2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-25 23:43:42 +01:00

Support s_client args, give -starttls example

This commit is contained in:
Michael Zeltner 2014-02-02 15:41:16 +01:00
parent ae5d7ad15c
commit 5c07a6e552
No known key found for this signature in database
GPG Key ID: 4E35F65846C8F7DA
2 changed files with 34 additions and 13 deletions

View File

@ -20,7 +20,7 @@ Use '-a' to force openssl to test every single cipher it know.
Use '-json' to output the results in json format
```
$ ./cipherscan www.google.com:443 -json
$ ./cipherscan -json www.google.com:443
```
Example
@ -48,4 +48,15 @@ prio ciphersuite protocols pfs_keysize
16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
$ ./cipherscan -starttls xmpp jabber.ccc.de:5222
.........
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits
2 AES256-SHA SSLv3,TLSv1
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits
4 DES-CBC3-SHA SSLv3,TLSv1
5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits
6 AES128-SHA SSLv3,TLSv1
7 RC4-SHA SSLv3,TLSv1
8 RC4-MD5 SSLv3,TLSv1
```

View File

@ -10,7 +10,13 @@ BENCHMARKITER=30
OPENSSLBIN="$(dirname $0)/openssl"
TIMEOUT=10
CIPHERSUITE="ALL:COMPLEMENTOFALL"
TARGET=$1
HOST=$(sed -e 's/:.*//'<<<"${@: -1}")
PORT=$(sed -e 's/.*://'<<<"${@: -1}")
if [ "$HOST" = "$PORT" ]; then
PORT=443
fi
TARGET=$HOST:$PORT
SCLIENTARGS=$(sed -e "s/${@: -1}//" -e "s/-v//" -e "s/-a//" -e "s/-json//" <<<"$@")
VERBOSE=0
ALLCIPHERS=0
OUTPUTFORMAT="terminal"
@ -23,18 +29,25 @@ Connection: close
usage() {
echo -e "usage: $0 <target:port>
echo -e "usage: $0 [-a|-v|-json] [openssl s_client args] <target:port>
$0 attempts to connect to a target site using all the ciphersuites it knowns.
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
Port defaults to 443
example: $ $0 www.google.com:443
Use only one of the options below:
Use one of the options below as the first argument:
-v increase verbosity
-a test all known ciphers individually at the end
-json output results in json format
The rest of the arguments will be interpreted as openssl s_client argument.
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
example: $0 -starttls xmpp jabber.ccc.de:5222
OpenSSL path can be changed in the OPENSSLBIN variable
Benchmarking can be enabled in the DOBENCHMARK variable
"
@ -105,7 +118,7 @@ EOF
# Calculate the average handshake time for a specific ciphersuite
bench_cipher() {
local ciphersuite="$1"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local t="$(date +%s%N)"
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
for i in $(seq 1 $BENCHMARKITER); do
@ -129,7 +142,7 @@ EOF
get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.'
local ciphersuite="$1"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand"
local success=$?
@ -193,17 +206,14 @@ display_results_in_json() {
[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage
if [ ! -z $2 ]; then
if [ "$2" == "-v" ]; then
if [ "$1" == "-v" ]; then
VERBOSE=1
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
$OPENSSLBIN ciphers ALL 2>/dev/null
elif [ "$2" == "-a" ]; then
elif [ "$1" == "-a" ]; then
ALLCIPHERS=1
elif [ "$2" == "-json" ]; then
elif [ "$1" == "-json" ]; then
OUTPUTFORMAT="json"
else
echo "ERROR: unknown option '$2'"; echo
usage
fi
fi
@ -225,7 +235,7 @@ if [ $ALLCIPHERS -gt 0 ]; then
echo; echo "All accepted ciphersuites"
for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
r="fail"
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $c"
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
test_cipher_on_target "$osslcommand"
if [ $? -eq 0 ]; then
r="pass"