Fix for sslyze breaking changes

echudow · Jul 21, 2019 · c2f427b · c2f427b
1 parent 74c4244
commit c2f427b
Showing 1 changed file with 45 additions and 26 deletions.
diff --git a/pshtt/pshtt.py b/pshtt/pshtt.py
@@ -701,7 +701,16 @@ def https_check(endpoint):
         public_not_trusted_string = ""
         validation_results = cert_plugin_result.path_validation_result_list
         for result in validation_results:
-            if result.is_certificate_trusted:
+            is_trusted = True
+            functions = dir(result)
+            if "is_certificate_trusted" in functions:
+                is_trusted = result.is_certificate_trusted
+            elif "was_validation_successful" in functions:
+                is_trusted = result.was_validation_successful
+            else: 
+                logging.warning("{}: Can't test trust because sslyze missing needed function.".format(endpoint.url))
+                raise Exception("Missing sslyze function for testing certificate trust")
+            if is_trusted:
                 # We're assuming that it is trusted to start with
                 pass
             else:
@@ -809,32 +818,42 @@ def https_check(endpoint):
             endpoint.https_bad_hostname = True
 
     try:
-        endpoint.https_cert_chain_len = len(cert_plugin_result.certificate_chain)
-        if (
-                endpoint.https_self_signed_cert is False and (
-                    len(cert_plugin_result.certificate_chain) < 2
-                )
-        ):
-            # *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
-            endpoint.https_missing_intermediate_cert = True
-            if(cert_plugin_result.successful_trust_store is None):
-                logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
-                utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, cert_plugin_result.certificate_chain.__len__()))
-            elif(custom_trust is True and public_trust is False):
-                # recheck public trust using custom public trust store with manually added intermediate certificates
-                if(PT_INT_CA_FILE is not None):
-                    try:
-                        cert_plugin_result = None
-                        command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
-                        cert_plugin_result = scanner.run_scan_command(server_info, command)
-                        if(cert_plugin_result.successful_trust_store is not None):
-                            public_trust = True
-                            endpoint.https_public_trusted = public_trust
-                            logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
-                    except Exception:
-                        pass
+        certificate_chain = None
+        functions = dir(cert_plugin_result)
+        if "certificate_chain" in functions:
+            certificate_chain = cert_plugin_result.certificate_chain
+        elif "received_certificate_chain" in functions:
+            certificate_chain = cert_plugin_result.received_certificate_chain
         else:
-            endpoint.https_missing_intermediate_cert = False
+            logging.warning("{}: Missing sslyze function to check for missing intermediate certificate.".format(endpoint.url))
+            utils.debug("{}: Missing sslyze certificate_chain or received_certificate_chain function".format(endpoint.url))
+        if certificate_chain:
+            endpoint.https_cert_chain_len = len(certificate_chain)
+            if (
+                    endpoint.https_self_signed_cert is False and (
+                        endpoint.https_cert_chain_len < 2
+                    )
+            ):
+                # *** TODO check that it is not a bad hostname and that the root cert is trusted before suggesting that it is an intermediate cert issue.
+                endpoint.https_missing_intermediate_cert = True
+                if(cert_plugin_result.successful_trust_store is None):
+                    logging.warning("{}: Untrusted certificate chain, probably due to missing intermediate certificate.".format(endpoint.url))
+                    utils.debug("{}: Only {} certificates in certificate chain received.".format(endpoint.url, endpoint.https_cert_chain_len))
+                elif(custom_trust is True and public_trust is False):
+                    # recheck public trust using custom public trust store with manually added intermediate certificates
+                    if(PT_INT_CA_FILE is not None):
+                        try:
+                            cert_plugin_result = None
+                            command = sslyze.plugins.certificate_info_plugin.CertificateInfoScanCommand(ca_file=PT_INT_CA_FILE)
+                            cert_plugin_result = scanner.run_scan_command(server_info, command)
+                            if(cert_plugin_result.successful_trust_store is not None):
+                                public_trust = True
+                                endpoint.https_public_trusted = public_trust
+                                logging.warning("{}: Trusted by special public trust store with intermediate certificates.".format(endpoint.url))
+                        except Exception:
+                            pass
+            else:
+                endpoint.https_missing_intermediate_cert = False
     except Exception:
         # Squash exceptions
         pass