Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sometimes returns None for Valid HTTPS #198

Open
jsf9k opened this issue Aug 1, 2019 · 3 comments
Open

Sometimes returns None for Valid HTTPS #198

jsf9k opened this issue Aug 1, 2019 · 3 comments
Assignees
@jsf9k
Labels
bug This issue or pull request addresses broken functionality
Projects
BOD 18-01

Comments

@jsf9k
Copy link
Member

jsf9k commented Aug 1, 2019

馃悰 Bug Report

pshtt sometimes returns None for the Valid HTTPS field. Originally reported by @climber-girl.

To Reproduce

This error is difficult to reproduce. It happened with the following domains (and more) in the July 26-28 BOD scanning run:

  • icisairtestnode.epa.gov
  • icisbatchcdxtest.epa.gov
  • icisreportsxidev.epa.gov
  • icisstagenode.epa.gov
  • iciswsprod.epa.gov
  • iciswsstage.epa.gov
  • iciswstest.epa.gov

Expected behavior

The Valid HTTPS field should be True or False.

Any helpful log output

Cross-referencing the CloudWatch logs and the pshtt source code, I can see that the error is due to an exception thrown by sslyze when analyzing certificates.
@jsf9k jsf9k added the bug This issue or pull request addresses broken functionality label Aug 1, 2019
@jsf9k jsf9k self-assigned this Aug 1, 2019
@jsf9k
Copy link
Member Author

jsf9k commented Aug 1, 2019

See #197. I improved the exception logging in pshtt, so if this issue happens again I should be able to glean more information.

@jsf9k jsf9k added this to To do in BOD 18-01 via automation Aug 1, 2019
@echudow
Copy link
Collaborator

echudow commented Aug 2, 2019

From looking at the code and a quick test of these domains, it looks like sometimes the sslyze certificate plugin times out even though the connectivity check earlier was successful. That is probably what is happening here. Since the certificate check couldn't get the cert data, and we try to do the sslyze check even in cases where requests determined that the certificate was not trusted, we don't know at this point whether https_valid should be True or False so it is explicitly set to None to mean Unknown. One thing that might fix this in some cases would be to store the earlier result from the requests check and use that for https_valid, but it will still not have a result in some cases if the website requires client authentication because requests will always be unable to connect to those websites.

@treyperrone
Copy link

I've recently run into an issue the past couple weeks where pshtt seems to not see the redirect and i get https_valid: null I have an AWS CloudFront redirect all http --> https which i think is similar to a rewrite method. I am getting some really odd behavior though. Even setup a new instance on GCP and grabbed pshtt 0.6.6 and it fails, then downgrade to 0.6.5 and it passes fine; upgrade back to 0.6.6 and it passes. Not sure if related or I should try and open a new issue, if thats helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsf9k jsf9k

Labels
bug This issue or pull request addresses broken functionality
Projects
BOD 18-01
Status: To do
BOD 18-01
  
To do
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsf9k @treyperrone @echudow