// SessionResumeScan tests that host is able to resume sessions across all addresses.
func sessionResumeScan(addr, hostname string) (grade Grade, output Output, err error) {
config := defaultTLSConfig(hostname)
config.ClientSessionCache = tls.NewLRUClientSessionCache(1)
conn, err := tls.DialWithDialer(Dialer, Network, addr, config)
if err != nil {
return
}
if err = conn.Close(); err != nil {
return
}
return multiscan(addr, func(addrport string) (g Grade, o Output, e error) {
var conn *tls.Conn
if conn, e = tls.DialWithDialer(Dialer, Network, addrport, config); e != nil {
return
}
conn.Close()
if o = conn.ConnectionState().DidResume; o.(bool) {
g = Good
}
return
})
}
// SessionResumeScan tests that host is able to resume sessions across all addresses.
func sessionResumeScan(host string) (grade Grade, output Output, err error) {
config := defaultTLSConfig(host)
config.ClientSessionCache = tls.NewLRUClientSessionCache(1)
conn, err := tls.DialWithDialer(Dialer, Network, host, config)
if err != nil {
return
}
if err = conn.Close(); err != nil {
return
}
return multiscan(host, func(addrport string) (g Grade, o Output, e error) {
g = Good
conn, e1 := tls.DialWithDialer(Dialer, Network, addrport, config)
if e1 != nil {
return
}
conn.Close()
o = conn.ConnectionState().DidResume
if !conn.ConnectionState().DidResume {
grade = Bad
}
return
})
}
// tlsDialScan tests that the host can perform a TLS Handshake.
func tlsDialScan(host string) (grade Grade, output Output, err error) {
conn, err := tls.DialWithDialer(Dialer, Network, host, defaultTLSConfig(host))
if err != nil {
return
}
conn.Close()
grade = Good
return
}
// tlsDialScan tests that the host can perform a TLS Handshake
// and warns if the server's certificate can't be verified.
func tlsDialScan(addr, hostname string) (grade Grade, output Output, err error) {
var conn *tls.Conn
config := defaultTLSConfig(hostname)
if conn, err = tls.DialWithDialer(Dialer, Network, addr, config); err != nil {
return
}
conn.Close()
config.InsecureSkipVerify = false
if conn, err = tls.DialWithDialer(Dialer, Network, addr, config); err != nil {
grade = Warning
return
}
conn.Close()
grade = Good
return
}
// intermediateCAScan scans for new intermediate CAs not in the trust store.
func intermediateCAScan(addr, hostname string) (grade Grade, output Output, err error) {
cidr, port, _ := net.SplitHostPort(addr)
_, ipnet, err := net.ParseCIDR(cidr)
if err != nil {
return Skipped, nil, nil
}
b, err := bundler.NewBundler(caBundleFile, intBundleFile)
if err != nil {
return
}
var wg sync.WaitGroup
wg.Add(numWorkers)
dialer := &net.Dialer{Timeout: timeout}
config := &tls.Config{InsecureSkipVerify: true}
addrs := make(chan string)
chains := make(chan []*x509.Certificate, numWorkers)
go func() {
for chain := range chains {
b.Bundle(chain, nil, bundler.Force)
}
}()
for i := 0; i < numWorkers; i++ {
go func() {
for addr := range addrs {
conn, err := tls.DialWithDialer(dialer, Network, addr, config)
if err != nil {
continue
}
conn.Close()
if conn.ConnectionState().HandshakeComplete {
chains <- conn.ConnectionState().PeerCertificates
}
}
wg.Done()
}()
}
for ip := ipnet.IP.To16(); ipnet.Contains(ip); incrementBytes(ip) {
addrs <- net.JoinHostPort(ip.String(), port)
}
close(addrs)
wg.Wait()
close(chains)
grade = Good
return
}
// getChain is a helper function that retreives the host's certificate chain.
func getChain(addr string, config *tls.Config) (chain []*x509.Certificate, err error) {
var conn *tls.Conn
conn, err = tls.DialWithDialer(Dialer, Network, addr, config)
if err != nil {
return
}
err = conn.Close()
if err != nil {
return
}
chain = conn.ConnectionState().PeerCertificates
if len(chain) == 0 {
err = fmt.Errorf("%s returned empty certificate chain", addr)
}
return
}
