@@ -108,8 +108,13 @@ test_cipher_on_target() {
108108 fi
109109 # filter out the OCSP server certificate
110110 tmp=$( awk ' BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<< " $tmp" )
111+ current_certcn=$( grep " subject=" <<< " $tmp" | grep -oP " (?<=CN\=)[^ |\/]+" )
112+ current_subjaltnames=$( ${OPENSSLBIN} x509 -noout -text 2> /dev/null <<< " $tmp" | awk ' /X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0);print}' | tr -d " DNS:" )
111113 current_cipher=$( grep " New, " <<< " $tmp" | awk ' {print $5}' )
112114 current_pfs=$( grep ' Server Temp Key' <<< " $tmp" | awk ' {print $4$5$6$7}' )
115+ if [ -z $current_pfs ]; then
116+ current_pfs=" None"
117+ fi
113118 current_protocol=$( egrep " ^\s+Protocol\s+:" <<< " $tmp" | awk ' {print $3}' )
114119 current_pubkey=$( grep ' Server public key is ' <<< " $tmp" | awk ' {print $5}' )
115120 if [ -z $current_pubkey ]; then
@@ -147,6 +152,16 @@ test_cipher_on_target() {
147152 else
148153 protocols=" $protocols ,$current_protocol "
149154 fi
155+ certcns=" $current_certcn "
156+ # Let's add the alternative subject names if they exist
157+ if [ -n " $current_subjaltnames " ; then
158+ IFS=' ,' read -ra subjaltnamesarray <<< " $current_subjaltnames"
159+ for altname in " ${subjaltnamesarray[@]} " ; do
160+ if [[ " $altname " != " $current_certcn " ; then
161+ certcns=" $certcns ,$altname "
162+ fi
163+ done
164+ fi
150165 cipher=$current_cipher
151166 pfs=$current_pfs
152167 pubkey=$current_pubkey
@@ -165,13 +180,13 @@ test_cipher_on_target() {
165180
166181 # if cipher contains NONE, the cipher wasn't accepted
167182 elif [ " $cipher " == ' (NONE) ' ; then
168- result=" $cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs "
183+ result=" $cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns "
169184 verbose " handshake failed, server returned ciphersuite '$result '"
170185 return 1
171186
172187 # the connection succeeded
173188 else
174- result=" $cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs "
189+ result=" $cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns "
175190 verbose " handshake succeeded, server returned ciphersuite '$result '"
176191 return 0
177192 fi
@@ -226,6 +241,7 @@ get_cipher_pref() {
226241display_results_in_terminal () {
227242 # Display the results
228243 ctr=1
244+ local certcns
229245 local pubkey
230246 local sigalg
231247 local trusted
@@ -246,6 +262,7 @@ display_results_in_terminal() {
246262 trusted=$( awk ' {print $5}' <<< $cipher )
247263 tickethint=$( awk ' {print $6}' <<< $cipher )
248264 ocspstaple=$( awk ' {print $7}' <<< $cipher )
265+ certcns=$( awk ' {print $9}' <<< $cipher )
249266 else
250267 if [ " $pubkey " != " $( awk ' {print $3}' <<< $cipher ) " ; then
251268 different=True
@@ -291,11 +308,28 @@ display_results_in_terminal() {
291308 fi
292309 done| column -t
293310 echo
311+
312+ matchhostname=0
313+ hostcertcn=" Not a match"
314+ if [ -z " $certcns " ; then
315+ hostcertcn=" CN not found"
316+ else
317+ IFS=' ,' read -ra certcnsarray <<< " $certcns"
318+ for certcn in " ${certcnsarray[@]} " ; do
319+ if [[ " $certcn " == " $HOST " ; then
320+ matchhostname=1
321+ hostcertcn=" $certcn "
322+ break
323+ fi
324+ done
325+
326+
327+ fi
294328 if [ $different != " True" ; then
295329 if [ " $trusted " == " True" ; then
296- echo " Certificate: trusted, $pubkey bit, $sigalg signature"
330+ echo " Certificate: $hostcertcn , trusted, $pubkey bit, $sigalg signature"
297331 else
298- echo " Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
332+ echo " Certificate: $hostcertcn , UNTRUSTED, $pubkey bit, $sigalg signature"
299333 fi
300334 echo " TLS ticket lifetime hint: $tickethint "
301335 fi
@@ -304,6 +338,13 @@ display_results_in_terminal() {
304338 else
305339 echo " OCSP stapling: not supported"
306340 fi
341+ if [ $matchhostname -eq 0 ]; then
342+ echo " WARNING - None of the CNs match the hostname given"
343+ fi
344+ if [ -n " $certcns " ; then
345+ echo " Here is the list of common names found in the certificate"
346+ echo $certcns
347+ fi
307348}
308349
309350
@@ -315,6 +356,7 @@ display_results_in_json() {
315356 [ $ctr -gt 0 ] && echo -n ' ,'
316357 echo -n " {\" cipher\" :\" $( echo $cipher | awk ' {print $1}' ) \" ,"
317358 echo -n " \" protocols\" :[\" $( echo $cipher | awk ' {print $2}' | sed ' s/,/","/g' ) \" ],"
359+ echo -n " \" certcns\" :[\" $( echo $cipher | awk ' {print $9}' | sed ' s/,/","/g' ) \" ],"
318360 echo -n " \" pubkey\" :[\" $( echo $cipher | awk ' {print $3}' | sed ' s/,/","/g' ) \" ],"
319361 echo -n " \" sigalg\" :[\" $( echo $cipher | awk ' {print $4}' | sed ' s/,/","/g' ) \" ],"
320362 echo -n " \" trusted\" :\" $( echo $cipher | awk ' {print $5}' | sed ' s/,/","/g' ) \" ,"
0 commit comments