mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-21 22:13:40 +01:00
collect TLS ticket lifetime hints
This commit is contained in:
parent
1a78172936
commit
0777682aa6
25
cipherscan
25
cipherscan
@ -84,6 +84,10 @@ test_cipher_on_target() {
|
||||
if [ -z $current_pubkey ]; then
|
||||
current_pubkey=0
|
||||
fi
|
||||
current_tickethint=$(grep 'ticket lifetime hint' <<<"$tmp"|awk '{print $6 }')
|
||||
if [ -z $current_tickethint ]; then
|
||||
current_tickethint=None
|
||||
fi
|
||||
current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
|
||||
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
@ -117,6 +121,7 @@ test_cipher_on_target() {
|
||||
pubkey=$current_pubkey
|
||||
sigalg=$current_sigalg
|
||||
trusted=$current_trusted
|
||||
tickethint=$current_tickethint
|
||||
# grab the cipher and PFS key size
|
||||
done
|
||||
# if cipher is empty, that means none of the TLS version worked with
|
||||
@ -128,13 +133,13 @@ test_cipher_on_target() {
|
||||
|
||||
# if cipher contains NONE, the cipher wasn't accepted
|
||||
elif [ "$cipher" == '(NONE) ' ]; then
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||
return 1
|
||||
|
||||
# the connection succeeded
|
||||
else
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
||||
return 0
|
||||
fi
|
||||
@ -192,6 +197,7 @@ display_results_in_terminal() {
|
||||
local pubkey
|
||||
local sigalg
|
||||
local trusted
|
||||
local tickethint
|
||||
local different=False
|
||||
for cipher in "${cipherspref[@]}"; do
|
||||
pciph=$(echo $cipher|awk '{print $1}')
|
||||
@ -205,6 +211,7 @@ display_results_in_terminal() {
|
||||
pubkey=$(awk '{print $3}' <<<$cipher)
|
||||
sigalg=$(awk '{print $4}' <<<$cipher)
|
||||
trusted=$(awk '{print $5}' <<<$cipher)
|
||||
tickethint=$(awk '{print $6}' <<<$cipher)
|
||||
else
|
||||
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
||||
different=True
|
||||
@ -215,6 +222,9 @@ display_results_in_terminal() {
|
||||
if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then
|
||||
different=True
|
||||
fi
|
||||
if [ "$tickethint" != "$(awk '{print $6}' <<<$cipher)" ]; then
|
||||
different=True
|
||||
fi
|
||||
fi
|
||||
results=("${results[@]}" "$r")
|
||||
ctr=$((ctr+1))
|
||||
@ -222,13 +232,13 @@ display_results_in_terminal() {
|
||||
|
||||
if [ $DOBENCHMARK -eq 1 ]; then
|
||||
if [ $different == "True" ]; then
|
||||
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
|
||||
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint pfs_keysize avg_handshake_microsec"
|
||||
else
|
||||
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
|
||||
fi
|
||||
else
|
||||
if [ $different == "True" ]; then
|
||||
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
|
||||
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint pfs_keysize"
|
||||
else
|
||||
header="prio ciphersuite protocols pfs_keysize"
|
||||
fi
|
||||
@ -242,7 +252,8 @@ display_results_in_terminal() {
|
||||
if [ $different == "True" ]; then
|
||||
echo $result|grep -v '(NONE)'
|
||||
else
|
||||
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $7}'
|
||||
# prints priority, ciphersuite, protocols and pfs_keysize
|
||||
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $8}'
|
||||
fi
|
||||
done|column -t
|
||||
echo
|
||||
@ -252,6 +263,7 @@ display_results_in_terminal() {
|
||||
else
|
||||
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
|
||||
fi
|
||||
echo "TLS ticket lifetime hint: $tickethint"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -267,7 +279,8 @@ display_results_in_json() {
|
||||
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
||||
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
||||
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
||||
pfs=$(echo $cipher|awk '{print $6}')
|
||||
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
|
||||
pfs=$(echo $cipher|awk '{print $7}')
|
||||
[ "$pfs" == "" ] && pfs="None"
|
||||
echo -n "\"pfs\":\"$pfs\"}"
|
||||
ctr=$((ctr+1))
|
||||
|
@ -17,6 +17,7 @@ protocolstats = defaultdict(int)
|
||||
handshakestats = defaultdict(int)
|
||||
keysize = defaultdict(int)
|
||||
sigalg = defaultdict(int)
|
||||
tickethint = defaultdict(int)
|
||||
dsarsastack = 0
|
||||
total = 0
|
||||
for r,d,flist in os.walk(path):
|
||||
@ -29,6 +30,7 @@ for r,d,flist in os.walk(path):
|
||||
tempecckeystats = {}
|
||||
tempdsakeystats = {}
|
||||
tempsigstats = {}
|
||||
tempticketstats = {}
|
||||
ciphertypes = 0
|
||||
AESGCM = False
|
||||
AES = False
|
||||
@ -127,6 +129,9 @@ for r,d,flist in os.walk(path):
|
||||
""" save key signatures size """
|
||||
tempsigstats[entry['sigalg'][0]] = 1
|
||||
|
||||
""" save tls ticket hint """
|
||||
tempticketstats[entry['ticket_hint']] = 1
|
||||
|
||||
""" store the versions of TLS supported """
|
||||
for protocol in entry['protocols']:
|
||||
if protocol == 'SSLv2':
|
||||
@ -169,6 +174,12 @@ for r,d,flist in os.walk(path):
|
||||
for s in tempsigstats:
|
||||
sigalg[s] += 1
|
||||
|
||||
if len(tempticketstats) == 1:
|
||||
for s in tempticketstats:
|
||||
tickethint[s + " only"] += 1
|
||||
for s in tempticketstats:
|
||||
tickethint[s] += 1
|
||||
|
||||
""" store cipher stats """
|
||||
if AESGCM:
|
||||
cipherstats['AES-GCM'] += 1
|
||||
@ -273,6 +284,12 @@ for stat in sorted(pfsstats):
|
||||
pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n")
|
||||
|
||||
print("\nTLS session ticket hint Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in sorted(tickethint):
|
||||
percent = round(tickethint[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(tickethint[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||
|
||||
print("\nCertificate sig alg Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in sorted(sigalg):
|
||||
|
Loading…
Reference in New Issue
Block a user