mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 22:33:40 +01:00
add ability to also save leaf certificates and untrusted ones
This commit is contained in:
parent
605a1b85fe
commit
7087bdb5a0
15
cipherscan
15
cipherscan
@ -47,6 +47,7 @@ TIMEOUT=30
|
|||||||
# place where to put the found intermediate CA certificates and where
|
# place where to put the found intermediate CA certificates and where
|
||||||
# trust anchors are stored
|
# trust anchors are stored
|
||||||
CAPATH=""
|
CAPATH=""
|
||||||
|
SAVECRT=""
|
||||||
|
|
||||||
# because running external commands like sleep incurs a fork penalty, we
|
# because running external commands like sleep incurs a fork penalty, we
|
||||||
# first check if it is necessary
|
# first check if it is necessary
|
||||||
@ -57,7 +58,7 @@ ratelimit() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||||
usage: $0 -h|--help
|
usage: $0 -h|--help
|
||||||
|
|
||||||
$0 attempts to connect to a target site using all the ciphersuites it knows.
|
$0 attempts to connect to a target site using all the ciphersuites it knows.
|
||||||
@ -78,6 +79,7 @@ Use one of the options below:
|
|||||||
-h | --help Shows this help text.
|
-h | --help Shows this help text.
|
||||||
-j | --json Output results in JSON format.
|
-j | --json Output results in JSON format.
|
||||||
-o | --openssl path/to/your/openssl binary you want to use.
|
-o | --openssl path/to/your/openssl binary you want to use.
|
||||||
|
--savecrt path where to save untrusted and leaf certificates
|
||||||
-v | --verbose Increase verbosity.
|
-v | --verbose Increase verbosity.
|
||||||
|
|
||||||
The rest of the arguments will be interpreted as openssl s_client argument.
|
The rest of the arguments will be interpreted as openssl s_client argument.
|
||||||
@ -209,6 +211,7 @@ test_cipher_on_target() {
|
|||||||
# check if the certificate is actually trusted (server may present
|
# check if the certificate is actually trusted (server may present
|
||||||
# unrelated certificates that are not trusted (including self
|
# unrelated certificates that are not trusted (including self
|
||||||
# signed ones)
|
# signed ones)
|
||||||
|
local saved="False"
|
||||||
if ${OPENSSLBIN} verify "${trust_source[@]}" \
|
if ${OPENSSLBIN} verify "${trust_source[@]}" \
|
||||||
-untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \
|
-untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \
|
||||||
grep 'OK$' >/dev/null; then
|
grep 'OK$' >/dev/null; then
|
||||||
@ -220,6 +223,12 @@ test_cipher_on_target() {
|
|||||||
echo "$cert" > "$CAPATH/${sha256sum}.pem"
|
echo "$cert" > "$CAPATH/${sha256sum}.pem"
|
||||||
c_hash "$CAPATH" "${sha256sum}.pem"
|
c_hash "$CAPATH" "${sha256sum}.pem"
|
||||||
fi
|
fi
|
||||||
|
saved="True"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [[ -n $SAVECRT ]] && [[ $saved == "False" ]]; then
|
||||||
|
if [[ ! -e $SAVECRT/${sha256sum}.pem ]]; then
|
||||||
|
echo "$cert" > "$SAVECRT/${sha256sum}.pem"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# save the sha sum for reporting
|
# save the sha sum for reporting
|
||||||
@ -538,6 +547,10 @@ do
|
|||||||
SAVECA="True"
|
SAVECA="True"
|
||||||
shift 1
|
shift 1
|
||||||
;;
|
;;
|
||||||
|
--savecrt)
|
||||||
|
SAVECRT="$2"
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
--) # End of all options
|
--) # End of all options
|
||||||
shift
|
shift
|
||||||
break
|
break
|
||||||
|
Loading…
Reference in New Issue
Block a user