cryptcheck/lib/cryptcheck/tls/https/server.rb

require 'httparty'

module CryptCheck
	module Tls
		module Https
			class Server < Tls::TcpServer
				attr_reader :hsts

				def initialize(hostname, ip, family, port=443)
					super
					fetch_hsts
				end

				def fetch_hsts
					port = @port == 443 ? '' : ":#{@port}"

					begin
						response = ::HTTParty.head "https://#{@hostname}#{port}/",
												   {
														   follow_redirects: false,
														   verify:           false,
														   timeout: TLS_TIMEOUT,
														   ssl_version:      @supported_methods.first.to_sym,
														   ciphers:          Cipher::ALL
												   }
						if header = response.headers['strict-transport-security']
							name, value = header.split '='
							if name == 'max-age'
								@hsts = value.to_i
								Logger.info { 'HSTS : ' + @hsts.to_s.colorize(hsts_long? ? :good : nil) }
								return
							end
						end
					rescue
					end

					Logger.info { 'No HSTS'.colorize :warning }
					@hsts = nil
				end

				def hsts?
					!@hsts.nil?
				end

				LONG_HSTS = 6*30*24*60*60

				def hsts_long?
					hsts? and @hsts >= LONG_HSTS
				end

				def checks
					super + [
							[:hsts, -> (s) { s.hsts? }, :good],
							[:hsts_long, -> (s) { s.hsts_long? }, :perfect],
							#[:must_staple, -> (s) { s.must_staple? }, :best],
					]
				end
			end
		end
	end
end