if (
endpoint.https_self_signed_cert is False and (
len(cert_plugin_result.received_certificate_chain) < 2
)
):
# *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
endpoint.https_missing_intermediate_cert = True
if(cert_plugin_result.verified_certificate_chain is None):
logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, cert_plugin_result.received_certificate_chain.__len__()))
elif(custom_trust is True and public_trust is False):
# recheck public trust using custom public trust store with manually added intermediate certificates
if(PT_INT_CA_FILE is not None):
try:
cert_plugin_result = None
command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
cert_plugin_result = scanner.run_scan_command(server_info, command)
if(cert_plugin_result.verified_certificate_chain is not None):
public_trust = True
endpoint.https_public_trusted = public_trust
logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
except Exception:
logging.exception("Error while rechecking public trust")
else:
endpoint.https_missing_intermediate_cert = False
except Exception:
logging.exception("Error while determining length of certificate chain")
# If anything is wrong then https is not valid
if (
endpoint.https_expired_cert or
endpoint.https_self_signed_cert or
logging.warning("{}: Client Authentication REQUIRED".format(endpoint.url))
except ServerConnectivityError as err:
endpoint.live = False
endpoint.https_valid = False
logging.warning("{}: Error in sslyze server connectivity check when connecting to {}".format(endpoint.url, err.server_info.hostname))
utils.debug("{}: {}".format(endpoint.url, err))
return
except Exception as err:
endpoint.unknown_error = True
logging.warning("{}: Unknown exception in sslyze server connectivity check.".format(endpoint.url))
utils.debug("{}: {}".format(endpoint.url, err))
return
try:
cert_plugin_result = None
command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=CA_FILE)
scanner = sslyze.synchronous_scanner.SynchronousScanner()
cert_plugin_result = scanner.run_scan_command(server_info, command)
except Exception as err:
try:
if("timed out" in str(err)):
logging.warning("{}: Retrying sslyze scanner certificate plugin.".format(endpoint.url))
cert_plugin_result = scanner.run_scan_command(server_info, command)
except Exception:
pass
if(cert_plugin_result is None):
logging.warning("{}: Unknown exception in sslyze scanner certificate plugin.".format(endpoint.url))
utils.debug("{}: {}".format(endpoint.url, err))
endpoint.unknown_error = True
endpoint.https_valid = None # could make this False, but there was an error so we don't know
return
if (
endpoint.https_self_signed_cert is False and (
len(cert_plugin_result.certificate_chain) < 2
)
):
# *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
endpoint.https_missing_intermediate_cert = True
if(cert_plugin_result.successful_trust_store is None):
logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, cert_plugin_result.certificate_chain.__len__()))
elif(custom_trust is True and public_trust is False):
# recheck public trust using custom public trust store with manually added intermediate certificates
if(PT_INT_CA_FILE is not None):
try:
cert_plugin_result = None
command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
cert_plugin_result = scanner.run_scan_command(server_info, command)
if(cert_plugin_result.successful_trust_store is not None):
public_trust = True
endpoint.https_public_trusted = public_trust
logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
except Exception:
pass
else:
endpoint.https_missing_intermediate_cert = False
except Exception:
# Squash exceptions
pass
# If anything is wrong then https is not valid
if (
endpoint.https_expired_cert or
logging.warning("{}: Client Authentication REQUIRED".format(endpoint.url))
except ServerConnectivityError as err:
endpoint.live = False
endpoint.https_valid = False
logging.exception("{}: Error in sslyze server connectivity check when connecting to {}".format(endpoint.url, err.server_info.hostname))
utils.debug("{}: {}".format(endpoint.url, err))
return
except Exception as err:
endpoint.unknown_error = True
logging.exception("{}: Unknown exception in sslyze server connectivity check.".format(endpoint.url))
utils.debug("{}: {}".format(endpoint.url, err))
return
try:
cert_plugin_result = None
command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=CA_FILE)
scanner = sslyze.synchronous_scanner.SynchronousScanner()
cert_plugin_result = scanner.run_scan_command(server_info, command)
except Exception as err:
try:
if "timed out" in str(err):
logging.exception("{}: Retrying sslyze scanner certificate plugin.".format(endpoint.url))
cert_plugin_result = scanner.run_scan_command(server_info, command)
else:
logging.exception("{}: Unknown exception in sslyze scanner certificate plugin.".format(endpoint.url))
utils.debug("{}: {}".format(endpoint.url, err))
endpoint.unknown_error = True
# We could make this False, but there was an error so
# we don't know
endpoint.https_valid = None
return
except Exception: