check if certificate used by server is trused

Use system trust anchors to check if certificate chain used by server is actually valid.
2024-11-04 23:13:41 +01:00 · 2014-04-05 19:36:51 +02:00 · 2014-04-05 19:36:51 +02:00 · f04567d40e
commit f04567d40e
parent 946cc6a9ac
1 changed files with 22 additions and 6 deletions
--- a/28
+++ b/28
@ -8,6 +8,10 @@
 DOBENCHMARK=0
 BENCHMARKITER=30
 OPENSSLBIN="$(dirname $0)/openssl"
+CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt}
+if [ ! -e "$CACERTS" ]; then
+    echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2
+fi
 CIPHERSUITE="ALL:COMPLEMENTOFALL"
 DEBUG=0
 VERBOSE=0
@ -77,6 +81,12 @@ test_cipher_on_target() {
            current_pubkey=0
        fi
        current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
+        grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
+        if [ $? -eq 0 ]; then
+            current_trusted="True"
+        else
+            current_trusted="False"
+        fi
        if [ -z $current_sigalg ]; then
            current_sigalg=None
        fi
@ -102,6 +112,7 @@ test_cipher_on_target() {
        pfs=$current_pfs
        pubkey=$current_pubkey
        sigalg=$current_sigalg
+        trusted=$current_trusted
        # grab the cipher and PFS key size
    done
    # if cipher is empty, that means none of the TLS version worked with
@ -113,13 +124,13 @@ test_cipher_on_target() {

    # if cipher contains NONE, the cipher wasn't accepted
    elif [ "$cipher" == '(NONE)  ' ]; then
-        result="$cipher $protocols $pubkey $sigalg $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
        verbose "handshake failed, server returned ciphersuite '$result'"
        return 1

    # the connection succeeded
    else
-        result="$cipher $protocols $pubkey $sigalg $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
        verbose "handshake succeeded, server returned ciphersuite '$result'"
        return 0
    fi
@ -152,7 +163,11 @@ bench_cipher() {
 get_cipher_pref() {
    [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
    local ciphersuite="$1"
-    local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    if [ -e $CACERTS ]; then
+        local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    else
+        local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    fi
    verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
    test_cipher_on_target "$sslcommand"
    local success=$?
@ -183,9 +198,9 @@ display_results_in_terminal() {
    done

    if [ $DOBENCHMARK -eq 1 ]; then
-        header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec"
+        header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
    else
-        header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize"
+        header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
    fi
    ctr=0
    for result in "${results[@]}"; do
@ -208,7 +223,8 @@ display_results_in_json() {
        echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
        echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
        echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
-        pfs=$(echo $cipher|awk '{print $5}')
+        echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
+        pfs=$(echo $cipher|awk '{print $6}')
        [ "$pfs" == "" ] && pfs="None"
        echo -n "\"pfs\":\"$pfs\"}"
        ctr=$((ctr+1))