Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to skip certificate validation #6

Closed
gl4nce opened this issue Sep 11, 2023 · 6 comments
Closed

Add option to skip certificate validation #6

gl4nce opened this issue Sep 11, 2023 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@gl4nce
Copy link

gl4nce commented Sep 11, 2023

I couldn't find any switch to disable certificate validation. Would be nice to have. I.e. if used with proxy tools like burp or proxychains.

@rfc-st
Copy link
Owner

rfc-st commented Sep 11, 2023

Hi,

SSL Cert Verification is disabled by default; I defined it this way to avoid errors with self-signed certificates or when testing the tool against development environment URLs:

r = requests.get(URL, verify=False, headers=c_headers, timeout=15)

@gl4nce
Copy link
Author

gl4nce commented Sep 11, 2023

Thanks for your reply. :)

I see. It's related to ipapi.co which you are already stating in https://github.com/rfc-st/humble#caveats. Always better to read the manual first hehe.

A switch for disabling that behaviour would be nice. Of course it's no problem to edit the source code for such seldom cases. But especially for humble installed as OS package, a switch would be the prefered solution I think.

Feel free to close this issue, if you are think there is no switch needed. :)

@rfc-st
Copy link
Owner

rfc-st commented Sep 11, 2023

I will take a look at it this week to see what might be the best solution, without relying on more parameters. At first sight, maybe add also 'verify=False' in the call to ipapi.co, to avoid errors in certificate validation.

Thanks for your suggestion!,

@rfc-st rfc-st self-assigned this Sep 14, 2023
@rfc-st rfc-st added the enhancement New feature or request label Sep 14, 2023
rfc-st added a commit that referenced this issue Sep 15, 2023
@rfc-st
Copy link
Owner

rfc-st commented Sep 15, 2023

Hello!,

Have a look at this recent commit: 1c99b73

  • In case of any error associated with the request to ipapi.co (e.g. the URL is not accessible) the analysis will now continue as normal, without the need for the end user to modify the code beforehand.

  • Additionally, I have added 'verify=False' in that request to disable certificate validation.

  • Finally, I have removed the 'Caveats' part in the README; it is no longer needed.

I've done a couple of tests and everything seems fine. If you agree, confirm it with me and I'll close this issue.

Thanks!.

@gl4nce
Copy link
Author

gl4nce commented Sep 15, 2023

Hi rfc-st,

thanks a lot. Just tested latest master and works fine for me. :)

proxychains python3 humble.py -u https://web.site -o html -r
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  ipapi.co:443  ...  OK

 Analyzing URL and saving the report, please wait ...

 Report saved to /home/vagrant/Downloads/humble-master/web.site_headers_20230915.html

By the way: I noticed, the tool does not recognize empty/failed responses by the webserver. Instead the tool lists all headers as missing, which does not make really sense in such cases. Would be better to display an error like no response or something else. But this is another issue and shouldn't be stated here. I just wanted to let you know. :)

So again. Thanks for fixing and improving this peace of software. Issue can be closed. :)

@rfc-st
Copy link
Owner

rfc-st commented Sep 16, 2023

Thanks for your confirmation!. On the other point, I will take a look at it later.

@rfc-st rfc-st closed this as completed Sep 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants