mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 06:13:42 +01:00
collect TLS ticket lifetime hints
This commit is contained in:
Hubert Kario
parent
1a78172936
commit
0777682aa6
25
cipherscan
25
cipherscan
@ -84,6 +84,10 @@ test_cipher_on_target() {
|
|||||||
if [ -z $current_pubkey ]; then
|
if [ -z $current_pubkey ]; then
|
||||||
current_pubkey=0
|
current_pubkey=0
|
||||||
fi
|
fi
|
||||||
|
current_tickethint=$(grep 'ticket lifetime hint' <<<"$tmp"|awk '{print $6 }')
|
||||||
|
if [ -z $current_tickethint ]; then
|
||||||
|
current_tickethint=None
|
||||||
|
fi
|
||||||
current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
|
current_sigalg=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
|
||||||
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
|
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
@ -117,6 +121,7 @@ test_cipher_on_target() {
|
|||||||
pubkey=$current_pubkey
|
pubkey=$current_pubkey
|
||||||
sigalg=$current_sigalg
|
sigalg=$current_sigalg
|
||||||
trusted=$current_trusted
|
trusted=$current_trusted
|
||||||
|
tickethint=$current_tickethint
|
||||||
# grab the cipher and PFS key size
|
# grab the cipher and PFS key size
|
||||||
done
|
done
|
||||||
# if cipher is empty, that means none of the TLS version worked with
|
# if cipher is empty, that means none of the TLS version worked with
|
||||||
@ -128,13 +133,13 @@ test_cipher_on_target() {
|
|||||||
|
|
||||||
# if cipher contains NONE, the cipher wasn't accepted
|
# if cipher contains NONE, the cipher wasn't accepted
|
||||||
elif [ "$cipher" == '(NONE) ' ]; then
|
elif [ "$cipher" == '(NONE) ' ]; then
|
||||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||||
return 1
|
return 1
|
||||||
|
|
||||||
# the connection succeeded
|
# the connection succeeded
|
||||||
else
|
else
|
||||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||||
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -192,6 +197,7 @@ display_results_in_terminal() {
|
|||||||
local pubkey
|
local pubkey
|
||||||
local sigalg
|
local sigalg
|
||||||
local trusted
|
local trusted
|
||||||
|
local tickethint
|
||||||
local different=False
|
local different=False
|
||||||
for cipher in "${cipherspref[@]}"; do
|
for cipher in "${cipherspref[@]}"; do
|
||||||
pciph=$(echo $cipher|awk '{print $1}')
|
pciph=$(echo $cipher|awk '{print $1}')
|
||||||
@ -205,6 +211,7 @@ display_results_in_terminal() {
|
|||||||
pubkey=$(awk '{print $3}' <<<$cipher)
|
pubkey=$(awk '{print $3}' <<<$cipher)
|
||||||
sigalg=$(awk '{print $4}' <<<$cipher)
|
sigalg=$(awk '{print $4}' <<<$cipher)
|
||||||
trusted=$(awk '{print $5}' <<<$cipher)
|
trusted=$(awk '{print $5}' <<<$cipher)
|
||||||
|
tickethint=$(awk '{print $6}' <<<$cipher)
|
||||||
else
|
else
|
||||||
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
||||||
different=True
|
different=True
|
||||||
@ -215,6 +222,9 @@ display_results_in_terminal() {
|
|||||||
if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then
|
if [ "$trusted" != "$(awk '{print $5}' <<<$cipher)" ]; then
|
||||||
different=True
|
different=True
|
||||||
fi
|
fi
|
||||||
|
if [ "$tickethint" != "$(awk '{print $6}' <<<$cipher)" ]; then
|
||||||
|
different=True
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
results=("${results[@]}" "$r")
|
results=("${results[@]}" "$r")
|
||||||
ctr=$((ctr+1))
|
ctr=$((ctr+1))
|
||||||
@ -222,13 +232,13 @@ display_results_in_terminal() {
|
|||||||
|
|
||||||
if [ $DOBENCHMARK -eq 1 ]; then
|
if [ $DOBENCHMARK -eq 1 ]; then
|
||||||
if [ $different == "True" ]; then
|
if [ $different == "True" ]; then
|
||||||
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
|
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint pfs_keysize avg_handshake_microsec"
|
||||||
else
|
else
|
||||||
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
|
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ $different == "True" ]; then
|
if [ $different == "True" ]; then
|
||||||
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
|
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint pfs_keysize"
|
||||||
else
|
else
|
||||||
header="prio ciphersuite protocols pfs_keysize"
|
header="prio ciphersuite protocols pfs_keysize"
|
||||||
fi
|
fi
|
||||||
@ -242,7 +252,8 @@ display_results_in_terminal() {
|
|||||||
if [ $different == "True" ]; then
|
if [ $different == "True" ]; then
|
||||||
echo $result|grep -v '(NONE)'
|
echo $result|grep -v '(NONE)'
|
||||||
else
|
else
|
||||||
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $7}'
|
# prints priority, ciphersuite, protocols and pfs_keysize
|
||||||
|
echo $result|grep -v '(NONE)'|awk '{print $1 " " $2 " " $3 " " $8}'
|
||||||
fi
|
fi
|
||||||
done|column -t
|
done|column -t
|
||||||
echo
|
echo
|
||||||
@ -252,6 +263,7 @@ display_results_in_terminal() {
|
|||||||
else
|
else
|
||||||
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
|
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
|
||||||
fi
|
fi
|
||||||
|
echo "TLS ticket lifetime hint: $tickethint"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -267,7 +279,8 @@ display_results_in_json() {
|
|||||||
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
||||||
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
||||||
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
||||||
pfs=$(echo $cipher|awk '{print $6}')
|
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
|
||||||
|
pfs=$(echo $cipher|awk '{print $7}')
|
||||||
[ "$pfs" == "" ] && pfs="None"
|
[ "$pfs" == "" ] && pfs="None"
|
||||||
echo -n "\"pfs\":\"$pfs\"}"
|
echo -n "\"pfs\":\"$pfs\"}"
|
||||||
ctr=$((ctr+1))
|
ctr=$((ctr+1))
|
||||||
|
|||||||
@ -17,6 +17,7 @@ protocolstats = defaultdict(int)
|
|||||||
handshakestats = defaultdict(int)
|
handshakestats = defaultdict(int)
|
||||||
keysize = defaultdict(int)
|
keysize = defaultdict(int)
|
||||||
sigalg = defaultdict(int)
|
sigalg = defaultdict(int)
|
||||||
|
tickethint = defaultdict(int)
|
||||||
dsarsastack = 0
|
dsarsastack = 0
|
||||||
total = 0
|
total = 0
|
||||||
for r,d,flist in os.walk(path):
|
for r,d,flist in os.walk(path):
|
||||||
@ -29,6 +30,7 @@ for r,d,flist in os.walk(path):
|
|||||||
tempecckeystats = {}
|
tempecckeystats = {}
|
||||||
tempdsakeystats = {}
|
tempdsakeystats = {}
|
||||||
tempsigstats = {}
|
tempsigstats = {}
|
||||||
|
tempticketstats = {}
|
||||||
ciphertypes = 0
|
ciphertypes = 0
|
||||||
AESGCM = False
|
AESGCM = False
|
||||||
AES = False
|
AES = False
|
||||||
@ -127,6 +129,9 @@ for r,d,flist in os.walk(path):
|
|||||||
""" save key signatures size """
|
""" save key signatures size """
|
||||||
tempsigstats[entry['sigalg'][0]] = 1
|
tempsigstats[entry['sigalg'][0]] = 1
|
||||||
|
|
||||||
|
""" save tls ticket hint """
|
||||||
|
tempticketstats[entry['ticket_hint']] = 1
|
||||||
|
|
||||||
""" store the versions of TLS supported """
|
""" store the versions of TLS supported """
|
||||||
for protocol in entry['protocols']:
|
for protocol in entry['protocols']:
|
||||||
if protocol == 'SSLv2':
|
if protocol == 'SSLv2':
|
||||||
@ -169,6 +174,12 @@ for r,d,flist in os.walk(path):
|
|||||||
for s in tempsigstats:
|
for s in tempsigstats:
|
||||||
sigalg[s] += 1
|
sigalg[s] += 1
|
||||||
|
|
||||||
|
if len(tempticketstats) == 1:
|
||||||
|
for s in tempticketstats:
|
||||||
|
tickethint[s + " only"] += 1
|
||||||
|
for s in tempticketstats:
|
||||||
|
tickethint[s] += 1
|
||||||
|
|
||||||
""" store cipher stats """
|
""" store cipher stats """
|
||||||
if AESGCM:
|
if AESGCM:
|
||||||
cipherstats['AES-GCM'] += 1
|
cipherstats['AES-GCM'] += 1
|
||||||
@ -273,6 +284,12 @@ for stat in sorted(pfsstats):
|
|||||||
pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4)
|
pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4)
|
||||||
sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n")
|
sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n")
|
||||||
|
|
||||||
|
print("\nTLS session ticket hint Count Percent ")
|
||||||
|
print("-------------------------+---------+--------")
|
||||||
|
for stat in sorted(tickethint):
|
||||||
|
percent = round(tickethint[stat] / total * 100, 4)
|
||||||
|
sys.stdout.write(stat.ljust(25) + " " + str(tickethint[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||||
|
|
||||||
print("\nCertificate sig alg Count Percent ")
|
print("\nCertificate sig alg Count Percent ")
|
||||||
print("-------------------------+---------+--------")
|
print("-------------------------+---------+--------")
|
||||||
for stat in sorted(sigalg):
|
for stat in sorted(sigalg):
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user