mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 07:23:42 +01:00

Added protocol

Julien Vehent 2013-08-07 10:40:03 -04:00
parent d2b82ed871
commit 4a51ef71d6
2 changed files with 178 additions and 29 deletions


@ -26,13 +26,13 @@ test_cipher_on_target() {
$REQUEST
EOF
# Parse the result
result=$(grep "New, " $tmp|awk '{print $5}')
result="$(grep "New, " $tmp|awk '{print $5}') $(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}')"
rm "$tmp"
if [ -z $result ]; then
if [ -z "$result" ]; then
verbose "handshake failed, no ciphersuite was returned"
result='ConnectionFailure'
return 2
elif [ "$result" == '(NONE)' ]; then
elif [ "$result" == '(NONE) ' ]; then
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
else
@ -74,7 +74,8 @@ get_cipher_pref() {
cipherspref=("${cipherspref[@]}" "$result")
# If the connection succeeded with the current cipher, benchmark and store
if [ $success -eq 0 ]; then
get_cipher_pref "!$result:$ciphersuite"
pciph=$(echo $result|awk '{print $1}')
get_cipher_pref "!$pciph:$ciphersuite"
return 0
fi
}
@ -108,8 +109,9 @@ results=()
get_cipher_pref "ALL"
ctr=1
for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
if [ $DOBENCHMARK -eq 1 ]; then
bench_cipher "$cipher"
bench_cipher "$pciph"
r="$ctr $cipher $cipherbenchms"
else
r="$ctr $cipher"
@ -119,9 +121,9 @@ for cipher in "${cipherspref[@]}"; do
done
if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite avg_handshake_microsec"
header="prio ciphersuite protocol avg_handshake_microsec"
else
header="prio ciphersuite"
header="prio ciphersuite protocol"
fi
ctr=0
for result in "${results[@]}"; do
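Review bot: In the first hunk (test_cipher_on_target), the newly quoted `[ -z "$result" ]` can never be true, because the new assignment always places a literal space between the two command substitutions. When neither grep matches, `result` is a single space, so the ConnectionFailure branch is skipped and control falls through to the `else` path, which is presumably the success path. The `'(NONE) '` comparison is fragile in the same way: it matches only when no Protocol line is present in the s_client output, which may not hold for every OpenSSL build. Parsing cipher and protocol into separate variables and testing the cipher alone avoids both problems, and keeps a failed handshake from being reported as an accepted suite. The function begins before this hunk and its `else` branch continues past it.

```shell
# Parse the result
local negotiated proto
negotiated=$(grep "New, " "$tmp" | awk '{print $5}')
proto=$(grep -E "^\s+Protocol\s+:" "$tmp" | awk '{print $3}')
result="$negotiated $proto"
rm "$tmp"
if [ -z "$negotiated" ]; then
# … unchanged: ConnectionFailure branch, return 2 …
elif [ "$negotiated" == '(NONE)' ]; then
# … unchanged: verbose message, return 1, else branch …
```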

191
README.md

@ -2,38 +2,185 @@ CipherScan
==========
A very simple way to find out which SSL ciphersuites are supported by a target.
Run: ./CipherScan.sh www.google.com:443 -v
Run: ./CipherScan.sh www.google.com:443
And watch.
Edit the script if you need more (disable benchmarking by setting DOBENCHMARK to 0).
The newer your version of openssl, the better results you'll get. Older versions
of OpenSSL don't support TLS1.2 ciphers, elliptic curves, etc... Build Your Own!
Options
-------
Enable benchmarking by setting DOBENCHMARK to 1 at the top of the script.
Use '-v' to get more stuff to read.
Use '-a' to force openssl to test every single cipher it know.
Example
-------
```
$ ./CiphersScan.sh www.google.com:443
$ ./CiphersScan.sh www.google.com:443 -a
prio ciphersuite protocol
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2 ECDHE-RSA-RC4-SHA TLSv1.2
3 ECDHE-RSA-AES128-SHA TLSv1.2
4 AES128-GCM-SHA256 TLSv1.2
5 RC4-SHA TLSv1.2
6 RC4-MD5 TLSv1.2
7 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
8 ECDHE-RSA-AES256-SHA384 TLSv1.2
9 ECDHE-RSA-AES256-SHA TLSv1.2
10 AES256-GCM-SHA384 TLSv1.2
11 AES256-SHA256 TLSv1.2
12 AES256-SHA TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1.2
14 DES-CBC3-SHA TLSv1.2
15 ECDHE-RSA-AES128-SHA256 TLSv1.2
16 AES128-SHA256 TLSv1.2
17 AES128-SHA TLSv1.2
18 (NONE)
prio ciphersuite avg_handshake_ms
1 ECDHE-RSA-AES128-GCM-SHA256 392
2 ECDHE-RSA-RC4-SHA 412
3 ECDHE-RSA-AES128-SHA 415
4 AES128-GCM-SHA256 428
5 RC4-SHA 404
6 RC4-MD5 399
7 ECDHE-RSA-AES256-GCM-SHA384 389
8 ECDHE-RSA-AES256-SHA384 388
9 ECDHE-RSA-AES256-SHA 394
10 AES256-GCM-SHA384 388
11 AES256-SHA256 389
12 AES256-SHA 389
13 ECDHE-RSA-DES-CBC3-SHA 392
14 DES-CBC3-SHA 391
15 ECDHE-RSA-AES128-SHA256 394
16 AES128-SHA256 391
17 AES128-SHA 389
All accepted ciphersuites
KO ADH-AES128-GCM-SHA256
KO ADH-AES128-SHA
KO ADH-AES128-SHA256
KO ADH-AES256-GCM-SHA384
KO ADH-AES256-SHA
KO ADH-AES256-SHA256
KO ADH-CAMELLIA128-SHA
KO ADH-CAMELLIA256-SHA
KO ADH-DES-CBC3-SHA
KO ADH-DES-CBC-SHA
KO ADH-RC4-MD5
KO ADH-SEED-SHA
KO AECDH-AES128-SHA
KO AECDH-AES256-SHA
KO AECDH-DES-CBC3-SHA
KO AECDH-NULL-SHA
KO AECDH-RC4-SHA
OK AES128-GCM-SHA256
OK AES128-SHA
OK AES128-SHA256
OK AES256-GCM-SHA384
OK AES256-SHA
OK AES256-SHA256
KO CAMELLIA128-SHA
KO CAMELLIA256-SHA
KO DES-CBC3-MD5
OK DES-CBC3-SHA
KO DES-CBC-MD5
KO DES-CBC-SHA
KO DH-DSS-AES128-GCM-SHA256
KO DH-DSS-AES128-SHA
KO DH-DSS-AES128-SHA256
KO DH-DSS-AES256-GCM-SHA384
KO DH-DSS-AES256-SHA
KO DH-DSS-AES256-SHA256
KO DH-DSS-CAMELLIA128-SHA
KO DH-DSS-CAMELLIA256-SHA
KO DH-DSS-DES-CBC3-SHA
KO DH-DSS-DES-CBC-SHA
KO DH-DSS-SEED-SHA
KO DHE-DSS-AES128-GCM-SHA256
KO DHE-DSS-AES128-SHA
KO DHE-DSS-AES128-SHA256
KO DHE-DSS-AES256-GCM-SHA384
KO DHE-DSS-AES256-SHA
KO DHE-DSS-AES256-SHA256
KO DHE-DSS-CAMELLIA128-SHA
KO DHE-DSS-CAMELLIA256-SHA
KO DHE-DSS-SEED-SHA
KO DHE-RSA-AES128-GCM-SHA256
KO DHE-RSA-AES128-SHA
KO DHE-RSA-AES128-SHA256
KO DHE-RSA-AES256-GCM-SHA384
KO DHE-RSA-AES256-SHA
KO DHE-RSA-AES256-SHA256
KO DHE-RSA-CAMELLIA128-SHA
KO DHE-RSA-CAMELLIA256-SHA
KO DHE-RSA-SEED-SHA
KO DH-RSA-AES128-GCM-SHA256
KO DH-RSA-AES128-SHA
KO DH-RSA-AES128-SHA256
KO DH-RSA-AES256-GCM-SHA384
KO DH-RSA-AES256-SHA
KO DH-RSA-AES256-SHA256
KO DH-RSA-CAMELLIA128-SHA
KO DH-RSA-CAMELLIA256-SHA
KO DH-RSA-DES-CBC3-SHA
KO DH-RSA-DES-CBC-SHA
KO DH-RSA-SEED-SHA
KO ECDH-ECDSA-AES128-GCM-SHA256
KO ECDH-ECDSA-AES128-SHA
KO ECDH-ECDSA-AES128-SHA256
KO ECDH-ECDSA-AES256-GCM-SHA384
KO ECDH-ECDSA-AES256-SHA
KO ECDH-ECDSA-AES256-SHA384
KO ECDH-ECDSA-DES-CBC3-SHA
KO ECDH-ECDSA-NULL-SHA
KO ECDH-ECDSA-RC4-SHA
KO ECDHE-ECDSA-AES128-GCM-SHA256
KO ECDHE-ECDSA-AES128-SHA
KO ECDHE-ECDSA-AES128-SHA256
KO ECDHE-ECDSA-AES256-GCM-SHA384
KO ECDHE-ECDSA-AES256-SHA
KO ECDHE-ECDSA-AES256-SHA384
KO ECDHE-ECDSA-DES-CBC3-SHA
KO ECDHE-ECDSA-NULL-SHA
KO ECDHE-ECDSA-RC4-SHA
OK ECDHE-RSA-AES128-GCM-SHA256
OK ECDHE-RSA-AES128-SHA
OK ECDHE-RSA-AES128-SHA256
OK ECDHE-RSA-AES256-GCM-SHA384
OK ECDHE-RSA-AES256-SHA
OK ECDHE-RSA-AES256-SHA384
OK ECDHE-RSA-DES-CBC3-SHA
KO ECDHE-RSA-NULL-SHA
OK ECDHE-RSA-RC4-SHA
KO ECDH-RSA-AES128-GCM-SHA256
KO ECDH-RSA-AES128-SHA
KO ECDH-RSA-AES128-SHA256
KO ECDH-RSA-AES256-GCM-SHA384
KO ECDH-RSA-AES256-SHA
KO ECDH-RSA-AES256-SHA384
KO ECDH-RSA-DES-CBC3-SHA
KO ECDH-RSA-NULL-SHA
KO ECDH-RSA-RC4-SHA
KO EDH-DSS-DES-CBC3-SHA
KO EDH-DSS-DES-CBC-SHA
KO EDH-RSA-DES-CBC3-SHA
KO EDH-RSA-DES-CBC-SHA
KO EXP-ADH-DES-CBC-SHA
KO EXP-ADH-RC4-MD5
KO EXP-DES-CBC-SHA
KO EXP-DH-DSS-DES-CBC-SHA
KO EXP-DH-RSA-DES-CBC-SHA
KO EXP-EDH-DSS-DES-CBC-SHA
KO EXP-EDH-RSA-DES-CBC-SHA
KO EXP-RC2-CBC-MD5
KO EXP-RC4-MD5
KO IDEA-CBC-MD5
KO IDEA-CBC-SHA
KO NULL-MD5
KO NULL-SHA
KO NULL-SHA256
KO PSK-3DES-EDE-CBC-SHA
KO PSK-AES128-CBC-SHA
KO PSK-AES256-CBC-SHA
KO PSK-RC4-SHA
KO RC2-CBC-MD5
OK RC4-MD5
OK RC4-SHA
KO SEED-SHA
KO SRP-3DES-EDE-CBC-SHA
KO SRP-AES-128-CBC-SHA
KO SRP-AES-256-CBC-SHA
KO SRP-DSS-3DES-EDE-CBC-SHA
KO SRP-DSS-AES-128-CBC-SHA
KO SRP-DSS-AES-256-CBC-SHA
KO SRP-RSA-3DES-EDE-CBC-SHA
KO SRP-RSA-AES-128-CBC-SHA
KO SRP-RSA-AES-256-CBC-SHA
```