2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 22:33:40 +01:00

add support for CApath

capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
This commit is contained in:
Hubert Kario 2014-07-03 19:02:33 +02:00 committed by Hubert Kario
parent 30d0839df6
commit 7f5743620b

View File

@ -29,10 +29,12 @@ DELAY=0
ALLCIPHERS=0 ALLCIPHERS=0
OUTPUTFORMAT="terminal" OUTPUTFORMAT="terminal"
TIMEOUT=10 TIMEOUT=10
# place where to put the found intermediate CA certificates and where
# trust anchors are stored
CAPATH=""
usage() { usage() {
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port> echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
usage: $0 -h|--help usage: $0 -h|--help
$0 attempts to connect to a target site using all the ciphersuites it knows. $0 attempts to connect to a target site using all the ciphersuites it knows.
@ -46,6 +48,7 @@ Use one of the options below:
-a | --allciphers Test all known ciphers individually at the end. -a | --allciphers Test all known ciphers individually at the end.
-b | --benchmark Activate benchmark mode. -b | --benchmark Activate benchmark mode.
--capath use CAs from directory
-d | --delay Pause for n seconds between connections -d | --delay Pause for n seconds between connections
-D | --debug Output ALL the information. -D | --debug Output ALL the information.
-h | --help Shows this help text. -h | --help Shows this help text.
@ -197,11 +200,15 @@ bench_cipher() {
get_cipher_pref() { get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
local ciphersuite="$1" local ciphersuite="$1"
if [ -e $CACERTS ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client"
else if [ -n "$CAPATH" ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" sslcommand+=" -CApath $CAPATH"
elif [ -e $CACERTS ]; then
sslcommand+=" -CAfile $CACERTS"
fi fi
sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand" test_cipher_on_target "$sslcommand"
local success=$? local success=$?
@ -363,12 +370,13 @@ test_serverside_ordering() {
ciphersuite+=":$cipher" ciphersuite+=":$cipher"
fi fi
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client"
if [ -e $CACERTS ]; then if [ -n "$CAPATH" ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" sslcommand+=" -CApath $CAPATH"
else elif [ -e "$CACERTS" ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" sslcommand+=" -CAfile $CACERTS"
fi fi
sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
test_cipher_on_target "$sslcommand" test_cipher_on_target "$sslcommand"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -420,6 +428,10 @@ do
DELAY=$2 DELAY=$2
shift 2 shift 2
;; ;;
--capath)
CAPATH="$2"
shift 2
;;
--) # End of all options --) # End of all options
shift shift
break break