mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-12-25 12:13:41 +01:00
ask for OCSP stapling by default
for now, no option to disable
This commit is contained in:
parent
0777682aa6
commit
4e94d95bd8
26
cipherscan
26
cipherscan
@ -77,6 +77,13 @@ test_cipher_on_target() {
|
||||
do
|
||||
debug echo \"Q\" \| $sslcommand $tls_version
|
||||
local tmp=$(echo "Q" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null)
|
||||
if grep 'OCSP Response Data' <<<"$tmp" >/dev/null; then
|
||||
current_ocspstaple="True"
|
||||
else
|
||||
current_ocspstaple="False"
|
||||
fi
|
||||
# filter out the OCSP server certificate
|
||||
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
|
||||
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
|
||||
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
|
||||
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
|
||||
@ -122,6 +129,7 @@ test_cipher_on_target() {
|
||||
sigalg=$current_sigalg
|
||||
trusted=$current_trusted
|
||||
tickethint=$current_tickethint
|
||||
ocspstaple=$current_ocspstaple
|
||||
# grab the cipher and PFS key size
|
||||
done
|
||||
# if cipher is empty, that means none of the TLS version worked with
|
||||
@ -133,13 +141,13 @@ test_cipher_on_target() {
|
||||
|
||||
# if cipher contains NONE, the cipher wasn't accepted
|
||||
elif [ "$cipher" == '(NONE) ' ]; then
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
|
||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||
return 1
|
||||
|
||||
# the connection succeeded
|
||||
else
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
|
||||
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
||||
return 0
|
||||
fi
|
||||
@ -173,9 +181,9 @@ get_cipher_pref() {
|
||||
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
|
||||
local ciphersuite="$1"
|
||||
if [ -e $CACERTS ]; then
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
else
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
fi
|
||||
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
||||
test_cipher_on_target "$sslcommand"
|
||||
@ -198,6 +206,7 @@ display_results_in_terminal() {
|
||||
local sigalg
|
||||
local trusted
|
||||
local tickethint
|
||||
local ocspstaple
|
||||
local different=False
|
||||
for cipher in "${cipherspref[@]}"; do
|
||||
pciph=$(echo $cipher|awk '{print $1}')
|
||||
@ -212,6 +221,7 @@ display_results_in_terminal() {
|
||||
sigalg=$(awk '{print $4}' <<<$cipher)
|
||||
trusted=$(awk '{print $5}' <<<$cipher)
|
||||
tickethint=$(awk '{print $6}' <<<$cipher)
|
||||
ocspstaple=$(awk '{print $7}' <<<$cipher)
|
||||
else
|
||||
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
||||
different=True
|
||||
@ -265,6 +275,11 @@ display_results_in_terminal() {
|
||||
fi
|
||||
echo "TLS ticket lifetime hint: $tickethint"
|
||||
fi
|
||||
if [[ $ocspstaple == "True" ]]; then
|
||||
echo "OCSP stapling: supported"
|
||||
else
|
||||
echo "OCSP stapling: not supported"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -280,7 +295,8 @@ display_results_in_json() {
|
||||
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
||||
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
||||
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
|
||||
pfs=$(echo $cipher|awk '{print $7}')
|
||||
echo -n "\"ocsp_stapling\":\"$(echo $cipher|awk '{print $7}')\","
|
||||
pfs=$(echo $cipher|awk '{print $8}')
|
||||
[ "$pfs" == "" ] && pfs="None"
|
||||
echo -n "\"pfs\":\"$pfs\"}"
|
||||
ctr=$((ctr+1))
|
||||
|
@ -18,6 +18,7 @@ handshakestats = defaultdict(int)
|
||||
keysize = defaultdict(int)
|
||||
sigalg = defaultdict(int)
|
||||
tickethint = defaultdict(int)
|
||||
ocspstaple = defaultdict(int)
|
||||
dsarsastack = 0
|
||||
total = 0
|
||||
for r,d,flist in os.walk(path):
|
||||
@ -49,6 +50,7 @@ for r,d,flist in os.walk(path):
|
||||
dualstack = False
|
||||
ECDSA = False
|
||||
trusted = False
|
||||
ocsp_stapling = False
|
||||
|
||||
""" process the file """
|
||||
f_abs = os.path.join(r,f)
|
||||
@ -132,6 +134,12 @@ for r,d,flist in os.walk(path):
|
||||
""" save tls ticket hint """
|
||||
tempticketstats[entry['ticket_hint']] = 1
|
||||
|
||||
""" check if OCSP stapling is supported """
|
||||
if entry['ocsp_stapling'] == 'True':
|
||||
ocsp_stapling=True
|
||||
else:
|
||||
ocsp_stapling=False
|
||||
|
||||
""" store the versions of TLS supported """
|
||||
for protocol in entry['protocols']:
|
||||
if protocol == 'SSLv2':
|
||||
@ -180,6 +188,11 @@ for r,d,flist in os.walk(path):
|
||||
for s in tempticketstats:
|
||||
tickethint[s] += 1
|
||||
|
||||
if ocsp_stapling:
|
||||
ocspstaple['Supported'] += 1
|
||||
else:
|
||||
ocspstaple['Unsupported'] += 1
|
||||
|
||||
""" store cipher stats """
|
||||
if AESGCM:
|
||||
cipherstats['AES-GCM'] += 1
|
||||
@ -304,6 +317,12 @@ for stat in sorted(keysize):
|
||||
|
||||
sys.stdout.write("RSA/ECDSA Dual Stack".ljust(25) + " " + str(dsarsastack).ljust(10) + str(round(dsarsastack/total * 100, 4)) + "\n")
|
||||
|
||||
print("\nOCSP stapling Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in sorted(ocspstaple):
|
||||
percent = round(ocspstaple[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(ocspstaple[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||
|
||||
print("\nSupported Protocols Count Percent")
|
||||
print("-------------------------+---------+-------")
|
||||
for stat in sorted(protocolstats):
|
||||
|
Loading…
Reference in New Issue
Block a user