Open jsf9k opened 5 years ago
See #197. I improved the exception logging in pshtt, so if this issue happens again I should be able to glean more information.
From looking at the code and a quick test of these domains, it looks like sometimes the sslyze certificate plugin times out even though the connectivity check earlier was successful. That is probably what is happening here. Since the certificate check couldn't get the cert data, and we try to do the sslyze check even in cases where requests determined that the certificate was not trusted, we don't know at this point whether https_valid should be True or False, so it is explicitly set to None to mean Unknown. One thing that might fix this in some cases would be to store the earlier result from the requests check and use that for https_valid, but it will still not have a result in some cases if the website requires client authentication because requests will always be unable to connect to those websites.
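The fallback described in the comment above, sketched as an added example. It is not part of the thread and not pshtt's code. The names `RequestsResult`, `resolve_https_valid` and `summarize` are hypothetical, and treating a completed sslyze check as authoritative is an assumption.

```python
from enum import Enum
from typing import Dict, Optional


class RequestsResult(Enum):
    # Hypothetical outcomes of the earlier requests-based probe.
    TRUSTED = "trusted"          # handshake and chain validation succeeded
    CERT_ERROR = "cert_error"    # connected, but the certificate was not trusted
    NO_CONNECTION = "no_conn"    # e.g. the server requires client authentication


def resolve_https_valid(sslyze_valid: Optional[bool],
                        requests_result: RequestsResult) -> Optional[bool]:
    """Return True/False when either check gave a verdict, else None (Unknown)."""
    # Assumption: a completed sslyze certificate check takes precedence.
    if sslyze_valid is not None:
        return sslyze_valid
    # sslyze timed out or raised: fall back to the stored requests result.
    if requests_result is RequestsResult.TRUSTED:
        return True
    if requests_result is RequestsResult.CERT_ERROR:
        return False
    # requests never connected, so there is no certificate data at all.
    return None


def summarize(results: Dict[str, Optional[bool]]) -> Dict[str, int]:
    """Count verdicts, keeping Unknown separate instead of coercing it to False."""
    counts = {"valid": 0, "invalid": 0, "unknown": 0}
    for verdict in results.values():
        if verdict is None:
            counts["unknown"] += 1
        else:
            counts["valid" if verdict else "invalid"] += 1
    return counts


# Constructed sample inputs; the hostnames are placeholders.
SAMPLE = {
    "a.example": resolve_https_valid(None, RequestsResult.TRUSTED),
    "b.example": resolve_https_valid(None, RequestsResult.CERT_ERROR),
    "c.example": resolve_https_valid(None, RequestsResult.NO_CONNECTION),
    "d.example": resolve_https_valid(False, RequestsResult.TRUSTED),
}
```

A report built on these results should show the `unknown` count on its own line, since a scan that silently maps None to False or True misstates compliance for hosts that were never actually checked.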
I've recently run into an issue the past couple weeks where pshtt seems to not see the redirect and I get https_valid: null
I have an AWS CloudFront redirect all http --> https which I think is similar to a rewrite method. I am getting some really odd behavior though. Even set up a new instance on GCP and grabbed pshtt 0.6.6 and it fails, then downgrade to 0.6.5 and it passes fine; upgrade back to 0.6.6 and it passes. Not sure if related or I should try and open a new issue, if that's helpful.
🐛 Bug Report
pshtt sometimes returns None for the Valid HTTPS field. Originally reported by @climber-girl.
To Reproduce
This error is difficult to reproduce. It happened with the following domains (and more) in the July 26-28 BOD scanning run:
icisairtestnode.epa.gov
icisbatchcdxtest.epa.gov
icisreportsxidev.epa.gov
icisstagenode.epa.gov
iciswsprod.epa.gov
iciswsstage.epa.gov
iciswstest.epa.gov
Expected behavior
The Valid HTTPS field should be True or False.
Any helpful log output
Cross-referencing the CloudWatch logs and the pshtt source code, I can see that the error is due to an exception thrown by sslyze when analyzing certificates.