How to use the sslyze.plugins function in sslyze



github cisagov / pshtt / pshtt / pshtt.py
if (
                endpoint.https_self_signed_cert is False and (
                    len(cert_plugin_result.received_certificate_chain) < 2
                )
        ):
            # *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
            endpoint.https_missing_intermediate_cert = True
            if(cert_plugin_result.verified_certificate_chain is None):
                logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
                utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, cert_plugin_result.received_certificate_chain.__len__()))
            elif(custom_trust is True and public_trust is False):
                # recheck public trust using custom public trust store with manually added intermediate certificates
                if(PT_INT_CA_FILE is not None):
                    try:
                        cert_plugin_result = None
                        command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
                        cert_plugin_result = scanner.run_scan_command(server_info, command)
                        if(cert_plugin_result.verified_certificate_chain is not None):
                            public_trust = True
                            endpoint.https_public_trusted = public_trust
                            logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
                    except Exception:
                        logging.exception("Error while rechecking public trust")
        else:
            endpoint.https_missing_intermediate_cert = False
    except Exception:
        logging.exception("Error while determining length of certificate chain")

    # If anything is wrong then https is not valid
    if (
        endpoint.https_expired_cert or
        endpoint.https_self_signed_cert or
github cisagov / pshtt / pshtt / pshtt.py
logging.warning("{}: Client Authentication REQUIRED".format(endpoint.url))
    except ServerConnectivityError as err:
        endpoint.live = False
        endpoint.https_valid = False
        logging.warning("{}: Error in sslyze server connectivity check when connecting to {}".format(endpoint.url, err.server_info.hostname))
        utils.debug("{}: {}".format(endpoint.url, err))
        return
    except Exception as err:
        endpoint.unknown_error = True
        logging.warning("{}: Unknown exception in sslyze server connectivity check.".format(endpoint.url))
        utils.debug("{}: {}".format(endpoint.url, err))
        return

    try:
        cert_plugin_result = None
        command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=CA_FILE)
        scanner = sslyze.synchronous_scanner.SynchronousScanner()
        cert_plugin_result = scanner.run_scan_command(server_info, command)
    except Exception as err:
        try:
            if("timed out" in str(err)):
                logging.warning("{}: Retrying sslyze scanner certificate plugin.".format(endpoint.url))
                cert_plugin_result = scanner.run_scan_command(server_info, command)
        except Exception:
            pass
        if(cert_plugin_result is None):
            logging.warning("{}: Unknown exception in sslyze scanner certificate plugin.".format(endpoint.url))
            utils.debug("{}: {}".format(endpoint.url, err))
            endpoint.unknown_error = True
            endpoint.https_valid = None  # could make this False, but there was an error so we don't know
            return
github cisagov / pshtt / pshtt / pshtt.py
if (
                endpoint.https_self_signed_cert is False and (
                    len(cert_plugin_result.certificate_chain) < 2
                )
        ):
            # *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
            endpoint.https_missing_intermediate_cert = True
            if(cert_plugin_result.successful_trust_store is None):
                logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
                utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, cert_plugin_result.certificate_chain.__len__()))
            elif(custom_trust is True and public_trust is False):
                # recheck public trust using custom public trust store with manually added intermediate certificates
                if(PT_INT_CA_FILE is not None):
                    try:
                        cert_plugin_result = None
                        command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
                        cert_plugin_result = scanner.run_scan_command(server_info, command)
                        if(cert_plugin_result.successful_trust_store is not None):
                            public_trust = True
                            endpoint.https_public_trusted = public_trust
                            logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
                    except Exception:
                        pass
        else:
            endpoint.https_missing_intermediate_cert = False
    except Exception:
        # Squash exceptions
        pass

    # If anything is wrong then https is not valid
    if (
        endpoint.https_expired_cert or
github cisagov / pshtt / pshtt / pshtt.py
logging.warning("{}: Client Authentication REQUIRED".format(endpoint.url))
    except ServerConnectivityError as err:
        endpoint.live = False
        endpoint.https_valid = False
        logging.exception("{}: Error in sslyze server connectivity check when connecting to {}".format(endpoint.url, err.server_info.hostname))
        utils.debug("{}: {}".format(endpoint.url, err))
        return
    except Exception as err:
        endpoint.unknown_error = True
        logging.exception("{}: Unknown exception in sslyze server connectivity check.".format(endpoint.url))
        utils.debug("{}: {}".format(endpoint.url, err))
        return

    try:
        cert_plugin_result = None
        command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=CA_FILE)
        scanner = sslyze.synchronous_scanner.SynchronousScanner()
        cert_plugin_result = scanner.run_scan_command(server_info, command)
    except Exception as err:
        try:
            if "timed out" in str(err):
                logging.exception("{}: Retrying sslyze scanner certificate plugin.".format(endpoint.url))
                cert_plugin_result = scanner.run_scan_command(server_info, command)
            else:
                logging.exception("{}: Unknown exception in sslyze scanner certificate plugin.".format(endpoint.url))
                utils.debug("{}: {}".format(endpoint.url, err))
                endpoint.unknown_error = True
                # We could make this False, but there was an error so
                # we don't know
                endpoint.https_valid = None
                return
        except Exception: