LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2026-02-06 07:05:15 +01:00
Code Issues Releases Wiki Activity

ask for OCSP stapling by default

Browse Source 
for now, no option to disable
This commit is contained in:
Hubert Kario
2014-05-16 17:31:44 +02:00
parent 0777682aa6
commit 4e94d95bd8
2 changed files with 40 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
cipherscan
View File

@@ -77,6 +77,13 @@ test_cipher_on_target() {
do
debug echo \"Q\" \| $sslcommand $tls_version
local tmp=$(echo "Q" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null)
if grep 'OCSP Response Data' <<<"$tmp" >/dev/null; then
current_ocspstaple="True"
else
current_ocspstaple="False"
fi
# filter out the OCSP server certificate
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
@@ -122,6 +129,7 @@ test_cipher_on_target() {
sigalg=$current_sigalg
trusted=$current_trusted
tickethint=$current_tickethint
ocspstaple=$current_ocspstaple
# grab the cipher and PFS key size
done
# if cipher is empty, that means none of the TLS version worked with
@@ -133,13 +141,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
# the connection succeeded
else
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0
fi
@@ -173,9 +181,9 @@ get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
local ciphersuite="$1"
if [ -e $CACERTS ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
else
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
fi
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand"
@@ -198,6 +206,7 @@ display_results_in_terminal() {
local sigalg
local trusted
local tickethint
local ocspstaple
local different=False
for cipher in "${cipherspref[@]}"; do
pciph=$(echo $cipher|awk '{print $1}')
@@ -212,6 +221,7 @@ display_results_in_terminal() {
sigalg=$(awk '{print $4}' <<<$cipher)
trusted=$(awk '{print $5}' <<<$cipher)
tickethint=$(awk '{print $6}' <<<$cipher)
ocspstaple=$(awk '{print $7}' <<<$cipher)
else
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
different=True
@@ -265,6 +275,11 @@ display_results_in_terminal() {
fi
echo "TLS ticket lifetime hint: $tickethint"
fi
if [[ $ocspstaple == "True" ]]; then
echo "OCSP stapling: supported"
else
echo "OCSP stapling: not supported"
fi
}
@@ -280,7 +295,8 @@ display_results_in_json() {
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
echo -n "\"ticket_hint\":\"$(echo $cipher|awk '{print $6}')\","
pfs=$(echo $cipher|awk '{print $7}')
echo -n "\"ocsp_stapling\":\"$(echo $cipher|awk '{print $7}')\","
pfs=$(echo $cipher|awk '{print $8}')
[ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1))