2024-05-24

bin/web

• Implement error coloration for endpoints.

• This ended up being an adventure to clean up the CSS, properly scoping styles and applying some basic variable support.

• This article from MDN has a great overview of how selectors work and how to write nesting properly.

• This article has some interesting ideas on how to embed icons directly in CSS, instead of rendering them as markup. Kinda like that, honestly.

  • I’ve implemented this for all the icons, and removed the dependency on gomponents-heroicons. This site has some nice tools for copying the base64 data URLs for this technique to work.

  • In the process of doing this, I’ve learned how to get the damn icons to vertically align with the text in, say, an infobox. Turns out, you need to apply the vertical-align: middle to the IMAGE (or other block element), instead of the text or container element like I was assuming. Don’t know why I didn’t try that.

  • Still need to figure out how to colorize the SVG icons when they are being used like this, but that’s a minor issue and one I can figure out later.

• Figure out how to deal with the endpoint tabs being too long.

• This ended up being the style attribute I was adding- since it restricted the height of the element to 24px, it would not reflow content correctly if the number of tabs exceeded the screen width. Removing the style makes this do The Right Thing™️.

• Figure out why cert checks seem to be duplicated according to the number of checks.

• OK, this is about what I expected. Since we’re executing the same check multiple times per cert in a scan with multiple endpoints, it records multiple results. I ended up solving this by only selecting the first check for each one:

SELECT id, title, pass FROM (
        SELECT id, title, pass, ROW_NUMBER() OVER (PARTITION BY title) rn
        FROM data_scan_checks WHERE scan_id = $1 AND cert_id = $2
    ) a WHERE rn = 1;

A longer-term fix would also be to de-duplicate check results as they are inserted into the database, but I’ve done this on the display end to make sure it always happens.

lib/tls/basic

• Fix the incorrect parsing of ciphersuite hex bytes.

• This ended up being that I was representing them wrong in my struct definitions, creating an extra layer of struct where there didn’t need to be one. The working definition looks like this:

type embeddedData struct {
    Ciphersuites []map[string]cipherInfo `json:"ciphersuites"`
}

• Aside: I’m very impressed with how FAST the ciphersuite determination is- for a basic scan of he.net I can complete the two endpoints for it in less than a second, with the time for all other checks included. Beat that, SSLabs!

lib/data

• Properly mark scans as done when all tasks are finished.

• Need to find something like a sql.NullDuration type? I wonder if pgx has one.

  • Looks like using a pointer to a pointer works for pgx.

bin/worker/task

• Fixed a small bug where if TLS 1.0 or 1.1 were not supported, the check would exit with no output.

• Added a link to ciphersuite.info to the “Insecure TLS 1.2 Ciphers” check so people know where we get our information from.