UNPKG

@passmarked/ssl

Version:

Rules that relate to checking the SSL configuration of each individual resolved server from the domain to ensure locked down config with the broadest compatibility

github.com/passmarked/ssl

passmarked/ssl

124 lines (88 loc) 2.86 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
// pull in our modules const url = require('url'); const childProcess = require('child_process'); const S = require('string'); const OpenSSL = require('../certificates'); /** * Parse the regex **/ var verificationRegex = new RegExp(/peer\s+signing\s+digest:\s+(.*)/gi); /** * Pulls the certificate and checks ge **/ module.exports = exports = function(payload, options, fn) { // pull out the params we can use var address = options.address; var algorithm = options.algorithm; var client = options.client; var socket = options.client; // get the data var data = payload.getData(); // only if SSL if(S( data.url.toLowerCase() ).startsWith("https") == false) return fn(null); // get the SSL var ssl = new OpenSSL(payload, address, socket); // parse the url var uri = url.parse( data.url ); // build the commands to send var args = [ 'echo', 'QUIT', '|', ssl.getExecutable(), 's_client', '-CApath', '/etc/ssl/certs', '-connect', address + ':' + (uri.port || 443), '-servername', uri.hostname ]; // execute the actual process ssl.exec(args.join(' '), function(err, stdout, stderr) { // check for a error if(err) { // output to stderr payload.debug('checks', 'Something went wrong while trying to verify the SSL certificate'); // done return fn(null); } // to string just in case stdout = (stdout || '').toString(); stderr = (stderr || '').toString(); // get the output var output = stdout + '\n' + stderr; // check if client connected if(output.toLowerCase().indexOf('connected(') == -1) return fn(null); // get the matches var matches = output.match(/peer\s+signing\s+digest:\s+(.*)/gi); // verificationRegex.exec(output); // were we able to parse out a connection ? if(!matches) return fn(null); // get the code and message var hashLevel = S( (matches[0] || '').toLowerCase().split(':')[1] ).trim().s; // if anything else than "0", signalling a unverified SSL certificate if(hashLevel == 'sha1') { // split up the lines var lines = output.split('\n'); // build a code sample var build = payload.getSnippetManager().build(lines, -1, function(line) { return line.indexOf('peer signing digest') != -1; }); // add the vunerable rule payload.addRule({ type: 'error', key: 'sha1', message: 'SSL certificate signed using SHA1' }, { display: 'code', message: 'The certificate supplied by $ was signed by SHA1', code: build, identifiers: [ address ] }); } // done ! fn(null) }); };