2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 07:23:42 +01:00
cipherscan/analyze.py

517 lines
23 KiB
Python
Raw Normal View History

#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
2015-05-30 15:46:26 +02:00
from __future__ import print_function
import sys, os, json, subprocess, logging, argparse, platform
2014-10-09 15:35:59 +02:00
from collections import namedtuple
from datetime import datetime
from copy import deepcopy
def str_compat(data):
if sys.version_info >= (3,0):
data = str(data, 'utf-8')
return data
# has_good_pfs compares a given PFS configuration with a target
# dh parameter a target elliptic curve, and return true if good
# if `must_match` is True, the exact values are expected, if not
# larger pfs values than the targets are acceptable
def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
if 'ECDH,' in pfs:
# split string, expected format is 'ECDH,P-256,256bits'
ecc = pfs.split(',')[2].split('b')[0]
if int(ecc) < target_ecc:
return False
if must_match and int(ecc) != target_ecc:
return False
elif 'DH,' in pfs:
dhparam = pfs.split(',')[1].split('b')[0]
if int(dhparam) < target_dh:
return False
if must_match and int(dhparam) != target_dh:
return False
return True
2014-10-09 15:35:59 +02:00
# is_fubar assumes that a configuration is not completely messed up
# and looks for reasons to think otherwise. it will return True if
# it finds one of these reason
def is_fubar(results):
2014-10-11 01:07:31 +02:00
lvl = 'fubar'
2014-10-09 15:35:59 +02:00
fubar = False
2014-10-11 01:07:31 +02:00
has_ssl2 = False
has_wrong_pubkey = False
has_md5_sig = False
has_untrust_cert = False
has_wrong_pfs = False
fubar_ciphers = set(all_ciphers) - set(old_ciphers)
for conn in results['ciphersuite']:
if conn['cipher'] in fubar_ciphers:
2014-10-11 01:07:31 +02:00
failures[lvl].append("remove cipher " + conn['cipher'])
2014-10-09 15:35:59 +02:00
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
fubar = True
if 'SSLv2' in conn['protocols']:
2014-10-11 01:07:31 +02:00
has_ssl2 = True
2014-10-09 15:35:59 +02:00
logging.debug('SSLv2 is in the list of fubar protocols')
fubar = True
2015-05-30 19:48:56 +02:00
if int(conn['pubkey'][0]) < 2048:
2014-10-11 01:07:31 +02:00
has_wrong_pubkey = True
2014-10-09 15:35:59 +02:00
logging.debug(conn['pubkey'] + ' is a fubar pubkey size')
fubar = True
2014-10-17 17:20:25 +02:00
if conn['pfs'] != 'None':
2014-10-18 13:23:24 +02:00
if not has_good_pfs(conn['pfs'], 1024, 160):
logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
2014-10-17 17:20:25 +02:00
fubar = True
has_wrong_pfs = True
2014-10-09 15:35:59 +02:00
if 'md5WithRSAEncryption' in conn['sigalg']:
2014-10-11 01:07:31 +02:00
has_md5_sig = True
logging.debug(conn['sigalg'][0] + ' is a fubar cert signature')
2014-10-09 15:35:59 +02:00
fubar = True
if conn['trusted'] == 'False':
2014-10-11 01:07:31 +02:00
has_untrust_cert = True
2014-10-09 15:35:59 +02:00
logging.debug('The certificate is not trusted, which is quite fubar')
fubar = True
2014-10-11 01:07:31 +02:00
if has_ssl2:
failures[lvl].append("disable SSLv2")
if has_md5_sig:
failures[lvl].append("don't use a cert with a MD5 signature")
if has_wrong_pubkey:
failures[lvl].append("don't use a public key smaller than 2048 bits")
if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate")
if has_wrong_pfs:
2014-10-18 13:23:24 +02:00
failures[lvl].append("don't use DHE smaller than 1024bits or ECC smaller than 160bits")
2014-10-09 15:35:59 +02:00
return fubar
2014-10-09 15:35:59 +02:00
# is_old assumes a configuration *is* old, and will return False if
# the parameters of an old configuration are not found. Those parameters
# are defined in https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
def is_old(results):
2014-10-09 15:35:59 +02:00
lvl = 'old'
old = True
has_sslv3 = False
has_3des = False
has_sha1 = True
has_pfs = True
2014-10-09 15:35:59 +02:00
has_ocsp = True
all_proto = []
for conn in results['ciphersuite']:
2014-10-09 15:35:59 +02:00
# flag unwanted ciphers
if conn['cipher'] not in old_ciphers:
2014-10-09 15:35:59 +02:00
logging.debug(conn['cipher'] + ' is not in the list of old ciphers')
failures[lvl].append("remove cipher " + conn['cipher'])
old = False
# verify required 3des cipher is present
if conn['cipher'] == 'DES-CBC3-SHA':
has_3des = True
# verify required ssl3 protocol is present
if 'SSLv3' in conn['protocols']:
has_sslv3 = True
for proto in conn['protocols']:
if proto not in all_proto:
all_proto.append(proto)
# verify required sha1 signature is used
if 'sha1WithRSAEncryption' not in conn['sigalg']:
2014-10-09 15:35:59 +02:00
logging.debug(conn['sigalg'][0] + ' is a not an old signature')
old = False
has_sha1 = False
# verify required pfs parameter is used
2014-10-17 17:20:25 +02:00
if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 1024, 256, True):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration')
2014-10-09 15:35:59 +02:00
old = False
has_pfs = False
2014-10-09 15:35:59 +02:00
if conn['ocsp_stapling'] == 'False':
has_ocsp = False
extra_proto = set(all_proto) - set(['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'])
for proto in extra_proto:
logging.debug("found protocol not wanted in the old configuration:" + proto)
failures[lvl].append('disable ' + proto)
modern = False
missing_proto = set(['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2']) - set(all_proto)
for proto in missing_proto:
logging.debug("missing protocol wanted in the old configuration:" + proto)
2014-10-09 15:57:40 +02:00
failures[lvl].append('consider enabling ' + proto)
2014-10-09 15:35:59 +02:00
if not has_sslv3:
logging.debug("SSLv3 is not supported and required by the old configuration")
old = False
if not has_3des:
logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
failures[lvl].append("add cipher DES-CBC3-SHA")
old = False
if not has_sha1:
failures[lvl].append("use a certificate with sha1WithRSAEncryption signature")
old = False
if not has_pfs:
failures[lvl].append("use DHE of 1024bits and ECC of 256bits")
2014-10-09 15:35:59 +02:00
old = False
if not has_ocsp:
2014-10-09 15:57:40 +02:00
failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True':
failures[lvl].append("enforce server side ordering")
2014-10-09 15:35:59 +02:00
return old
2014-10-09 15:35:59 +02:00
# is_intermediate is similar to is_old but for intermediate configuration from
# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
def is_intermediate(results):
2014-10-09 15:35:59 +02:00
lvl = 'intermediate'
inter = True
has_tls1 = False
has_aes = False
has_pfs = True
2014-10-09 15:35:59 +02:00
has_sha256 = True
has_ocsp = True
all_proto = []
for conn in results['ciphersuite']:
if conn['cipher'] not in intermediate_ciphers:
2014-10-09 15:35:59 +02:00
logging.debug(conn['cipher'] + ' is not in the list of intermediate ciphers')
failures[lvl].append("remove cipher " + conn['cipher'])
inter = False
if conn['cipher'] == 'AES128-SHA':
has_aes = True
for proto in conn['protocols']:
if proto not in all_proto:
all_proto.append(proto)
if 'TLSv1' in conn['protocols']:
has_tls1 = True
if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
2014-10-09 15:35:59 +02:00
logging.debug(conn['sigalg'][0] + ' is a not an intermediate signature')
has_sha256 = False
2014-10-17 17:20:25 +02:00
if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 2048, 256):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the intermediate configuration')
has_pfs = False
2014-10-09 15:35:59 +02:00
if conn['ocsp_stapling'] == 'False':
has_ocsp = False
extra_proto = set(all_proto) - set(['TLSv1', 'TLSv1.1', 'TLSv1.2'])
for proto in extra_proto:
logging.debug("found protocol not wanted in the intermediate configuration:" + proto)
failures[lvl].append('disable ' + proto)
2014-10-17 17:09:42 +02:00
inter = False
2014-10-09 15:35:59 +02:00
missing_proto = set(['TLSv1', 'TLSv1.1', 'TLSv1.2']) - set(all_proto)
for proto in missing_proto:
logging.debug("missing protocol wanted in the intermediate configuration:" + proto)
2014-10-09 15:57:40 +02:00
failures[lvl].append('consider enabling ' + proto)
2014-10-09 15:35:59 +02:00
if not has_tls1:
logging.debug("TLSv1 is not supported and required by the old configuration")
inter = False
if not has_aes:
logging.debug("AES128-SHA is not supported and required by the intermediate configuration")
failures[lvl].append("add cipher AES128-SHA")
inter = False
if not has_sha256:
failures[lvl].append("consider using a SHA-256 certificate")
if not has_pfs:
failures[lvl].append("consider using DHE of at least 2048bits and ECC of at least 256bits")
2014-10-09 15:35:59 +02:00
if not has_ocsp:
2014-10-09 15:57:40 +02:00
failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True':
failures[lvl].append("enforce server side ordering")
2014-10-09 15:35:59 +02:00
return inter
2014-10-09 15:35:59 +02:00
# is_modern is similar to is_old but for modern configuration from
# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
def is_modern(results):
2014-10-09 15:35:59 +02:00
lvl = 'modern'
modern = True
has_pfs = True
2014-10-09 15:35:59 +02:00
has_sha256 = True
has_ocsp = True
all_proto = []
for conn in results['ciphersuite']:
if conn['cipher'] not in modern_ciphers:
2014-10-09 15:35:59 +02:00
logging.debug(conn['cipher'] + ' is not in the list of modern ciphers')
failures[lvl].append("remove cipher " + conn['cipher'])
modern = False
for proto in conn['protocols']:
if proto not in all_proto:
all_proto.append(proto)
if conn['sigalg'][0] not in ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']:
logging.debug(conn['sigalg'][0] + ' is a not an modern signature')
modern = False
2014-10-09 15:35:59 +02:00
has_sha256 = False
2014-10-17 17:20:25 +02:00
if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 2048, 256):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the modern configuration')
modern = False
has_pfs = False
2014-10-09 15:35:59 +02:00
if conn['ocsp_stapling'] == 'False':
has_ocsp = False
extra_proto = set(all_proto) - set(['TLSv1.1', 'TLSv1.2'])
for proto in extra_proto:
logging.debug("found protocol not wanted in the modern configuration:" + proto)
failures[lvl].append('disable ' + proto)
modern = False
missing_proto = set(['TLSv1.1', 'TLSv1.2']) - set(all_proto)
for proto in missing_proto:
logging.debug("missing protocol wanted in the modern configuration:" + proto)
2014-10-09 15:57:40 +02:00
failures[lvl].append('consider enabling ' + proto)
2014-10-09 15:35:59 +02:00
if not has_sha256:
failures[lvl].append("use a SHA-256 certificate")
2014-10-09 15:35:59 +02:00
modern = False
if not has_pfs:
failures[lvl].append("use DHE of at least 2048bits and ECC of at least 256bits")
2014-10-09 15:35:59 +02:00
modern = False
if not has_ocsp:
2014-10-09 15:57:40 +02:00
failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != 'True':
failures[lvl].append("enforce server side ordering")
2014-10-09 15:35:59 +02:00
return modern
def is_ordered(results, ref_ciphersuite, lvl):
ordered = True
previous_pos = 0
# iterate through the list of ciphers returned by the target
for conn in results['ciphersuite']:
pos = 0
# compare against each cipher of the reference ciphersuite
for ref_cipher in ref_ciphersuite:
# if the target cipher matches the reference ciphersuite,
# look for its position against the reference and flag cipher
# that violate the reference ordering
if conn['cipher'] == ref_cipher:
logging.debug("{0} found in reference ciphersuite at position {1}".format(conn['cipher'], pos))
if pos < previous_pos:
failures[lvl].append("increase priority of {0} over {1}".format(conn['cipher'], ref_ciphersuite[previous_pos]))
ordered = False
# save current position
previous_pos = pos
pos += 1
if not ordered:
failures[lvl].append("fix ciphersuite ordering, use recommended " + lvl + " ciphersuite")
return ordered
2014-10-09 15:35:59 +02:00
def evaluate_all(results):
status = "obscure or unknown"
if len(results['ciphersuite']) == 0:
return "no"
if is_old(results):
status = "old"
if not is_ordered(results, old_ciphers, "old"):
status = "old with bad ordering"
if is_intermediate(results):
status = "intermediate"
if not is_ordered(results, intermediate_ciphers, "intermediate"):
status = "intermediate with bad ordering"
if is_modern(results):
status = "modern"
if not is_ordered(results, modern_ciphers, "modern"):
status = "modern with bad ordering"
if is_fubar(results):
status = "bad"
return status
2014-12-23 14:51:50 +01:00
def process_results(data, level=None, do_json=False, do_nagios=False):
exit_status = 0
results = dict()
2014-10-09 15:35:59 +02:00
# initialize the failures struct
global failures
json_output = dict()
2014-10-09 15:35:59 +02:00
failures = dict()
2014-10-11 01:07:31 +02:00
failures['fubar'] = []
2014-10-09 15:35:59 +02:00
failures['old'] = []
failures['intermediate'] = []
failures['modern'] = []
if not level:
level='none'
try:
results = json.loads(data)
2015-05-30 15:46:26 +02:00
except ValueError as e:
print("invalid json data: " + str(e))
try:
if results:
if do_json:
json_output['target'] = results['target']
d = datetime.utcnow()
json_output['utctimestamp'] = d.isoformat("T") + "Z"
json_output['level'] = evaluate_all(results)
json_output['target_level'] = level
json_output['compliance'] = False
2014-10-12 05:08:35 +02:00
if json_output['target_level'] in json_output['level']:
json_output['compliance'] = True
2014-10-12 02:52:18 +02:00
if operator:
json_output['operator'] = operator
else:
measured_lvl = evaluate_all(results)
print(results['target'] + " has " + measured_lvl + " ssl/tls")
if level != 'none':
if level in measured_lvl:
print("and complies with the '" + level + "' level")
else:
print("and DOES NOT comply with the '" + level + "' level")
2015-05-30 15:46:26 +02:00
except TypeError as e:
print("Error processing data: " + str(e))
return False
if do_json:
json_output['failures'] = deepcopy(failures)
2015-05-30 15:46:26 +02:00
print(json.dumps(json_output))
return True
2014-10-11 01:07:31 +02:00
if len(failures['fubar']) > 0:
print("\nThings that are bad:")
2014-10-11 01:07:31 +02:00
for failure in failures['fubar']:
print("* " + failure)
2014-12-23 14:51:50 +01:00
if do_nagios:
exit_status = 2
2014-10-11 01:07:31 +02:00
2014-10-09 15:35:59 +02:00
# print failures
if level != 'none':
2014-10-09 15:35:59 +02:00
if len(failures[level]) > 0:
2014-10-09 16:09:44 +02:00
print("\nChanges needed to match the " + level + " level:")
2014-10-09 15:35:59 +02:00
for failure in failures[level]:
print("* " + failure)
2014-12-23 14:51:50 +01:00
if do_nagios and exit_status < 2:
exit_status = 1
2014-10-09 15:35:59 +02:00
else:
for lvl in ['old', 'intermediate', 'modern']:
if len(failures[lvl]) > 0:
2014-10-09 16:09:44 +02:00
print("\nChanges needed to match the " + lvl + " level:")
2014-10-09 15:35:59 +02:00
for failure in failures[lvl]:
print("* " + failure)
2014-12-23 14:51:50 +01:00
if do_nagios and exit_status < 2:
exit_status = 1
return exit_status
2014-10-09 15:35:59 +02:00
def build_ciphers_lists(opensslbin):
global all_ciphers, old_ciphers, intermediate_ciphers, modern_ciphers, errors
2014-10-09 15:35:59 +02:00
# from https://wiki.mozilla.org/Security/Server_Side_TLS
allC = 'ALL:COMPLEMENTOFALL:+aRSA'
oldC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
'AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES' \
'256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SH' \
'A:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!E' \
'DH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
2014-10-09 15:35:59 +02:00
intC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
'AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES12' \
'8-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:' \
'!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
2014-10-09 15:35:59 +02:00
modernC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
'AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
2014-10-09 15:54:30 +02:00
blackhole = open(os.devnull, 'w')
# use system openssl if not on linux 64
2014-10-11 01:07:31 +02:00
if not opensslbin:
if platform.system() == 'Linux' and platform.architecture()[0] == '64bit':
opensslbin = mypath + '/openssl'
elif platform.system() == 'Darwin' and platform.architecture()[0] == '64bit':
opensslbin = mypath + '/openssl-darwin64'
else:
opensslbin='openssl'
print("warning: analyze.py is using system's openssl, which may limit the tested ciphers and recommendations")
2014-10-09 15:35:59 +02:00
logging.debug('Loading all ciphers: ' + allC)
all_ciphers = subprocess.Popen([opensslbin, 'ciphers', allC],
2015-05-30 15:46:26 +02:00
stderr=blackhole, stdout=subprocess.PIPE).communicate()[0].rstrip()
all_ciphers = str_compat(all_ciphers)
2015-05-30 15:46:26 +02:00
all_ciphers = str(all_ciphers).split(":")
2014-10-09 15:35:59 +02:00
logging.debug('Loading old ciphers: ' + oldC)
old_ciphers = subprocess.Popen([opensslbin, 'ciphers', oldC],
2015-05-30 15:46:26 +02:00
stderr=blackhole, stdout=subprocess.PIPE).communicate()[0].rstrip()
old_ciphers = str_compat(old_ciphers)
2015-05-30 15:46:26 +02:00
old_ciphers = str(old_ciphers).split(':')
2014-10-09 15:35:59 +02:00
logging.debug('Loading intermediate ciphers: ' + intC)
intermediate_ciphers = subprocess.Popen([opensslbin, 'ciphers', intC],
2015-05-30 15:46:26 +02:00
stderr=blackhole, stdout=subprocess.PIPE).communicate()[0].rstrip()
intermediate_ciphers = str_compat(intermediate_ciphers)
2015-05-30 15:46:26 +02:00
intermediate_ciphers = str(intermediate_ciphers).split(':')
2014-10-09 15:35:59 +02:00
logging.debug('Loading modern ciphers: ' + modernC)
modern_ciphers = subprocess.Popen([opensslbin, 'ciphers', modernC],
2015-05-30 15:46:26 +02:00
stderr=blackhole, stdout=subprocess.PIPE).communicate()[0].rstrip()
modern_ciphers = str_compat(modern_ciphers)
2015-05-30 15:46:26 +02:00
modern_ciphers = str(modern_ciphers).split(':')
2014-10-09 15:54:30 +02:00
blackhole.close()
2014-10-09 15:35:59 +02:00
def main():
parser = argparse.ArgumentParser(
description='Analyze cipherscan results and provides guidelines to improve configuration.',
usage='\n* Analyze a single target, invokes cipherscan: $ ./analyze.py -t [target]' \
'\n* Evaluate json results passed through stdin: $ python analyze.py < target_results.json' \
'\nexample: ./analyze.py mozilla.org',
epilog='Julien Vehent [:ulfr] - 2014')
parser.add_argument('-d', dest='debug', action='store_true',
help='debug output')
parser.add_argument('infile', nargs='?', type=argparse.FileType('r'),
default=sys.stdin, help='cipherscan json results')
parser.add_argument('outfile', nargs='?', type=argparse.FileType('w'),
default=sys.stdout, help='json formatted analysis')
parser.add_argument('-l', dest='level',
help='target configuration level [old, intermediate, modern]')
parser.add_argument('-t', dest='target',
help='analyze a <target>, invokes cipherscan')
parser.add_argument('-o', dest='openssl',
help='path to openssl binary, if you don\'t like the default')
parser.add_argument('-j', dest='json', action='store_true',
help='output results in json format')
2014-10-12 02:52:18 +02:00
parser.add_argument('--ops', dest='operator',
help='optional name of the operator\'s team added into the JSON output (for database insertion)')
2014-12-23 14:51:50 +01:00
parser.add_argument('--nagios', dest='nagios', action='store_true',
help='use nagios-conformant exit codes')
2014-10-09 15:35:59 +02:00
args = parser.parse_args()
2014-12-26 09:49:52 +01:00
global mypath
mypath = os.path.dirname(os.path.realpath(sys.argv[0]))
2014-10-09 15:35:59 +02:00
if args.debug:
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
else:
logging.basicConfig(stream=sys.stderr, level=logging.INFO)
2014-10-12 02:52:18 +02:00
global operator
operator=''
if args.operator:
operator=args.operator
build_ciphers_lists(args.openssl)
2014-10-09 15:35:59 +02:00
if args.target:
# evaluate target specified as argument
2014-10-09 15:35:59 +02:00
logging.debug('Invoking cipherscan with target: ' + args.target)
data=''
if args.openssl:
data = subprocess.check_output([mypath + '/cipherscan', '-o', args.openssl, '-j', args.target])
else:
data = subprocess.check_output([mypath + '/cipherscan', '-j', args.target])
data = str_compat(data)
2015-05-30 15:46:26 +02:00
exit_status=process_results(str(data), args.level, args.json, args.nagios)
else:
2014-10-09 15:35:59 +02:00
if os.fstat(args.infile.fileno()).st_size < 2:
logging.error("invalid input file")
parser.print_help()
2014-12-23 14:51:50 +01:00
if args.nagios:
sys.exit(3)
else:
sys.exit(1)
2014-10-09 15:35:59 +02:00
data = args.infile.readline()
logging.debug('Evaluating results from stdin: ' + data)
2014-12-23 14:51:50 +01:00
exit_status=process_results(data, args.level, args.json, args.nagios)
sys.exit(exit_status)
if __name__ == "__main__":
main()