Skip to content
This repository has been archived by the owner on Jun 10, 2020. It is now read-only.

Sites which require HTTPS client cert auth always show as non-compliant #758

Open
PaulSD opened this issue Feb 23, 2018 · 2 comments
Open

Sites which require HTTPS client cert auth always show as non-compliant #758

PaulSD opened this issue Feb 23, 2018 · 2 comments
Labels
bug

Comments

@PaulSD
Copy link

PaulSD commented Feb 23, 2018

Not sure whether this is really a pulse issue or a pshtt issue...

Example: sdv.max.gov supports HTTP and HTTPS. All HTTP is redirected to HTTPS. But HTTPS requires client cert authentication, so without a valid client cert the SSL handshake will always fail.

pshtt returns these values:
Defaults to HTTPS: False
Strictly Forces HTTPS: False
Domain Supports HTTPS: False
Domain Enforces HTTPS: False

Pulse shows:
Compliant with M-15-13 and BOD 18-01: No
Enforces HTTPS: No

I think it is arguable whether these pshtt return values are appropriate in this case, but either way the pulse status is clearly not appropriate.
@konklone
Copy link
Contributor

@PaulSD Good find! I agree that we should definitely be able to detect and support client authentication, and I believe this should happen at the pshtt level.

@konklone konklone mentioned this issue Feb 23, 2018
Closed
@konklone
Copy link
Contributor

I'll leave this open until we've resolved the Pulse display issue one way or another, but moving all substantive discussion on resolution to cisagov/pshtt#153.

@konklone konklone added the bug label Apr 23, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@konklone @PaulSD