diff --git a/cipherscan b/cipherscan index 3421c13..51c326b 100755 --- a/cipherscan +++ b/cipherscan @@ -32,9 +32,10 @@ TIMEOUT=10 # place where to put the found intermediate CA certificates and where # trust anchors are stored CAPATH="" +SAVECRT="" usage() { - echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] + echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] usage: $0 -h|--help $0 attempts to connect to a target site using all the ciphersuites it knows. @@ -54,6 +55,7 @@ Use one of the options below: -h | --help Shows this help text. -j | --json Output results in JSON format. -o | --openssl path/to/your/openssl binary you want to use. +--savecrt path where to save untrusted and leaf certificates -v | --verbose Increase verbosity. The rest of the arguments will be interpreted as openssl s_client argument. @@ -184,6 +186,7 @@ test_cipher_on_target() { # check if the certificate is actually trusted (server may present # unrelated certificates that are not trusted (including self # signed ones) + local saved="False" if ${OPENSSLBIN} verify "${trust_source[@]}" \ -untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \ grep 'OK$' >/dev/null; then @@ -195,6 +198,12 @@ test_cipher_on_target() { echo "$cert" > "$CAPATH/${sha256sum}.pem" c_hash "$CAPATH" "${sha256sum}.pem" fi + saved="True" + fi + fi + if [[ -n $SAVECRT ]] && [[ $saved == "False" ]]; then + if [[ ! -e $SAVECRT/${sha256sum}.pem ]]; then + echo "$cert" > "$SAVECRT/${sha256sum}.pem" fi fi # save the sha sum for reporting @@ -518,6 +527,10 @@ do CAPATH="$2" shift 2 ;; + --savecrt) + SAVECRT="$2" + shift 2 + ;; --) # End of all options shift break