LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00
Code Issues Releases Wiki Activity

Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.

Browse Source 
This takes advantage of the new --cafile logic to avoid running CACERTS
autodetection when a file is provided on the command line.

It then ensures the readability of that file, whether provided or
autodetected.

This also adds an undocumented CAPATH environment variable alternative
to --capath, to go along with the existing undocumented CACERTS
environment variable alternative to --cafile, to provide legacy support
for preexisting users.
This commit is contained in:
Richard Soderberg 2015-09-05 00:37:44 -07:00
parent 5dc692566a
commit 6adda69af5
1 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
cipherscan
View File

@ -54,7 +54,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf" export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
fi fi
CACERTS=""
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
# (probably a result of a workaround for the bug in Apple implementation of ECDSA) # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA" CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -132,7 +131,6 @@ OUTPUTFORMAT="terminal"
TIMEOUT=30 TIMEOUT=30
# place where to put the found intermediate CA certificates and where # place where to put the found intermediate CA certificates and where
# trust anchors are stored # trust anchors are stored
CAPATH=""
SAVECRT="" SAVECRT=""
TEST_CURVES="False" TEST_CURVES="False"
has_curves="False" has_curves="False"
@ -1304,6 +1302,8 @@ do
--cafile) --cafile)
CACERTS="$2" CACERTS="$2"
shift 2 shift 2
# We need to bypass autodetection if this is provided.
CACERTS_ARG_SET=1
;; ;;
--capath) --capath)
CAPATH="$2" CAPATH="$2"
@ -1377,17 +1377,26 @@ if [[ $TEST_CURVES == "True" ]]; then
fi fi
fi fi
# find a list of trusted CAs on the local system, or use the provided list if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
if [[ -z "$CACERTS" ]]; then # find a list of trusted CAs on the local system, or use the provided list
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
if [[ -e "$f" ]]; then if [[ -e "$f" ]]; then
CACERTS="$f" CACERTS="$f"
break break
fi fi
done done
if [[ ! -e "$CACERTS" ]]; then
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
fi
fi fi
if [[ ! -e "$CACERTS" ]]; then if ! [[ -e $CACERTS && -r $CACERTS ]]; then
CACERTS="$DIRNAMEPATH/ca-bundle.crt" echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
exit 1
fi
if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
echo "--capath $CAPATH is not a directory, aborting." 1>&2
exit 1
fi fi
if [[ $VERBOSE != 0 ]] ; then if [[ $VERBOSE != 0 ]] ; then