mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 14:23:41 +01:00
Merge pull request #4 from mzeltner/master
Support s_client args, give -starttls example. Contributed by mzeltner.
This commit is contained in:
commit
1f92094b3d
13
README.md
13
README.md
@ -20,7 +20,7 @@ Use '-a' to force openssl to test every single cipher it know.
|
|||||||
|
|
||||||
Use '-json' to output the results in json format
|
Use '-json' to output the results in json format
|
||||||
```
|
```
|
||||||
$ ./cipherscan www.google.com:443 -json
|
$ ./cipherscan -json www.google.com:443
|
||||||
```
|
```
|
||||||
|
|
||||||
Example
|
Example
|
||||||
@ -48,4 +48,15 @@ prio ciphersuite protocols pfs_keysize
|
|||||||
16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
||||||
17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||||
18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||||
|
$ ./cipherscan -starttls xmpp jabber.ccc.de:5222
|
||||||
|
.........
|
||||||
|
prio ciphersuite protocols pfs_keysize
|
||||||
|
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits
|
||||||
|
2 AES256-SHA SSLv3,TLSv1
|
||||||
|
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits
|
||||||
|
4 DES-CBC3-SHA SSLv3,TLSv1
|
||||||
|
5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits
|
||||||
|
6 AES128-SHA SSLv3,TLSv1
|
||||||
|
7 RC4-SHA SSLv3,TLSv1
|
||||||
|
8 RC4-MD5 SSLv3,TLSv1
|
||||||
```
|
```
|
||||||
|
34
cipherscan
34
cipherscan
@ -10,7 +10,13 @@ BENCHMARKITER=30
|
|||||||
OPENSSLBIN="$(dirname $0)/openssl"
|
OPENSSLBIN="$(dirname $0)/openssl"
|
||||||
TIMEOUT=10
|
TIMEOUT=10
|
||||||
CIPHERSUITE="ALL:COMPLEMENTOFALL"
|
CIPHERSUITE="ALL:COMPLEMENTOFALL"
|
||||||
TARGET=$1
|
HOST=$(sed -e 's/:.*//'<<<"${@: -1}")
|
||||||
|
PORT=$(sed -e 's/.*://'<<<"${@: -1}")
|
||||||
|
if [ "$HOST" = "$PORT" ]; then
|
||||||
|
PORT=443
|
||||||
|
fi
|
||||||
|
TARGET=$HOST:$PORT
|
||||||
|
SCLIENTARGS=$(sed -e "s/${@: -1}//" -e "s/-v//" -e "s/-a//" -e "s/-json//" <<<"$@")
|
||||||
VERBOSE=0
|
VERBOSE=0
|
||||||
ALLCIPHERS=0
|
ALLCIPHERS=0
|
||||||
OUTPUTFORMAT="terminal"
|
OUTPUTFORMAT="terminal"
|
||||||
@ -23,18 +29,25 @@ Connection: close
|
|||||||
|
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
echo -e "usage: $0 <target:port>
|
echo -e "usage: $0 [-a|-v|-json] [openssl s_client args] <target:port>
|
||||||
|
|
||||||
$0 attempts to connect to a target site using all the ciphersuites it knowns.
|
$0 attempts to connect to a target site using all the ciphersuites it knowns.
|
||||||
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
|
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
|
||||||
|
|
||||||
|
Port defaults to 443
|
||||||
|
|
||||||
example: $ $0 www.google.com:443
|
example: $ $0 www.google.com:443
|
||||||
|
|
||||||
Use only one of the options below:
|
Use one of the options below as the first argument:
|
||||||
-v increase verbosity
|
-v increase verbosity
|
||||||
-a test all known ciphers individually at the end
|
-a test all known ciphers individually at the end
|
||||||
-json output results in json format
|
-json output results in json format
|
||||||
|
|
||||||
|
The rest of the arguments will be interpreted as openssl s_client argument.
|
||||||
|
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
|
||||||
|
|
||||||
|
example: $0 -starttls xmpp jabber.ccc.de:5222
|
||||||
|
|
||||||
OpenSSL path can be changed in the OPENSSLBIN variable
|
OpenSSL path can be changed in the OPENSSLBIN variable
|
||||||
Benchmarking can be enabled in the DOBENCHMARK variable
|
Benchmarking can be enabled in the DOBENCHMARK variable
|
||||||
"
|
"
|
||||||
@ -105,7 +118,7 @@ EOF
|
|||||||
# Calculate the average handshake time for a specific ciphersuite
|
# Calculate the average handshake time for a specific ciphersuite
|
||||||
bench_cipher() {
|
bench_cipher() {
|
||||||
local ciphersuite="$1"
|
local ciphersuite="$1"
|
||||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||||
local t="$(date +%s%N)"
|
local t="$(date +%s%N)"
|
||||||
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
|
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
|
||||||
for i in $(seq 1 $BENCHMARKITER); do
|
for i in $(seq 1 $BENCHMARKITER); do
|
||||||
@ -129,7 +142,7 @@ EOF
|
|||||||
get_cipher_pref() {
|
get_cipher_pref() {
|
||||||
[ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.'
|
[ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.'
|
||||||
local ciphersuite="$1"
|
local ciphersuite="$1"
|
||||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||||
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
||||||
test_cipher_on_target "$sslcommand"
|
test_cipher_on_target "$sslcommand"
|
||||||
local success=$?
|
local success=$?
|
||||||
@ -193,17 +206,14 @@ display_results_in_json() {
|
|||||||
|
|
||||||
[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage
|
[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage
|
||||||
if [ ! -z $2 ]; then
|
if [ ! -z $2 ]; then
|
||||||
if [ "$2" == "-v" ]; then
|
if [ "$1" == "-v" ]; then
|
||||||
VERBOSE=1
|
VERBOSE=1
|
||||||
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
||||||
$OPENSSLBIN ciphers ALL 2>/dev/null
|
$OPENSSLBIN ciphers ALL 2>/dev/null
|
||||||
elif [ "$2" == "-a" ]; then
|
elif [ "$1" == "-a" ]; then
|
||||||
ALLCIPHERS=1
|
ALLCIPHERS=1
|
||||||
elif [ "$2" == "-json" ]; then
|
elif [ "$1" == "-json" ]; then
|
||||||
OUTPUTFORMAT="json"
|
OUTPUTFORMAT="json"
|
||||||
else
|
|
||||||
echo "ERROR: unknown option '$2'"; echo
|
|
||||||
usage
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -225,7 +235,7 @@ if [ $ALLCIPHERS -gt 0 ]; then
|
|||||||
echo; echo "All accepted ciphersuites"
|
echo; echo "All accepted ciphersuites"
|
||||||
for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
|
for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
|
||||||
r="fail"
|
r="fail"
|
||||||
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $c"
|
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
|
||||||
test_cipher_on_target "$osslcommand"
|
test_cipher_on_target "$osslcommand"
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
r="pass"
|
r="pass"
|
||||||
|
Loading…
Reference in New Issue
Block a user