class TLSChecker::TLSACheckerFactory
Public Class Methods
new()
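# File lib/tls-checker/tlsa_checker_factory.rb, line 5
# Factory that turns the TLSA records published for a host/port into
# TLSAChecker instances (see #tlsa_checkers_for).
#
# @param resolver [#getresources] DNS client used for the TLSA lookups.
#   Defaults to a stdlib Resolv::DNS built from the system resolver
#   configuration, exactly as before; it is injectable so callers can point
#   the factory at a specific (e.g. DNSSEC-validating) resolver, or at a
#   stub in tests.
#
# NOTE(review): the stdlib Resolv::DNS performs no DNSSEC validation and,
# as far as it exposes, gives no way to tell a validated answer from an
# unvalidated one. DANE lookups made through it are therefore only as
# trustworthy as the configured upstream resolver and the path to it.
def initialize(resolver: Resolv::DNS.new)
  @resolver = resolver
end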
Public Instance Methods
tlsa_checkers_for(certificate_checker)
# File lib/tls-checker/tlsa_checker_factory.rb, line 9
# Build a TLSAChecker for each end-entity TLSA record of the host/port that
# matches the certificate +certificate_checker+ currently holds.
#
# @param certificate_checker [#certificate, #hostname, #port] the checker
#   whose certificate the TLSA records are matched against
# @return [Array<TLSAChecker>] possibly empty; nothing is raised or reported
#   for records that do not match
#
# Non-matching records are dropped on purpose: a name served from several
# addresses with different certificates legitimately publishes one TLSA
# record per certificate, so a mismatch against *this* connection's
# certificate is not a fault. Keeping only the matching checkers still lets
# later failures (the original author cites expiry) be detected.
#
# Consequence for callers: an empty result means "no end-entity TLSA record
# matched", which is indistinguishable here from "no TLSA records published
# at all" -- both paths return an empty array.
def tlsa_checkers_for(certificate_checker)
  return [] unless certificate_checker.certificate

  checkers = []
  each_tlsa_end_entity_record(certificate_checker) do |record|
    candidate = TLSAChecker.new(record, certificate_checker)
    checkers << candidate if candidate.certificate_match_tlsa_record?
  end
  checkers
end
Private Instance Methods
each_tlsa_end_entity_record(certificate_checker) { |record| ... }
# File lib/tls-checker/tlsa_checker_factory.rb, line 32
# Like #each_tlsa_record, but yield only the records whose #end_entity? is
# true; every other TLSA record for the name is skipped.
#
# @param certificate_checker [#hostname, #port] target to look up
# @yield [record] each end-entity TLSA record, in resolver order
# @return [void]
#
# NOTE(review): #end_entity? comes from the project's TLSA class; presumably
# it selects certificate usages 1 (PKIX-EE) and 3 (DANE-EE), the usages a
# leaf certificate can be matched against directly -- confirm there.
def each_tlsa_end_entity_record(certificate_checker)
  each_tlsa_record(certificate_checker) do |record|
    yield(record) if record.end_entity?
  end
end
each_tlsa_record(certificate_checker) { |record| ... }
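# File lib/tls-checker/tlsa_checker_factory.rb, line 40
# Yield every TLSA record published for the checked host/port, in the order
# the resolver returns them, as Resolv::DNS::Resource::IN::TLSA instances.
#
# @param certificate_checker [#hostname, #port] target whose
#   "_<port>._tcp.<hostname>." owner name is queried
# @yield [record] one Resolv::DNS::Resource::IN::TLSA per TLSA RR found
# @return [void]
#
# The lookup asks for type 52 (TLSA) explicitly instead of QTYPE=ANY: ANY
# answers are commonly refused, truncated or minimised by resolvers
# (RFC 8482) and may be served partially from cache, which would make a
# published TLSA RRset look absent to this checker. Resolv has no TLSA
# class of its own, so the type-52/IN class is taken from its generic-type
# registry (Resource.get_class -- undocumented but used by Resolv's own
# decoder, so it is the very class the answer is decoded into) and the raw
# RDATA is handed to the project's TLSA class as before.
#
# NOTE(review): Resolv::DNS does not validate DNSSEC and, as far as it
# exposes, does not surface the AD bit, so validated, unvalidated and forged
# answers are indistinguishable here. A TLSA record obtained this way is only
# as trustworthy as the configured resolver and the path to it; DANE (RFC
# 6698) requires the RRset to be DNSSEC-secure, so either point @resolver at
# a trusted validating resolver or validate the RRset out of band.
def each_tlsa_record(certificate_checker)
  name = "_#{certificate_checker.port}._tcp.#{certificate_checker.hostname}."
  tlsa_rr = Resolv::DNS::Resource.get_class(52, 1) # TLSA, class IN
  @resolver.getresources(name, tlsa_rr).each do |rr|
    # Defensive: only type-52 answers are converted; anything else is ignored.
    next unless rr.is_a?(tlsa_rr)

    yield(Resolv::DNS::Resource::IN::TLSA.new(rr.data))
  end
end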