Changeset faa2435 for tests


Timestamp:
May 24, 2014 1:13:35 PM
Author:
kytv <kytv@…>
Branches:
master
Children:
f9dbd74
Parents:
0537a22
Message:

checkremotecerts: fail if CN doesn't match

Since all reseed hosts now have proper certificates with matching CNs, I'm
making this script enforce a stricter policy, requiring matching CNs.

File:
1 edited

  • tests/scripts/checkremotecerts.sh

    r0537a22 rfaa2435  
    127127            # GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
    128128            if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then
    129                 # If we end up here it's for one of two probable reasons:
    130                 # 1) the the CN in the certificate doesn't match the hostname.
    131                 # 2) the certificate is invalid
    132 
    133                 # OpenSSL returns code 21 with self-signed certs.
    134                 # GnuTLS returns "certificate issuer is unknown"
    135                 # As noted above, GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
    136 
    137                 # If the CN just doesn't match the hostname, pass
    138                 if ! grep -q 'Verify return code: 21\|certificate issuer is unknown\|self signed' "$WORK/$HOST"; then : ;else
    139                     verify_fingerprint $HOST
    140                 fi
     129                # If we end up here, it's possible that the certificate is valid, but CA: false is set in the certificate.
     130                # The OpenSSL binary is "picky" about this. GnuTLS doesn't seem to be.
     131                verify_fingerprint $HOST
    141132            fi
    142133            echo
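Review bot: the new comment on lines 129-130 documents only the "CA: false" case, while the commit message gives CN mismatch as the reason for the change; with the removed `if ! grep -q 'Verify return code: 21\|certificate issuer is unknown\|self signed' ...` branch gone, every failed verification (CN mismatch, invalid certificate, self-signed or unknown issuer, CA:false) now falls through to `verify_fingerprint $HOST`, so the comment should list those cases and state that verify_fingerprint is now the single pass/fail decision for all of them. The removed list of probable reasons on the old lines 129-131 was the only place the CN-mismatch path was described; carry that into the new comment rather than dropping it, and keep the OpenSSL "code 21" / GnuTLS "certificate issuer is unknown" note since it still explains why self-signed certs land here. Minor style point on the new line 131: quote the argument as `verify_fingerprint "$HOST"` to match `"$WORK/$HOST"` on line 128.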