	Display SNI information in "Server Certificate" line
This PR is an attempt to address issue #447. If more than one certificate is being displayed, then a parenthetical saying "(in response to request w/o SNI)" is added for any certificate that was obtained using `$SNI=""`. In addition, if the certificate was obtained without SNI, then `certificate_info()` doesn't call `$OPENSSL s_client` in order to obtain the non-SNI host certificate and it does not display a separate "Trust (hostname)" finding for the non-SNI certificate.
This commit is contained in:
		
							parent
							
								
									ba1ea6dcba
								
							
						
					
					
						commit
						e79e980336
					
				
							
								
								
									
										33
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										33
									
								
								testssl.sh
									
									
									
									
									
								
							| @ -4113,6 +4113,7 @@ certificate_info() { | |||||||
|      local cert_keysize=$4 |      local cert_keysize=$4 | ||||||
|      local ocsp_response=$5 |      local ocsp_response=$5 | ||||||
|      local ocsp_response_status=$6 |      local ocsp_response_status=$6 | ||||||
|  |      local sni_used=$7 | ||||||
|      local cert_sig_algo cert_sig_hash_algo cert_key_algo |      local cert_sig_algo cert_sig_hash_algo cert_key_algo | ||||||
|      local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn |      local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn | ||||||
|      local issuer_DC issuerfinding cn_nosni="" |      local issuer_DC issuerfinding cn_nosni="" | ||||||
| @ -4133,7 +4134,9 @@ certificate_info() { | |||||||
|           [[ $certificate_number -eq 1 ]] && outln |           [[ $certificate_number -eq 1 ]] && outln | ||||||
|           indent="  " |           indent="  " | ||||||
|           out "$indent" |           out "$indent" | ||||||
|           pr_headlineln "Server Certificate #$certificate_number" |           pr_headline "Server Certificate #$certificate_number" | ||||||
|  |           [[ -z "$sni_used" ]] && pr_underline " (in response to request w/o SNI)" | ||||||
|  |           outln | ||||||
|           json_prefix="Server Certificate #$certificate_number " |           json_prefix="Server Certificate #$certificate_number " | ||||||
|           spaces="                                " |           spaces="                                " | ||||||
|      else |      else | ||||||
| @ -4342,17 +4345,21 @@ certificate_info() { | |||||||
|           cnok="INFO" |           cnok="INFO" | ||||||
|      fi |      fi | ||||||
| 
 | 
 | ||||||
|      # no cipher suites specified here. We just want the default vhost subject |      if [[ -n "$sni_used" ]]; then | ||||||
|      $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }'  >$HOSTCERT.nosni |           # no cipher suites specified here. We just want the default vhost subject | ||||||
|      if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then |           $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $OPTIMAL_PROTO 2>>$ERRFILE </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }'  >$HOSTCERT.nosni | ||||||
|           cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" |           if grep -q "\-\-\-\-\-BEGIN" "$HOSTCERT.nosni"; then | ||||||
|           [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" |                cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" | ||||||
|  |                [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" | ||||||
|  |           fi | ||||||
|  |           debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" | ||||||
|  |      else | ||||||
|  |           debugme out "\"$NODE\" | \"$cn\"" | ||||||
|      fi |      fi | ||||||
| 
 | 
 | ||||||
| #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) | #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) | ||||||
| 
 | 
 | ||||||
|      debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" |      if [[ -z "$sni_used" ]] || [[ "$(toupper "$cn_nosni")" == "$(toupper "$cn")" ]]; then | ||||||
|      if [[ "$(toupper "$cn_nosni")" == "$(toupper "$cn")" ]]; then |  | ||||||
|           outln |           outln | ||||||
|      elif [[ -z "$cn_nosni" ]]; then |      elif [[ -z "$cn_nosni" ]]; then | ||||||
|           out " (request w/o SNI didn't succeed"; |           out " (request w/o SNI didn't succeed"; | ||||||
| @ -4483,7 +4490,9 @@ certificate_info() { | |||||||
|                has_dns_sans=true || has_dns_sans=false |                has_dns_sans=true || has_dns_sans=false | ||||||
|      fi |      fi | ||||||
| 
 | 
 | ||||||
|      if "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then |      if [[ -z "$sni_used" ]]; then | ||||||
|  |           trustfinding_nosni="" | ||||||
|  |      elif "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then | ||||||
|           trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" |           trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" | ||||||
|      elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then |      elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then | ||||||
|           trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" |           trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" | ||||||
| @ -4647,7 +4656,8 @@ run_server_defaults() { | |||||||
|      local -i i n |      local -i i n | ||||||
|      local all_tls_extensions="" |      local all_tls_extensions="" | ||||||
|      local -i certs_found=0 |      local -i certs_found=0 | ||||||
|      local -a previous_hostcert previous_intermediates keysize cipher ocsp_response ocsp_response_status |      local -a previous_hostcert previous_intermediates keysize cipher | ||||||
|  |      local -a ocsp_response ocsp_response_status sni_used | ||||||
|      local -a ciphers_to_test success |      local -a ciphers_to_test success | ||||||
|      local cn_nosni cn_sni sans_nosni sans_sni san |      local cn_nosni cn_sni sans_nosni sans_sni san | ||||||
| 
 | 
 | ||||||
| @ -4768,6 +4778,7 @@ run_server_defaults() { | |||||||
|                      ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE) |                      ocsp_response_status[certs_found]=$(grep -a "OCSP Response Status" $TMPFILE) | ||||||
|                      previous_hostcert[certs_found]=$newhostcert |                      previous_hostcert[certs_found]=$newhostcert | ||||||
|                      previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem) |                      previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem) | ||||||
|  |                      [[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI" | ||||||
|                  fi |                  fi | ||||||
|              fi |              fi | ||||||
|          fi |          fi | ||||||
| @ -4825,7 +4836,7 @@ run_server_defaults() { | |||||||
|      while [[ $i -le $certs_found ]]; do |      while [[ $i -le $certs_found ]]; do | ||||||
|          echo "${previous_hostcert[i]}" > $HOSTCERT |          echo "${previous_hostcert[i]}" > $HOSTCERT | ||||||
|          echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem |          echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem | ||||||
|          certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" |          certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" | ||||||
|          i=$((i + 1)) |          i=$((i + 1)) | ||||||
|      done |      done | ||||||
| } | } | ||||||
|  | |||||||