From 7ad980888cedf8bac2af4002de72e588738f6326 Mon Sep 17 00:00:00 2001
From: Brenton Cleeland
Date: Tue, 24 Jun 2025 09:30:14 +1000
Subject: [PATCH 1/2] fix: remove checks related to ocsp
---
 ready/checks/ssl.py | 64 ---------------------------------------------
 ready/ready.py | 4 ---
 test/test_ready.py | 58 ----------------------------------------
 3 files changed, 126 deletions(-)
 delete mode 100644 test/test_ready.py
diff --git a/ready/checks/ssl.py b/ready/checks/ssl.py
index 2a3ca76..8b1aa20 100644
--- a/ready/checks/ssl.py
+++ b/ready/checks/ssl.py
@@ -216,67 +216,3 @@ def check_dns_caa_record_should_include_validationmethods(responses, **kwargs):
 warn_on_fail=True,
 **kwargs,
 )
-
-
- # Check: SSL certificate must provide OCSP URI
- def check_ssl_certificate_must_include_ocsp_uri(responses, **kwargs):
- certificate = get_ssl_certificate(kwargs["domain"], ipv6=kwargs["is_ipv6"])
- if not certificate:
- ocsp = None
- else:
- ocsp = certificate.get("OCSP", None)
-
- return result(
- ocsp and all([("https://" in r or "http://" in r) for r in ocsp]),
- f"SSL certificate must provide OCSP URI ({ocsp})",
- "ssl_provide_ocsp_uri",
- **kwargs,
- )
-
-
- # Check: SSL certificate should provide OCSP must-staple
- def check_ssl_certificate_should_provide_ocsp_must_staple(responses, **kwargs):
- try:
- from cryptography import x509
- except ImportError:
- return result(
- False,
- f"SSL certificate should provide OCSP must-staple (cryptography not installed)",
- "ssl_ocsp_must_staple",
- warn_on_fail=True,
- **kwargs,
- )
-
- certificate = get_ssl_certificate(kwargs["domain"], ipv6=kwargs["is_ipv6"], binary=True)
- if not certificate:
- return result(
- False,
- f"SSL certificate should provide OCSP must-staple (failed to load certificate)",
- "ssl_ocsp_must_staple",
- **kwargs,
- )
-
- loaded = x509.load_der_x509_certificate(certificate)
-
- has_must_staple_extension = False
- msg = "missing extension"
-
- lifetime_days = (loaded.not_valid_after - loaded.not_valid_before).days
- if lifetime_days < 10:
- has_must_staple_exension = True
- msg = "certificate is short-lived; missing extension"
-
- else:
- for extension in loaded.extensions:
- # see https://github.com/sesh/ready/issues/15 for details
- if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
- has_must_staple_extension = True
- msg = "includes extension"
-
- return result(
- has_must_staple_extension,
- f"Long-lived SSL certificate should provide OCSP must-staple ({msg})",
- "ssl_ocsp_must_staple",
- warn_on_fail=True,
- **kwargs,
- )
diff --git a/ready/ready.py b/ready/ready.py
index e2175fb..6cc2914 100644
--- a/ready/ready.py
+++ b/ready/ready.py
@@ -91,8 +91,6 @@
 check_ssl_connection_fails_with_tls_1_1,
 check_ssl_expiry_should_be_greater_than_five_days,
 check_ssl_expiry_should_be_less_than_one_year,
- check_ssl_certificate_must_include_ocsp_uri,
- check_ssl_certificate_should_provide_ocsp_must_staple,
 )
 from ready.checks.status import check_http_response_should_be_200
 from ready.checks.swagger import check_swagger_should_not_return_200
@@ -303,8 +301,6 @@ def ready(
 check_ssl_certificate_should_be_trusted,
 check_ssl_connection_fails_with_tls_1_1,
 check_ssl_connection_fails_with_tls_1_0,
- check_ssl_certificate_must_include_ocsp_uri,
- check_ssl_certificate_should_provide_ocsp_must_staple,
 check_dns_caa_record_should_exist,
 check_dns_caa_record_should_include_accounturi,
 check_dns_caa_record_should_include_validationmethods,
diff --git a/test/test_ready.py b/test/test_ready.py
deleted file mode 100644
index 635a1d3..0000000
--- a/test/test_ready.py
+++ /dev/null
@@ -1,58 +0,0 @@
-import os
-from unittest import TestCase, skipIf
-
-from ready.ready import ready
-
-try:
- import bs4
- import tld
- import cryptography
-
- SKIP_READY_CHECKS = os.environ.get("READY_SKIP_E2E", "") == "1"
-except ImportError as e:
- print(e)
- SKIP_READY_CHECKS = True
-
-
-if SKIP_READY_CHECKS:
- print("Skipping end to end tests")
-
-
-@skipIf(SKIP_READY_CHECKS, "Skipping because not all dependencies are available")
-class ReadyTestCase(TestCase):
- def test_brntn(self):
- results = ready("brntn.me", hide_output=True)
- failures = [r.check for r in results if not r.passed]
- self.assertEqual(failures, ["ssl_dns_caa_accounturi", "ssl_dns_caa_validationmethods"])
-
- def test_basehtml(self):
- results = ready("basehtml.xyz", hide_output=True)
-
- failures = [r.check for r in results if not r.passed]
-
- self.assertEqual(
- failures,
- [
- "redirect_http",
- "ssl_hsts_preload",
- "csp_upgrade_insecure_requests",
- "csp_valid_directives",
- "report_to",
- "wellknown_robots",
- "wellknown_security",
- "wellknown_security_not_expired",
- "http_corp",
- "http_coop",
- "http_coep",
- "leaky_headers",
- "ssl_ocsp_must_staple",
- "ssl_dns_caa",
- "ssl_dns_caa_accounturi",
- "ssl_dns_caa_validationmethods",
- "email_dmarc_exists",
- "email_dmarc_none",
- "html_rel_icon",
- "html_unnecessary_entities",
- "html_x_dns_prefetch",
- ],
- )
From e037e0ab9635c874a523196ed82a8b74dce55746 Mon Sep 17 00:00:00 2001
From: Brenton Cleeland
Date: Tue, 24 Jun 2025 09:34:23 +1000
Subject: [PATCH 2/2] release: bump version
---
 ready/ready.py | 2 +-
 setup.cfg | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ready/ready.py b/ready/ready.py
index 6cc2914..6457501 100644
--- a/ready/ready.py
+++ b/ready/ready.py
@@ -7,7 +7,7 @@
 from importlib import resources
 from . import checks as checks_module
-VERSION = "1.6.1"
+VERSION = "1.7.0"
 from ready.checks.bad_response import (
 check_bad_response_cloudflare,
diff --git a/setup.cfg b/setup.cfg
index 06da62e..8f30be4 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = ready-check
-version = 1.6.1
+version = 1.7.0
 author = Brenton Cleeland
 author_email = brenton@brntn.me
 description = A developer-friendly web scanning tool