From 320e4f92d5d4a7810f56eb1a70ea7bb06f3167cc Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Thu, 29 Oct 2015 10:27:49 +0200 Subject: Allow testng for weak certificate signing algorithms. This is a good thing to do, as Chrome will apaprently be refusing to show sites with SHA-1 in use over SHA-256. This closes #12358. --- lib/custodian/protocoltest/ssl.rb | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/lib/custodian/protocoltest/ssl.rb b/lib/custodian/protocoltest/ssl.rb index 1dfe438..88f157c 100644 --- a/lib/custodian/protocoltest/ssl.rb +++ b/lib/custodian/protocoltest/ssl.rb @@ -13,7 +13,7 @@ require 'timeout' # class SSLCheck - ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled] + ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled, :signing_algorithm] attr_reader :errors @@ -200,7 +200,7 @@ class SSLCheck self.errors << verbose("Failed to fetch certificate for #{self.domain}") return nil else - return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature].any? { |r| false == r } + return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature, verify_signing_algorithm ].any? { |r| false == r } end end @@ -235,6 +235,19 @@ class SSLCheck false end + def verify_signing_algorithm + unless self.tests.include?(:signing_algorithm) + verbose "Skipping signing algorithm check for #{self.domain}" + return true + end + if self.certificate.signature_algorithm.start_with? "sha1" + self.errors << verbose("Certificate for #{self.domain} is signed with a weak algorithm (SHA1) and should be reissued.") + return false + else + return true + end + end + def verify_subject unless self.tests.include?(:subject) verbose "Skipping subject verification for #{self.domain}" @@ -451,7 +464,7 @@ module Custodian "ssl-validity" end - + register_test_type 'https' end -- cgit v1.2.1