upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-06-03 13:59:02 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Explicitly handle "unknown" responses from openssl

Browse source
This commit is contained in:
Peter Eckersley 2017-01-05 12:06:51 -08:00
parent 3c757aec9b
commit 707b27418f
2 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
certbot/ocsp.py
View file

@ -98,11 +98,13 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
pattern = r"{0}: (WARNING.*)?good".format(cert_path)
rpattern = r"{0}: (WARNING.*)?revoked".format(cert_path)
upattern = r"{0}: (WARNING.*)?unknown".format(cert_path)
good = re.search(pattern, ocsp_output, flags=re.DOTALL)
revoked = re.search(rpattern, ocsp_output, flags=re.DOTALL)
unknown = re.search(upattern, ocsp_output, flags=re.DOTALL)
warning = good.group(1) if good else None
if (not "Response verify OK" in ocsp_errors) or (good and warning):
if (not "Response verify OK" in ocsp_errors) or (good and warning) or unknown:
logger.info("Revocation status for %s is unknown", cert_path)
logger.debug("Uncertain output:\n%s\nstderr:\n%s", ocsp_output, ocsp_errors)
return False

11
certbot/tests/ocsp_test.py
View file

@ -98,6 +98,10 @@ class OCSPTest(unittest.TestCase):
self.assertEqual(ocsp._translate_ocsp_query(*openssl_confused), False)
self.assertEqual(mock_log.debug.call_count, 1)
self.assertEqual(mock_log.warn.call_count, 0)
mock_log.debug.call_count = 0
self.assertEqual(ocsp._translate_ocsp_query(*openssl_unknown), False)
self.assertEqual(mock_log.debug.call_count, 1)
self.assertEqual(mock_log.warn.call_count, 0)
self.assertEqual(ocsp._translate_ocsp_query(*openssl_expired_ocsp), False)
self.assertEqual(mock_log.debug.call_count, 2)
self.assertEqual(ocsp._translate_ocsp_query(*openssl_broken), False)
@ -135,6 +139,13 @@ blah.pem: revoked
""",
"""Response verify OK""")
openssl_unknown = ("blah.pem", """
blah.pem: unknown
This Update: Dec 20 18:00:00 2016 GMT
Next Update: Dec 27 18:00:00 2016 GMT
""",
"Response verify OK")
openssl_broken = ("", "tentacles", "Response verify OK")
openssl_expired_ocsp = ("blah.pem", """