kirei / sslyze

Fast and full-featured SSL scanner
GNU General Public License v2.0

Check OCSP for revocation status #4

Open jschlyter opened 10 years ago

secworks commented 10 years ago

Ready for test.

jschlyter commented 10 years ago

Test case

python sslyze.py --certinfo=full --ocsp \
    www.kirei.se:443 idp.kirei.se:443 admin.kirei.se:443 test-sspev.verisign.com:2443

jschlyter commented 10 years ago

python sslyze.py --certinfo=full --ocsp admin.kirei.se:443

kaboom...

secworks commented 10 years ago

Trying to access admin.kirei.se:443 with Chrome:

SSL connection error Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR

However, the error is weird. We should have caught this earlier in the chain: exceptions.KeyError - 'CAIssuers'

That is, it can't get the CAIssuers field.

I add an error message for this.

secworks commented 10 years ago

Update is now in master branch.

Test cases for ocsp:

OCSP responder, cert not revoked: python sslyze.py --ocsp --certinfo=basic www.kirei.se

Test for cURL based transport of request: python sslyze.py --ocsp --certinfo=basic idp.kirei.se

No OCSP responder in cert: python sslyze.py --ocsp --certinfo=basic www.google.com

OCSP responder in cert, cert revoked: python sslyze.py --ocsp --certinfo=basic test-sspev.verisign.com:2443

Self-signed cert without CAIssuers field: python sslyze.py --certinfo=basic --ocsp admin.kirei.se:443
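The KeyError on 'CAIssuers' above comes from indexing the Authority Information Access extension as if both access methods were always present. The following is an added example (not sslyze's own code, and not from this thread) that walks the AIA extension with a minimal DER reader and maps the result to the test cases listed in the comment; the URIs and the `build_aia` helper are constructed sample data, and `revocation_plan` is a hypothetical name.

```python
# Added example, not sslyze's own code: a minimal DER walk over the
# Authority Information Access (AIA) extension that returns OCSP and CAIssuers
# URIs as possibly empty lists, so a missing field never raises KeyError.
OID_OCSP = bytes.fromhex("2b06010505073001")       # 1.3.6.1.5.5.7.48.1
OID_CAISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, value):
    """Encode one short-form DER TLV (only used to build sample data)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def parse_aia(aia_der):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription { OID, GeneralName }.
    Only uniformResourceIdentifier [6] locations are collected."""
    out = {"OCSP": [], "CAIssuers": []}
    names = {OID_OCSP: "OCSP", OID_CAISSUERS: "CAIssuers"}
    _, body, _ = _tlv(aia_der, 0)
    pos = 0
    while pos < len(body):
        _, desc, pos = _tlv(body, pos)
        _, method, p = _tlv(desc, 0)
        ltag, loc, _ = _tlv(desc, p)
        if ltag == 0x86 and method in names:
            out[names[method]].append(loc.decode("ascii"))
    return out

def revocation_plan(aia_der):
    """Map the extension contents to the cases listed in the thread."""
    info = parse_aia(aia_der) if aia_der else {"OCSP": [], "CAIssuers": []}
    if not info["OCSP"]:
        return "no-ocsp-responder"
    # The issuer cert is needed to build the OCSP CertID; when CAIssuers is
    # absent, take it from the server-sent chain instead of failing.
    return "ocsp-via-caissuers" if info["CAIssuers"] else "ocsp-via-chain"

def build_aia(ocsp=(), caissuers=()):
    """Constructed sample AIA value with hypothetical URIs."""
    descs = b"".join(_der(0x30, _der(0x06, oid) + _der(0x86, u.encode("ascii")))
                     for oid, uris in ((OID_OCSP, ocsp), (OID_CAISSUERS, caissuers))
                     for u in uris)
    return _der(0x30, descs)
```

Passing `b""` stands for a certificate with no AIA extension at all, which is the www.google.com case in the list above.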

secworks commented 10 years ago

Polished OCSP XML generation so it correctly reports revoked, validated, problems talking to the responder and certs without OCSP fields etc.