Fix --phone-out + ocsp, also in docker container

drwetter · drwetter · commit 430c5c8d0934 · 2025-03-15T15:58:28.000+01:00
Previously in 4f1a91f there was a double header sent to the server to check whether the certificate was revoked. This PR addresses that and fixes #2667 .
diff --git a/testssl.sh b/testssl.sh
@@ -2052,6 +2052,7 @@ check_revocation_ocsp() {
      local host_header=""
      local openssl_bin="$OPENSSL"
      local addtl_warning=""
+     local smartswitch=false
 
      "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
      [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -2087,26 +2088,34 @@ check_revocation_ocsp() {
                # See #2516 and probably also #2667 and #1275 .
                if [[ -x "$OPENSSL2" ]]; then
                     openssl_bin="$OPENSSL2"
+                    smartswitch=true
                     [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
                fi
           else
                addtl_warning="(a segfault indicates here you need to test this with another binary)"
           fi
           host_header=${uri##http://}
           host_header=${host_header%%/*}
-          if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
-               host_header="-header Host ${host_header}"
-          elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]] || \
-               [[ $OSSL_VER_MAJOR -ge 3 ]]; then
-               host_header="-header Host=${host_header}"
+
+          # This the follwomg is the default (like "-header Host r11.o.lencr.org")
+          host_header="-header Host ${host_header}"
+
+          if "$smartswitch" ; then
+               case $(openssl version -v | awk -F' ' '{ print $2 }') in
+                    # for those versions it's "-header Host=r11.o.lencr.org"
+                    3.*|1.1*) host_header=${host_header/Host /Host=} ;;
+               esac
           else
-               host_header="-header Host ${host_header}"
+               case $OSSL_VER_MAJOR.$OSSL_VER_MINOR in
+                    3.*|1.1*) host_header=${host_header/Host /Host=} ;;
+               esac
           fi
           $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
                -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
                -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
           success=$?
      fi
+
      if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
           response="$(grep -F "$HOSTCERT: " "$tmpfile")"
           response="${response#$HOSTCERT: }"
