SSLMate / certspotter

Certificate Transparency Log Monitor
https://sslmate.com/certspotter
Mozilla Public License 2.0

BygoneSSL Support #30

Closed lanrat closed 6 years ago

lanrat commented 6 years ago

Add support for detecting SSL certificates that belonged to a domain's previous owner.

Also includes support for a -http flag to use http CT servers. I found this very useful for testing local CT servers that are not behind an SSL terminating reverse proxy.

AGWA commented 6 years ago

Is the -bygonessl flag necessary? It seems like that behavior should be implied by the presence of issued_before in the watch list.

Also, I've realized that issued_before is a misnomer. The behavior is actually that the certificate was valid at a particular point in time, so perhaps valid_at would be more appropriate.

Other than that, looks good!

lanrat commented 6 years ago

The behavior with and without the -bygonessl flag is different when issued_before is present. When a domain is provided an issued_before date, a bygonessl check will be performed on matching certificates. However, when the -bygonessl flag is provided, only certificates that match and are valid before the issued_before will be shown. Additionally, when running without the flag you can mix certificates with and without the issued_before option, but when running with the flag all certificates must have an issued_before date. It provides additional flexibility.

I agree valid_at is a better name. It has been changed.

AGWA commented 6 years ago

My concern is that the behavior isn't very intuitive. As a user, I'd expect that the following watch list:

example.com
example.org valid_at:2017-07-14

would match all example.com certificates, and all example.org certificates that were valid at 2017-07-14.

Currently, without the -bygonessl flag, it will match example.org certificates regardless of the validity time. With the -bygonessl flag, it will error out because example.com doesn't have a valid_at parameter.

My preference would be to drop the -bygonessl flag, and have it work like described above.

lanrat commented 6 years ago

That makes sense. I've updated the behavior to be as you described.
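The watch-list semantics AGWA describes above and lanrat adopted (every example.com certificate, but only example.org certificates that were valid on 2017-07-14), as an added Go example that is not certspotter's own code: ParseWatchList, Matches and the exact-name matching are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
	"time"
)

// WatchItem is one watch-list line: a domain plus an optional valid_at date (the
// name settled on in this PR); nil ValidAt means report every cert for the name.
type WatchItem struct {
	Domain  string
	ValidAt *time.Time
}

// ParseWatchList parses lines such as "example.org valid_at:2017-07-14" and
// rejects any other parameter (for example the pre-rename issued_before).
func ParseWatchList(text string) ([]WatchItem, error) {
	var items []WatchItem
	for n, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		item := WatchItem{Domain: strings.ToLower(fields[0])}
		if len(fields) > 1 {
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(fields[1], "valid_at:"))
			if err != nil || len(fields) > 2 || !strings.HasPrefix(fields[1], "valid_at:") {
				return nil, fmt.Errorf("line %d: want [valid_at:YYYY-MM-DD], got %q", n+1, fields[1:])
			}
			item.ValidAt = &t
		}
		items = append(items, item)
	}
	return items, nil
}

// Matches reports whether cert should be reported for item: a SAN must equal the
// watched name (exact match only, a simplification) and, when valid_at is set, that
// date must fall inside NotBefore..NotAfter (the cert was live on the handover day).
func Matches(item WatchItem, cert *x509.Certificate) bool {
	for _, name := range cert.DNSNames {
		if strings.EqualFold(name, item.Domain) {
			return item.ValidAt == nil ||
				(!item.ValidAt.Before(cert.NotBefore) && !item.ValidAt.After(cert.NotAfter))
		}
	}
	return false
}
```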