mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 22:33:40 +01:00
report if server uses client side or server side cipher ordering
This commit is contained in:
parent
a7ae42b08e
commit
189460da9e
62
cipherscan
62
cipherscan
@ -297,13 +297,18 @@ display_results_in_terminal() {
|
|||||||
else
|
else
|
||||||
echo "OCSP stapling: not supported"
|
echo "OCSP stapling: not supported"
|
||||||
fi
|
fi
|
||||||
|
if [[ $serverside == "True" ]]; then
|
||||||
|
echo "Server side cipher ordering"
|
||||||
|
else
|
||||||
|
echo "Client side cipher ordering"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
display_results_in_json() {
|
display_results_in_json() {
|
||||||
# Display the results in json
|
# Display the results in json
|
||||||
ctr=0
|
ctr=0
|
||||||
echo -n "{\"target\":\"$TARGET\",\"date\":\"$(date -R)\",\"ciphersuite\": ["
|
echo -n "{\"target\":\"$TARGET\",\"date\":\"$(date -R)\",\"serverside\":\"${serverside}\",\"ciphersuite\": ["
|
||||||
for cipher in "${cipherspref[@]}"; do
|
for cipher in "${cipherspref[@]}"; do
|
||||||
[ $ctr -gt 0 ] && echo -n ','
|
[ $ctr -gt 0 ] && echo -n ','
|
||||||
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
|
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
|
||||||
@ -321,6 +326,59 @@ display_results_in_json() {
|
|||||||
echo ']}'
|
echo ']}'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
test_serverside_ordering() {
|
||||||
|
|
||||||
|
local ciphersuite=""
|
||||||
|
local prefered=""
|
||||||
|
# server supports only one cipher or no ciphers, so it effectively uses server side ordering...
|
||||||
|
if [[ ${#cipherspref[@]} -lt 2 ]]; then
|
||||||
|
serverside="True"
|
||||||
|
return 0
|
||||||
|
# server supports just two ciphers, so rotate them, that should be enough
|
||||||
|
elif [[ ${#cipherspref[@]} -eq 2 ]]; then
|
||||||
|
|
||||||
|
local cipher=$(awk '{print $1}' <<< ${cipherspref[1]})
|
||||||
|
prefered="$cipher"
|
||||||
|
ciphersuite=$cipher
|
||||||
|
|
||||||
|
cipher=$(awk '{print $1}' <<< ${cipherspref[0]})
|
||||||
|
ciphersuite+=":$cipher"
|
||||||
|
|
||||||
|
# server supports 3 or more ciphers, rotate all three. This is necessary because google does
|
||||||
|
# select first client provided cipher, if it is either CDHE-RSA-AES128-GCM-SHA256 or
|
||||||
|
# ECDHE-RSA-CHACHA20-POLY1305
|
||||||
|
else
|
||||||
|
local cipher=$(awk '{print $1}' <<< ${cipherspref[2]})
|
||||||
|
prefered="$cipher"
|
||||||
|
ciphersuite="$cipher"
|
||||||
|
|
||||||
|
cipher=$(awk '{print $1}' <<< ${cipherspref[1]})
|
||||||
|
ciphersuite+=":$cipher"
|
||||||
|
|
||||||
|
cipher=$(awk '{print $1}' <<< ${cipherspref[0]})
|
||||||
|
ciphersuite+=":$cipher"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -e $CACERTS ]; then
|
||||||
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||||
|
else
|
||||||
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||||
|
fi
|
||||||
|
|
||||||
|
test_cipher_on_target "$sslcommand"
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
serverside="True"
|
||||||
|
else
|
||||||
|
local selected=$(awk '{print $1}' <<< $result)
|
||||||
|
if [[ $selected == $prefered ]]; then
|
||||||
|
serverside="False"
|
||||||
|
else
|
||||||
|
serverside="True"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# UNKNOWNOPTIONS=""
|
# UNKNOWNOPTIONS=""
|
||||||
while :
|
while :
|
||||||
do
|
do
|
||||||
@ -407,6 +465,8 @@ results=()
|
|||||||
# Call to the recursive loop that retrieves the cipher preferences
|
# Call to the recursive loop that retrieves the cipher preferences
|
||||||
get_cipher_pref $CIPHERSUITE
|
get_cipher_pref $CIPHERSUITE
|
||||||
|
|
||||||
|
test_serverside_ordering
|
||||||
|
|
||||||
if [ "$OUTPUTFORMAT" == "json" ]; then
|
if [ "$OUTPUTFORMAT" == "json" ]; then
|
||||||
display_results_in_json
|
display_results_in_json
|
||||||
else
|
else
|
||||||
|
Loading…
Reference in New Issue
Block a user