
[Feature request] Make use of badkeys.info

Open drwetter opened this issue 3 years ago • 6 comments

Please check this repo whether this is a known feature request: no

Which version are you referring to: 3.3dev?

Describe your feature request (if it's a technical feature): Hanno provides a service @ https://badkeys.info/ which allows checking for a number of problems with certificates/keys. It would be great if testssl.sh could make use of it.

Describe the solution you'd like: Probably a POST request with curl will do it. Don't know whether the constraint of using curl can be avoided.

drwetter avatar May 05 '22 08:05 drwetter

There is no need for POST requests, it is FOSS and can be run locally: https://github.com/badkeys/badkeys

KOLANICH avatar Jun 03 '22 04:06 KOLANICH

Not sure I get this.

I haven’t tried whether GET works too.

But you’re pointing to a collection of Python scripts which may work theoretically but is not in line with our requirements for portability (~no dependencies, ~pure bash).


drwetter avatar Jun 03 '22 06:06 drwetter

no dependencies pure bash depending on curl pure bash

If it is OK to depend on CLI tools like curl, I see no reason not to depend on any other CLI tools, like Python.

TBH, I think that writing this kind of tool in bash is a mistake. While it can be done, it doesn't mean it should be done. I don't want any remote code execution vulnerability through shell injection; in the proper languages it is achieved by just not passing anything received from untrusted sources as CLI args, which is almost impossible to do in bash, which is built almost entirely around passing stuff as CLI args.

KOLANICH avatar Jun 03 '22 07:06 KOLANICH

P.S. On my machine I do my "shell scripting" in Python; when I need to call an external program, I use the sh package, which makes it convenient.

KOLANICH avatar Jun 03 '22 07:06 KOLANICH

After all those years and for the big project it’s not the time any more to discuss such basic things.

You’re free and can go ahead and make something different ;-)


drwetter avatar Jun 03 '22 07:06 drwetter

You’re free and can go ahead and make something different ;-)

I don't have to, there are tools already using Python.

KOLANICH avatar Jun 03 '22 20:06 KOLANICH