2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-04 23:13:41 +01:00

ask for OCSP stapling by default

for now, no option to disable
This commit is contained in:
Hubert Kario 2014-05-16 17:31:44 +02:00
parent 0777682aa6
commit 4e94d95bd8
2 changed files with 40 additions and 5 deletions

View File

@ -77,6 +77,13 @@ test_cipher_on_target() {
do
debug echo \"Q\" \| $sslcommand $tls_version
local tmp=$(echo "Q" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null)
if grep 'OCSP Response Data' <<<"$tmp" >/dev/null; then
current_ocspstaple="True"
else
current_ocspstaple="False"
fi
# filter out the OCSP server certificate
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
@ -122,6 +129,7 @@ test_cipher_on_target() {
sigalg=$current_sigalg
trusted=$current_trusted
tickethint=$current_tickethint
ocspstaple=$current_ocspstaple
# grab the cipher and PFS key size
done
# if cipher is empty, that means none of the TLS version worked with
@ -133,13 +141,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
# the connection succeeded
else
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0
fi
@ -173,9 +181,9 @@ get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
local ciphersuite="$1"
if [ -e $CACERTS ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
else
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
fi
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand"
@ -198,6 +206,7 @@ display_results_in_terminal() {
local sigalg
local trusted
local tickethint
local ocspstaple
local different=False
for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
@ -212,6 +221,7 @@ display_results_in_terminal() {
sigalg=$(awk '{print $4}' <<<$cipher)
trusted=$(awk '{print $5}' <<<$cipher)
tickethint=$(awk '{print $6}' <<<$cipher)
ocspstaple=$(awk '{print $7}' <<<$cipher)
else
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
different=True
@ -265,6 +275,11 @@ display_results_in_terminal() {
fi
echo "TLS ticket lifetime hint: $tickethint"
fi
if [[ $ocspstaple == "True" ]]; then
echo "OCSP stapling: supported"
else
echo "OCSP stapling: not supported"
fi
}
@ -280,7 +295,8 @@ display_results_in_json() {
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
pfs=$(echo $cipher|awk '{print $7}')
echo -n "\"ocsp_stapling\":\"$(echo $cipher|awk '{print $7}')\","
pfs=$(echo $cipher|awk '{print $8}')
[ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1))

View File

@ -18,6 +18,7 @@ handshakestats = defaultdict(int)
keysize = defaultdict(int)
sigalg = defaultdict(int)
tickethint = defaultdict(int)
ocspstaple = defaultdict(int)
dsarsastack = 0
total = 0
for r,d,flist in os.walk(path):
@ -49,6 +50,7 @@ for r,d,flist in os.walk(path):
dualstack = False
ECDSA = False
trusted = False
ocsp_stapling = False
""" process the file """
f_abs = os.path.join(r,f)
@ -132,6 +134,12 @@ for r,d,flist in os.walk(path):
""" save tls ticket hint """
tempticketstats[entry['ticket_hint']] = 1
""" check if OCSP stapling is supported """
if entry['ocsp_stapling'] == 'True':
ocsp_stapling=True
else:
ocsp_stapling=False
""" store the versions of TLS supported """
for protocol in entry['protocols']:
if protocol == 'SSLv2':
@ -180,6 +188,11 @@ for r,d,flist in os.walk(path):
for s in tempticketstats:
tickethint[s] += 1
if ocsp_stapling:
ocspstaple['Supported'] += 1
else:
ocspstaple['Unsupported'] += 1
""" store cipher stats """
if AESGCM:
cipherstats['AES-GCM'] += 1
@ -304,6 +317,12 @@ for stat in sorted(keysize):
sys.stdout.write("RSA/ECDSA Dual Stack".ljust(25) + " " + str(dsarsastack).ljust(10) + str(round(dsarsastack/total * 100, 4)) + "\n")
print("\nOCSP stapling Count Percent ")
print("-------------------------+---------+--------")
for stat in sorted(ocspstaple):
percent = round(ocspstaple[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(ocspstaple[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nSupported Protocols Count Percent")
print("-------------------------+---------+-------")
for stat in sorted(protocolstats):