summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/custodian/protocoltest/ssl.rb19
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/custodian/protocoltest/ssl.rb b/lib/custodian/protocoltest/ssl.rb
index 1dfe438..88f157c 100644
--- a/lib/custodian/protocoltest/ssl.rb
+++ b/lib/custodian/protocoltest/ssl.rb
@@ -13,7 +13,7 @@ require 'timeout'
#
class SSLCheck
- ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled]
+ ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled, :signing_algorithm]
attr_reader :errors
@@ -200,7 +200,7 @@ class SSLCheck
self.errors << verbose("Failed to fetch certificate for #{self.domain}")
return nil
else
- return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature].any? { |r| false == r }
+ return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature, verify_signing_algorithm ].any? { |r| false == r }
end
end
@@ -235,6 +235,19 @@ class SSLCheck
false
end
+ def verify_signing_algorithm
+ unless self.tests.include?(:signing_algorithm)
+ verbose "Skipping signing algorithm check for #{self.domain}"
+ return true
+ end
+ if self.certificate.signature_algorithm.start_with? "sha1"
+ self.errors << verbose("Certificate for #{self.domain} is signed with a weak algorithm (SHA1) and should be reissued.")
+ return false
+ else
+ return true
+ end
+ end
+
def verify_subject
unless self.tests.include?(:subject)
verbose "Skipping subject verification for #{self.domain}"
@@ -451,7 +464,7 @@ module Custodian
"ssl-validity"
end
-
+
register_test_type 'https'
end