crypt/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-01-23 07:20:55 +03:00
Code Activity
Files
b00a3cf96317e89bc380c02e7ee1a738694ef2ea
certbot/letsencrypt/validator.py
Brad Warren 303f7ffe32 Added validator code
2015-07-22 13:47:09 -07:00

78 lines
2.6 KiB
Python
Raw Blame History

"""Validators to determine the current webserver configuration"""
import requests
import zope.interface
from letsencrypt import errors
from letsencrypt import interfaces
class Validator(object):
# pylint: disable=no-self-use
"""Collection of functions to test a live webserver's configuration"""
zope.interface.implements(interfaces.IValidator)
def redirect(self, hostname, port=80, headers=None):
"""Test whether webserver redirects to secure connection."""
response = _get("http", hostname, port, headers)
if response.status_code not in (301, 303):
return False
redirect_location = response.headers.get("location", "")
if not redirect_location.startswith("https://"):
return False
if response.status_code != 301:
error_msg = "Server did not redirect with permanent code."
raise errors.ValidationError(error_msg)
return True
def https(self, hostname, port=443, headers=None):
"""Test whether webserver supports HTTPS"""
_get("https", hostname, port, headers)
return True
def hsts(self, hostname):
"""Test for HTTP Strict Transport Security header"""
headers = requests.get("https://" + hostname).headers
hsts_header = headers.get("strict-transport-security")
if not hsts_header:
return False
# Split directives following RFC6797, section 6.1
directives = [d.split("=") for d in hsts_header.split(";")]
max_age = [d for d in directives if d[0] == "max-age"]
if not max_age:
error_msg = "Server responded with invalid HSTS header field."
raise errors.ValidationError(error_msg)
try:
_, max_age_value = max_age[0]
max_age_value = int(max_age_value)
except ValueError:
error_msg = "Server responded with invalid HSTS header field."
raise errors.ValidationError(error_msg)
# Test whether HSTS does not expire for at least two weeks.
if max_age_value <= (2 * 7 * 24 * 3600):
error_msg = "HSTS should not expire in less than two weeks."
raise errors.ValidationError(error_msg)
return True
def ocsp_stapling(self, name):
"""Verify ocsp stapling for domain."""
raise NotImplementedError()
def _get(scheme, hostname, port, headers, **kwargs):
"""Makes a GET request for specified resource"""
url = "{0}://{1}:{2}".format(scheme, hostname, port)
if headers:
return requests.get(url, headers=headers, **kwargs)
else:
return requests.get(url, **kwargs)
View Git Blame Copy Permalink