2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

First shot at ordering analysis. Not yet perfect, but somewhat useful...

This commit is contained in:
Julien Vehent 2014-10-10 20:30:27 -04:00
parent a46e474337
commit 1c9d52c94c

View File

@ -223,8 +223,28 @@ def is_modern(results):
failures[lvl].append("consider enabling OCSP Stapling")
return modern
def is_ordered(results, ciphersuite):
return True
def is_ordered(results, ref_ciphersuite, lvl):
ordered = True
previous_pos = 0
# iterate through the list of ciphers returned by the target
for conn in results['ciphersuite']:
pos = 0
# compare against each cipher of the reference ciphersuite
for ref_cipher in ref_ciphersuite:
# if the target cipher matches the reference ciphersuite,
# look for its position against the reference and flag cipher
# that violate the reference ordering
if conn['cipher'] == ref_cipher:
logging.debug("{0} found in reference ciphersuite at position {1}".format(conn['cipher'], pos))
if pos < previous_pos:
failures[lvl].append("increase priority of {0} over {1}".format(conn['cipher'], ref_ciphersuite[previous_pos]))
ordered = False
# save current position
previous_pos = pos
pos += 1
if not ordered:
failures[lvl].append("fix ciphersuite ordering, use recommended " + lvl + " ciphersuite")
return ordered
def evaluate_all(results):
status = "obscure unknown ssl"
@ -233,21 +253,18 @@ def evaluate_all(results):
return "no ssl"
if is_modern(results):
if is_ordered(results, modern_ciphers):
status = "modern tls"
else:
if not is_ordered(results, modern_ciphers, "modern"):
status = "modern tls with bad ordering"
if is_intermediate(results):
if is_ordered(results, intermediate_ciphers):
status = "intermediate tls"
else:
if not is_ordered(results, intermediate_ciphers, "intermediate"):
status = "intermediate tls with bad ordering"
if is_old(results):
if is_ordered(results, old_ciphers):
status = "old ssl"
else:
if not is_ordered(results, old_ciphers, "old"):
status = "old ssl with bad ordering"
if is_fubar(results):
@ -275,7 +292,7 @@ def process_results(data, level=None):
pass
if len(failures['fubar']) > 0:
print("\nSome things that are really FUBAR:")
print("\nThings that are really FUBAR:")
for failure in failures['fubar']:
print("* " + failure)
@ -302,9 +319,10 @@ def build_ciphers_lists(opensslbin):
'AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA' \
'384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AE' \
'S128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-' \
'AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HI' \
'GH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-R' \
'SA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
'AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES' \
'256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!R' \
'C4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-S' \
'HA'
intC = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S' \
'HA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM' \
'-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-' \