| author | Steve Kemp <steve@steve.org.uk> | 2015-10-29 10:27:49 +0200 | 
|---|---|---|
| committer | Steve Kemp <steve@steve.org.uk> | 2015-10-29 10:27:49 +0200 | 
| commit | 320e4f92d5d4a7810f56eb1a70ea7bb06f3167cc (patch) | |
| tree | 0711236db8a82132c173aad94109fc20b1060044 | |
| parent | acfcdaba4b9f5cb867229b07dea9d2b8654640f9 (diff) | |
Allow testing for weak certificate signing algorithms.
This is a good thing to do, as Chrome will apparently be
refusing to show sites with SHA-1 in use over SHA-256.
This closes #12358.
| -rw-r--r-- | lib/custodian/protocoltest/ssl.rb | 19 | 
1 files changed, 16 insertions, 3 deletions
| diff --git a/lib/custodian/protocoltest/ssl.rb b/lib/custodian/protocoltest/ssl.rb
index 1dfe438..88f157c 100644
--- a/lib/custodian/protocoltest/ssl.rb
+++ b/lib/custodian/protocoltest/ssl.rb
@@ -13,7 +13,7 @@ require 'timeout'
 #
 class SSLCheck
-  ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled]
+  ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled, :signing_algorithm]
   attr_reader :errors
@@ -200,7 +200,7 @@ class SSLCheck
       self.errors << verbose("Failed to fetch certificate for #{self.domain}")
       return nil
     else
-      return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature].any? { |r| false == r }
+      return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature, verify_signing_algorithm ].any? { |r| false == r }
     end
   end
@@ -235,6 +235,19 @@ class SSLCheck
     false
   end
+  def verify_signing_algorithm
+    unless self.tests.include?(:signing_algorithm)
+      verbose "Skipping signing algorithm check for #{self.domain}"
+      return true
+    end
+    if self.certificate.signature_algorithm.start_with? "sha1"
+      self.errors << verbose("Certificate for #{self.domain} is signed with a weak algorithm (SHA1) and should be reissued.")
+      return false
+    else
+      return true
+    end
+  end
+
   def verify_subject
     unless self.tests.include?(:subject)
       verbose "Skipping subject verification for #{self.domain}"
@@ -451,7 +464,7 @@ module Custodian
         "ssl-validity"
       end
-       
+        
       register_test_type 'https'
     end |
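Review bot: The new element on the `+` line of the second hunk carries a stray space before the closing bracket (`verify_signing_algorithm ]`), while the neighbouring `verify_signature]` in the same list has none; `verify_signing_algorithm].any?` keeps the list consistent. The enclosing method begins and ends outside the hunk.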
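Review bot: The `start_with? "sha1"` test in the new verify_signing_algorithm only recognises the RSA form of the algorithm name; OpenSSL reports SHA-1 signatures on ECDSA and DSA certificates under names such as `ecdsa-with-SHA1` and `dsaWithSHA1`, and MD5- or MD2-signed certificates are weaker still yet pass this check unflagged. A case-insensitive match covers all of them: `if self.certificate.signature_algorithm =~ /(md2|md5|sha1)/i`, with the error text generalised to report what was found, e.g. `"Certificate for #{self.domain} is signed with a weak algorithm (#{self.certificate.signature_algorithm}) and should be reissued."`. Only `self.certificate` (presumably the leaf) is inspected here; how the chain is fetched is not visible in this hunk, but the browser deprecation the commit message cites applies to intermediates as well, so a comment stating that only the leaf is checked would help the next maintainer. A one-line method comment along the lines of `# Returns false (and records an error) when the certificate's signature uses a deprecated digest.` would also document the new test.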
