SSL Certificate chain display with -s

[EppO]

Hi,

It would be very handy to have the certificate chain displayed when running htrace.sh with -s argument, the only way so far is to run openssl by hand or use --sslabs and wait for the report to generate.

Thanks for this tool, really useful!

[trimstray]

Hi @EppO !

Please pull new changes and test it.

I'm waiting for you opinion.

[EppO]

Awesome! I love how you make it look pretty. I noticed some issues though:

• The chain of trust lists only the certificates returned by the server, not the one referenced by the certificates sent (like the root CA that might be in the OS trust store). Having the breakdown of the certificates sent by the server and the ones in the trust store that are in the chain of trust would be ideal
• I tried with couple of servers that uses Digicert SSL certs and I couldn't see anything beside the index of the certificate and some icons (what's the orange round icon stands for?). Here is a screenshot showing what I can see.
• As I couldn't see anything, I tried with HTRACE_COLORS=off to check if I was missing some text, and I couldn't make this setting work, colors were always showing up. I had to set explicitly the setting to off in src/setting to disable it. For the record, I'm using the docker image I built using the build script (with master branch at b877688ac6a8cd0813a7e880a7e5d6eb6afd4c45), so I tried using the docker run parameter -e HTRACE_COLORS=off, it didn't work, even from the container itself with the export statement before calling htrace.sh. So there might be an issue with the setting in src/setting always overriding the value set by the environment variable.

[EppO]

For the colors always on bug, I tried to rollback to 64e33d7af086d46d5b11b8290e97410fa7fbd270 and the parameter worked! so b877688ac6a8cd0813a7e880a7e5d6eb6afd4c45 is the commit introducing the change of behavior.

[EppO]

Just tried with badssl.com and I observe the same issue

[trimstray]

Dear @EppO!

Thanks for this. First of all:

• HTRACE_COLORS now you set from src/settings file, this variable is responsible only for output colors
• if you want to hide IP addresses from output, use --hide-src-ip param ;)
• the bug with empty fields was caused by different versions of openssl - i fixed it, openssl 1.1.1.a and 1.1.1b they change the way values are stored, e.g.:

  Certificate chain
  0 s:CN = blkcipher.info
  i:CN = Let's Encrypt Authority X3

Please see also wiki for other information ;) but also something about funny icons:

• ★ - specifies a server certificate that matches the CN field, so if your domain is domain.com, the CN value should also domain.com for the first certificate in the chain, (always gold/yellow), e.g.:

  chain of trust:
        └─0:blkcipher.info ★ ✓
          ├   Let's Encrypt Authority X3
          └─1:Let's Encrypt Authority X3 ✓
            ├   DST Root CA X3
            └─2:DST Root CA X3 ✓ ⊙
              └ DST Root CA X3
       verification: ok

• ✓ - show you correct relationship between certificates (always green)
• × - determines where the problem with the chain is (always red), e.g.:

  chain of trust:
        └─0:prod.domain.com ★ ✓
          ├   thawte SHA256 SSL CA
          └─1:Thawte SSL CA ×
            ├   thawte Primary Root CA
            └─2:thawte Primary Root CA ✓
              ├   Thawte Premium Server CA
              └─3:Thawte Premium Server CA ✓ ⊙
                └ Thawte Premium Server CA
       verification: unable to verify the first certificate

• ⊙ - the certificate is located in the local certificate store (gold/yellow) or not (red)

  chain of trust:
        └─0:*.badssl.com ★ ✓
          ├   DigiCert SHA2 Secure Server CA
          └─1:DigiCert SHA2 Secure Server CA ✓ ⊙
            └ DigiCert SHA2 Secure Server CA
       verification: unable to verify the first certificate

I'll add these info about icons to the wiki.

[EppO]

Amazing!! It works great! Thanks for the quick fix, really appreciated.

What is the 2x? I can see it next to a root CA in the trust store:

            └─2:DigiCert Global Root G2 ✓ ⊙ 2x
                └ DigiCert Global Root G2

[trimstray]

Ohh... i forgot about it:

• 2x - means a duplicate root certificate, include a root certificate to the chain is not a good practice but it's not a bug, sometimes administrators add it, please see:
• https://stackoverflow.com/questions/34945244/should-the-trusted-root-ca-be-a-part-of-the-certificate-chain
• https://community.qualys.com/thread/11026
• https://security.stackexchange.com/questions/65332/ssl-root-certificate-optional

[EppO]

Oh my! that's true, in the test I made, the Root CA was bundle with the server+intermediate certificates, my bad! This goes beyond my expectations, thanks again. Your tool was amazingly useful, you just made it even better.