2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-04 23:13:41 +01:00

collect TLS ticket lifetime hints

This commit is contained in:
Hubert Kario 2014-05-16 16:55:19 +02:00
parent 1a78172936
commit 0777682aa6
2 changed files with 36 additions and 6 deletions

View File

@ -84,6 +84,10 @@ test_cipher_on_target() {
if [ -z $current_pubkey ]; then
current_pubkey=0
fi
current_tickethint=$(grep 'ticket lifetime hint' <<<"$tmp"|awk '{print $6 }')
if [ -z $current_tickethint ]; then
current_tickethint=None
fi
current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
if [ $? -eq 0 ]; then
@ -117,6 +121,7 @@ test_cipher_on_target() {
pubkey=$current_pubkey
sigalg=$current_sigalg
trusted=$current_trusted
tickethint=$current_tickethint
# grab the cipher and PFS key size
done
# if cipher is empty, that means none of the TLS version worked with
@ -128,13 +133,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
# the connection succeeded
else
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0
fi
@ -192,6 +197,7 @@ display_results_in_terminal() {
local pubkey
local sigalg
local trusted
local tickethint
local different=False
for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
@ -205,6 +211,7 @@ display_results_in_terminal() {
pubkey=$(awk '{print $3}' <<<$cipher)
sigalg=$(awk '{print $4}' <<<$cipher)
trusted=$(awk '{print $5}' <<<$cipher)
tickethint=$(awk '{print $6}' <<<$cipher)
else
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
different=True
@ -215,6 +222,9 @@ display_results_in_terminal() {
if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then
different=True
fi
if [ "$tickethint" != "$(awk '{print $6}' <<<$cipher)" ]; then
different=True
fi
fi
results=("${results[@]}" "$r")
ctr=$((ctr+1))
@ -222,13 +232,13 @@ display_results_in_terminal() {
if [ $DOBENCHMARK -eq 1 ]; then
if [ $different == "True" ]; then
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint pfs_keysize avg_handshake_microsec"
else
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
fi
else
if [ $different == "True" ]; then
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint pfs_keysize"
else
header="prio ciphersuite protocols pfs_keysize"
fi
@ -242,7 +252,8 @@ display_results_in_terminal() {
if [ $different == "True" ]; then
echo $result|grep -v '(NONE)'
else
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $7}'
# prints priority, ciphersuite, protocols and pfs_keysize
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $8}'
fi
done|column -t
echo
@ -252,6 +263,7 @@ display_results_in_terminal() {
else
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
fi
echo "TLS ticket lifetime hint: $tickethint"
fi
}
@ -267,7 +279,8 @@ display_results_in_json() {
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
pfs=$(echo $cipher|awk '{print $6}')
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
pfs=$(echo $cipher|awk '{print $7}')
[ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1))

View File

@ -17,6 +17,7 @@ protocolstats = defaultdict(int)
handshakestats = defaultdict(int)
keysize = defaultdict(int)
sigalg = defaultdict(int)
tickethint = defaultdict(int)
dsarsastack = 0
total = 0
for r,d,flist in os.walk(path):
@ -29,6 +30,7 @@ for r,d,flist in os.walk(path):
tempecckeystats = {}
tempdsakeystats = {}
tempsigstats = {}
tempticketstats = {}
ciphertypes = 0
AESGCM = False
AES = False
@ -127,6 +129,9 @@ for r,d,flist in os.walk(path):
""" save key signatures size """
tempsigstats[entry['sigalg'][0]] = 1
""" save tls ticket hint """
tempticketstats[entry['ticket_hint']] = 1
""" store the versions of TLS supported """
for protocol in entry['protocols']:
if protocol == 'SSLv2':
@ -169,6 +174,12 @@ for r,d,flist in os.walk(path):
for s in tempsigstats:
sigalg[s] += 1
if len(tempticketstats) == 1:
for s in tempticketstats:
tickethint[s + " only"] += 1
for s in tempticketstats:
tickethint[s] += 1
""" store cipher stats """
if AESGCM:
cipherstats['AES-GCM'] += 1
@ -273,6 +284,12 @@ for stat in sorted(pfsstats):
pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n")
print("\nTLS session ticket hint Count Percent ")
print("-------------------------+---------+--------")
for stat in sorted(tickethint):
percent = round(tickethint[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(tickethint[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nCertificate sig alg Count Percent ")
print("-------------------------+---------+--------")
for stat in sorted(sigalg):