Closed esabol closed 3 years ago
Was able to reproduce with www.ethz.ch on Travis CI with Ubuntu 14 (Trusty)
The problem is here:

```
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
```
OpenSSL 1.0.1 has not been supported since 2016.
I know that RedHat (you are using RHEL 6, as I see) backports security fixes, so as long as RHEL 6 is supported you are fine. But features are not backported, and SCT support was introduced with 1.0.1.
The only fixes are
I implemented a simple check with `man verify`, which should make it possible to detect if SCTs are supported.
OK, that works. Thanks for all your efforts with this fantastic project!
Can I make just one more request and then I'll get out of your hair? Could you add `env GZIP=-q` (or `env GZIP=--quiet`) right before `man verify`? I have `$GZIP` set to `-v -9` in all of my shells (I can't be the only one?), so I get the following output now when I run check_ssl_cert 1.142.0:

```
% ./check_ssl_cert-1.142.0/check_ssl_cert -H google.com
/usr/share/man/man1/verify.1ssl.gz: 69.8%
/usr/share/man/man1/verify.1ssl.gz: 69.8%
/usr/share/man/man1/verify.1ssl.gz: 69.8%
SSL_CERT OK - x509 certificate '*.google.com' from 'GTS CA 1O1' valid until May 12 12:27:53 2021 GMT (expires in 62 days)|days_chain_elem1=62;20;15;; days_chain_elem2=279;20;15;;
```
This change fixed that:
--- check_ssl_cert-1.142.0/check_ssl_cert 2021-03-10 10:10:38.000000000 -0500
+++ check_ssl_cert-1.142.0/check_ssl_cert.modified 2021-03-10 12:20:38.027130000 -0500
@@ -3397,3 +3397,3 @@
# check if OpenSSL supoort SCTs
- if man verify | grep -F -q SCT ; then
+ if env GZIP=-q man verify | grep -F -q SCT ; then
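Review bot: a host without the OpenSSL man pages (or without `man` at all) still makes this `if` take the "no SCT support" branch, and the error from `man` lands in the plugin's output the same way the gzip progress lines did; redirect it, e.g. `if env GZIP=-q man verify 2>/dev/null | grep -F -q SCT ; then`, and consider reporting the missing man page explicitly rather than silently treating it as a missing feature. The context line's comment also has a typo: "supoort" should read "support".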
```
% ./check_ssl_cert-1.142.0/check_ssl_cert.modified -H google.com
SSL_CERT OK - x509 certificate '*.google.com' from 'GTS CA 1O1' valid until May 12 12:27:53 2021 GMT (expires in 62 days)|days_chain_elem1=62;20;15;; days_chain_elem2=279;20;15;;
```
Sure. Anyway, the man check is really a bad hack, but checking the version was not so easy ...
I committed the change. Do you need a new release, or can you live with the checked-out version from GitHub?
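A version-based check of the kind the maintainer found awkward, as an added example that is not check_ssl_cert's own code: it parses the `openssl version` string quoted earlier in the thread (`OpenSSL 1.0.1e-fips 11 Feb 2013`) into a comparable number. The function names, the 1.1.0 threshold used in the demonstration and the other sample version strings are my own assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code: key a feature check on the
# "openssl version" string instead of grepping a man page. It copes with the
# format quoted in the thread ("OpenSSL 1.0.1e-fips 11 Feb 2013"): the letter
# patch suffix, "-fips"/"-dev" tails and the build date are all discarded.

# openssl_version_number "OpenSSL 1.0.1e-fips 11 Feb 2013"  ->  prints 10001
openssl_version_number() {
    # the second whitespace-separated field is the version token
    # shellcheck disable=SC2086
    set -- $1
    ver=$2
    ver=${ver%%-*}                              # drop "-fips", "-dev", "-beta1", ...
    ver=$(printf '%s' "$ver" | tr -cd '0-9.')   # drop the letter suffix: 1.0.1e -> 1.0.1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0              # bare "3" -> 3.0.0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0           # two components, "1.1" -> 1.1.0
    echo $(( major * 10000 + minor * 100 + patch ))
}

# openssl_version_at_least "<openssl version output>" "<minimum, e.g. 1.1.0>"
# succeeds (exit 0) when the installed version is at least the minimum
openssl_version_at_least() {
    have=$(openssl_version_number "$1")
    need=$(openssl_version_number "OpenSSL $2")
    [ "$have" -ge "$need" ]
}

# Demonstration on constructed strings (no live "openssl version" call); the
# 1.1.0 threshold is only an illustration, not a value taken from the thread.
for v in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSL 1.1.1f  31 Mar 2020" \
         "OpenSSL 3.0.2 15 Mar 2022"; do
    if openssl_version_at_least "$v" 1.1.0; then
        echo "$v: version-based check passes"
    else
        echo "$v: too old for the feature"
    fi
done
```

The same parser also accepts a `LibreSSL 3.4.2` style string, since only the second field is read.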
I can wait until your next release. Thanks again!
Tested google.com using check_ssl_cert-1.141.0, and it doesn't seem to work on my system. Maybe it depends on a specific version of OpenSSL being installed?