At least in a naïve fashion, flagging likely incomplete chains from untrusted roots should be feasible by counting the number of certificates returned in "Certificate Chain Received" from sslyze. requests may also return something that could be useful.
I recall openssl returns a 'depth' value, which, when a site is less than 2 deep, is a strong indication intermediate certs are not served, making the chain incomplete. If depth<2 and the certificate is not trusted in the Mozilla store, this seems to indicate an incomplete chain, while depth>=2 seems to indicate an untrusted root.
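The counting-and-depth heuristic sketched above, as an added example that is not code from the thread or from sslyze: certificates are reduced to subject and issuer names, the chains are constructed samples, and TRUSTED_ROOTS is a hypothetical stand-in for the Mozilla store.

```python
# Added example: classify a served certificate chain with the depth heuristic
# from the discussion. Sample chains and the trust store are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


TRUSTED_ROOTS = {"Example Root CA"}  # hypothetical stand-in for the Mozilla store


def count_pem_certs(bundle: str) -> int:
    """Count certificates in a PEM bundle: the 'how many were served' signal."""
    return bundle.count("-----BEGIN CERTIFICATE-----")


def classify_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Classify a served chain (leaf first).

    Returns (verdict, depth): depth is the number of served certificates that
    link to one another; verdict is 'trusted', 'broken_chain',
    'incomplete_chain' or 'untrusted_root'.
    """
    if not chain:
        raise ValueError("no certificates received")
    depth = 1
    for current, following in zip(chain, chain[1:]):
        if current.issuer != following.subject:
            return "broken_chain", depth  # served certs do not link up
        depth += 1
    last = chain[-1]
    # Anchored to the store: last served cert is a trusted root or issued by one.
    if last.subject in trusted_roots or last.issuer in trusted_roots:
        return "trusted", depth
    # Not anchored: apply the depth heuristic from the discussion.
    if depth < 2:
        return "incomplete_chain", depth  # leaf only, intermediate not served
    return "untrusted_root", depth  # intermediate served, root not in store


# Constructed sample chains (names are placeholders).
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
PRIVATE_LEAF = Cert("intranet.example.test", "Corp Intermediate CA")
PRIVATE_INTERMEDIATE = Cert("Corp Intermediate CA", "Corp Private Root")

if __name__ == "__main__":
    for name, chain in [("complete", [LEAF, INTERMEDIATE]),
                        ("leaf only", [LEAF]),
                        ("private root", [PRIVATE_LEAF, PRIVATE_INTERMEDIATE])]:
        print(name, classify_chain(chain))
```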
This remains a great idea, if we can somehow distinguish those things. I think it means going beyond sslyze's STDOUT output and digging into the (new) Python API in some way.