Add support for client authentication #286
Conversation
…ient Authentication and whether the certs are publicly trusted.
|
Added some reviewers in hope of getting more eyes on these changes. |
Someone had accidentally committed a merge conflict.
This is for the dmarc, mx, spf, and starttls CLI options.
These options are the trustymail options --mx, --dmarc, --spf, and --starttls.
|
@echudow and @IanLee1521, I'm doing a full BOD 18-01 scan in my staging environment (with echudow/pshtt, echudow/trustymail, and echudow/domain-scan) as a means of regression testing. I will hopefully have results to share tomorrow. |
|
@echudow and @IanLee1521 Second update: Reports are generating! I will take a look at them tonight or tomorrow morning. Third update: The HTTPS reports are looking good. I verified that some sites that require client certs are now passing, and they weren't before. Except for that, the overall results look very similar to those from last weekend. So that's good news! Fourth update: The Trustworthy Email reports look almost identical to the ones from the past weekend's run. So it looks like those are good too! |
|
Based on the results from a full run with the new code, I think this PR is ready to be merged. I can't approve the PR myself, though, since I created it. @echudow or @IanLee1521, can either of you approve this PR? After that we should be able to merge. |
… websites that require client certs and include DNSSEC data
|
Once cisagov/trustymail#110 is merged I will rerun the CI for this repo and it will pass. |
The latest saver and scanner account for the changes made by cisagov/pshtt#179, cisagov/trustymail#110, and 18F/domain-scan#286. See cisagov/saver#41 and cisagov/scanner#31 for details.
The differences between 0.6.0 and 0.6.1 are purely cosmetic, but we may as well be current.
| @@ -108,26 +110,26 @@ def to_rows(data): | |||
| row = [] | |||
| for field in headers: | |||
| value = data[field] | |||
|
|
|||
There was a problem hiding this comment.
If you're removing all of this logic, then this block can collapse to row = [data[field] for field in headers]
| if (field != "HSTS Header") and (field != "HSTS Max Age") and (field != "Redirect To"): | ||
| if value is None: | ||
| value = False | ||
|
|
||
| row.append(value) | ||
|
|
||
| return [row] |
There was a problem hiding this comment.
Do we really intend to return a list of the row list?
There was a problem hiding this comment.
@konklone did this intentionally. This is what all the scanners (are supposed to) do. If we change it here we need to change it in all scanners, and we also need to change the code that gathers all the CSV rows into a single results file. All doable, but I think that is best done in a separate PR.
| @@ -405,10 +461,26 @@ def analyze_certs(certs): | |||
| # Signature of the leaf certificate only. | |||
| data['certs']['leaf_signature'] = leaf.signature_hash_algorithm.name | |||
|
|
|||
| if(leaf.signature_hash_algorithm.name == "MD5"): | |||
There was a problem hiding this comment.
These two blocks could be simplified to:
sig_alg = leaf.signature_hash_algorithm.name
data['certs']['md5_signed_certificate'] = (sig_alg == "MD5")
data['certs']['sha1_signed_certificate'] = (sig_alg == "SHA1")There was a problem hiding this comment.
Yes, that is better.
| # Beginning and expiration dates of the leaf certificate | ||
| data['certs']['not_before'] = leaf.not_valid_before | ||
| data['certs']['not_after'] = leaf.not_valid_after | ||
|
|
||
| now = datetime.datetime.now() | ||
| if (now < leaf.not_valid_before) or (now > leaf.not_valid_after): |
There was a problem hiding this comment.
This could be simplified to:
data['certs']['expired_certificate'] = not(leaf.not_valid_before < now < leaf.not_valid_after)
| @@ -497,16 +569,26 @@ def cert_issuer_name(parsed): | |||
| return attrs[0].value | |||
|
|
|||
|
|
|||
| # Analyze the results of a renegotiation test | |||
| def analyze_reneg(data, reneg): | |||
| if (reneg.accepts_client_renegotiation is True) and (reneg.supports_secure_renegotiation is False): | |||
There was a problem hiding this comment.
This could simply be:
if reneg.accepts_client_renegotiation and not reneg.supports_secure_renegotiation:
And then further, the whole block could be:
data['config']['insecure_renegotiation'] = reneg.accepts_client_renegotiation and not reneg.supports_secure_renegotiation
| def run_scan(scan_type, command, errors): | ||
| if(errors >= 2): | ||
| return None, errors | ||
| logging.debug("\t\t{} scan.".format(scan_type)) |
There was a problem hiding this comment.
FWIW, I think with the logging calls, it might actually be preferred to use formatting similar to:
logging.debug("\t\t%s scan.", scan_type)
Which matches more what is done in the documentation, where the parameters (scan_type in this case) are passed to logging.debug as arguments, rather than doing the substitution first: https://docs.python.org/3/library/logging.html#logging.Logger.debug
There was a problem hiding this comment.
I'm not at all opposed to this change, but I think we should make it wholesale, across all scanners, in a separate pull request.
| try: | ||
| result = scanner.run_scan_command(server_info, command) | ||
| except Exception as err: | ||
| logging.warning("{}: Error during {} scan.".format(server_info.hostname, scan_type)) |
There was a problem hiding this comment.
Should this be logging.error(...) ?
| @@ -589,7 +686,7 @@ def queue(command): | |||
| return None, None, None, None, None, None, None | |||
|
|
|||
| # Initialize commands and result containers | |||
| sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3, certs = None, None, None, None, None, None | |||
| sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3, certs, reneg = None, None, None, None, None, None, None, None | |||
There was a problem hiding this comment.
This can be simplified to:
sslv2 = sslv3 = tlsv1 = tlsv1_1 = tlsv1_2 = tlsv1_3 = certs = reneg = None
| @@ -602,6 +699,9 @@ def queue(command): | |||
| if options.get("sslyze-certs", True) is True: | |||
| queue(CertificateInfoScanCommand()) | |||
|
|
|||
| if options.get("sslyze-reneg", True) is True: | |||
There was a problem hiding this comment.
This should just be if options.get("sslyze-reneg", True):
|
@IanLee1521, yes this is the code I used to run the BOD 18-01 scans and compare against the "official" results from this past weekend. The only two commits that weren't included were b812928 and 2019622, but since I was running in AWS Lambda those wouldn't change anything. I did make the analogous changes in cisagov/lambda_functions#34, and I used that to generate the Lambda functions that were used for the test run. |
|
Sounds good, then yes, I think once we get the build tests sorted out, we can merge this (not sure if you want to address some of the other code improvements I suggested, or do that elsewhere. |
|
@IanLee1521, I like your changes but I'd prefer they be addressed in a couple of separate PRs. There's a lot in this one already. What do you think? Do you want to create a new PRs with some or all of those changes once this one is merged? If not then I can do it. The failing build test is only because I went ahead and committed the change to use trustymail version 0.7.0, and that won't exist until cisagov/trustymail#110 is approved, merged, tagged, and the CI runs. So that other PR is holding this one up. |
|
That seems totally reasonable to me. 👍 |
|
OK, I will continue waiting for someone to review cisagov/trustymail#110 then. Once that happens and that PR is merged I will merge this one. |
Creating a pull request from @echudow's fork. This pull request goes along with cisagov/pshtt#179 and should not be merged before that one is.