LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00
Code Issues Releases Wiki Activity

add ability to also save leaf certificates and untrusted ones

Browse Source
This commit is contained in:
Hubert Kario 2014-10-11 15:18:48 +02:00 committed by Hubert Kario
parent 826f7b5541
commit 3e37517c96
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cipherscan
View File

@ -47,6 +47,7 @@ TIMEOUT=30
# place where to put the found intermediate CA certificates and where # place where to put the found intermediate CA certificates and where
# trust anchors are stored # trust anchors are stored
CAPATH="" CAPATH=""
SAVECRT=""
# because running external commands like sleep incurs a fork penalty, we # because running external commands like sleep incurs a fork penalty, we
# first check if it is necessary # first check if it is necessary
@ -57,7 +58,7 @@ ratelimit() {
} }
usage() { usage() {
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port> echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
usage: $0 -h|--help usage: $0 -h|--help
$0 attempts to connect to a target site using all the ciphersuites it knows. $0 attempts to connect to a target site using all the ciphersuites it knows.
@ -78,6 +79,7 @@ Use one of the options below:
-h | --help Shows this help text. -h | --help Shows this help text.
-j | --json Output results in JSON format. -j | --json Output results in JSON format.
-o | --openssl path/to/your/openssl binary you want to use. -o | --openssl path/to/your/openssl binary you want to use.
--savecrt path where to save untrusted and leaf certificates
-v | --verbose Increase verbosity. -v | --verbose Increase verbosity.
The rest of the arguments will be interpreted as openssl s_client argument. The rest of the arguments will be interpreted as openssl s_client argument.
@ -209,6 +211,7 @@ test_cipher_on_target() {
# check if the certificate is actually trusted (server may present # check if the certificate is actually trusted (server may present
# unrelated certificates that are not trusted (including self # unrelated certificates that are not trusted (including self
# signed ones) # signed ones)
local saved="False"
if ${OPENSSLBIN} verify "${trust_source[@]}" \ if ${OPENSSLBIN} verify "${trust_source[@]}" \
-untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \ -untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \
grep 'OK$' >/dev/null; then grep 'OK$' >/dev/null; then
@ -220,6 +223,12 @@ test_cipher_on_target() {
echo "$cert" > "$CAPATH/${sha256sum}.pem" echo "$cert" > "$CAPATH/${sha256sum}.pem"
c_hash "$CAPATH" "${sha256sum}.pem" c_hash "$CAPATH" "${sha256sum}.pem"
fi fi
saved="True"
fi
fi
if [[ -n $SAVECRT ]] && [[ $saved == "False" ]]; then
if [[ ! -e $SAVECRT/${sha256sum}.pem ]]; then
echo "$cert" > "$SAVECRT/${sha256sum}.pem"
fi fi
fi fi
# save the sha sum for reporting # save the sha sum for reporting
@ -538,6 +547,10 @@ do
SAVECA="True" SAVECA="True"
shift 1 shift 1
;; ;;
--savecrt)
SAVECRT="$2"
shift 2
;;
--) # End of all options --) # End of all options
shift shift
break break