From 320e4f92d5d4a7810f56eb1a70ea7bb06f3167cc Mon Sep 17 00:00:00 2001
From: Steve Kemp <steve@steve.org.uk>
Date: Thu, 29 Oct 2015 10:27:49 +0200
Subject: Allow testng for weak certificate signing algorithms.
This is a good thing to do, as Chrome will apaprently be
refusing to show sites with SHA-1 in use over SHA-256.
This closes #12358.
---
lib/custodian/protocoltest/ssl.rb | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'lib/custodian/protocoltest')
diff --git a/lib/custodian/protocoltest/ssl.rb b/lib/custodian/protocoltest/ssl.rb
index 1dfe438..88f157c 100644
--- a/lib/custodian/protocoltest/ssl.rb
+++ b/lib/custodian/protocoltest/ssl.rb
@@ -13,7 +13,7 @@ require 'timeout'
#
class SSLCheck
- ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled]
+ ALL_TESTS = [:signature, :valid_from, :valid_to, :subject, :sslv3_disabled, :signing_algorithm]
attr_reader :errors
@@ -200,7 +200,7 @@ class SSLCheck
self.errors << verbose("Failed to fetch certificate for #{self.domain}")
return nil
else
- return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature].any? { |r| false == r }
+ return ![verify_subject, verify_valid_from, verify_valid_to, verify_signature, verify_signing_algorithm ].any? { |r| false == r }
end
end
@@ -235,6 +235,19 @@ class SSLCheck
false
end
+ def verify_signing_algorithm
+ unless self.tests.include?(:signing_algorithm)
+ verbose "Skipping signing algorithm check for #{self.domain}"
+ return true
+ end
+ if self.certificate.signature_algorithm.start_with? "sha1"
+ self.errors << verbose("Certificate for #{self.domain} is signed with a weak algorithm (SHA1) and should be reissued.")
+ return false
+ else
+ return true
+ end
+ end
+
def verify_subject
unless self.tests.include?(:subject)
verbose "Skipping subject verification for #{self.domain}"
@@ -451,7 +464,7 @@ module Custodian
"ssl-validity"
end
-
+
register_test_type 'https'
end
--
cgit v1.2.3