Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pshtt and sslyze appear to be inconsistent with respect to certificate expiration #181

Open
jsf9k opened this issue Jan 15, 2019 · 1 comment
Open

pshtt and sslyze appear to be inconsistent with respect to certificate expiration #181

jsf9k opened this issue Jan 15, 2019 · 1 comment
Labels
bug This issue or pull request addresses broken functionality

Comments

@jsf9k
Copy link
Member

jsf9k commented Jan 15, 2019

@dav3r noticed that if he performs the MongoDB queries db.https_scan.find({'latest':True, 'https_expired_cert':True}) and db.sslyze_scan.find({'latest':True, 'not_after':{'$lte':util.utcnow()}}) then he gets different answers. Specifically, the first query returns more results.

While sslyze is just saving the "not after" data directly from the certificate, pshtt is performing a bit of analysis to obtain its result. One thought is that perhaps this logic causes https_expired_cert to be True when there is an expired cert up the chain. Even if this logic is valid, this discrepancy between pshtt and sslyze needs to be understood.

CC: @dav3r, @KyleEvers
@jsf9k jsf9k added the bug This issue or pull request addresses broken functionality label Jan 15, 2019
@jsf9k jsf9k pinned this issue Jan 15, 2019
@arcsector
Copy link
Contributor

I'm seeing this behavior too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue or pull request addresses broken functionality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jsf9k @arcsector