Closed msuliq closed 3 months ago
Hi,
You can use the --certinfo_ca_file <trust_store.pem> option when running SSLyze to pass it any trust store that you want.
@nabla-c0d3 I have tried running it with the optional flag --certinfo_ca_file but the response is still against the oracle_java
I ran sslyze --certinfo cloudpkis.com --certinfo_ca_file /Users/msuliq/SSL/sslyze/sslyze/plugins/certificate_info/trust_stores/pem_files/openjdk.pem
and the output for trust stores is
Android CA Store (14.0.0_r9): OK - Certificate is trusted
Apple CA Store (iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10): OK - Certificate is trusted
Java CA Store (jdk-13.0.2): FAILED - Certificate is NOT Trusted: validation failed: CandidatesExhausted(Other("chain construction exceeds max depth"))
Mozilla CA Store (2024-02-04): OK - Certificate is trusted
Supplied CA file CA Store (N/A): OK - Certificate is trusted
Windows CA Store (2023-12-11): OK - Certificate is trusted
If I manually edit sslyze/plugins/certificate_info/trust_stores/trust_store_repository.py and replace the trust store, then the response correctly shows trusted by openjdk.
The result of the validation using the supplied --certinfo_ca_file is available in the Supplied CA file CA Store entry in the output.
Ok, but this is not what my initial issue was about. I was wondering if there is any config option to use openjdk instead of oracle_java? So that in the output the line Java CA Store will be referring to the openjdk trust store.
No, there isn't.
Hi, By default the library is using the oracle_java trust store but openjdk is also present in the trust store files. Considering that there are differences between the two trust stores, is there a way to configure sslyze to use the openjdk trust store instead of the oracle_java? Or should this be done with a monkey patch? There is nothing about this in the documentation and I have not found any other similar issue on the internet. Thank you
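The thread hinges on the two Java bundles sslyze ships (oracle_java and openjdk) not holding the same roots, which is why a chain can validate against one and not the other. The script below is an added example, not sslyze's code and not from either participant: it diffs two PEM bundles by SHA-256 fingerprint and reports which stores contain a given anchor, so you can check whether the root of a deployment's chain is present in the openjdk.pem file (path quoted above) and in the corresponding oracle_java file (that file name is assumed here) before reading anything into a single "Java CA Store" verdict. With no arguments it runs on small constructed sample bundles whose certificate blocks are placeholder bytes rather than real X.509 data; pass two file paths to diff real bundles.

```python
"""Diff two PEM trust-store bundles by certificate fingerprint.

Added example, not sslyze's own code. Run with two file paths to diff real
bundles (e.g. the oracle_java and openjdk files under
sslyze/plugins/certificate_info/trust_stores/pem_files/), or with no
arguments to diff the constructed sample bundles defined below (placeholder
DER bytes, not real certificates: only parsing and set arithmetic are shown).
"""
import base64
import hashlib
import re
import sys
from pathlib import Path

# A PEM bundle is a sequence of BEGIN/END CERTIFICATE blocks; text between
# blocks (comments, headers) is ignored, as OpenSSL-style loaders do.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_bundle_to_der(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [
        base64.b64decode("".join(match.group(1).split()))
        for match in PEM_CERT_RE.finditer(pem_text)
    ]


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, the usual way a root is identified."""
    return hashlib.sha256(der).hexdigest()


def load_store(pem_text: str) -> dict[str, bytes]:
    """Map fingerprint -> DER for every certificate in the bundle."""
    return {sha256_fingerprint(der): der for der in pem_bundle_to_der(pem_text)}


def diff_trust_stores(store_a: str, store_b: str):
    """Return (only_in_a, only_in_b, in_both) as sorted fingerprint lists."""
    a, b = set(load_store(store_a)), set(load_store(store_b))
    return sorted(a - b), sorted(b - a), sorted(a & b)


def stores_containing(fingerprint: str, stores: dict[str, str]) -> list[str]:
    """Names of the stores whose bundle includes the given root fingerprint.

    This is the per-store question behind each 'X CA Store: trusted / NOT
    trusted' line: a chain can only validate against a store that holds its
    anchor (other checks, such as path length, can still fail it).
    """
    return sorted(
        name for name, text in stores.items() if fingerprint in load_store(text)
    )


def _pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE block (used only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: three fake "roots" (placeholder bytes, not X.509 data).
ROOT_SHARED = b"constructed-root-present-in-both-stores"
ROOT_ORACLE_ONLY = b"constructed-root-only-in-oracle_java"
ROOT_OPENJDK_ONLY = b"constructed-root-only-in-openjdk"
SAMPLE_ORACLE_JAVA = _pem(ROOT_SHARED) + _pem(ROOT_ORACLE_ONLY)
SAMPLE_OPENJDK = "# sample bundle header\n" + _pem(ROOT_SHARED) + _pem(ROOT_OPENJDK_ONLY)


def report(name_a: str, store_a: str, name_b: str, store_b: str) -> str:
    """Human-readable diff of two bundles, one line per differing root."""
    only_a, only_b, both = diff_trust_stores(store_a, store_b)
    lines = [
        f"{len(both)} roots shared, {len(only_a)} only in {name_a}, "
        f"{len(only_b)} only in {name_b}"
    ]
    lines += [f"  only in {name_a}: {fp}" for fp in only_a]
    lines += [f"  only in {name_b}: {fp}" for fp in only_b]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        a_path, b_path = Path(sys.argv[1]), Path(sys.argv[2])
        print(report(a_path.name, a_path.read_text(), b_path.name, b_path.read_text()))
    else:
        stores = {"oracle_java": SAMPLE_ORACLE_JAVA, "openjdk": SAMPLE_OPENJDK}
        print(report("oracle_java", SAMPLE_ORACLE_JAVA, "openjdk", SAMPLE_OPENJDK))
        anchor = sha256_fingerprint(ROOT_OPENJDK_ONLY)
        print("sample anchor present in:", stores_containing(anchor, stores))
```

Fingerprints rather than subject names are compared because two bundles can carry differently keyed roots under the same subject; if a root shows up as "only in openjdk", a chain anchored on it cannot validate against the oracle_java store no matter what else is configured, and the "Supplied CA file" entry is the supported way to get a verdict against that bundle.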