echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

checkremotecerts: fail if CN doesn't match

Browse Source 
Since all reseed hosts now have proper certificates with matching CNs, I'm
making this script enforce a stricter policy, requiring matching CNs.
This commit is contained in:
kytv
2014-05-24 13:13:35 +00:00
parent 0537a221d3
commit faa2435e33
1 changed files with 3 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
tests/scripts/checkremotecerts.sh
View File

@ -126,18 +126,9 @@ check_hosts() {
# GnuTLS returns "certificate is trusted" # GnuTLS returns "certificate is trusted"
# GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it # GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then
# If we end up here it's for one of two probable reasons: # If we end up here, it's possible that the certificate is valid, but CA: false is set in the certificate.
# 1) the the CN in the certificate doesn't match the hostname. # The OpenSSL binary is "picky" about this. GnuTLS doesn't seem to be.
# 2) the certificate is invalid verify_fingerprint $HOST
# OpenSSL returns code 21 with self-signed certs.
# GnuTLS returns "certificate issuer is unknown"
# As noted above, GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
# If the CN just doesn't match the hostname, pass
if ! grep -q 'Verify return code: 21\|certificate issuer is unknown\|self signed' "$WORK/$HOST"; then : ;else
verify_fingerprint $HOST
fi
fi fi
echo echo
else else