redbot
HTTPS-specific checks
RED should support HTTPS URLs as well.
This means changes in nbhttp as well as some modification of the caching logic.
Looking at the state of SSL support in Python, my hopes aren't high. Specifically, it looks like making it non-blocking is going to be challenging, although the Twisted folks have done it. May be easier with py3k.
Preliminary support is now in Thor; no changes needed in RED to take advantage of it.
Note that certificates are not checked, nor are any other SSL-specific checks made (yet).
HTTPS-related checks:
- v2/v3/tls
- HttpOnly cookies
- cert validation (expiration, domain match, etc.)
- ca quality
- cipher strength
- HSTS
Also, suggest Cache-Control: public (as per UserVoice feedback)
See also: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
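As an added example (not REDbot's or Thor's own code) of the HTTP-semantic side of this list, a small Python checker that flags HSTS, cookie-flag and Cache-Control issues in the headers of an HTTPS response; the sample headers, the helper names and the HSTS_MIN_AGE threshold are assumptions:

```python
import re

# Constructed sample of HTTPS response headers (not from the page), as (name, value) pairs.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "pref=1; Path=/; Secure; HttpOnly"),
    ("Cache-Control", "private, max-age=60"),
]

# Assumed threshold: HSTS policies shorter than this are flagged as short-lived.
HSTS_MIN_AGE = 15552000  # 180 days in seconds


def cookie_attrs(value):
    """Return the lower-cased attribute names (secure, httponly, ...) of a Set-Cookie value."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}


def check_https_headers(headers):
    """Check the headers of an HTTPS response and return a list of (category, message) notes."""
    notes = []
    by_name = [(name.lower(), value) for name, value in headers]

    # HSTS: present, carries max-age, and the policy is not too short to matter.
    hsts = [v for n, v in by_name if n == "strict-transport-security"]
    if not hsts:
        notes.append(("hsts", "No Strict-Transport-Security header."))
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not match:
            notes.append(("hsts", "Strict-Transport-Security has no max-age; browsers ignore it."))
        elif int(match.group(1)) < HSTS_MIN_AGE:
            notes.append(("hsts", "HSTS max-age of %ss is short-lived." % match.group(1)))

    # Cookies set over HTTPS should be Secure (never sent in clear) and usually HttpOnly.
    for name, value in by_name:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = cookie_attrs(value)
        if "secure" not in attrs:
            notes.append(("cookie", "Cookie %r set over HTTPS without the Secure flag." % cookie))
        if "httponly" not in attrs:
            notes.append(("cookie", "Cookie %r lacks HttpOnly and is readable from script." % cookie))

    # Cache-Control: without an explicit public/private some caches will not store HTTPS responses.
    cache = " ".join(v for n, v in by_name if n == "cache-control").lower()
    if not any(d in cache for d in ("public", "private", "no-store")):
        notes.append(("cache", "No explicit Cache-Control: public or private on an HTTPS response."))
    return notes
```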
Thor needs to catch SSL errors in handle_read; specifically:
<class 'ssl.SSLError'>: [Errno 1] _ssl.c:1347: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure args = (1, '_ssl.c:1347: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure') errno = 1 filename = None message = '' strerror = '_ssl.c:1347: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
Google seconds the recommendation (in some circumstances) to use Cache-Control: private for HTTPS. See https://developers.google.com/speed/docs/best-practices/caching
There are now a number of TLS-focused site checkers out there, and I don't think REDbot wants to compete with them; it's focused on HTTP semantics, so the only things that should be checked here are when they have HTTP semantic implications. Closing this (although more specific checks may still make sense).