diff --git a/t/51_badssl.com.t b/t/51_badssl.com.t index 9b9e278..40b6e91 100755 --- a/t/51_badssl.com.t +++ b/t/51_badssl.com.t @@ -22,6 +22,7 @@ cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++; # Expiration pass("Running testssl against expired.badssl.com"); $tests++; $out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`; +like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++; like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++; $json = json('tmp.json'); unlink 'tmp.json'; diff --git a/testssl.sh b/testssl.sh index 17bbf66..ba8d675 100755 --- a/testssl.sh +++ b/testssl.sh @@ -410,6 +410,7 @@ KEY_EXCH_SCORE=100 # Keeps track of the score for category CIPH_STR_BEST=0 # Keeps track of the best bit size for category 3 "Cipher Strength" CIPH_STR_WORST=100000 # Keeps track of the worst bit size for category 3 "Cipher Strength" # Intentionally set very high, so it can be set to 0, if necessary +TRUSTED1ST="" # Contains the `-trusted_first` flag, if this version of openssl supports it ########### Global variables for parallel mass testing # @@ -7264,9 +7265,9 @@ determine_trust() { # in a subshell because that should be valid here only (export SSL_CERT_DIR="/dev/null"; export SSL_CERT_FILE="/dev/null" if [[ $certificates_provided -ge 2 ]]; then - $OPENSSL verify -purpose sslserver -CAfile <(cat $ADDTL_CA_FILES "$bundle_fname") -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2 + $OPENSSL verify $TRUSTED1ST -purpose sslserver -CAfile <(cat $ADDTL_CA_FILES "$bundle_fname") -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2 else - $OPENSSL verify -purpose sslserver -CAfile <(cat $ADDTL_CA_FILES "$bundle_fname") $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2 + $OPENSSL verify $TRUSTED1ST -purpose sslserver -CAfile <(cat $ADDTL_CA_FILES "$bundle_fname") $HOSTCERT >$TEMPDIR/${certificate_file[i]}.1 2>$TEMPDIR/${certificate_file[i]}.2 fi) verify_retcode[i]=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' $TEMPDIR/${certificate_file[i]}.1 $TEMPDIR/${certificate_file[i]}.2) [[ -z "${verify_retcode[i]}" ]] && verify_retcode[i]=0 @@ -19238,6 +19239,7 @@ find_openssl_binary() { HAS_ZLIB=false HAS_UDS=false HAS_UDS2=false + TRUSTED1ST="" $OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || OSSL_CIPHERS_S="-s" @@ -19326,6 +19328,8 @@ find_openssl_binary() { [[ "$(echo -e "\x78\x9C\xAB\xCA\xC9\x4C\xE2\x02\x00\x06\x20\x01\xBC" | $OPENSSL zlib -d 2>/dev/null)" == zlib ]] && HAS_ZLIB=true + $OPENSSL verify -trusted_first &1 | grep -q '^usage' || TRUSTED1ST="-trusted_first" + if [[ -n "$CONNECT_TIMEOUT" ]] || [[ -n "$OPENSSL_TIMEOUT" ]]; then # We don't set a general timeout as we might not have "timeout" installed and we only # do what is instructed. Thus we check first what the command line params were,