From 9952d90cf42165b4d6c1a68a6554b0812919c8ad Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Fri, 18 Sep 2015 13:14:11 -0400
Subject: [PATCH 1/5] Enable Server Name Indication by default
---
 cipherscan | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/cipherscan b/cipherscan
index 45da476..23c37b3 100755
--- a/cipherscan
+++ b/cipherscan
@@ -184,6 +184,8 @@ TIMEOUT=30
 SAVECRT=""
 TEST_CURVES="True"
 has_curves="False"
+TEST_TOLERANCE="True"
+SNI="True"
 # openssl formated list of curves that will cause server to select ECC suite
 ecc_ciphers=""
 unset known_certs
@@ -227,6 +229,8 @@ Use one of the options below:
 -o | --openssl path/to/your/openssl binary you want to use.
 --savecrt path where to save untrusted and leaf certificates
 --[no-]curves test ECC curves supported by server (req. OpenSSL 1.0.2)
+--[no-]tolerance test TLS tolerance
+--no-sni don't use Server Name Indication
 -v | --verbose Increase verbosity.
 The rest of the arguments will be interpreted as openssl s_client argument.
@@ -1375,6 +1379,18 @@ do
 TEST_CURVES="False"
 shift 1
 ;;
+ --tolerance)
+ TEST_TOLERANCE="True"
+ shift 1
+ ;;
+ --no-tolerance)
+ TEST_TOLERANCE="False"
+ shift 1
+ ;;
+ --no-sni)
+ SNI="False"
+ shift 1
+ ;;
 --) # End of all options
 shift
 break
@@ -1414,7 +1430,13 @@ if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]; then
 exit 1
 fi
 if ! [[ $TARGET =~ : ]]; then
+ sni_target=$TARGET
 TARGET="${TARGET}:443"
+else
+ # strip the port for the sni_target
+ if [[ "$TARGET" =~ (.*):([0-9]{1,5}) ]]; then
+ sni_target="${BASH_REMATCH[1]}"
+ fi
 fi
 debug "target: $TARGET"
@@ -1463,6 +1485,9 @@ if [[ $VERBOSE != 0 ]] ; then
 fi
 SCLIENTARGS="${PARAMS[*]}"
+if [[ $SNI == "True" ]]; then
+ SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
+fi
 debug "sclientargs: $SCLIENTARGS"
From 7a697e28bc30db662847344b280ea07ea43e7623 Mon Sep 17 00:00:00 2001
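Review bot: In the `@@ -1414,7 +1430,13 @@` hunk, `sni_target` is only assigned when the `(.*):([0-9]{1,5})` regex matches, so a target such as `host:` — which the validation just above accepts, because `:.*[^0-9]` needs at least one character after the colon — leaves it unset, and the `@@ -1463,6 +1485,9 @@` hunk then ends the s_client argument string with `-servername` and no value. The second capture group is never used and the `BASH_REMATCH` dance can be replaced by parameter expansion, which also covers that case: `else` / `sni_target=${TARGET%:*}`. The same two hunks are repeated as PATCH 3/5 on the next page line and this applies there too. The validation `if` that precedes this hunk starts outside it.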
From: Julien Vehent
Date: Fri, 18 Sep 2015 13:36:09 -0400
Subject: [PATCH 2/5] Enable SNI by default only if target is a fqdn and -servername not supplied
---
 cipherscan | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cipherscan b/cipherscan
index 23c37b3..00f67aa 100755
--- a/cipherscan
+++ b/cipherscan
@@ -1485,7 +1485,10 @@ if [[ $VERBOSE != 0 ]] ; then
 fi
 SCLIENTARGS="${PARAMS[*]}"
-if [[ $SNI == "True" ]]; then
+# only append the SNI:
+# if the target is a hostname by validating the tld
+# if -servername was not supplied by the user
+if [[ $SNI == "True" && $sni_target =~ \.[a-z]{1,20}$ && ! $SCLIENTARGS =~ servername ]]; then
 SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
 fi
 debug "sclientargs: $SCLIENTARGS"
From 72e2b4f6e9ae2760a4e16bb010a573cdbf00df56 Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Fri, 18 Sep 2015 13:14:11 -0400
Subject: [PATCH 3/5] Enable Server Name Indication by default
---
 cipherscan | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/cipherscan b/cipherscan
index 0f680eb..1cb26d1 100755
--- a/cipherscan
+++ b/cipherscan
@@ -204,6 +204,7 @@ SAVECRT=""
 TEST_CURVES="True"
 has_curves="False"
 TEST_TOLERANCE="True"
+SNI="True"
 # openssl formated list of curves that will cause server to select ECC suite
 ecc_ciphers=""
 unset known_certs
@@ -248,6 +249,7 @@ Use one of the options below:
 --savecrt path where to save untrusted and leaf certificates
 --[no-]curves test ECC curves supported by server (req. OpenSSL 1.0.2)
 --[no-]tolerance test TLS tolerance
+--no-sni don't use Server Name Indication
 --no-colors don't use terminal colors
 -v | --verbose Increase verbosity.
@@ -1426,6 +1428,10 @@ do
 USECOLORS="False"
 shift 1
 ;;
+ --no-sni)
+ SNI="False"
+ shift 1
+ ;;
 --) # End of all options
 shift
 break
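Review bot: `! $SCLIENTARGS =~ servername` in the PATCH 2/5 hunk is an unanchored substring match over the whole flattened argument string, so any user-supplied token that merely contains that text (an option value, for instance) silently switches the default SNI off; matching the option as its own word is tighter: `! " $SCLIENTARGS " =~ " -servername "`. The `\.[a-z]{1,20}$` test also rejects an absolute name with a trailing dot such as `example.com.`, so such a target gets no servername and no message. The comment says the condition validates the TLD, but the regex only checks that the last label is one to twenty lowercase letters; `# last label must be alphabetic: keeps IP literals, which are not valid SNI values, out of the extension` would state what it actually guarantees. The same hunk is repeated as PATCH 4/5 on the next page line.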
@@ -1470,7 +1476,13 @@ if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]; then
 exit 1
 fi
 if ! [[ $TARGET =~ : ]]; then
+ sni_target=$TARGET
 TARGET="${TARGET}:443"
+else
+ # strip the port for the sni_target
+ if [[ "$TARGET" =~ (.*):([0-9]{1,5}) ]]; then
+ sni_target="${BASH_REMATCH[1]}"
+ fi
 fi
 debug "target: $TARGET"
@@ -1519,6 +1531,9 @@ if [[ $VERBOSE != 0 ]] ; then
 fi
 SCLIENTARGS="${PARAMS[*]}"
+if [[ $SNI == "True" ]]; then
+ SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
+fi
 debug "sclientargs: $SCLIENTARGS"
From 5284dda0fbc43017d3537b57e3d00b9b931e37d3 Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Fri, 18 Sep 2015 13:36:09 -0400
Subject: [PATCH 4/5] Enable SNI by default only if target is a fqdn and -servername not supplied
---
 cipherscan | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cipherscan b/cipherscan
index 1cb26d1..b560052 100755
--- a/cipherscan
+++ b/cipherscan
@@ -1531,7 +1531,10 @@ if [[ $VERBOSE != 0 ]] ; then
 fi
 SCLIENTARGS="${PARAMS[*]}"
-if [[ $SNI == "True" ]]; then
+# only append the SNI:
+# if the target is a hostname by validating the tld
+# if -servername was not supplied by the user
+if [[ $SNI == "True" && $sni_target =~ \.[a-z]{1,20}$ && ! $SCLIENTARGS =~ servername ]]; then
 SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
 fi
 debug "sclientargs: $SCLIENTARGS"
From 3131abb3331f005660c9ba814e08eba8e216f3e9 Mon Sep 17 00:00:00 2001
From: Julien Vehent
Date: Fri, 18 Sep 2015 15:58:31 -0400
Subject: [PATCH 5/5] Add warning if target is not fqdn and SNI needs to be disabled
---
 cipherscan | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/cipherscan b/cipherscan
index b560052..7d3f3c1 100755
--- a/cipherscan
+++ b/cipherscan
@@ -1534,8 +1534,12 @@ SCLIENTARGS="${PARAMS[*]}"
 # only append the SNI:
 # if the target is a hostname by validating the tld
 # if -servername was not supplied by the user
-if [[ $SNI == "True" && $sni_target =~ \.[a-z]{1,20}$ && ! $SCLIENTARGS =~ servername ]]; then
- SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
+if [[ $SNI == "True" && ! $SCLIENTARGS =~ servername ]]; then
+ if [[ $sni_target =~ \.[a-zA-Z]{1,20}$ ]]; then
+ SCLIENTARGS="$SCLIENTARGS -servername $sni_target"
+ else
+ echo "Warning: target is not a FQDN. SNI was disabled. Use a FQDN or '-servername '" 1>&2
+ fi
 fi
 debug "sclientargs: $SCLIENTARGS"
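Review bot: The warning's hint ends with `'-servername '` and nothing after the option name, so as shown here it never tells the user what value to pass; if the source really has no placeholder there (it may have been dropped in rendering), `Use a FQDN or '-servername <fqdn>'` reads better. The `else` branch is also taken when `sni_target` was never assigned — a target like `host:` passes the earlier validation but fails the `(.*):([0-9]{1,5})` regex in the hunk that sets it — and then reports "not a FQDN" for what is really an empty value. A comment on the inner test would make the decision explicit: `# only dotted names with an alphabetic last label get SNI; IP literals are not valid servername values (RFC 6066)`.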