From e35a6155bc6913793d4e5a6ac168d5ab2c952471 Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Sat, 5 Sep 2015 00:22:40 -0700
Subject: [PATCH 1/3] Add --cafile , alongside --capath .
For unknown reasons, while we previously supported --capath we did not support --cafile. This forces the --cafile autodetection logic to run every time, unnecessarily, when we have a specific file in mind to use.
This patch relocates the -CAfile autodetection logic to run *only if* the --cafile parameter is not provided. If it is not provided, the autodetection logic occurs precisely as before.
This patch declines to address what happens if both --capath and --cafile are passed. The previous logic already ensured that the CA file was *always* set, and then only sometimes was the CA path set. The new logic maintains that behavior precisely, reserving logic flow changes for a separate commit.
---
 cipherscan | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/cipherscan b/cipherscan
index 21d52c6..9b6f302 100755
--- a/cipherscan
+++ b/cipherscan
@@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
 export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi
 
-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
- for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
- if [[ -e "$f" ]]; then
- CACERTS="$f"
- break
- fi
- done
-fi
-if [[ ! -e "$CACERTS" ]]; then
- CACERTS="$DIRNAMEPATH/ca-bundle.crt"
-fi
-
+CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@@ -1313,6 +1301,10 @@ do
 DELAY=$2
 shift 2
 ;;
+ --cafile)
+ CACERTS="$2"
+ shift 2
+ ;;
 --capath)
 CAPATH="$2"
 shift 2
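Review bot: `+CACERTS=""` at the top of the script unconditionally discards a CACERTS value inherited from the environment, whereas the removed `if [[ -z "$CACERTS" ]]` block only ran autodetection when no value was already set, so an env-provided bundle now always loses to autodetection in the relocated block. If that inherited value is meant to keep working (PATCH 3/3 of this series describes it as an undocumented override), `CACERTS="${CACERTS:-}"` defines the variable without clobbering it. The `--cafile)` arm in the second hunk mirrors the existing `--capath)` arm and is fine, though like that arm it does not verify that an argument actually follows the option before `shift 2`; the enclosing option loop starts outside the hunk.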
@@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
 fi
 fi
 
+# find a list of trusted CAs on the local system, or use the provided list
+if [[ -z "$CACERTS" ]]; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
+ if [[ -e "$f" ]]; then
+ CACERTS="$f"
+ break
+ fi
+ done
+fi
+if [[ ! -e "$CACERTS" ]]; then
+ CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+fi
+
 if [[ $VERBOSE != 0 ]] ; then
 [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
 echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
From 5dc692566a9e67cb51c0173b1ac40f1770278a6c Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Sat, 5 Sep 2015 00:34:24 -0700
Subject: [PATCH 2/3] Refuse to accept both --cafile and --capath.
Prior to this commit, the code accepts both the --cafile and the --capath options, as that's how it's always behaved. This patch corrects that, refusing to proceed if the options are provided.
Technically, openssl permits the use of both the -CAfile and -CApath options. However, cipherscan itself can only make use of one of the two options, and does not currently support "one or both" scenarios. So this patch ensures that users are not caught unaware when they specify --capath and --cafile and the script refuses to honor the latter.
---
 cipherscan | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cipherscan b/cipherscan
index 9b6f302..429561d 100755
--- a/cipherscan
+++ b/cipherscan
@@ -1340,6 +1340,11 @@ do
 esac
 done
 
+if [[ -n $CAPATH && -n $CACERTS ]]; then
+ echo "Both directory and file with CA certificates specified" 1>&2
+ exit 1
+fi
+
 # echo parameters left: $@
 TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}")
 
From 6adda69af5b406ecc1041d0dd9433e5bd0851b36 Mon Sep 17 00:00:00 2001
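Review bot: In the relocated block, `if [[ ! -e "$CACERTS" ]]; then CACERTS="$DIRNAMEPATH/ca-bundle.crt"` also fires when the value came from the new `--cafile` option and points at a path that does not exist, so a mistyped trust-anchor file is silently replaced by the script's bundled CA file instead of being reported, and the scan is then validated against a different trust store than the user asked for. The fallback existed before the move, but it only became reachable from user input with this commit; something like `[[ -e "$CACERTS" ]] || { echo "CA file $CACERTS not found" 1>&2; exit 1; }` placed before the fallback, or restricting the fallback to the autodetected case, keeps the substitution from happening quietly. PATCH 3/3 in this series makes an unreadable CA file fatal, which covers this case.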
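Review bot: The refusal message `Both directory and file with CA certificates specified` names neither option nor any other source of the values, so a user who passed only `--capath` but has CACERTS exported in the environment (an override that PATCH 3/3 of this series re-enables by removing the top-level `CACERTS=""`) cannot tell where the conflicting file came from. Naming both the options and the environment variables, e.g. `echo "--capath/CAPATH and --cafile/CACERTS are mutually exclusive; set only one" 1>&2`, makes the error actionable. The option loop that precedes this check ends inside the hunk; the new conditional itself is complete.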
From: Richard Soderberg
Date: Sat, 5 Sep 2015 00:37:44 -0700
Subject: [PATCH 3/3] Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.
This takes advantage of the new --cafile logic to avoid running CACERTS autodetection when a file is provided on the command line. It then ensures the readability of that file, whether provided or autodetected.
This also adds an undocumented CAPATH environment variable alternative to --capath, to go along with the existing undocumented CACERTS environment variable alternative to --cafile, to provide legacy support for preexisting users.
---
 cipherscan | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/cipherscan b/cipherscan
index 429561d..52e88d1 100755
--- a/cipherscan
+++ b/cipherscan
@@ -54,7 +54,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
 export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi
 
-CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@@ -132,7 +131,6 @@ OUTPUTFORMAT="terminal"
 TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
-CAPATH=""
 SAVECRT=""
 TEST_CURVES="False"
 has_curves="False"
@@ -1304,6 +1302,8 @@ do
 --cafile)
 CACERTS="$2"
 shift 2
+ # We need to bypass autodetection if this is provided.
+ CACERTS_ARG_SET=1
 ;;
 --capath)
 CAPATH="$2"
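Review bot: The new comment `# We need to bypass autodetection if this is provided.` overstates what `CACERTS_ARG_SET=1` does: the guard added in the last hunk, `[[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]`, only consults the flag when CACERTS is empty, so a non-empty `--cafile` value already skips autodetection through the `-z` test and the flag only distinguishes an explicit `--cafile ""` from no option at all. Suggest `# Distinguish an explicit (possibly empty) --cafile from no option at all; autodetection below is skipped only in the former case.` and initialising `CACERTS_ARG_SET=` next to `SAVECRT=""` in the defaults block so the variable is defined whether or not the option appears. The enclosing `case` and option loop start outside this hunk.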
@@ -1377,17 +1377,26 @@ if [[ $TEST_CURVES == "True" ]]; then
 fi
 fi
 
-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
+if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
+ # find a list of trusted CAs on the local system, or use the provided list
 for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
 if [[ -e "$f" ]]; then
 CACERTS="$f"
 break
 fi
 done
+ if [[ ! -e "$CACERTS" ]]; then
+ CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+ fi
 fi
-if [[ ! -e "$CACERTS" ]]; then
- CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+if ! [[ -e $CACERTS && -r $CACERTS ]]; then
+ echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
+ exit 1
+fi
+
+if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
+ echo "--capath $CAPATH is not a directory, aborting." 1>&2
+ exit 1
 fi
 
 if [[ $VERBOSE != 0 ]] ; then
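Review bot: The abort message `"--cafile $CACERTS is not a readable file, aborting."` is printed for every way CACERTS can be populated — the autodetected system bundle, the `$DIRNAMEPATH/ca-bundle.crt` fallback and an inherited CACERTS environment value — not only for `--cafile`, so on a host with no system bundle and no bundled file the user is told that a flag they never passed is wrong. A source-neutral message such as `echo "CA file '$CACERTS' is not readable (set via --cafile, CACERTS, or autodetected), aborting." 1>&2` avoids that; the same applies to the `--capath` message when the value came from the CAPATH environment variable this commit introduces. A behaviour change worth stating in the commit message: because the `-e && -r` check now runs even when only `--capath` was given, such a run on a host without any CA bundle exits 1 where it previously continued, which is the right outcome if the script always passes `-CAfile` to openssl as the PATCH 1/3 message says, but it should be called out. Minor style: `! [[ -n $CACERTS_ARG_SET ]]` reads more directly as `[[ -z $CACERTS_ARG_SET ]]`.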