jmhodges / howsmyssl Goto Github PK
View Code? Open in Web Editor NEWThe web app running howsmyssl.com
License: MIT License
The web app running howsmyssl.com
License: MIT License
Test case using the Excon Ruby client:
$ EXCON_DEBUG=true irb -r excon
irb(main):001:0> Excon.get "https://www.howsmyssl.com/a/check"
excon.request {:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0", "Host"=>"www.howsmyssl.com:443"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>false, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>"REDACTED", :instrumentor=>Excon::StandardInstrumentor, :method=>:get, :retries_remaining=>4, :connection=>#<Excon::Connection:7fb5a188bc98 @data={:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>false, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>nil, :instrumentor=>Excon::StandardInstrumentor} @socket_key="https://www.howsmyssl.com:443">, :stack=>#<Excon::Middleware::ResponseParser:0x007fb5a188acd0 @stack=#<Excon::Middleware::Expects:0x007fb5a188acf8 @stack=#<Excon::Middleware::Idempotent:0x007fb5a188ad20 @stack=#<Excon::Middleware::Instrumentor:0x007fb5a188ad48 @stack=#<Excon::Middleware::Mock:0x007fb5a188ad98 @stack=#<Excon::Connection:7fb5a188bc98 @data={:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>false, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>nil, :instrumentor=>Excon::StandardInstrumentor} @socket_key="https://www.howsmyssl.com:443">>>>>>}
excon.response {:body=>"<a href=\"https://www.howsmyssl.com/a/check\">Moved Permanently</a>.\n\n", :headers=>{"Location"=>"https://www.howsmyssl.com/a/check", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains", "Date"=>"Thu, 30 Jan 2014 17:17:15 GMT", "Content-Length"=>"68", "Content-Type"=>"text/html; charset=utf-8", "Connection"=>"close"}, :status=>301, :remote_ip=>"54.245.96.51"}
=> #<Excon::Response:0x007fb5a3a32978 @data={:body=>"<a href=\"https://www.howsmyssl.com/a/check\">Moved Permanently</a>.\n\n", :headers=>{"Location"=>"https://www.howsmyssl.com/a/check", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains", "Date"=>"Thu, 30 Jan 2014 17:17:15 GMT", "Content-Length"=>"68", "Content-Type"=>"text/html; charset=utf-8", "Connection"=>"close"}, :status=>301, :remote_ip=>"54.245.96.51"}, @body="<a href=\"https://www.howsmyssl.com/a/check\">Moved Permanently</a>.\n\n", @headers={"Location"=>"https://www.howsmyssl.com/a/check", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains", "Date"=>"Thu, 30 Jan 2014 17:17:15 GMT", "Content-Length"=>"68", "Content-Type"=>"text/html; charset=utf-8", "Connection"=>"close"}, @status=301, @remote_ip="54.245.96.51">
irb(main):002:0> Excon.get "https://www.howsmyssl.com/a/check", omit_default_port: true
excon.request {:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0", "Host"=>"www.howsmyssl.com"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>true, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>"REDACTED", :instrumentor=>Excon::StandardInstrumentor, :method=>:get, :retries_remaining=>4, :connection=>#<Excon::Connection:7fb5a3a19b58 @data={:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>true, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>nil, :instrumentor=>Excon::StandardInstrumentor} @socket_key="https://www.howsmyssl.com">, :stack=>#<Excon::Middleware::ResponseParser:0x007fb5a3a18b90 @stack=#<Excon::Middleware::Expects:0x007fb5a3a18bb8 @stack=#<Excon::Middleware::Idempotent:0x007fb5a3a18be0 @stack=#<Excon::Middleware::Instrumentor:0x007fb5a3a18c08 @stack=#<Excon::Middleware::Mock:0x007fb5a3a18c58 @stack=#<Excon::Connection:7fb5a3a19b58 @data={:chunk_size=>1048576, :ciphers=>"HIGH:!SSLv2:!aNULL:!eNULL:!3DES", :connect_timeout=>60, :debug_request=>false, :debug_response=>false, :headers=>{"User-Agent"=>"excon/0.31.0"}, :idempotent=>false, :instrumentor_name=>"excon", :middlewares=>[Excon::Middleware::ResponseParser, Excon::Middleware::Expects, Excon::Middleware::Idempotent, Excon::Middleware::Instrumentor, Excon::Middleware::Mock], :mock=>false, :nonblock=>true, :omit_default_port=>true, :persistent=>false, :read_timeout=>60, :retry_limit=>4, :ssl_verify_peer=>true, :tcp_nodelay=>false, :uri_parser=>URI, :write_timeout=>60, :host=>"www.howsmyssl.com", :path=>"/a/check", :port=>443, :query=>nil, :scheme=>"https", :user=>nil, :password=>nil, :instrumentor=>Excon::StandardInstrumentor} @socket_key="https://www.howsmyssl.com">>>>>>}
excon.response {:body=>"{\"given_cipher_suites\":[\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"],\"ephemeral_keys_supported\":true,\"session_ticket_supported\":true,\"tls_compression_supported\":true,\"unknown_cipher_suite_supported\":false,\"beast_vuln\":false,\"able_to_detect_n_minus_one_splitting\":false,\"insecure_cipher_suites\":{},\"tls_version\":\"TLS 1.2\",\"rating\":\"Bad\"}", :headers=>{"Content-Length"=>"2306", "Connection"=>"close", "Content-Type"=>"application/json", "Date"=>"Thu, 30 Jan 2014 17:17:19 GMT", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains"}, :status=>200, :remote_ip=>"54.245.96.51"}
=> #<Excon::Response:0x007fb5a39e2a68 @data={:body=>"{\"given_cipher_suites\":[\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"],\"ephemeral_keys_supported\":true,\"session_ticket_supported\":true,\"tls_compression_supported\":true,\"unknown_cipher_suite_supported\":false,\"beast_vuln\":false,\"able_to_detect_n_minus_one_splitting\":false,\"insecure_cipher_suites\":{},\"tls_version\":\"TLS 1.2\",\"rating\":\"Bad\"}", :headers=>{"Content-Length"=>"2306", "Connection"=>"close", "Content-Type"=>"application/json", "Date"=>"Thu, 30 Jan 2014 17:17:19 GMT", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains"}, :status=>200, :remote_ip=>"54.245.96.51"}, @body="{\"given_cipher_suites\":[\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_256_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384\",\"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_RSA_WITH_AES_256_CBC_SHA256\",\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA\",\"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\",\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\",\"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256\",\"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"TLS_RSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA\",\"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"],\"ephemeral_keys_supported\":true,\"session_ticket_supported\":true,\"tls_compression_supported\":true,\"unknown_cipher_suite_supported\":false,\"beast_vuln\":false,\"able_to_detect_n_minus_one_splitting\":false,\"insecure_cipher_suites\":{},\"tls_version\":\"TLS 1.2\",\"rating\":\"Bad\"}", @headers={"Content-Length"=>"2306", "Connection"=>"close", "Content-Type"=>"application/json", "Date"=>"Thu, 30 Jan 2014 17:17:19 GMT", "Strict-Transport-Security"=>"max-age=631138519; includeSubdomains"}, @status=200, @remote_ip="54.245.96.51">
Note in the first request (which redirects) the debug output shows that the request headers are {"User-Agent"=>"excon/0.31.0", "Host"=>"www.howsmyssl.com:443"}
and in the second one (which works as expected), they are: {"User-Agent"=>"excon/0.31.0", "Host"=>"www.howsmyssl.com"}
.
According to the Host header section of the HTTP/1.1 spec:
Host = "Host" ":" host [ ":" port ] ; Section 3.2.2
A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL).
Clearly, a port in the Host
header is allowed but if missing it is assumed to be 80 for HTTP and 443 for HTTPS. Roughly, I read that to mean: treat Host: example.com
as Host: example.com:80
for HTTP requests and Host: example.com:443
for HTTPS requests.
Currently, just defining it in client_info.go
"Good Your client doesn't use any cipher suites that are known to be insecure."
...
TLS_RSA_WITH_RC4_128_MD5
http://en.wikipedia.org/wiki/MD5#Security - tl;dr "severely compromised"
http://en.wikipedia.org/wiki/RC4#Security - tl;dr "compromised"
- However, the modern security environment has pushed us to TLS 1.2. Clients using it will be marked down to at least Improvable.
+ However, the modern security environment has pushed us to TLS 1.2. Clients using TLS 1.1 will be marked down to at least Improvable.
Edit: Oh and BTW great initiative, thanks!
The Google Cloud API client libraries for Go are making some breaking changes:
google.golang.org/cloud/...
tocloud.google.com/go/...
. For example, if your code imports the BigQuery clientimport "google.golang.org/cloud/bigquery"
import "cloud.google.com/go/bigquery"
google.golang.org/cloud
togoogle.golang.org/api/option
. Two have also been renamed:
WithBaseGRPC
is now WithGRPCConn
WithBaseHTTP
is now WithHTTPClient
cloud.WithContext
and cloud.NewContext
methods are gone, as are theClient
You should make these changes before September 12, 2016, when the packages at
google.golang.org/cloud
will go away.
Build in a way to shutdown the process gracefully as possible.
We can't use only other people's libraries because they all just take Hijack'ed connections out of their counts as soon as they are hijacked.
Don't want to hit your servers from all my clients. Instead, I wanted to build my own. Understand that API is built for Go. Questions:
After this revelations.
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
it would be probably a good idea to add a warning for this as suggested by:
https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
I just tested the howsmyssl.com domain with Qualys' SSL Labs tester and it raised multiple issues. Full results are here: https://www.ssllabs.com/ssltest/analyze.html?d=howsmyssl.com
The howsmyssl.com site itself is great and very helpful - thanks for making it available - but I wonder if these points should be addressed?
These may not be important enough to fix right away but following Mozilla's Server Side TLS documentation could get you an easy 'A' grade and boost the security of your website.
.NET WebClient with security forced to SSL3 cannot connect to www.howsmyssl.com.
I think that site that is testing status of client SSL/TLS should support connection via obsolete protocols..
Would be great to be able to detect the recently discovered GNUTLS issue:
It tells me my TLS version is bad because I have TLS 1.3 enabled. I'd suggest to either either ignore higher versions of TLS or explicitly handle 1.3.
Not strictly security, but it's critical for scaling / deployment.
Even though this is aimed at client-side SSL, and Heartbleed attention has been focused on vulnerable servers, client-side attacks are a real thing:
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
Hi guys,
First, thanks for this project. It has been great!
We've been getting a lot of site slowdowns because we're using the functions to test for TLS settings. The anecdotal evidence is that the page takes forever to render because we're waiting on the TLS check to complete (we have to show a warning if the browser doesn't pass muster).
Using fiddler I have occasionally seen 502 errors.
Can you let me know if you're under heavy load or something is amiss?
Thanks!
From teh session tickets section:
That trade-off between is why How's My SSL will [...]
EXP1024-RC4-MD5
and EXP1024-RC2-CBC-MD5
are shown as unknown ciphers (0x0060
and 0x0061
, respectively). They are very weak, and should be marked as weak because they use 56-bit encryption.
(Originally mentioned in issue 4, but that's been closed with provision of server support for secure renegotiation, which is reasonable.)
The webapp should report whether the connected client supports RFC 5746 secure renegotiation. This involves looking for a special ClientHello extension token and ciphersuite value. See specifically section 3.4 of the RFC for what to look for.
Requires sending back a CBC suite on TLS 1.0 or lower. Chrome and Firefox do this.
The site presently does not support RFC 5746 secure renegotiation at all. Ironically, this means extra-paranoid clients -- the very ones the site should be encouraging the existence of -- will refuse even to connect. For more information, see the original writeup of the exploit (PDF) and Mozilla's summary of the issue and description of its (transitional) client behavior.
A proper fix has two facets:
howsmyssl says that SRP ciphers do not authenticate the server. As far as I can tell, this is not the case.
openssl used to classify SRP ciphers as aNULL, but that was a bug that is now fixed:
https://rt.openssl.org/Ticket/Display.html?id=3396&user=guest&pass=guest
Think about how to make an api with multiple ports work well.
I really don't think this will be easy to automate what with some many "successes" needing to be failures to connect in the client that we just can't test.
Given the recent Logjam announcement it would be helpful to understand the maximum DH Parameter size supported by each tested client. The current recommendation is to use 2048 bit DH parameters but some clients, most notably Java 6/7, only support 1024 bit DH.
Hi,
Please make the testing site secure.
See security report @ https://www.ssllabs.com/ssltest/analyze.html?d=howsmyssl.com
You should run the tests on other subdomains, just in case they get hacked.
Like how https://rc4.io/ does it. The tests on run on different subdomains.
Thanks,
Will
The site does not mention SSL safe negotiation or the lack thereof. It does appear to be doing unsafe negotiation and breaks when safe is required.
To reproduce in Firefox:
about:config
security.ssl.require_safe_negotiation
to True
security.ssl.treat_unsafe_negotiation_as_broken
to True
It's great to see what's broken, but it'd be even better to see how to fix it.
If you could add advice on how to fix certain issues (if they can be fixed) on the client, that'd make this so much more useful.
I asked @agl for his opinion on how to talk about RC4 in the text:
"From the client's point of view, it can know that [Chrome] has record splitting against the BEAST attack, but not if the server has been Lucky13 patched. So, I don't know. Both CBC and RC4 are shitty and I'm not sure whether one is clearly worse than the other."
Neither do I. Currently, I'm punting on the problem by not talking about it. Perhaps saying something if it's the first or in the first few ciphers (and all others before are secure) is worth something.
Not strictly security, but it's going to be required for HTTP/2.
Feature Request:
There seemingly isn't any good test server for SSL with client certificates. Support in howsmyssl for client certificates would be useful when testing with smartcards etc.
This is possible with openssl s_server -verify or -Verify.
It seems like the go tls supports it, but it just isn't possible for the server to request or shown anywhere in the output.
Calling https://www.howsmyssl.com/a/check from an IE8 browser is failing because of an SSL certificate error, which unfortunately makes this tool ineffective for IE8. (Sorry if this is not the right forum to report this since it's not a code bug.)
If I visit https://www.howsmyssl.com in IE8 I get this warning:
When I continue past the warning and look at the certificate error, I see that IE8 thinks the cert is for a different site.
The cert looks fine to me and does not generate an error in IE 11 or other modern browsers. Possibly a problem with IE8 not recognizing modern certs?
libsoup-based web browsers like Epiphany receive a bad rating from howsmyssl.com because:
"Your client supports cipher suites that are known to be insecure:
TLS_DHE_DSS_WITH_RC4_128_SHA: This cipher uses keys smaller than 128 bits in its encryption."
libsoup indirectly uses GnuTLS, and the GnuTLS developers believe this to be a secure cipher suite [1].
It looks like this may already have been fixed by [2], but perhaps not deployed?
I don't know how possible this is considering there's only really one connection from the client to howsmyssl, rather than the other way around (like with SSL Labs's server test), but it would be great if there was a way to figure out the status for each SSL/TLS protocol to see which are enabled (or not).
Perhaps you could use some type of TLS fallback negotiation to help better figure out which SSL/TLS protocol versions are enabled? or could you have it go through a series of redirects that lower the possible SSL/TLS protocol for each new connection? Just brainstorming to see what might be possible.
Probably a lot more is possible if you're using AJAX, but that makes the API side much harder, which is honestly the more useful option.
I have the following integration test that calls out to howsmyssl.com, so that users can call out and verify that their TLS configuration is correct: https://www.playframework.com/documentation/2.3.x/TestingSSL
Right now, this fails on JDK 1.8 with
New I/O worker #1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
Further investigation showed that JSSE is looking for "GeoTrust SSL CA - G2", an intermediate certificate, and not finding it:
null: SunCertPathBuilder.depthFirstSearchForward(CN=GeoTrust SSL CA - G2, O=GeoTrust Inc., C=US, State [
issuerDN of last cert: CN=GeoTrust SSL CA - G2, O=GeoTrust Inc., C=US
traversedCACerts: 0
init: false
keyParamsNeeded: false
subjectNamesTraversed:
[CN=howsmyssl.com, O=Darkish Green, L=San Francisco, ST=California, C=US, DNSName: www.howsmytls.com, DNSName: howsmytls.com, DNSName: howsmyssl.com, DNSName: www.howsmyssl.com]]
)
It is not included in the trust store /Library/Java/JavaVirtualMachines/jdk1.8.0_05.jdk/Contents/Home/jre/lib/security/cacerts.
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=howsmyssl.com&s=54.214.47.180 shows that GeoTrust SSL CA - G2 is not included in the certificate chain, so the chain is incomplete.
extra download GeoTrust SSL CA - G2
SHA1: 4f56644858829ffb85a770171accf9f8407a137b
RSA 2048 bits / SHA1withRSA
WEAK SIGNATURE
Causing PKIX to fail, because it can't find the intermediate certificate (as described here http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html).
What I can do in the mean time is specifically add the intermediate certificate to the integration test:
"WS" should {
"verify common behavior" in {
val geoTrustPem =
"""-----BEGIN CERTIFICATE-----
|MIIEWTCCA0GgAwIBAgIDAjpjMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYT
|AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz
|dCBHbG9iYWwgQ0EwHhcNMTIwODI3MjA0MDQwWhcNMjIwNTIwMjA0MDQwWjBE
|MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UE
|AxMUR2VvVHJ1c3QgU1NMIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|DwAwggEKAoIBAQC5J/lP2Pa3FT+Pzc7WjRxr/X/aVCFOA9jK0HJSFbjJgltY
|eYT/JHJv8ml/vJbZmnrDPqnPUCITDoYZ2+hJ74vm1kfy/XNFCK6PrF62+J58
|9xD/kkNm7xzU7qFGiBGJSXl6Jc5LavDXHHYaKTzJ5P0ehdzgMWUFRxasCgdL
|LnBeawanazpsrwUSxLIRJdY+lynwg2xXHNil78zs/dYS8T/bQLSuDxjTxa9A
|kl0HXk7+Yhc3iemLdCai7bgK52wVWzWQct3YTSHUQCNcj+6AMRaraFX0DjtU
|6QRN8MxOgV7pb1JpTr6mFm1C9VH/4AtWPJhPc48Obxoj8cnI2d+87FLXAgMB
|AAGjggFUMIIBUDAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAd
|BgNVHQ4EFgQUEUrQcznVW2kIXLo9v2SaqIscVbwwEgYDVR0TAQH/BAgwBgEB
|/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov
|L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUH
|AQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20w
|TAYDVR0gBEUwQzBBBgpghkgBhvhFAQc2MDMwMQYIKwYBBQUHAgEWJWh0dHA6
|Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwKgYDVR0RBCMwIaQf
|MB0xGzAZBgNVBAMTElZlcmlTaWduTVBLSS0yLTI1NDANBgkqhkiG9w0BAQUF
|AAOCAQEAPOU9WhuiNyrjRs82lhg8e/GExVeGd0CdNfAS8HgY+yKk3phLeIHm
|TYbjkQ9C47ncoNb/qfixeZeZ0cNsQqWSlOBdDDMYJckrlVPg5akMfUf+f1Ex
|RF73Kh41opQy98nuwLbGmqzemSFqI6A4ZO6jxIhzMjtQzr+t03UepvTp+UJr
|YLLdRf1dVwjOLVDmEjIWE4rylKKbR6iGf9mY5ffldnRk2JG8hBYo2CVEMH6C
|2Kyx5MDkFWzbtiQnAioBEoW6MYhYR3TjuNJkpsMyWS4pS0XxW4lJLoKaxhgV
|RNAuZAEVaDj59vlmAwxVG52/AECu8EgnTOCAXi25KhV6vGb4NQ==
|-----END CERTIFICATE-----
""".stripMargin
val configString = """
|ws.ssl.debug=["certpath", "ssl", "trustmanager"]
|ws.ssl.protocol="TLSv1.2"
|ws.ssl.enabledProtocols=["TLSv1.2"]
|
|ws.ssl.trustManager = {
| stores = [
| { path: ${java.home}/lib/security/cacerts, password = "changeit" },
| { type: "PEM", data = ${geotrust.pem} }
| ]
|}
""".stripMargin
val rawConfig = ConfigFactory.parseString(configString)
val configWithPem = rawConfig.withValue("geotrust.pem", ConfigValueFactory.fromAnyRef(geoTrustPem))
val configWithSystemProperties = ConfigFactory.load(configWithPem)
val playConfiguration = play.api.Configuration(configWithSystemProperties)
val client = createClient(playConfiguration)
val response = await(client.url("https://www.howsmyssl.com/a/check").get())(5.seconds)
response.status must be_==(200)
val jsonOutput = response.json
val result = (jsonOutput \ "tls_version").validate[String]
result must beLike {
case JsSuccess(value, path) =>
value must contain("TLS 1.2")
}
}
}
but it would be nice if the certificate chain included everything up to (but not including) the root certificate.
this should be fixed for a service "that tells you how secure your TLS client is".
see also: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
A new Google exploit allows an attacker to read the plaintext of a ssl v3 attack. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
If possible, howsmyssl should warn about this protocol.
What about supporting the following ciphersuites?
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {0xC0,0xAC}
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {0xC0,0xAD}
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {0xC0,0xAE}
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {0xC0,0xAF}
As defined by this https://tools.ietf.org/html/rfc7251
This memo describes the use of the Advanced Encryption Standard (AES)
in the Counter and CBC-MAC Mode (CCM) of operation within Transport
Layer Security (TLS) to provide confidentiality and data-origin
authentication. The AES-CCM algorithm is amenable to compact
implementations, making it suitable for constrained environments,
while at the same time providing a high level of security. The
cipher suites defined in this document use Elliptic Curve
Cryptography (ECC) and are advantageous in networks with limited
bandwidth.
I have a mbedTLS-based client (the ReactOS secure sockets support layer) which shows up as bad because you guys haven't filled the look-up arrays with these high-security ciphers for embedded clients.
Test cert validation by the client, to catch the apple dup line bug, as well as other problems.
This came up in the ietf saag wg meeting in London; apparently NIST has a repository of tests along this line.
Bonus points for subjectaltname checks and other parts of webpki.
When I load the page in Firefox 24.0 on Mac OS X 10.8.5 and refresh it several times, I sometimes get this message:
BEAST Vulnerability
Good Your client is not vulnerable to the BEAST attack because it's using a TLS protocol newer than TLS 1.0...
and sometimes this one:
BEAST Vulnerability
Good Your client is not vulnerable to the BEAST attack. While it's using TLS 1.0 in conjunction with Cipher-Block Chaining cipher suites...
% http https://www.howsmyssl.com/a/check
http: error: SSLError: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Great service!
It'd be great if this worked for remote URLs and not just clients. Could be handy for sysadmins.
Your SSL client is Probably Okay.
I'd bet our TLS clients are all insecure, vulnerable to attacks that haven't been published yet. A more accurate message might be:
Your SSL client is okay—so far as we know
Just a musing. I don't expect any change. Great project.
Hi ,
we are using "https://www.howsmyssl.com/a/check?callback=parseTLSinfo" in javascript.
to get the TLS version to verify the user using correct browser or not in our website.but i am getting
this error "429- Too Many Requests" .may i know how do i fix it?
Thanks & Regards
Senthilnathan
Somewhere, somehow, when howsmyssl is running on our server (and we call it with javascript), our site URL is getting hijacked because a 301 response code is happening. We're using IIS for our main site (and the 301 is not in the IIS log-file, so I'm assuming it's coming from howsmyssl).
I found a redirect in howsmyssl.go that looks like this:
func commonRedirect(redirectHost string) http.Handler {
hf := func(w http.ResponseWriter, r *http.Request) {
commonRedirects.Add(1)
if r.Header.Get(xForwardedProto) == "https" {
w.Header().Set("Strict-Transport-Security", hstsHeaderValue)
}
u := r.URL
// Never set by the Go HTTP library.
u.Scheme = "https"
u.Host = redirectHost
http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
}
return http.HandlerFunc(hf)
}
However, after chaning the StatusMovedPermanently to StatusFound, nothing changed: I'm still getting a 301 from somewhere.
Thoughts?
--Owen
Please take a look here: https://www.ssllabs.com/ssltest/analyze.html?d=howsmyssl.com
Is it right for howsmyssl.com to only get a C? Does the site have to accept SSL3 and be vulnurable to test the visitor for it? And what about adding TLS_FALLBACK_SCSV to prevent protocol downgrade attacks? Sorry if this is a dumb question.
Hi,
This rest url is very useful for us, because of CORS, we can't access it by ajax in our pages, so do you consider publish a jsonp url?
It would be kind of cool to have a quick reference diagram for TSL support on the various browsers/OS combinations - Firefox's score is notably disappointing, while IE's is expected. Additionally, there were some oddities between the OSes I tested - Chrome (and Chromium) on Linux apparently only support TLS 1.1 while Chrome on Windows supports 1.2. I don't have immediate access to OSX, but there may be differences there as well (for example, Windows Safari only supports TLS 1.0 but is probably not a high priority project).
Having this data immediately accessible would also allow for the site to recommend the browser(s) with the best TLS support for a given visitor's platform in the event that the one they're using is insecure.
This is because of the new codepoints which were assigned for ChaCha20Poly1305 suites:
https://boringssl.googlesource.com/boringssl/+/master/ssl/ssl_cipher.c#587
TLS 1.3, now remembered by howsmyssl as A Good Thing to support, specifies some new ciphers that browsers already do support. What’s new about these new ciphers is that they use previous session information, stored at the client side and sent to the server for resuming a previous encrypted session without going through full handshake. This reduces the overhead of session startup considerably and also reduces the time it takes for the session to be up.
Appendix A.4, Cipher Suites of the latest draft of TLS 1.3 specification, defines five new ciphers of which some are even declared as mandatory for TLS compliance. Note that they only make sense for use if the client already remembers previous session information which can be resumed with. Firefox, for example, gets a ‘probably good’ indication on first connection with https://www.howsmyssl.com, but on a subsequent connection the browser can enable its declaration of PSK cipher suites 0x1301, 0x1303, and 0x1302. howsmyssl marks that as ‘bad’, as unknown ciphers appear.
Please fix the code such that the new ciphers are considered valid and good instead of unknown and bad.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.