Distinguish incomplete chains from untrusted roots #25

Open
h-m-f-t opened this issue Aug 22, 2016 · 1 comment
@h-m-f-t
Member

h-m-f-t commented Aug 22, 2016

At least in a naïve fashion, flagging likely incomplete chains from untrusted roots should be feasible by counting the number of certificates returned in "Certificate Chain Received" from sslyze. requests may also return something that could be useful.

I recall openssl returns a 'depth' value, which, when a site is less than 2 deep, is a strong indication intermediate certs are not served, making the chain incomplete. If depth<2 and the certificate is not trusted in the Mozilla store, this seems to indicate an incomplete chain, while depth>=2 seems to indicate an untrusted root.
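The depth heuristic from the comment above, as an added Python sketch that is not code from this project or from sslyze. It goes slightly beyond a raw certificate count by treating a self-signed leaf as an untrusted root and by counting only certificates that link to the leaf. The `Cert` record, the `classify` function, the verdict labels and the sample names are all hypothetical; linking is by subject/issuer name only, with no signature verification, and the `trusted` flag is assumed to come from the scanner's validation against the Mozilla store.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # subject distinguished name
    issuer: str   # issuer distinguished name


def classify(received, trusted):
    """Classify a validation result using the depth<2 / depth>=2 heuristic.

    received: certificates exactly as the server sent them, leaf first.
    trusted:  True if the scanner already validated the chain to a store root.
    """
    if trusted:
        return "trusted"
    if not received:
        return "no-certificate"

    leaf = received[0]
    # A self-signed leaf has depth 1, but nothing is missing from the chain:
    # the leaf is its own root, and that root is not in the store.
    if leaf.subject == leaf.issuer:
        return "likely-untrusted-root"

    # Count only certificates that link to the leaf by issuer name, so that
    # unrelated extras sent by the server do not inflate the depth.
    by_subject = {c.subject: c for c in received[1:]}
    depth, top, seen = 1, leaf, {leaf.subject}
    while top.issuer in by_subject and top.issuer not in seen:
        top = by_subject[top.issuer]
        seen.add(top.subject)
        depth += 1

    return "likely-incomplete-chain" if depth < 2 else "likely-untrusted-root"


# Constructed sample certificates (names are illustrative only).
LEAF = Cert("CN=www.example.gov", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Private Root")
SELF_SIGNED = Cert("CN=appliance.example.gov", "CN=appliance.example.gov")
UNRELATED = Cert("CN=Other CA", "CN=Other Root")
```

Both "likely" verdicts are hints for triage; a private root and a missing intermediate can look the same by name alone when the server sends only the leaf.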

@konklone
Collaborator

This remains a great idea, if we can somehow distinguish those things. I think it means going beyond sslyze's STDOUT output and digging into the (new) Python API in some way.

@hillaryj hillaryj removed the WSC label Dec 5, 2020
mcdonnnj pushed a commit that referenced this issue Mar 9, 2022
mcdonnnj pushed a commit that referenced this issue Mar 9, 2022
Add codeowners file with team OIS maintainers.