Add support for client authentication, some minor refactoring #179
Conversation
…re publicly trusted.
|
Because of the client cert issue, there could be some times when the initial request fails (and so it would not seem to be valid) even though it actually is valid so I changed one part where the initial request does not complete to assume that it is still valid and just couldn't complete the TLS handshake for other reasons, and then look at the sslyze results later to see if the HTTPS isn't valid. |
|
I also refactored some of the redirect code and I think fixed a bug there where it would report a redirect when there were no redirects. |
|
I also changed most of the log output to include the URL for easier troubleshooting based on the logs. |
|
@konklone Following up on the discussion from the other thread, are the results from my version actually harsher than the earlier |
|
@echudow My question about whether this was harsher on untrusted certs was a genuine question. :) I'm not sure, and have to go back and look at what the current outputs are. |
|
@konklone Ok, let me know what you find out and then I'll work through any issues so hopefully we can all use the same code in the end. |
|
Ok, I just gave you and Eric access to my forks of |
Note that changing the logic from: if domain.https.live == False and domain.httpswww.live == False: to: if not domain.https.live and not domain.httpswww.live: changes the result when both domain.https.live and domain.httpswww.live are both None. This is because None != False but not None is True. I think that in the edge case where domain.https.live == None and domain.httpswww.live == None it makes more sense to return "N/A" anyway.
|
Reviewing the code, I don't see any problems with these changes. I could easily be missing something, but I think the only differences from the old code will be the new fields and sometimes the values of "liveness" and "is HTTPS valid". Still, I need to do a full In the meantime, I added some reviewers in hope of getting more eyes on this pull request. If folks want to test, I can also provide a few URLs that require client certificates: |
|
I don't have much experience with testing / using client cert sites, but this functionally looks fine to me. Do we have a verification that there aren't any regressions? |
|
Just fixed a bug that I introduced that prevented following some http redirects. I'm sure that would have caused some issues with some incorrect data. Has anyone compared the output to previous runs to see if there are any other bugs or regressions? Hopefully it just adds some data instead of some earlier errors. |
|
@jsf9k / @echudow -- Do you feel like this is ready to be merged? Looks like travis passed the PR build but hung on the branch build (sure...), I'm OK ignoring the coveralls drop which is the only real "fail" right now, though alternatively, is their more testing we could add for this to get the test coverage up? Also, note that you are in a much better position than I am to confirm that this is working as expected and doesn't cause regressions. If you're happy with it though, I can do the actual code review part for what I can comment on. |
|
@IanLee1521 and @echudow, this PR will break the BOD 18-01 scanning. This is because it treats some fields that were boolean as a union of a boolean and a string. This does give us more information than we had before, but I think it's important for the data fields to have a set type - particularly for the JSON output. What if we by default assign fields a type of I can probably find some time to work on that whis weekend if you guys agree. Thanks to @IanLee1521 for bumping this PR. We need to get this approved and merged since it's practically old enough to vote at this point. 👴 |
|
Thanks guys for looking at this again. Leaving fields as |
This is required to make the test pass after the changes in the last commit.
|
This pull request introduces 1 alert when merging 52b9c7b into 97c51ac - view on LGTM.com new alerts:
Comment posted by LGTM.com |
The block where the "Unknown" results were being set is tricky because of the continue statements. This time I was careful to remove only the statements that set fields from None to "Unknown" and leave the continue statements.
|
This pull request introduces 1 alert when merging fbc318a into 97c51ac - view on LGTM.com new alerts:
Comment posted by LGTM.com |
|
This pull request fixes 2 alerts when merging f20eca4 into 97c51ac - view on LGTM.com fixed alerts:
Comment posted by LGTM.com |
The latest saver and scanner account for the changes made by cisagov/pshtt#179, cisagov/trustymail#110, and 18F/domain-scan#286. See cisagov/saver#41 and cisagov/scanner#31 for details.
I'm opening this to more easily track @echudow's work on adding client cert authentication to
pshtt.There is some additional refactoring work in here, and possibly some logical changes. Let's use this PR to hash out the changes that would make
pshttusable for DHS, GSA, and DoD, without creating unintended regressions from existing reporting.See also 18F/domain-scan#286.