$jsonID" "OK" "not revoked"
 else
 retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err")
- if [[ "$retcode" == "23" ]]; then # see verify_retcode_helper()
+ if [[ "$retcode" == 23 ]]; then # see verify_retcode_helper()
 out ", "
 pr_svrty_critical "revoked"
 fileout "$jsonID" "CRITICAL" "revoked"
@@ -5027,8 +5027,8 @@ run_protocols() {
 run_prototest_openssl "-tls1"
 fi
 case $? in
- 0) outln "offered"
- fileout "$jsonID" "INFO" "offered"
+ 0) pr_svrty_low "offered" ; outln " (deprecated)"
+ fileout "$jsonID" "LOW" "offered (deprecated)"
 latest_supported="0301"
 latest_supported_string="TLSv1.0"
 add_tls_offered tls1 yes
@@ -5101,8 +5101,8 @@ run_protocols() {
 run_prototest_openssl "-tls1_1"
 fi
 case $? in
- 0) outln "offered"
- fileout "$jsonID" "INFO" "offered"
+ 0) pr_svrty_low "offered" ; outln " (deprecated)"
+ fileout "$jsonID" "LOW" "offered (deprecated)"
 latest_supported="0302"
 latest_supported_string="TLSv1.1"
 add_tls_offered tls1_1 yes
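Review bot: The three chained `[[ "$scheme" == … ]] || …` tests in check_revocation_crl() read more clearly as one allow-list, `case "$scheme" in http|https|ldap) ;; *) return 0 ;; esac`, which also matches the comment just above them; `$scheme` is derived from the certificate's CRL distribution point, so keeping that allow-list in one place is worth it. Dropping the quotes on the right-hand side of `==` is behavior-preserving only because `http`, `https`, `ldap` (and `23` in the @@ -1737 hunk) contain no pattern metacharacters — inside `[[ ]]` an unquoted RHS is a glob, so a later edit that adds a value with `*`, `?` or `[` would silently change semantics; a short comment such as `# unquoted RHS: plain literals, no glob characters` would record that. check_revocation_crl() continues outside both hunks.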
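Review bot: The `0)` arm in the TLS 1.0 hunk switches the finding from INFO to LOW and appends "(deprecated)" without a comment saying why; a one-line why-comment above `case $? in`, e.g. `# TLS 1.0/1.1 are deprecated (RFC 8996): an offered protocol is rated LOW`, would keep the rationale next to the severity. The same applies to the TLS 1.1 arm in the @@ -5101 hunk. Stylistically, `pr_svrty_low "offered" ; outln " (deprecated)"` puts two statements on the case-label line whereas the arms elsewhere in these hunks keep one statement per line; `0) pr_svrty_low "offered"` followed by `outln " (deprecated)"` on its own line would match. Consumers of the JSON/CSV output that match on the exact finding text "offered" will see "offered (deprecated)" instead, which is worth mentioning in the commit description. The enclosing `case` and run_protocols() continue outside the hunk.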
@@ -5375,33 +5375,35 @@ run_protocols() {
 latest_supported_string="TLSv1.3"
 add_tls_offered tls1_3 yes
 ;;
- 1) out "not offered"
+ 1) pr_svrty_low "not offered"
 if ! "$using_sockets" || [[ -z $latest_supported ]]; then
 outln
- fileout "$jsonID" "INFO" "not offered"
+ fileout "$jsonID" "LOW" "not offered"
 else
 prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string"
 fileout "$jsonID" "CRITICAL" "connection failed rather than downgrading to $latest_supported_string"
 fi
 add_tls_offered tls1_3 no
 ;;
- 2) out "not offered"
- if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
+ 2) if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
 detected_version_string="SSLv3"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
 detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
 fi
 if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
 [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
- outln
- fileout "$jsonID" "INFO" "not offered and downgraded to a weaker protocol"
+ outln "not offered and downgraded to a weaker protocol"
+ fileout "$jsonID" "INFO" "not offered + downgraded to weaker protocol"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
+ out "not offered"
 prln_svrty_critical " -- server supports $latest_supported_string, but downgraded to $detected_version_string"
 fileout "$jsonID" "CRITICAL" "not offered, and downgraded to $detected_version_string rather than $latest_supported_string"
 elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0304 ]]; then
+ out "not offered"
 prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client"
 fileout "$jsonID" "CRITICAL" "not offered, server responded with higher version number ($detected_version_string) than requested by client"
 else
+ out "not offered"
 prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fileout "$jsonID" "CRITICAL" "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
 fi
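Review bot: In the `2)` arm, the first branch now prints `outln "not offered and downgraded to a weaker protocol"` after `[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"`, whereas the removed `out "not offered"` sat above the whole if-chain; if tm_out writes to the terminal as its name suggests, a DEBUG run now shows the " -- downgraded" fragment before the status text it used to follow. Keeping `out "not offered"` before the debug line and changing the new call to `outln " and downgraded to a weaker protocol"` restores the order while preserving the new wording. The same branch keeps `fileout "$jsonID" "INFO" …` while the `1)` arm now rates "not offered" as LOW, so a server that cleanly downgrades from TLS 1.3 is rated less severely than one whose absence of TLS 1.3 is merely recorded — if LOW is meant for "TLS 1.3 not offered" in general, the downgraded branch should use "LOW" too; if the distinction is intentional, a one-line comment explaining it would help. The fileout text also changes from "not offered and downgraded to a weaker protocol" to "not offered + downgraded to weaker protocol", which any consumer matching on the finding string will notice. run_protocols() continues outside the hunk.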