Distinguish incomplete chains from untrusted roots #25
Comments
This remains a great idea, if we can somehow distinguish those things. I think it means going beyond |
mcdonnnj pushed a commit that referenced this issue on Mar 9, 2022: "Add codeowners file with team OIS maintainers."
At least in a naïve fashion, flagging likely incomplete chains from untrusted roots should be feasible by counting the number of certificates returned in "Certificate Chain Received" from `sslyze`. `requests` may also return something that could be useful. I recall `openssl` returns a 'depth' value, which, when a site is less than 2 deep, is a strong indication intermediate certs are not served, making the chain incomplete. If depth<2 and the certificate is not trusted in the Mozilla store, this seems to indicate an incomplete chain, while depth>=2 seems to indicate an untrusted root.
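The heuristic described in the issue (use the `depth` values `openssl` reports during verification, and treat an untrusted result at depth &lt; 2 as a missing intermediate rather than an untrusted root), worked through as an added example. This is not code from the project or from the issue author; it parses constructed `openssl s_client` verification output (the three sample transcripts below are made up for illustration, not captured from a real host) and applies the depth rule. It also goes one step beyond the issue: OpenSSL's verify error numbers already separate the two cases (20 and 21 mean an issuer certificate could not be found, 18 and 19 mean a self-signed certificate was reached that is not in the trust store), so a second classifier keyed on those numbers is included as a cross-check. Function and variable names are the example's own.

```python
import re

# --- Constructed sample output (labelled as such; not real captures) ---------

# Case A: only the leaf certificate was served. Verification cannot get past
# depth 0, and OpenSSL reports that the local issuer certificate is missing.
INCOMPLETE_CHAIN_OUTPUT = """\
depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
"""

# Case B: the full chain (leaf, intermediate, root) was served, but the root
# is not in the trust store, so the self-signed root itself is rejected.
UNTRUSTED_ROOT_OUTPUT = """\
depth=2 O = Example Private PKI, CN = Example Private Root
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = Example Private PKI, CN = Example Private Issuing CA
verify return:1
depth=0 CN = internal.example.test
verify return:1
"""

# Case C: full chain served and every link verifies against the trust store.
TRUSTED_OUTPUT = """\
depth=2 O = Example Public PKI, CN = Example Public Root
verify return:1
depth=1 O = Example Public PKI, CN = Example Public Issuing CA
verify return:1
depth=0 CN = www.example.test
verify return:1
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

# X509 verify error numbers that point at a missing issuer (chain incomplete)
MISSING_ISSUER_ERRORS = {2, 20, 21}
# ... and those that point at an untrusted self-signed certificate (bad root)
UNTRUSTED_ROOT_ERRORS = {18, 19}


def parse_verify_output(text):
    """Extract the distinct depths seen and the verify errors from s_client output."""
    depths = set()
    errors = []
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            depths.add(int(m.group(1)))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2)))
    return {
        # Highest depth OpenSSL managed to verify; None if nothing was seen.
        "max_depth": max(depths) if depths else None,
        # Number of distinct certificates the verifier walked through.
        "chain_length": len(depths),
        "errors": errors,
    }


def classify_by_depth(parsed):
    """The issue's heuristic: untrusted at depth < 2 => incomplete, else bad root."""
    if parsed["max_depth"] is None:
        return "no-chain"
    if not parsed["errors"]:
        return "trusted"
    if parsed["max_depth"] < 2:
        return "incomplete-chain"
    return "untrusted-root"


def classify_by_error_code(parsed):
    """Cross-check using the verify error numbers OpenSSL itself assigns."""
    if parsed["max_depth"] is None:
        return "no-chain"
    codes = {num for num, _ in parsed["errors"]}
    if not codes:
        return "trusted"
    if codes & UNTRUSTED_ROOT_ERRORS:
        return "untrusted-root"
    if codes & MISSING_ISSUER_ERRORS:
        return "incomplete-chain"
    return "other-error"


if __name__ == "__main__":
    for name, sample in [("A", INCOMPLETE_CHAIN_OUTPUT),
                         ("B", UNTRUSTED_ROOT_OUTPUT),
                         ("C", TRUSTED_OUTPUT)]:
        parsed = parse_verify_output(sample)
        print(name, parsed["chain_length"], classify_by_depth(parsed),
              classify_by_error_code(parsed))
```

One limit of the depth rule, which is why the issue calls it naïve: a leaf issued directly by a private root that is served alongside it verifies to depth 1, so the depth-based classifier calls it an incomplete chain even though the real problem is an untrusted root. The error-number classifier gets that case right, because OpenSSL reports a self-signed-certificate error (18 or 19) rather than a missing-issuer error (20 or 21).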