UNPKG

@passmarked/ssl

Version:

Rules that relate to checking the SSL configuration of each individual resolved server from the domain to ensure locked down config with the broadest compatibility

github.com/passmarked/ssl

passmarked/ssl

162 lines (114 loc) 3.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
const tls = require('tls'); const net = require('net'); const request = require('request'); const url = require('url'); const S = require('string'); const _ = require('underscore'); const moment = require('moment'); const async = require('async'); const fs = require('fs'); const util = require('util'); const spawn = require('child_process').spawn; const pem = require('pem'); const Constants = require('../../constants'); const OpenSSL = require('../../certificates'); // require our methods to run const chainTestFuncs = [ require('./missing'), require('./order'), require('./root'), require('./signature') ]; /** * Check the valid date of a certificate **/ module.exports = exports = function(payload, options, fn) { // pull out the params we can use var address = options.address; var algorithm = options.algorithm; var client = options.client; // get the data var data = payload.getData(); // sanity check if(!client) return fn(null); // get the certificate var cert = client.getPeerCertificate(true); // just in case the peer does not provide a certificate ... if(!cert) return fn(null); // get the SSL var ssl = new OpenSSL(payload); // the variables we need to work with var downloadedPath = []; var downloadedErr = null; var suppliedPath = []; var suppliedErr = null; // download both paths async.parallel([ /** * Generate our own path with path building **/ function(cb) { // download path ssl.downloadPath(cert, 0, function(err, certs) { // parse the path given by the client if(certs) downloadedPath = certs; // set the error downloadedErr = err; // finish cb(null); }); }, /** * Generates and parses certificates that have been passed * by the server which SSL will try and use and we will check. **/ function(cb) { // first get all the certificates ssl.getPeerCertificates(cert, function(err, peers) { // set the error suppliedErr = err; // handle error if any if(err) return cb(null); // download path ssl.parseCertificates(peers, function(err, certs) { // parse the path given by the client if(certs) suppliedPath = certs; // set the error suppliedErr = err; // finish cb(null); }); }); } ], function(err) { // did we get a error ? if(err) { // output stderr payload.debug('checks', 'Problem downloading and walking paths of certificates', err); // done return fn(err); } // we need atleast one given certificate to check the chain ... if(suppliedPath.length === 0) { // nope out of here return fn(null); } // right so make a presentable chain we can use var presentableChain = ssl.buildPresentableChain(downloadedPath, suppliedPath); // run each of the rules async.each(chainTestFuncs, function(testFunc, cb) { // run the test testFunc(payload, _.extend({}, options, { expected: downloadedPath, supplied: suppliedPath, merged: presentableChain, address: address }), cb); }, function(err) { // finish fn(null); }); }); };