LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00
Code Issues Releases Wiki Activity

Added protocol

Browse Source
This commit is contained in:
Julien Vehent 2013-08-07 10:40:03 -04:00
parent d2b82ed871
commit 4a51ef71d6
2 changed files with 178 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CiphersScan.sh
View File

@ -26,13 +26,13 @@ test_cipher_on_target() {
$REQUEST $REQUEST
EOF EOF
# Parse the result # Parse the result
result=$(grep "New, " $tmp|awk '{print $5}') result="$(grep "New, " $tmp|awk '{print $5}') $(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}')"
rm "$tmp" rm "$tmp"
if [ -z $result ]; then if [ -z "$result" ]; then
verbose "handshake failed, no ciphersuite was returned" verbose "handshake failed, no ciphersuite was returned"
result='ConnectionFailure' result='ConnectionFailure'
return 2 return 2
elif [ "$result" == '(NONE)' ]; then elif [ "$result" == '(NONE) ' ]; then
verbose "handshake failed, server returned ciphersuite '$result'" verbose "handshake failed, server returned ciphersuite '$result'"
return 1 return 1
else else
@ -74,7 +74,8 @@ get_cipher_pref() {
cipherspref=("${cipherspref[@]}" "$result") cipherspref=("${cipherspref[@]}" "$result")
# If the connection succeeded with the current cipher, benchmark and store # If the connection succeeded with the current cipher, benchmark and store
if [ $success -eq 0 ]; then if [ $success -eq 0 ]; then
get_cipher_pref "!$result:$ciphersuite" pciph=$(echo $result|awk '{print $1}')
get_cipher_pref "!$pciph:$ciphersuite"
return 0 return 0
fi fi
} }
@ -108,8 +109,9 @@ results=()
get_cipher_pref "ALL" get_cipher_pref "ALL"
ctr=1 ctr=1
for cipher in "${cipherspref[@]}"; do for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
if [ $DOBENCHMARK -eq 1 ]; then if [ $DOBENCHMARK -eq 1 ]; then
bench_cipher "$cipher" bench_cipher "$pciph"
r="$ctr $cipher $cipherbenchms" r="$ctr $cipher $cipherbenchms"
else else
r="$ctr $cipher" r="$ctr $cipher"
@ -119,9 +121,9 @@ for cipher in "${cipherspref[@]}"; do
done done
if [ $DOBENCHMARK -eq 1 ]; then if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite avg_handshake_microsec" header="prio ciphersuite protocol avg_handshake_microsec"
else else
header="prio ciphersuite" header="prio ciphersuite protocol"
fi fi
ctr=0 ctr=0
for result in "${results[@]}"; do for result in "${results[@]}"; do

191
README.md
View File

@ -2,38 +2,185 @@ CipherScan
========== ==========
A very simple way to find out which SSL ciphersuites are supported by a target. A very simple way to find out which SSL ciphersuites are supported by a target.
Run: ./CipherScan.sh www.google.com:443 -v Run: ./CipherScan.sh www.google.com:443
And watch. And watch.
Edit the script if you need more (disable benchmarking by setting DOBENCHMARK to 0).
The newer your version of openssl, the better results you'll get. Older versions The newer your version of openssl, the better results you'll get. Older versions
of OpenSSL don't support TLS1.2 ciphers, elliptic curves, etc... Build Your Own! of OpenSSL don't support TLS1.2 ciphers, elliptic curves, etc... Build Your Own!
Options
-------
Enable benchmarking by setting DOBENCHMARK to 1 at the top of the script.
Use '-v' to get more stuff to read.
Use '-a' to force openssl to test every single cipher it know.
Example Example
------- -------
``` ```
$ ./CiphersScan.sh www.google.com:443 $ ./CiphersScan.sh www.google.com:443 -a
prio ciphersuite protocol
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2 ECDHE-RSA-RC4-SHA TLSv1.2
3 ECDHE-RSA-AES128-SHA TLSv1.2
4 AES128-GCM-SHA256 TLSv1.2
5 RC4-SHA TLSv1.2
6 RC4-MD5 TLSv1.2
7 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
8 ECDHE-RSA-AES256-SHA384 TLSv1.2
9 ECDHE-RSA-AES256-SHA TLSv1.2
10 AES256-GCM-SHA384 TLSv1.2
11 AES256-SHA256 TLSv1.2
12 AES256-SHA TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1.2
14 DES-CBC3-SHA TLSv1.2
15 ECDHE-RSA-AES128-SHA256 TLSv1.2
16 AES128-SHA256 TLSv1.2
17 AES128-SHA TLSv1.2
18 (NONE)
prio ciphersuite avg_handshake_ms All accepted ciphersuites
1 ECDHE-RSA-AES128-GCM-SHA256 392 KO ADH-AES128-GCM-SHA256
2 ECDHE-RSA-RC4-SHA 412 KO ADH-AES128-SHA
3 ECDHE-RSA-AES128-SHA 415 KO ADH-AES128-SHA256
4 AES128-GCM-SHA256 428 KO ADH-AES256-GCM-SHA384
5 RC4-SHA 404 KO ADH-AES256-SHA
6 RC4-MD5 399 KO ADH-AES256-SHA256
7 ECDHE-RSA-AES256-GCM-SHA384 389 KO ADH-CAMELLIA128-SHA
8 ECDHE-RSA-AES256-SHA384 388 KO ADH-CAMELLIA256-SHA
9 ECDHE-RSA-AES256-SHA 394 KO ADH-DES-CBC3-SHA
10 AES256-GCM-SHA384 388 KO ADH-DES-CBC-SHA
11 AES256-SHA256 389 KO ADH-RC4-MD5
12 AES256-SHA 389 KO ADH-SEED-SHA
13 ECDHE-RSA-DES-CBC3-SHA 392 KO AECDH-AES128-SHA
14 DES-CBC3-SHA 391 KO AECDH-AES256-SHA
15 ECDHE-RSA-AES128-SHA256 394 KO AECDH-DES-CBC3-SHA
16 AES128-SHA256 391 KO AECDH-NULL-SHA
17 AES128-SHA 389 KO AECDH-RC4-SHA
OK AES128-GCM-SHA256
OK AES128-SHA
OK AES128-SHA256
OK AES256-GCM-SHA384
OK AES256-SHA
OK AES256-SHA256
KO CAMELLIA128-SHA
KO CAMELLIA256-SHA
KO DES-CBC3-MD5
OK DES-CBC3-SHA
KO DES-CBC-MD5
KO DES-CBC-SHA
KO DH-DSS-AES128-GCM-SHA256
KO DH-DSS-AES128-SHA
KO DH-DSS-AES128-SHA256
KO DH-DSS-AES256-GCM-SHA384
KO DH-DSS-AES256-SHA
KO DH-DSS-AES256-SHA256
KO DH-DSS-CAMELLIA128-SHA
KO DH-DSS-CAMELLIA256-SHA
KO DH-DSS-DES-CBC3-SHA
KO DH-DSS-DES-CBC-SHA
KO DH-DSS-SEED-SHA
KO DHE-DSS-AES128-GCM-SHA256
KO DHE-DSS-AES128-SHA
KO DHE-DSS-AES128-SHA256
KO DHE-DSS-AES256-GCM-SHA384
KO DHE-DSS-AES256-SHA
KO DHE-DSS-AES256-SHA256
KO DHE-DSS-CAMELLIA128-SHA
KO DHE-DSS-CAMELLIA256-SHA
KO DHE-DSS-SEED-SHA
KO DHE-RSA-AES128-GCM-SHA256
KO DHE-RSA-AES128-SHA
KO DHE-RSA-AES128-SHA256
KO DHE-RSA-AES256-GCM-SHA384
KO DHE-RSA-AES256-SHA
KO DHE-RSA-AES256-SHA256
KO DHE-RSA-CAMELLIA128-SHA
KO DHE-RSA-CAMELLIA256-SHA
KO DHE-RSA-SEED-SHA
KO DH-RSA-AES128-GCM-SHA256
KO DH-RSA-AES128-SHA
KO DH-RSA-AES128-SHA256
KO DH-RSA-AES256-GCM-SHA384
KO DH-RSA-AES256-SHA
KO DH-RSA-AES256-SHA256
KO DH-RSA-CAMELLIA128-SHA
KO DH-RSA-CAMELLIA256-SHA
KO DH-RSA-DES-CBC3-SHA
KO DH-RSA-DES-CBC-SHA
KO DH-RSA-SEED-SHA
KO ECDH-ECDSA-AES128-GCM-SHA256
KO ECDH-ECDSA-AES128-SHA
KO ECDH-ECDSA-AES128-SHA256
KO ECDH-ECDSA-AES256-GCM-SHA384
KO ECDH-ECDSA-AES256-SHA
KO ECDH-ECDSA-AES256-SHA384
KO ECDH-ECDSA-DES-CBC3-SHA
KO ECDH-ECDSA-NULL-SHA
KO ECDH-ECDSA-RC4-SHA
KO ECDHE-ECDSA-AES128-GCM-SHA256
KO ECDHE-ECDSA-AES128-SHA
KO ECDHE-ECDSA-AES128-SHA256
KO ECDHE-ECDSA-AES256-GCM-SHA384
KO ECDHE-ECDSA-AES256-SHA
KO ECDHE-ECDSA-AES256-SHA384
KO ECDHE-ECDSA-DES-CBC3-SHA
KO ECDHE-ECDSA-NULL-SHA
KO ECDHE-ECDSA-RC4-SHA
OK ECDHE-RSA-AES128-GCM-SHA256
OK ECDHE-RSA-AES128-SHA
OK ECDHE-RSA-AES128-SHA256
OK ECDHE-RSA-AES256-GCM-SHA384
OK ECDHE-RSA-AES256-SHA
OK ECDHE-RSA-AES256-SHA384
OK ECDHE-RSA-DES-CBC3-SHA
KO ECDHE-RSA-NULL-SHA
OK ECDHE-RSA-RC4-SHA
KO ECDH-RSA-AES128-GCM-SHA256
KO ECDH-RSA-AES128-SHA
KO ECDH-RSA-AES128-SHA256
KO ECDH-RSA-AES256-GCM-SHA384
KO ECDH-RSA-AES256-SHA
KO ECDH-RSA-AES256-SHA384
KO ECDH-RSA-DES-CBC3-SHA
KO ECDH-RSA-NULL-SHA
KO ECDH-RSA-RC4-SHA
KO EDH-DSS-DES-CBC3-SHA
KO EDH-DSS-DES-CBC-SHA
KO EDH-RSA-DES-CBC3-SHA
KO EDH-RSA-DES-CBC-SHA
KO EXP-ADH-DES-CBC-SHA
KO EXP-ADH-RC4-MD5
KO EXP-DES-CBC-SHA
KO EXP-DH-DSS-DES-CBC-SHA
KO EXP-DH-RSA-DES-CBC-SHA
KO EXP-EDH-DSS-DES-CBC-SHA
KO EXP-EDH-RSA-DES-CBC-SHA
KO EXP-RC2-CBC-MD5
KO EXP-RC4-MD5
KO IDEA-CBC-MD5
KO IDEA-CBC-SHA
KO NULL-MD5
KO NULL-SHA
KO NULL-SHA256
KO PSK-3DES-EDE-CBC-SHA
KO PSK-AES128-CBC-SHA
KO PSK-AES256-CBC-SHA
KO PSK-RC4-SHA
KO RC2-CBC-MD5
OK RC4-MD5
OK RC4-SHA
KO SEED-SHA
KO SRP-3DES-EDE-CBC-SHA
KO SRP-AES-128-CBC-SHA
KO SRP-AES-256-CBC-SHA
KO SRP-DSS-3DES-EDE-CBC-SHA
KO SRP-DSS-AES-128-CBC-SHA
KO SRP-DSS-AES-256-CBC-SHA
KO SRP-RSA-3DES-EDE-CBC-SHA
KO SRP-RSA-AES-128-CBC-SHA
KO SRP-RSA-AES-256-CBC-SHA
``` ```