drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0
7.98k stars, 1.02k forks

if [[ ! -r $bundle_fname ]] evaluating to true on OSX #638

Closed jackassplus closed 7 years ago

jackassplus commented 7 years ago

Slackware 14.1 (in a VM from a shared folder):

 Issuer                       Symantec Class 3 Secure Server CA - G4 (Symantec Corporation from US)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               Ok
 EV cert (experimental)       no

OSX (Sierra):

 Issuer                       Symantec Class 3 Secure Server CA - G4 (Symantec Corporation from US)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               "/etc/*.pem" cannot be found / not readable
 EV cert (experimental)       no

$ca_bundles appears to be correct, and the files have 755 permissions.

bknowles commented 7 years ago

I've been seeing the "/etc/*.pem" error for a while on OSX, and I've been wondering why that was happening. The best I can figure is that somehow $TESTSSL_INSTALL_DIR is evaluating to null on line 5430.

jackassplus commented 7 years ago

in my script, I set TESTSSL_INSTALL_DIR=$(pwd) just in case this was a pathing problem, but it doesn't seem to make much of a difference. The difference in behavior is very curious though.

drwetter commented 7 years ago

Hmm... usually it should never be /etc/*pem. According to its name, TESTSSL_INSTALL_DIR should be the path where testssl resides.

Without debugging output it's hard to tell for me what's wrong here -- I don't own a Mac.

Can one of you provide me this, see wiki?


jackassplus commented 7 years ago

attached (google.com) Archive.zip

bknowles commented 7 years ago

Per the instructions at https://github.com/drwetter/testssl.sh/wiki/Bug-reporting:

  1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
    $ testssl.sh -b 2>/dev/null | head -4 | tail -2
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (d2cbbaf 2017-02-16 19:10:59 -- )
  2. target IP
    81.169.199.25
  3. testssl.sh command line
    ./testssl.sh https://testssl.sh
    # Executed from ~/src/testssl.sh, as cloned from github
  4. openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
    $ testssl.sh -b 2>/dev/null | head -16 | tail -3
    Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
    on frobgaiju:$PWD/bin/openssl.Darwin.x86_64
    (built: "Sep  7 19:34:54 2016", platform: "darwin64-x86_64-cc")
  5. Your operating system (uname -a)
    $ uname -a
    Darwin frobgaiju.local 14.5.0 Darwin Kernel Version 14.5.0: Sun Sep 25 22:07:15 PDT 2016; root:xnu-2782.50.9~1/RELEASE_X86_64 x86_64
  6. what was happening (output is useful!) and what did you expect

On line 99 of the output, we get the error message "/etc/*.pem" cannot be found / not readable. Here's the context:

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status 
                              request/#5" "heartbeat/#15" "next protocol/#13172" "application layer protocol negotiation/#16" 
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Fingerprint / Serial         SHA1 25F891F0441EA2461A4AF1DE5EE7515CD955B6BE / 03EE5D3ACB7CB134D525468BBE179C179BB9
                              SHA256 167F79B340784BC3CCF94A91AD07792E6CB779D0E9EED3542930AD4534F846D9
 Common Name (CN)             testssl.sh (CN in response to request w/o SNI: default.name)
 subjectAltName (SAN)         testssl.sh 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (SNI mandatory)
 Chain of trust               "/etc/*.pem" cannot be found / not readable
 EV cert (experimental)       no 
 Certificate Expiration       77 >= 30 days (2017-02-05 13:40 --> 2017-05-06 14:40 -0500)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org/
 OCSP stapling                offered
 DNS CAA RR (experimental)    --

I expected that $TESTSSL_INSTALL_DIR on line 5431 of the source code would not have been empty, thus leading $TESTSSL_INSTALL_DIR/etc/*.pem to become simply /etc/*.pem.

Furthermore, on line 140 of the output, we see the error message Local problem: couldn't read common primes file /etc/common-primes.txt. I believe that this is a result of the same problem.

See the sample gist at https://gist.github.com/bknowles/b50fc255bb3d9575a7e2412060464a81

drwetter commented 7 years ago

Pls try again. It looked like dirname ${BASH_SOURCE[0]} was empty.

If it didn't work, please provide the environment.txt file and the debug.script generated by script -c 'bash -vx ./testssl.sh -S <HOSTNAME>' -a debug.script; that will help.
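The two mechanics behind this issue, written out as an added example (this is not testssl.sh's own code): deriving the install directory from the script's own path with a fallback so it can never be empty, and checking whether "$install_dir/etc/*.pem" actually expands to readable files. With an empty TESTSSL_INSTALL_DIR the pattern degrades to "/etc/*.pem"; with no match, the shell leaves the pattern as a literal string, and testing -r on that literal is what yields the '"/etc/*.pem" cannot be found / not readable' line. The etc/*.pem layout mirrors the thread; the function names, the fixture and its dummy PEM content are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not testssl.sh's code. Assumed names: resolve_install_dir,
# check_ca_bundles, make_fixture.

# Resolve the directory containing a script. $1 is the script path (callers
# pass "${BASH_SOURCE:-$0}"). An empty path or a failed dirname/cd falls back
# to the current directory, so the result is never "", which is what turned
# "$TESTSSL_INSTALL_DIR/etc/*.pem" into "/etc/*.pem" in this issue.
resolve_install_dir() {
    src=$1
    dir=
    if [ -n "$src" ]; then
        dir=$(cd "$(dirname "$src")" 2>/dev/null && pwd -P)
    fi
    [ -n "$dir" ] || dir=$(pwd -P)
    printf '%s\n' "$dir"
}

# Check the CA-bundle glob under an install directory. Without nullglob an
# unmatched pattern stays literal, so the first iteration sees a name that
# does not exist; that is detected with -e instead of being reported as an
# unreadable file. Prints each readable bundle on stdout and returns 0, or
# prints the testssl-style message on stderr and returns 1.
check_ca_bundles() {
    install_dir=$1
    found=0
    for bundle in "$install_dir"/etc/*.pem; do
        if [ ! -e "$bundle" ]; then
            break   # pattern did not expand: no *.pem files at all
        fi
        if [ -r "$bundle" ]; then
            printf '%s\n' "$bundle"
            found=$((found + 1))
        else
            printf 'unreadable: %s\n' "$bundle" >&2
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf '"%s/etc/*.pem" cannot be found / not readable\n' "$install_dir" >&2
        return 1
    fi
    return 0
}

# Constructed fixture (assumption for the demo): a throw-away install tree
# holding one bundle file with dummy content. Prints the tree's path.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc"
    printf 'dummy PEM content for the demo\n' > "$tmp/etc/ca.pem"
    printf '%s\n' "$tmp"
}

# Demo: first the directory this script lives in (normally no bundles
# there), then the constructed fixture, which has one.
install_dir=$(resolve_install_dir "${BASH_SOURCE:-$0}")
check_ca_bundles "$install_dir" || echo "no bundles under $install_dir (expected outside a testssl.sh checkout)"
fixture=$(make_fixture)
check_ca_bundles "$fixture"
rm -rf "$fixture"
```

When run from a real checkout, replace the fixture with the checkout path; the same -e check distinguishes "the glob matched nothing" from "the file exists but is unreadable", which the single -r test in the issue title cannot do.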

bknowles commented 7 years ago

I can confirm that version c284185 2017-02-18 13:22:17 seems to fix the problem with "/etc/*.pem" cannot be found / not readable. However, it appears to make the other problem much worse.

Should I open a separate issue id for that?

jackassplus commented 7 years ago

Seems to be fixed. Have not seen any other issues. I think this issue can be closed.

Not sure what to do with this: CCS (CVE-2014-0224) test failed around line 9405 (debug info: 1503010002020A), which is a different output than the previous version, but is the same on both OSX and Linux.

drwetter commented 7 years ago

@bknowles : Yes please. Could you also pls provide output as suggested, see my previous post, see below?

If it didn't work, please provide the environment.txt file and the debug.script generated by script -c 'bash -vx ./testssl.sh -S <HOSTNAME>' -a debug.script; that will help.