OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0

Add support to ignore invalid HTTPS certificates #22

Closed OJ closed 7 years ago

OJ commented 8 years ago

At the moment, gobuster indicates that it can't connect to sites if they don't have valid certs. This needs to be sorted.

gehaxelt commented 8 years ago

Is this still an issue?

I just tested it with two sites where curl reported curl: (51) SSL: no alternative certificate subject name matches target host name ..., but gobuster correctly identified the files.

My guess is that this has been fixed with the following three lines:

https://github.com/OJ/gobuster/blob/master/main.go#L374-L376

OJ commented 8 years ago

Yes I do remember shoving this in at some point. I am thinking before I close this ticket off I should make this configurable on the command line? By default, we should probably validate certificates, and have an option to turn it off.

gehaxelt commented 8 years ago

I don't think that we need another command line flag for this or at least set the default to ignore invalid certificates to reduce the command length, because I don't see any cons about ignoring the certificate by default, do you?

OJ commented 8 years ago

Well, some people do care about MITM and/or hitting the wrong site, even when doing this kind of stuff. I think there are valid reasons for it in the same way there are valid reasons for verifying that the server is coughing up a valid cert.

OJ commented 7 years ago

This was closed via #37.