Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.
This takes advantage of the new --cafile logic to avoid running CACERTS autodetection when a file is provided on the command line. It then ensures the readability of that file, whether provided or autodetected. This also adds an undocumented CAPATH environment variable alternative to --capath, to go along with the existing undocumented CACERTS environment variable alternative to --cafile, to provide legacy support for preexisting users.
This commit is contained in:
parent
5dc692566a
commit
6adda69af5
17
cipherscan
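--- a/cipherscan
+++ b/cipherscan
@@ -54,7 +54,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
 export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi
 
-CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@@ -132,7 +131,6 @@ OUTPUTFORMAT="terminal"
 TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
-CAPATH=""
 SAVECRT=""
 TEST_CURVES="False"
 has_curves="False"
@@ -1304,6 +1302,8 @@ do
 --cafile)
 CACERTS="$2"
 shift 2
+# We need to bypass autodetection if this is provided.
+CACERTS_ARG_SET=1
 ;;
 --capath)
 CAPATH="$2"
@@ -1377,18 +1377,27 @@ if [[ $TEST_CURVES == "True" ]]; then
 fi
 fi
 
+if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
 # find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
 for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
 if [[ -e "$f" ]]; then
 CACERTS="$f"
 break
 fi
 done
-fi
 if [[ ! -e "$CACERTS" ]]; then
 CACERTS="$DIRNAMEPATH/ca-bundle.crt"
 fi
+fi
+if ! [[ -e $CACERTS && -r $CACERTS ]]; then
+echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
+exit 1
+fi
 
+if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
+echo "--capath $CAPATH is not a directory, aborting." 1>&2
+exit 1
+fi
+
 if [[ $VERBOSE != 0 ]] ; then
 [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"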
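Review bot: The guard `if ! [[ -e $CACERTS && -r $CACERTS ]]; then` in the last hunk accepts a readable directory or other non-regular path, so a value that is not actually a certificate bundle passes the check and only fails later inside openssl; `if ! [[ -f $CACERTS && -r $CACERTS ]]; then` matches what the error message claims. Both abort messages name `--cafile` and `--capath` even when the value came from autodetection or from the undocumented CACERTS/CAPATH environment variables the description mentions, which will confuse a user who passed neither option; something like `echo "CA bundle $CACERTS is not a readable file, aborting." 1>&2` avoids that. `! [[ -n $CACERTS_ARG_SET ]]` is the same test as `[[ -z $CACERTS_ARG_SET ]]`, and since the variable is assigned only in the `--cafile` case it should presumably be initialised with the other defaults so the check stays correct if nounset is ever enabled. The environment-variable fallback introduced by dropping the `CACERTS=""`/`CAPATH=""` defaults is worth a line in the script's usage text or header, which is outside these hunks.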