def process_task(self, target, command, arg):
    """Fetch the server's certificate chain and begin the SHA-1 deprecation report.

    The visible part retrieves the peer certificate chain, prepares the text
    and XML outputs, and handles the "not affected" case, where the leaf
    certificate expires before 2016. The excerpt is cut off at the start of
    the other branch.

    Args:
        target: 4-tuple; only its last item (the SSL version to connect
            with) is unpacked here. The whole tuple is also passed on to
            create_sslyze_connection.
        command: Used as the tag of the root XML output element.
        arg: Not used in the visible part of the function.
    """
    (_, _, _, sslVersion) = target
    # Get the server's cert chain
    sslConn = create_sslyze_connection(target, self._shared_settings, sslVersion)
    try:  # Perform the SSL handshake
        sslConn.connect()
        certChain = sslConn.get_peer_cert_chain()
    except ClientCertificateRequested:  # The server asked for a client cert
        # We can get the server cert chain anyway
        certChain = sslConn.get_peer_cert_chain()
    finally:
        # Runs on every path, so the connection is closed even when connect()
        # raises something other than ClientCertificateRequested (that error
        # then propagates to the caller).
        sslConn.close()
    outputXml = Element(command, title = self.CMD_TITLE)
    outputTxt = [self.PLUGIN_TITLE_FORMAT(self.CMD_TITLE)]
    # Is this cert chain affected ?
    # certChain[0] is treated as the leaf certificate.
    # NOTE(review): an empty chain would raise IndexError here - confirm that
    # get_peer_cert_chain() cannot return an empty list.
    # NOTE(review): strptime's %b (month abbreviation) is locale-dependent and
    # %Z only accepts a few zone names; a non-English LC_TIME may make this
    # parse fail - confirm the format of 'notAfter' produced by as_dict().
    leafNotAfter = datetime.datetime.strptime(certChain[0].as_dict()['validity']['notAfter'], "%b %d %H:%M:%S %Y %Z")
    # Only the year of notAfter is compared; month and day are ignored.
    if leafNotAfter.year < 2016:
        # Not affected - the certificate expires before 2016
        outputTxt.append(self.FIELD_FORMAT('OK - Leaf certificate expires before 2016.', ''))
        outputXml.append(Element('chromeSha1Deprecation', isServerAffected = str(False)))
    else:
        # (the excerpt ends here; the branch for certificates expiring in 2016
        # or later is not shown)
def process_task(self, target, command, args):
    """Check whether the server negotiates TLS compression and begin the report.

    The visible part performs one handshake, reads the negotiated compression
    method, and builds the text output and the root XML element. The excerpt
    ends before anything is returned.

    Args:
        target: Passed unchanged to create_sslyze_connection.
        command: Used as the tag of the root XML output element.
        args: Not used in the visible part of the function.

    Raises:
        RuntimeError: If the local OpenSSL build does not list
            'zlib compression' among its available compression methods.
    """
    # No SSL version is passed here, so the connection uses whatever
    # create_sslyze_connection defaults to.
    sslConn = create_sslyze_connection(target, self._shared_settings)
    # Make sure OpenSSL was built with support for compression to avoid false negatives
    # NOTE(review): this raise happens before the try/finally below, so
    # sslConn.close() is not called on this path - confirm nothing needs
    # releasing before connect().
    if 'zlib compression' not in sslConn.get_available_compression_methods():
        raise RuntimeError('OpenSSL was not built with support for zlib / compression. Did you build nassl yourself ?')
    try:  # Perform the SSL handshake
        sslConn.connect()
        compName = sslConn.get_current_compression_method()
    except ClientCertificateRequested:  # The server asked for a client cert
        # The compression method is read in the same way on this path.
        compName = sslConn.get_current_compression_method()
    finally:
        # Close the connection on every path, including unexpected errors.
        sslConn.close()
    # Text output
    # A truthy method name means compression was negotiated, which is reported
    # as VULNERABLE (TLS-level compression is what CRIME-style attacks rely on).
    # The verdict reflects this single handshake only.
    if compName:
        compTxt = 'VULNERABLE - Server supports Deflate compression'
    else:
        compTxt = 'OK - Compression disabled'
    cmdTitle = 'Deflate Compression'
    txtOutput = [self.PLUGIN_TITLE_FORMAT(cmdTitle)]
    txtOutput.append(self.FIELD_FORMAT(compTxt, ""))
    # XML output
    xmlOutput = Element(command, title=cmdTitle)
# Fragment of a function body: the enclosing `def` line and the definitions of
# `target` and `storePath` are not part of this excerpt.
# Purpose: connect once, verifying against the trust store at `storePath`, and
# return the peer certificate chain, the verification result string and the
# stapled OCSP response.
(_, _, _, sslVersion) = target
sslConn = create_sslyze_connection(target, self._shared_settings,
                                   sslVersion,
                                   sslVerifyLocations=storePath)
# Enable OCSP stapling
# (must be requested before connect() so that the handshake can carry it)
sslConn.set_tlsext_status_ocsp()
try:  # Perform the SSL handshake
    sslConn.connect()
    ocspResp = sslConn.get_tlsext_status_ocsp_resp()
    x509Chain = sslConn.get_peer_cert_chain()
    # The first item of the verify result is discarded; only the string is kept.
    (_, verifyStr) = sslConn.get_certificate_chain_verify_result()
except ClientCertificateRequested:  # The server asked for a client cert
    # We can get the server cert anyway
    ocspResp = sslConn.get_tlsext_status_ocsp_resp()
    x509Chain = sslConn.get_peer_cert_chain()
    (_, verifyStr) = sslConn.get_certificate_chain_verify_result()
finally:
    # Close the connection on every path, including unexpected errors.
    sslConn.close()
# The OCSP response is returned as received; this fragment does not parse or
# validate it.
# NOTE(review): presumably ocspResp is empty/None when the server does not
# staple a response - confirm with callers.
return (x509Chain, verifyStr, ocspResp)