ssllabs-scan: implement TLS configuration check using sslabs-scan

parent ce8731f4
......@@ -5,6 +5,8 @@ use Devel::StackTrace;
use File::Basename qw(basename);
use Getopt::Long;
use HTTP::Request::Common;
use IPC::Open3;
use JSON;
use List::MoreUtils qw(any);
use Net::DNS::Domain;
use Net::DNS;
......@@ -97,12 +99,60 @@ sub check_gtld_conformance {
# Implementation Guide - RDAP Protocol - 1.2: The RDAP service MUST be provided over HTTPS only.
fail("URL must use HTTPS") unless ('https' eq $url->scheme);
my $host = $url->host.'.';
# Implementation Guide - RDAP Protocol - 1.3: An RDAP server MUST use the best practices for secure use of TLS as described in​ ​RFC7525​ or its successors.
# TODO - inspect headers added by LWP to check ciphers/algorithms/key sizes, etc
warning('TLS best practices validation is not currently available');
#
# use the command-line interface to the Qualys SSLLabs scanner, server must score at least A-
#
note('running TLS configuration check - this may take a while unless a cached result is available');
my $pid = open3(undef, \*OUT, \*ERR, 'ssllabs-scan', '-quiet', '-grade', '-usecache', $host);
undef $/;
my $out = <OUT>;
my $err = <ERR>;
waitpid($pid, 0);
if (abs($? >> 8) > 0) {
fail(
'Unable to perform TLS check',
[ split(/\n/, $err) ]
);
} else {
my $json = from_json('{'.$out.'}');
#
# str is a a test score, such as "A+", "C-", "F", etc
#
my $str = uc($json->{$host});
# generate an integer based on the first character (its ASCII value, minus 64, x 3)
my $grade = 3 * (ord(substr($str, 0, 1)) - 64);
#
# increment if it's a "minus" grade
#
$grade++ if ('-' eq substr($str, 1, 1));
#
# decrement if it's a "plus" grade
#
$grade-- if ('+' eq substr($str, 1, 1));
my $msg = sprintf('TLS configuration grade is "%s"', $str);
# 4 is "A-":
if ($grade > 4) {
fail($msg);
} else {
pass($msg);
}
}
# Implementation Guide - RDAP Protocol - 1.4: An RDAP client SHOULD be able to successfully validate the TLS certificate used for the RDAP service with a ​TLSA​ record from the DNS (​RFC6698​ and RFC7671​) published by the RDAP service provider. The certificate(s) for the RDAP service associated by DNS-Based Authentication of Named Entities (DANE) SHOULD satisfy the requirements of section 1.5.
my $host = $url->host.'.';
my $answer = $resolver->query(sprintf('_443._tcp.%s.', $url->host), 'TLSA');
if (!$answer) {
fail(sprintf('No answer to TLSA query for %s', uc($url->host)));
......
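Review bot: When the grade lookup fails, the new check passes instead of failing: if `$json->{$host}` is absent (the key is looked up with the trailing-dot form of the host, which the scanner may or may not echo back), `uc(undef)` yields `""`, `ord(substr("", 0, 1))` is 0, `$grade` becomes -192 and `pass()` is called with the message `TLS configuration grade is ""`; the same happens for any value that is not a letter with an optional sign. The exit-status test `abs($? >> 8) > 0` also ignores a child killed by a signal, and `open3` croaks rather than returning when `ssllabs-scan` cannot be executed, so the whole run aborts instead of a `fail()` being recorded. `undef $/;` sets the input record separator for the rest of the program; it should be `local $/` inside a block around the two reads. The rewrite below adds those guards and keeps the grade arithmetic unchanged; note also that `my $host` is declared again a few lines further down, which will warn unless that later line is the removed copy (markers are lost on this rendered page).
```perl
note('running TLS configuration check - this may take a while unless a cached result is available');
my $pid = eval { open3(undef, \*OUT, \*ERR, 'ssllabs-scan', '-quiet', '-grade', '-usecache', $host) };
if (!$pid) {
    # open3 croaks (rather than returning) when the scanner cannot be executed
    fail('Unable to perform TLS check', [ split(/\n/, $@) ]);
} else {
    my ($out, $err);
    {
        local $/;
        $out = <OUT>;
        $err = <ERR>;
    }
    waitpid($pid, 0);
    # non-zero covers both a non-zero exit code and death by signal
    if ($? != 0) {
        fail('Unable to perform TLS check', [ split(/\n/, $err // '') ]);
    } else {
        my $json = eval { from_json('{'.$out.'}') };
        my $str = ($json && defined($json->{$host})) ? uc($json->{$host}) : undef;
        # the grade arithmetic below assumes one letter plus an optional +/- sign
        if (!defined($str) || $str !~ m/\A[A-Z][+-]?\z/) {
            fail('Unable to parse TLS configuration grade', [ split(/\n/, $out // '') ]);
        } else {
            # … unchanged: grade arithmetic and pass/fail on $grade > 4 …
        }
    }
}
```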