check if certificate used by server is trused

Use system trust anchors to check if certificate chain used by server is actually valid.
arenstar · Apr 5, 2014 · f04567d · f04567d
1 parent 946cc6a
commit f04567d
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/cipherscan b/cipherscan
@@ -8,6 +8,10 @@
 DOBENCHMARK=0
 BENCHMARKITER=30
 OPENSSLBIN="$(dirname $0)/openssl"
+CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt}
+if [ ! -e "$CACERTS" ]; then
+    echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2
+fi
 CIPHERSUITE="ALL:COMPLEMENTOFALL"
 DEBUG=0
 VERBOSE=0
@@ -77,6 +81,12 @@ test_cipher_on_target() {
             current_pubkey=0
         fi
         current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
+        grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
+        if [ $? -eq 0 ]; then
+            current_trusted="True"
+        else
+            current_trusted="False"
+        fi
         if [ -z $current_sigalg ]; then
             current_sigalg=None
         fi
@@ -102,6 +112,7 @@ test_cipher_on_target() {
         pfs=$current_pfs
         pubkey=$current_pubkey
         sigalg=$current_sigalg
+        trusted=$current_trusted
         # grab the cipher and PFS key size
     done
     # if cipher is empty, that means none of the TLS version worked with
@@ -113,13 +124,13 @@ test_cipher_on_target() {
 
     # if cipher contains NONE, the cipher wasn't accepted
     elif [ "$cipher" == '(NONE)  ' ]; then
-        result="$cipher $protocols $pubkey $sigalg $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
         verbose "handshake failed, server returned ciphersuite '$result'"
         return 1
 
     # the connection succeeded
     else
-        result="$cipher $protocols $pubkey $sigalg $pfs"
+        result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
         verbose "handshake succeeded, server returned ciphersuite '$result'"
         return 0
     fi
@@ -152,7 +163,11 @@ bench_cipher() {
 get_cipher_pref() {
     [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
     local ciphersuite="$1"
-    local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    if [ -e $CACERTS ]; then
+        local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    else
+        local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    fi
     verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
     test_cipher_on_target "$sslcommand"
     local success=$?
@@ -183,9 +198,9 @@ display_results_in_terminal() {
     done
 
     if [ $DOBENCHMARK -eq 1 ]; then
-        header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec"
+        header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
     else
-        header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize"
+        header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
     fi
     ctr=0
     for result in "${results[@]}"; do
@@ -208,7 +223,8 @@ display_results_in_json() {
         echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
         echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
         echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
-        pfs=$(echo $cipher|awk '{print $5}')
+        echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
+        pfs=$(echo $cipher|awk '{print $6}')
         [ "$pfs" == "" ] && pfs="None"
         echo -n "\"pfs\":\"$pfs\"}"
         ctr=$((ctr+1))