Fix typo in check_revocation_crl() #1047
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When verifying the CRL, check_revocation_crl() calls "openssl" rather than "$OPENSSL".
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 2, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 2, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 2, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 7, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 15, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
drwetter
added a commit
that referenced
this pull request
May 18, 2018
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 21, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 23, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 23, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 24, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 29, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 29, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 5, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 5, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 13, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
pushed a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 19, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 19, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 19, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 20, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 22, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 25, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 26, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 28, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jul 9, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jul 11, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jul 19, 2018
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
May 23, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jul 4, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Aug 4, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Aug 28, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Aug 28, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 5, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 8, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 11, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 15, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 3, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 10, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 11, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Nov 1, 2023
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jan 3, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jan 22, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Mar 19, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Apr 25, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 13, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jun 13, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Jul 23, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Aug 27, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 5, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 6, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Sep 9, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 8, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 15, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 17, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Oct 29, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Nov 22, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
dcooper16
added a commit
to dcooper16/testssl.sh
that referenced
this pull request
Nov 27, 2024
There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. drwetter#1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation. This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used. Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided. So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked". Note that this PR also fixes two other minor issues. It incorporates drwetter#1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When verifying the CRL,
check_revocation_crl()callsopensslrather than$OPENSSL.