From 4e94d95bd8c50c28fd0e6fd5195591cfae891158 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 16 May 2014 17:31:44 +0200 Subject: [PATCH] ask for OCSP stapling by default for now, no option to disable --- cipherscan | 26 +++++++++++++++++++++----- top1m/parse_results.py | 19 +++++++++++++++++++ 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/cipherscan b/cipherscan index 0c81cb7..ff748fa 100755 --- a/cipherscan +++ b/cipherscan @@ -77,6 +77,13 @@ test_cipher_on_target() { do debug echo \"Q\" \| $sslcommand $tls_version local tmp=$(echo "Q" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null) + if grep 'OCSP Response Data' <<<"$tmp" >/dev/null; then + current_ocspstaple="True" + else + current_ocspstaple="False" + fi + # filter out the OCSP server certificate + tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp") current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') @@ -122,6 +129,7 @@ test_cipher_on_target() { sigalg=$current_sigalg trusted=$current_trusted tickethint=$current_tickethint + ocspstaple=$current_ocspstaple # grab the cipher and PFS key size done # if cipher is empty, that means none of the TLS version worked with @@ -133,13 +141,13 @@ test_cipher_on_target() { # if cipher contains NONE, the cipher wasn't accepted elif [ "$cipher" == '(NONE) ' ]; then - result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs" verbose "handshake failed, server returned ciphersuite '$result'" return 1 # the connection succeeded else - result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs" verbose "handshake succeeded, server returned ciphersuite '$result'" return 0 fi @@ -173,9 +181,9 @@ get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' local ciphersuite="$1" if [ -e $CACERTS ]; then - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" else - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" fi verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" @@ -198,6 +206,7 @@ display_results_in_terminal() { local sigalg local trusted local tickethint + local ocspstaple local different=False for cipher in "${cipherspref[@]}"; do pciph=$(echo $cipher|awk '{print $1}') @@ -212,6 +221,7 @@ display_results_in_terminal() { sigalg=$(awk '{print $4}' <<<$cipher) trusted=$(awk '{print $5}' <<<$cipher) tickethint=$(awk '{print $6}' <<<$cipher) + ocspstaple=$(awk '{print $7}' <<<$cipher) else if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then different=True @@ -265,6 +275,11 @@ display_results_in_terminal() { fi echo "TLS ticket lifetime hint: $tickethint" fi + if [[ $ocspstaple == "True" ]]; then + echo "OCSP stapling: supported" + else + echo "OCSP stapling: not supported" + fi } @@ -280,7 +295,8 @@ display_results_in_json() { echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\"," echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\"," - pfs=$(echo $cipher|awk '{print $7}') + echo -n "\"ocsp_stapling\":\"$(echo $cipher|awk '{print $7}')\"," + pfs=$(echo $cipher|awk '{print $8}') [ "$pfs" == "" ] && pfs="None" echo -n "\"pfs\":\"$pfs\"}" ctr=$((ctr+1)) diff --git a/top1m/parse_results.py b/top1m/parse_results.py index 3f5344f..e4119fc 100644 --- a/top1m/parse_results.py +++ b/top1m/parse_results.py @@ -18,6 +18,7 @@ handshakestats = defaultdict(int) keysize = defaultdict(int) sigalg = defaultdict(int) tickethint = defaultdict(int) +ocspstaple = defaultdict(int) dsarsastack = 0 total = 0 for r,d,flist in os.walk(path): @@ -49,6 +50,7 @@ for r,d,flist in os.walk(path): dualstack = False ECDSA = False trusted = False + ocsp_stapling = False """ process the file """ f_abs = os.path.join(r,f) @@ -132,6 +134,12 @@ for r,d,flist in os.walk(path): """ save tls ticket hint """ tempticketstats[entry['ticket_hint']] = 1 + """ check if OCSP stapling is supported """ + if entry['ocsp_stapling'] == 'True': + ocsp_stapling=True + else: + ocsp_stapling=False + """ store the versions of TLS supported """ for protocol in entry['protocols']: if protocol == 'SSLv2': @@ -180,6 +188,11 @@ for r,d,flist in os.walk(path): for s in tempticketstats: tickethint[s] += 1 + if ocsp_stapling: + ocspstaple['Supported'] += 1 + else: + ocspstaple['Unsupported'] += 1 + """ store cipher stats """ if AESGCM: cipherstats['AES-GCM'] += 1 @@ -304,6 +317,12 @@ for stat in sorted(keysize): sys.stdout.write("RSA/ECDSA Dual Stack".ljust(25) + " " + str(dsarsastack).ljust(10) + str(round(dsarsastack/total * 100, 4)) + "\n") +print("\nOCSP stapling Count Percent ") +print("-------------------------+---------+--------") +for stat in sorted(ocspstaple): + percent = round(ocspstaple[stat] / total * 100, 4) + sys.stdout.write(stat.ljust(25) + " " + str(ocspstaple[stat]).ljust(10) + str(percent).ljust(9) + "\n") + print("\nSupported Protocols Count Percent") print("-------------------------+---------+-------") for stat in sorted(protocolstats):