search

sesh / ready

Are you production ready?
ISC License
26 stars 4 forks source link

SSL expiry tests fail on IPv6-only domains #23

Closed mejofi closed 5 months ago

mejofi commented 5 months ago

When testing against domains that are only available over IPv6, such as ipv6.ur.nl, the SSL expiry tests fail with None days;

[FAIL] SSL expiry should be less than one year (None days)
[FAIL] SSL expiry should be greater than five days (None days)
[ OK ] SSL certificate should be trusted

I am not sure where this goes wrong, perhaps the test expects to make the request over IPv4 instead? Compare with the same test for ipv4.ur.nl, for example, which is issued at the same time;

[ OK ] SSL expiry should be less than one year (48 days)
[ OK ] SSL expiry should be greater than five days (48 days)
[ OK ] SSL certificate should be trusted
sesh commented 5 months ago

I've fixed this by adding a check for whether the domain is IPv6 only. This is determined by having AAAA records but no A records.

If it's IPv6 only we connect using socket.AF_INET6 instead of the regular socket.AF_INET connection.