2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

use CApath for certificates and store certificates (v2)

CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
This commit is contained in:
Hubert Kario 2014-10-11 14:15:59 +02:00 committed by Hubert Kario
parent 62808a33c8
commit 68da6f00b6

View File

@ -9,6 +9,42 @@ if [ $(ulimit -u) -lt $((10*absolute_max_bg)) ]; then
exit 1
fi
[ ! -e "results" ] && mkdir results
[ ! -e "certs" ] && mkdir certs
if [ -z "$CACERTS" ]; then
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
if [ -e "$f" ]; then
CACERTS="$f"
break
fi
done
fi
if [ ! -e "$CACERTS" ]; then
echo "file with CA certificates does not exist, please export CACERTS variable with location"
exit 1
fi
if [ ! -e "ca_files" ]; then
mkdir ca_files
pushd ca_files >/dev/null
awk '
split_after == 1 {n++;split_after=0}
/-----END CERTIFICATE-----/ {split_after=1}
{print > "cert" n ".pem"}' < "$CACERTS"
for i in *; do
h=$(../../openssl x509 -hash -noout -in "$i" 2>/dev/null)
for num in `seq 0 100`; do
if [[ $h.$num -ef $i ]]; then
# file already linked, ignore
break
fi
if [[ ! -e $h.$num ]]; then
# file doesn't exist, create a link
ln -s "$i" "$h.$num"
break
fi
done
done
popd >/dev/null
fi
function wait_for_jobs() {
local no_jobs
@ -32,7 +68,7 @@ function scan_host() {
if [ $? -gt 0 ]; then
return
fi
../cipherscan --delay 2 -json -servername $1 $2:443 > results/$1@$2
../cipherscan --capath ca_files --saveca --savecrt certs --delay 2 -json -servername $1 $2:443 > results/$1@$2
}
function scan_host_no_sni() {
@ -44,7 +80,7 @@ function scan_host_no_sni() {
if [ $? -gt 0 ]; then
return
fi
../cipherscan --delay 2 -json $1:443 > results/$1
../cipherscan --capath ca_files --saveca --savecrt certs --delay 2 -json $1:443 > results/$1
}
function scan_hostname() {