Ports other than 443 result in null values where there shouldn't be null values #254

Open
arcsector opened this issue Jun 26, 2024 · 0 comments


🐛 Summary

"HTTPS Custom Truststore Trusted" and "HTTPS Cert Chain Length" check results are null when specifying a port number with a URL. These should not be null, and should instead be representative of the actual values reflected.

To reproduce

Steps to reproduce the behavior:

  • Scan a normal website without a port number with a custom CA file: pshtt --timeout 2 --ca-file=custom_ca_file.pem google.com
  • Observe that these fields are not null
  • Scan the same website, but with the port number: pshtt --timeout 2 --ca-file=custom_ca_file.pem google.com:443
  • Observe that these fields are null
  • Scan any other website on any port specified: pshtt --timeout 2 --ca-file=custom_ca_file.pem example.com:9443
  • Observe that these fields are null

Expected behavior

These should not be null, and should instead be representative of the actual values reflected. SSLyze, for example, gets these values correct even when the port is provided, but PSHTT does not.

Any helpful log output or screenshots

Paste the results here:

arcsector@device ~/test pshtt> pshtt --timeout 2 --ca-file=google_root.pem google.com:443 --debug --json 2> /dev/null

-------------------------

Fetching Chrome preload list from source...
Starting new HTTPS connection (1): chromium.googlesource.com:443
https://chromium.googlesource.com:443 "GET /chromium/src/+/main/net/http/transport_security_state_static.json?format=TEXT HTTP/1.1" 200 None

-------------------------

Fetching hstspreload.org pending list...
Starting new HTTPS connection (1): hstspreload.org:443
https://hstspreload.org:443 "GET /api/v2/pending HTTP/1.1" 200 None

-------------------------

Pinging http://google.com:443...
Starting new HTTP connection (1): google.com:443
[
  {
    "Base Domain": "google.com:443",
    "Base Domain HSTS Preloaded": false,
    "Canonical URL": "https://www.google.com:443",
    "Defaults to HTTPS": true,
    "Domain": "google.com:443",
    "Domain Enforces HTTPS": true,
    "Domain Supports HTTPS": true,
    "Domain Uses Strong HSTS": false,
    "Downgrades HTTPS": false,
    "HSTS": false,
    "HSTS Entire Domain": false,
    "HSTS Header": null,
    "HSTS Max Age": null,
    "HSTS Preload Pending": false,
    "HSTS Preload Ready": false,
    "HSTS Preloaded": false,
    "HTTPS Bad Chain": false,
    "HTTPS Bad Hostname": false,
    "HTTPS Cert Chain Length": null, # <--- HERE
    "HTTPS Client Auth Required": false,
    "HTTPS Custom Truststore Trusted": null, # <--- HERE
    "HTTPS Expired Cert": false,
    "HTTPS Full Connection": true,
    "HTTPS Live": true,
    "HTTPS Probably Missing Intermediate Cert": false,
    "HTTPS Publicly Trusted": null,
    "HTTPS Self Signed Cert": false,
    "IP": null,
    "Live": true,
    "Notes": "",
    "Redirect": false,
    "Redirect To": null,
    "Server Header": "gws",
    "Server Version": null,
    "Strictly Forces HTTPS": true,
    "Unknown Error": true,
    "Valid HTTPS": true
    ...
  }
]
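
A check for the symptom reported above, run over pshtt's `--json` output (an added example, not part of the original issue or of pshtt's code): it flags certificate fields that are null although the endpoint completed HTTPS, so a missing result is not read as a negative one. The function names, the `ca_file_used` parameter and the sample rows are constructed for illustration.

```python
import json

# Fields the issue reports as unexpectedly null when a port is given.
CERT_FIELDS = ("HTTPS Cert Chain Length", "HTTPS Custom Truststore Trusted")

# Constructed sample in the shape of the pshtt --json output shown in the issue,
# trimmed to the fields this check reads; the values are illustrative only.
SAMPLE = json.dumps([
    {"Domain": "example.com:443", "HTTPS Live": True,
     "HTTPS Cert Chain Length": None, "HTTPS Custom Truststore Trusted": None},
    {"Domain": "example.com", "HTTPS Live": True,
     "HTTPS Cert Chain Length": 3, "HTTPS Custom Truststore Trusted": True},
    {"Domain": "down.example:9443", "HTTPS Live": False,
     "HTTPS Cert Chain Length": None, "HTTPS Custom Truststore Trusted": None},
])


def has_explicit_port(domain):
    """True for 'host:port' and '[v6]:port'; a bare IPv6 literal has no port."""
    host, sep, port = domain.rpartition(":")
    if not sep or not port.isdigit():
        return False
    return ":" not in host or (host.startswith("[") and host.endswith("]"))


def suspicious_nulls(results, ca_file_used=True):
    """Return (domain, field, has_port) for certificate fields that are null
    on a row where HTTPS was live, i.e. the value is missing, not negative."""
    findings = []
    for row in results:
        if not row.get("HTTPS Live"):
            continue  # no TLS endpoint, so null is the expected answer
        for field in CERT_FIELDS:
            # Assumption: the truststore field is only populated with --ca-file.
            if field == "HTTPS Custom Truststore Trusted" and not ca_file_used:
                continue
            if row.get(field) is None:
                findings.append(
                    (row["Domain"], field, has_explicit_port(row["Domain"])))
    return findings


if __name__ == "__main__":
    for domain, field, has_port in suspicious_nulls(json.loads(SAMPLE)):
        print(f"{domain}: {field} is null (explicit port: {has_port})")
```

Running it against scans of the same host with and without a port shows whether the nulls track the port suffix, which is the comparison the reproduction steps make by hand.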