mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-09-28 23:53:41 +02:00
Olivier Paroz
commit
8f5eb93fd9
10
README.md
10
README.md
@ -8,15 +8,18 @@ On Linux x86_64 run: ./cipherscan www.google.com:443
|
||||
On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
|
||||
and watch.
|
||||
|
||||
The newer your version of openssl, the better results you'll get. Versions
|
||||
of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.
|
||||
On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils
|
||||
|
||||
The newer your version of openssl, the better results you'll get. Versions of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc...
|
||||
Version 1.0.2 gives extra information about the ciphers used for the key exchange.
|
||||
Build your own or test what your system's OpenSSL supports.
|
||||
|
||||
Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.
|
||||
|
||||
Build OpenSSL with ChaCha20-Poly1305 support (Optional)
|
||||
-------------------------------------------------------
|
||||
|
||||
The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this:
|
||||
The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, you can use [this snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) or [this Github repository](https://github.com/PeterMosmans/openssl) and build it like this:
|
||||
|
||||
```
|
||||
./config no-shared
|
||||
@ -226,3 +229,4 @@ Contributors
|
||||
* Pepi Zawodsky <git@maclemon.at>
|
||||
* Michael Zeltner <m@niij.org>
|
||||
* Simon Deziel <simon.deziel@gmail.com>
|
||||
* Olivier Paroz <opa-github@interfasys.ch>
|
||||
|
||||
26
cipherscan
26
cipherscan
@ -4,9 +4,19 @@
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
# Author: Julien Vehent [:ulfr] - 2013
|
||||
#
|
||||
# Modified by Olivier Paroz in September 2014
|
||||
#
|
||||
# On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils
|
||||
#
|
||||
|
||||
OS=`uname`
|
||||
DOBENCHMARK=0
|
||||
BENCHMARKITER=30
|
||||
TIMEOUTBIN=timeout
|
||||
if [ "${OS}" = "FreeBSD" ]; then
|
||||
TIMEOUTBIN=gtimeout
|
||||
fi
|
||||
OPENSSLBIN="$(dirname $0)/openssl"
|
||||
if [ -z "$CACERTS" ]; then
|
||||
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
|
||||
@ -33,10 +43,14 @@ TIMEOUT=10
|
||||
|
||||
usage() {
|
||||
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||
usage: $0 -h|--help
|
||||
usage: $0 -h|--help
|
||||
|
||||
$0 attempts to connect to a target site using all the ciphersuites it knows.
|
||||
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
|
||||
|
||||
Original script by Julien Vehent. [:ulfr] - https://github.com/jvehent/cipherscan
|
||||
FreeBSD version by Olivier Paroz. [:ulfr] - https://github.com/oparoz/cipherscan
|
||||
|
||||
On FreeBSD, you will need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils
|
||||
|
||||
Port defaults to 443
|
||||
|
||||
@ -165,7 +179,7 @@ test_cipher_on_target() {
|
||||
# Calculate the average handshake time for a specific ciphersuite
|
||||
bench_cipher() {
|
||||
local ciphersuite="$1"
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local t="$(date +%s%N)"
|
||||
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
|
||||
for i in $(seq 1 $BENCHMARKITER); do
|
||||
@ -189,9 +203,9 @@ get_cipher_pref() {
|
||||
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
|
||||
local ciphersuite="$1"
|
||||
if [ -e $CACERTS ]; then
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
else
|
||||
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
fi
|
||||
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
||||
test_cipher_on_target "$sslcommand"
|
||||
@ -410,7 +424,7 @@ if [ $ALLCIPHERS -gt 0 ]; then
|
||||
echo; echo "All accepted ciphersuites"
|
||||
for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
|
||||
r="fail"
|
||||
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
|
||||
osslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
|
||||
test_cipher_on_target "$osslcommand"
|
||||
if [ $? -eq 0 ]; then
|
||||
r="pass"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user