2015-07-22 16:47:09 -04:00
|
|
|
"""Validators to determine the current webserver configuration"""
|
2015-07-22 21:25:09 -04:00
|
|
|
import logging
|
|
|
|
|
import socket
|
2015-07-22 16:47:09 -04:00
|
|
|
import requests
|
|
|
|
|
import zope.interface
|
|
|
|
|
|
2015-07-22 21:25:09 -04:00
|
|
|
from acme import crypto_util
|
|
|
|
|
from acme import errors as acme_errors
|
2015-07-22 16:47:09 -04:00
|
|
|
from letsencrypt import interfaces
|
|
|
|
|
|
|
|
|
|
|
2015-07-22 21:25:09 -04:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
|
|
2015-07-22 16:47:09 -04:00
|
|
|
class Validator(object):
|
|
|
|
|
# pylint: disable=no-self-use
|
|
|
|
|
"""Collection of functions to test a live webserver's configuration"""
|
|
|
|
|
zope.interface.implements(interfaces.IValidator)
|
|
|
|
|
|
2015-07-22 21:25:09 -04:00
|
|
|
def certificate(self, cert, name, alt_host=None, port=443):
|
|
|
|
|
"""Verifies the certificate presented at name is cert"""
|
|
|
|
|
host = alt_host if alt_host else socket.gethostbyname(name)
|
|
|
|
|
try:
|
|
|
|
|
presented_cert = crypto_util.probe_sni(name, host, port)
|
|
|
|
|
except acme_errors.Error as error:
|
|
|
|
|
logger.exception(error)
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
return presented_cert.digest("sha256") == cert.digest("sha256")
|
|
|
|
|
|
|
|
|
|
def redirect(self, name, port=80, headers=None):
|
2015-07-22 16:47:09 -04:00
|
|
|
"""Test whether webserver redirects to secure connection."""
|
2015-07-22 21:25:09 -04:00
|
|
|
url = "http://{0}:{1}".format(name, port)
|
|
|
|
|
if headers:
|
|
|
|
|
response = requests.get(url, headers=headers, allow_redirects=False)
|
|
|
|
|
else:
|
|
|
|
|
response = requests.get(url, allow_redirects=False)
|
2015-07-22 16:47:09 -04:00
|
|
|
|
|
|
|
|
if response.status_code not in (301, 303):
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
redirect_location = response.headers.get("location", "")
|
|
|
|
|
if not redirect_location.startswith("https://"):
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
if response.status_code != 301:
|
2015-07-22 21:25:09 -04:00
|
|
|
logger.error("Server did not redirect with permanent code")
|
|
|
|
|
return False
|
2015-07-22 16:47:09 -04:00
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
2015-07-22 21:25:09 -04:00
|
|
|
def hsts(self, name):
|
2015-07-22 16:47:09 -04:00
|
|
|
"""Test for HTTP Strict Transport Security header"""
|
2015-07-22 21:25:09 -04:00
|
|
|
headers = requests.get("https://" + name).headers
|
2015-07-22 16:47:09 -04:00
|
|
|
hsts_header = headers.get("strict-transport-security")
|
|
|
|
|
|
|
|
|
|
if not hsts_header:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
# Split directives following RFC6797, section 6.1
|
|
|
|
|
directives = [d.split("=") for d in hsts_header.split(";")]
|
|
|
|
|
max_age = [d for d in directives if d[0] == "max-age"]
|
|
|
|
|
|
|
|
|
|
if not max_age:
|
2015-07-22 21:25:09 -04:00
|
|
|
logger.error("Server responded with invalid HSTS header field")
|
|
|
|
|
return False
|
2015-07-22 16:47:09 -04:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
_, max_age_value = max_age[0]
|
|
|
|
|
max_age_value = int(max_age_value)
|
|
|
|
|
except ValueError:
|
2015-07-22 21:25:09 -04:00
|
|
|
logger.error("Server responded with invalid HSTS header field")
|
|
|
|
|
return False
|
2015-07-22 16:47:09 -04:00
|
|
|
|
|
|
|
|
# Test whether HSTS does not expire for at least two weeks.
|
|
|
|
|
if max_age_value <= (2 * 7 * 24 * 3600):
|
2015-07-22 21:25:09 -04:00
|
|
|
logger.error("HSTS should not expire in less than two weeks")
|
|
|
|
|
return False
|
2015-07-22 16:47:09 -04:00
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def ocsp_stapling(self, name):
|
|
|
|
|
"""Verify ocsp stapling for domain."""
|
|
|
|
|
raise NotImplementedError()
|
