Skip to content

Commit

Permalink
Fix some problems with CRL revocation checking
Browse files Browse the repository at this point in the history 
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation.

This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used.

Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided.

So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked".

Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
  • Loading branch information
@dcooper16
dcooper16 committed Oct 8, 2024
1 parent 541d3ff commit f7ab7b8
Showing 1 changed file with 18 additions and 4 deletions.
22 changes: 18 additions & 4 deletions testssl.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -345,6 +345,7 @@ HAS_CIPHERSUITES=false
HAS_SECLEVEL=false
HAS_COMP=false
HAS_NO_COMP=false
HAS_PARTIAL_CHAIN=false
HAS_ALPN=false
HAS_NPN=false
HAS_FALLBACK_SCSV=false
Expand Down Expand Up @@ -1967,7 +1968,7 @@ check_revocation_crl() {
local -i success

"$PHONE_OUT" || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || "$HAS_PARTIAL_CHAIN" || return 0
scheme="$(tolower "${crl%%://*}")"
# The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
[[ "$scheme" == http ]] || [[ "$scheme" == https ]] || [[ "$scheme" == ldap ]] || return 0
Expand Down Expand Up @@ -1998,10 +1999,16 @@ check_revocation_crl() {
return 1
fi
fi
if grep -qe '-----BEGIN CERTIFICATE-----' $TEMPDIR/intermediatecerts.pem; then
$OPENSSL verify -crl_check -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT &> "${tmpfile%%.crl}.err"
if [[ -n "$GOOD_CA_BUNDLE" ]]; then
if grep -qe '-----BEGIN CERTIFICATE-----' $TEMPDIR/intermediatecerts.pem; then
$OPENSSL verify -crl_check -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") -untrusted $TEMPDIR/intermediatecerts.pem $HOSTCERT &> "${tmpfile%%.crl}.err"
else
$OPENSSL verify -crl_check -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") $HOSTCERT &> "${tmpfile%%.crl}.err"
fi
else
$OPENSSL verify -crl_check -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE" "${tmpfile%%.crl}.pem") $HOSTCERT &> "${tmpfile%%.crl}.err"
cat $TEMPDIR/intermediatecerts.pem "${tmpfile%%.crl}.pem" >$TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem
# See https://github.com/drwetter/testssl.sh/pull/1051
$OPENSSL verify -crl_check -partial_chain -CAfile $TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem $TEMPDIR/host_certificate.pem &> "${tmpfile%%.crl}.err"
fi
if [[ $? -eq 0 ]]; then
out ", "
Expand Down Expand Up @@ -20324,6 +20331,13 @@ find_openssl_binary() {

$OPENSSL verify -trusted_first </dev/null 2>&1 | grep -q '^usage' || TRUSTED1ST="-trusted_first"

$OPENSSL verify -partial_chain <<< "-----BEGIN CERTIFICATE-----
MIGYMGYCAQEwCQYHKoZIzj0EATAAMB4XDTE4MDUwMjE5NDk1NVoXDTE4MDYwMTE5
NDk1NVowADAyMBAGByqGSM49AgEGBSuBBAAGAx4ABIqtRNoHWKXwhKqS065E2p+0
bGW4kYxYp8ON+FMwCQYHKoZIzj0EAQMjADAgAg4qMOUGcBYIn9OouAC6EwIODVw+
r5TrwCZfR3CoB+k=
-----END CERTIFICATE-----" 2>&1 | grep -aq "recognized usages" || HAS_PARTIAL_CHAIN=true

if [[ -n "$CONNECT_TIMEOUT" ]] || [[ -n "$OPENSSL_TIMEOUT" ]]; then
# We don't set a general timeout as we might not have "timeout" installed and we only
# do what is instructed. Thus we check first what the command line params were,
Expand Down

0 comments on commit f7ab7b8

Please sign in to comment.