Closed lanrat closed 6 years ago
Is the -bygonessl flag necessary? It seems like that behavior should be implied by the presence of issued_before in the watch list.
Also, I've realized that issued_before is a misnomer. The behavior is actually that the certificate was valid at a particular point in time, so perhaps valid_at would be more appropriate.
Other than that, looks good!
The behavior with and without the -bygonessl flag is different when issued_before is present.
When a domain is provided an issued_before date, a bygonessl check will be performed on matching certificates. However, when the -bygonessl flag is provided, only certificates that match and are valid before the issued_before will be shown. Additionally, when running without the flag you can mix certificates with and without the issued_before option, but when running with the flag all certificates must have an issued_before date. It provides additional flexibility.
I agree valid_at is a better name. It has been changed.
My concern is that the behavior isn't very intuitive. As a user, I'd expect that the following watch list:
    example.com
    example.org valid_at:2017-07-14
would match all example.com certificates, and all example.org certificates that were valid at 2017-07-14.
Currently, without the -bygonessl flag, it will match example.org certificates regardless of the validity time. With the -bygonessl flag, it will error out because example.com doesn't have a valid_at parameter.
My preference would be to drop the -bygonessl flag, and have it work like described above.
That makes sense. I've updated the behavior to be as you described.
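The watch-list semantics the reviewer asked for (plain entries match on name alone; entries carrying valid_at additionally require the certificate to have been valid at that instant; both kinds may be mixed in one list) can be illustrated with a small stand-alone parser and matcher. This is an added example, not code from the project or from either participant: the WatchEntry and CertInfo types, the ParseWatchList, Matches and MatchingEntries functions, and the single-label wildcard rule are assumptions made for the illustration, and a bare valid_at date is taken to mean midnight UTC of that day.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// WatchEntry is one watch-list line: a domain plus an optional instant at
// which a matching certificate must have been valid (hypothetical type).
type WatchEntry struct {
	Domain  string
	ValidAt *time.Time // nil: match regardless of the validity period
}

// CertInfo is the subset of an X.509 certificate this check needs.
type CertInfo struct {
	DNSNames  []string
	NotBefore time.Time
	NotAfter  time.Time
}

// ParseWatchList accepts lines of the form "domain" or
// "domain valid_at:YYYY-MM-DD"; blank lines and '#' comments are skipped.
// Any other option is rejected so a typo cannot silently widen a match.
func ParseWatchList(text string) ([]WatchEntry, error) {
	var entries []WatchEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		e := WatchEntry{Domain: strings.ToLower(fields[0])}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "valid_at:") {
				return nil, fmt.Errorf("line %d: unknown option %q", lineNo, f)
			}
			// Assumption: a bare date means midnight UTC of that day.
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "valid_at:"))
			if err != nil {
				return nil, fmt.Errorf("line %d: bad valid_at date: %w", lineNo, err)
			}
			e.ValidAt = &t
		}
		entries = append(entries, e)
	}
	return entries, sc.Err()
}

// nameCovers reports whether a SAN (exact name or a single-label wildcard
// such as *.example.org) covers the watched domain. A wildcard does not
// cover the bare parent name.
func nameCovers(san, domain string) bool {
	san = strings.ToLower(san)
	if san == domain {
		return true
	}
	if strings.HasPrefix(san, "*.") {
		suffix := san[1:] // ".example.org"
		if strings.HasSuffix(domain, suffix) {
			label := strings.TrimSuffix(domain, suffix)
			return label != "" && !strings.Contains(label, ".")
		}
	}
	return false
}

// Matches applies the agreed semantics: the name must be covered, and if the
// entry carries valid_at the certificate's validity window must contain it.
func Matches(e WatchEntry, c CertInfo) bool {
	covered := false
	for _, san := range c.DNSNames {
		if nameCovers(san, e.Domain) {
			covered = true
			break
		}
	}
	if !covered {
		return false
	}
	if e.ValidAt == nil {
		return true
	}
	t := *e.ValidAt
	return !t.Before(c.NotBefore) && !t.After(c.NotAfter)
}

// MatchingEntries returns the watched domains that a certificate hits.
func MatchingEntries(entries []WatchEntry, c CertInfo) []string {
	var hits []string
	for _, e := range entries {
		if Matches(e, c) {
			hits = append(hits, e.Domain)
		}
	}
	return hits
}

func main() {
	// Constructed watch list, taken from the reviewer's example above.
	entries, err := ParseWatchList("example.com\nexample.org valid_at:2017-07-14\n")
	if err != nil {
		panic(err)
	}
	// Constructed certificate that was valid on 2017-07-14.
	old := CertInfo{
		DNSNames:  []string{"example.org", "*.example.org"},
		NotBefore: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:  time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	fmt.Println(MatchingEntries(entries, old)) // [example.org]
}
```

A certificate for example.org issued after the checkpoint fails the valid_at test and is not reported, while any example.com certificate is reported regardless of its dates; that is exactly the distinction a previous-owner (bygone) check needs, since only certificates that were live while the old owner controlled the name are of interest.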
Add support for detecting SSL certificates that belonged to a domain's previous owner.
Also includes support for a -http flag to use http CT servers. I found this very useful for testing local CT servers that are not behind an SSL terminating reverse proxy.