Now slowloris works with untrusted/invalid certificate.

[C3l1n]

If remote server use invalid certificate or unsigned by trusted CA slowloris fails silently and create zero socets. Now it's fixed.

[gkbrk]

The PR contains a lot of unrelated changes, I cannot merge it in this state.

As an aside, I thought by default Python didn't check certificates. Maybe it only ignores for certificate chain errors and still checks if the hostnames match. I'll have to investigate this.

[C3l1n]

Hi gkbrk,

Accidentally I created PR for master in my fork instead of for specific commit. After that I added other changes. Now i refactor code on master. If you want to make slowloris better tool you have two option:

1. Use current master of my repo- it will fix slowloris with servers using untrusted certificate and add two features. First is ability to use client certificate (for servers that force mutual TLS client connection) - options --cert, --key and --password. Second is for specific sitiuation when attacked server has request waiting for body/header timeout set to low value i.e. in nginx you can set timeout for waiting for header or body of request and slowloris wont work without my fix but there is still possible way to attack such server when keep-alive is set to big value. But slowloris has to make full request in open connection. It is added by option --makerequest.
2. Just add fix for untrusted server certificate - merge with commit C3l1n@f27c838 from my repo :).

If you want I can make other PR or sth.

ps. great tool

Best regards.

[RaduNico]

Would really love to see f27c838 merged. There is little use for certificate checking, plus the tool fails silently to make any connections to the webserver.

[gkbrk]

Merged the untrusted/invalid cert commit. I will push a release to PyPI and investigate the other commits later.