mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 14:23:41 +01:00
First shot at ordering analysis. Not yet perfect, but somewhat useful...
This commit is contained in:
parent
a46e474337
commit
1c9d52c94c
54
analyze.py
54
analyze.py
@ -223,8 +223,28 @@ def is_modern(results):
|
|||||||
failures[lvl].append("consider enabling OCSP Stapling")
|
failures[lvl].append("consider enabling OCSP Stapling")
|
||||||
return modern
|
return modern
|
||||||
|
|
||||||
def is_ordered(results, ciphersuite):
|
def is_ordered(results, ref_ciphersuite, lvl):
|
||||||
return True
|
ordered = True
|
||||||
|
previous_pos = 0
|
||||||
|
# iterate through the list of ciphers returned by the target
|
||||||
|
for conn in results['ciphersuite']:
|
||||||
|
pos = 0
|
||||||
|
# compare against each cipher of the reference ciphersuite
|
||||||
|
for ref_cipher in ref_ciphersuite:
|
||||||
|
# if the target cipher matches the reference ciphersuite,
|
||||||
|
# look for its position against the reference and flag cipher
|
||||||
|
# that violate the reference ordering
|
||||||
|
if conn['cipher'] == ref_cipher:
|
||||||
|
logging.debug("{0} found in reference ciphersuite at position {1}".format(conn['cipher'], pos))
|
||||||
|
if pos < previous_pos:
|
||||||
|
failures[lvl].append("increase priority of {0} over {1}".format(conn['cipher'], ref_ciphersuite[previous_pos]))
|
||||||
|
ordered = False
|
||||||
|
# save current position
|
||||||
|
previous_pos = pos
|
||||||
|
pos += 1
|
||||||
|
if not ordered:
|
||||||
|
failures[lvl].append("fix ciphersuite ordering, use recommended " + lvl + " ciphersuite")
|
||||||
|
return ordered
|
||||||
|
|
||||||
def evaluate_all(results):
|
def evaluate_all(results):
|
||||||
status = "obscure unknown ssl"
|
status = "obscure unknown ssl"
|
||||||
@ -233,22 +253,19 @@ def evaluate_all(results):
|
|||||||
return "no ssl"
|
return "no ssl"
|
||||||
|
|
||||||
if is_modern(results):
|
if is_modern(results):
|
||||||
if is_ordered(results, modern_ciphers):
|
status = "modern tls"
|
||||||
status = "modern tls"
|
if not is_ordered(results, modern_ciphers, "modern"):
|
||||||
else:
|
status = "modern tls with bad ordering"
|
||||||
status = "modern tls with bad ordering"
|
|
||||||
|
|
||||||
if is_intermediate(results):
|
if is_intermediate(results):
|
||||||
if is_ordered(results, intermediate_ciphers):
|
status = "intermediate tls"
|
||||||
status = "intermediate tls"
|
if not is_ordered(results, intermediate_ciphers, "intermediate"):
|
||||||
else:
|
status = "intermediate tls with bad ordering"
|
||||||
status = "intermediate tls with bad ordering"
|
|
||||||
|
|
||||||
if is_old(results):
|
if is_old(results):
|
||||||
if is_ordered(results, old_ciphers):
|
status = "old ssl"
|
||||||
status = "old ssl"
|
if not is_ordered(results, old_ciphers, "old"):
|
||||||
else:
|
status = "old ssl with bad ordering"
|
||||||
status = "old ssl with bad ordering"
|
|
||||||
|
|
||||||
if is_fubar(results):
|
if is_fubar(results):
|
||||||
status = "bad ssl"
|
status = "bad ssl"
|
||||||
@ -275,7 +292,7 @@ def process_results(data, level=None):
|
|||||||
pass
|
pass
|
||||||
|
|
||||||
if len(failures['fubar']) > 0:
|
if len(failures['fubar']) > 0:
|
||||||
print("\nSome things that are really FUBAR:")
|
print("\nThings that are really FUBAR:")
|
||||||
for failure in failures['fubar']:
|
for failure in failures['fubar']:
|
||||||
print("* " + failure)
|
print("* " + failure)
|
||||||
|
|
||||||
@ -302,9 +319,10 @@ def build_ciphers_lists(opensslbin):
|
|||||||
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
|
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
|
||||||
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
|
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
|
||||||
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
|
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
|
||||||
'AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HI' \
|
'AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES' \
|
||||||
'GH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-R' \
|
'256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!R' \
|
||||||
'SA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
|
'C4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-S' \
|
||||||
|
'HA'
|
||||||
intC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
|
intC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
|
||||||
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
|
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
|
||||||
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \
|
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \
|
||||||
|
Loading…
Reference in New Issue
Block a user