From 0777682aa60901569fa7fbccd53eef353a89d85a Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 16 May 2014 16:55:19 +0200 Subject: [PATCH] collect TLS ticket lifetime hints --- cipherscan | 25 +++++++++++++++++++------ top1m/parse_results.py | 17 +++++++++++++++++ 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/cipherscan b/cipherscan index 1de97d6..0c81cb7 100755 --- a/cipherscan +++ b/cipherscan @@ -84,6 +84,10 @@ test_cipher_on_target() { if [ -z $current_pubkey ]; then current_pubkey=0 fi + current_tickethint=$(grep 'ticket lifetime hint' <<<"$tmp"|awk '{print $6 }') + if [ -z $current_tickethint ]; then + current_tickethint=None + fi current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None" grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null if [ $? -eq 0 ]; then @@ -117,6 +121,7 @@ test_cipher_on_target() { pubkey=$current_pubkey sigalg=$current_sigalg trusted=$current_trusted + tickethint=$current_tickethint # grab the cipher and PFS key size done # if cipher is empty, that means none of the TLS version worked with @@ -128,13 +133,13 @@ test_cipher_on_target() { # if cipher contains NONE, the cipher wasn't accepted elif [ "$cipher" == '(NONE) ' ]; then - result="$cipher $protocols $pubkey $sigalg $trusted $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs" verbose "handshake failed, server returned ciphersuite '$result'" return 1 # the connection succeeded else - result="$cipher $protocols $pubkey $sigalg $trusted $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs" verbose "handshake succeeded, server returned ciphersuite '$result'" return 0 fi @@ -192,6 +197,7 @@ display_results_in_terminal() { local pubkey local sigalg local trusted + local tickethint local different=False for cipher in "${cipherspref[@]}"; do pciph=$(echo $cipher|awk '{print $1}') @@ -205,6 +211,7 @@ display_results_in_terminal() { pubkey=$(awk '{print $3}' <<<$cipher) sigalg=$(awk '{print $4}' <<<$cipher) trusted=$(awk '{print $5}' <<<$cipher) + tickethint=$(awk '{print $6}' <<<$cipher) else if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then different=True @@ -215,6 +222,9 @@ display_results_in_terminal() { if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then different=True fi + if [ "$tickethint" != "$(awk '{print $6}' <<<$cipher)" ]; then + different=True + fi fi results=("${results[@]}" "$r") ctr=$((ctr+1)) @@ -222,13 +232,13 @@ display_results_in_terminal() { if [ $DOBENCHMARK -eq 1 ]; then if [ $different == "True" ]; then - header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec" + header="prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint pfs_keysize avg_handshake_microsec" else header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec" fi else if [ $different == "True" ]; then - header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize" + header="prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint pfs_keysize" else header="prio ciphersuite protocols pfs_keysize" fi @@ -242,7 +252,8 @@ display_results_in_terminal() { if [ $different == "True" ]; then echo $result|grep -v '(NONE)' else - echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $7}' + # prints priority, ciphersuite, protocols and pfs_keysize + echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $8}' fi done|column -t echo @@ -252,6 +263,7 @@ display_results_in_terminal() { else echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature" fi + echo "TLS ticket lifetime hint: $tickethint" fi } @@ -267,7 +279,8 @@ display_results_in_json() { echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"]," echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\"," - pfs=$(echo $cipher|awk '{print $6}') + echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\"," + pfs=$(echo $cipher|awk '{print $7}') [ "$pfs" == "" ] && pfs="None" echo -n "\"pfs\":\"$pfs\"}" ctr=$((ctr+1)) diff --git a/top1m/parse_results.py b/top1m/parse_results.py index c4876c5..3f5344f 100644 --- a/top1m/parse_results.py +++ b/top1m/parse_results.py @@ -17,6 +17,7 @@ protocolstats = defaultdict(int) handshakestats = defaultdict(int) keysize = defaultdict(int) sigalg = defaultdict(int) +tickethint = defaultdict(int) dsarsastack = 0 total = 0 for r,d,flist in os.walk(path): @@ -29,6 +30,7 @@ for r,d,flist in os.walk(path): tempecckeystats = {} tempdsakeystats = {} tempsigstats = {} + tempticketstats = {} ciphertypes = 0 AESGCM = False AES = False @@ -127,6 +129,9 @@ for r,d,flist in os.walk(path): """ save key signatures size """ tempsigstats[entry['sigalg'][0]] = 1 + """ save tls ticket hint """ + tempticketstats[entry['ticket_hint']] = 1 + """ store the versions of TLS supported """ for protocol in entry['protocols']: if protocol == 'SSLv2': @@ -169,6 +174,12 @@ for r,d,flist in os.walk(path): for s in tempsigstats: sigalg[s] += 1 + if len(tempticketstats) == 1: + for s in tempticketstats: + tickethint[s + " only"] += 1 + for s in tempticketstats: + tickethint[s] += 1 + """ store cipher stats """ if AESGCM: cipherstats['AES-GCM'] += 1 @@ -273,6 +284,12 @@ for stat in sorted(pfsstats): pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4) sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n") +print("\nTLS session ticket hint Count Percent ") +print("-------------------------+---------+--------") +for stat in sorted(tickethint): + percent = round(tickethint[stat] / total * 100, 4) + sys.stdout.write(stat.ljust(25) + " " + str(tickethint[stat]).ljust(10) + str(percent).ljust(9) + "\n") + print("\nCertificate sig alg Count Percent ") print("-------------------------+---------+--------") for stat in sorted(sigalg):