From 0662fa61d8f04c94a2631bf144fb65d7a9e33f32 Mon Sep 17 00:00:00 2001 From: Olivier Paroz Date: Mon, 15 Sep 2014 17:06:59 +0200 Subject: [PATCH 1/3] FreeBSD compatible Detect the OS and use gtimeout from sysutils/coreutils --- cipherscan | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/cipherscan b/cipherscan index eb91255..8196bae 100755 --- a/cipherscan +++ b/cipherscan @@ -4,9 +4,19 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # Author: Julien Vehent [:ulfr] - 2013 +# +# Modified by Olivier Paroz in September 2014 +# +# On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils +# +OS=`uname` DOBENCHMARK=0 BENCHMARKITER=30 +TIMEOUTBIN=timeout +if [ "${OS}" = "FreeBSD" ]; then + TIMEOUTBIN=gtimeout +fi OPENSSLBIN="$(dirname $0)/openssl" if [ -z "$CACERTS" ]; then for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do @@ -33,10 +43,14 @@ TIMEOUT=10 usage() { echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] - usage: $0 -h|--help +usage: $0 -h|--help $0 attempts to connect to a target site using all the ciphersuites it knows. -Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan + +Original script by Julien Vehent. [:ulfr] - https://github.com/jvehent/cipherscan +FreeBSD version by Olivier Paroz. [:ulfr] - https://github.com/oparoz/cipherscan + +OpenSSL 1.0.2 is a REQUIREMENT and you will also need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils Port defaults to 443 
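Review bot: The new TIMEOUTBIN selection in the first hunk never verifies that the chosen binary exists, and since every s_client invocation is wrapped in `$TIMEOUTBIN` (the three later hunks), a missing gtimeout presumably shows up inside test_cipher_on_target (body outside the hunks) as a failed handshake for every ciphersuite rather than as a setup error, which would make a target look more hardened than it is. A probe at startup makes that failure loud: `command -v "$TIMEOUTBIN" >/dev/null 2>&1 || { echo "error: $TIMEOUTBIN not found (FreeBSD: install sysutils/coreutils)" >&2; exit 1; }`. Picking the binary by availability (try `timeout`, then `gtimeout`) rather than by `uname` would also cover other systems that ship coreutils under the g-prefix without adding an OS case each time. Minor: `OS=\`uname\`` should be `OS=$(uname)` to match the `$(...)` style already used for OPENSSLBIN two lines below.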
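Review bot: The added attribution line in the usage text carries `[:ulfr]` after Olivier Paroz's name, which is the original author's handle copied from the line above and does not belong on the FreeBSD-version credit; it should read `FreeBSD version by Olivier Paroz - https://github.com/oparoz/cipherscan`. The usage() function and its echo string continue past the end of the hunk.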
@@ -165,7 +179,7 @@ test_cipher_on_target() { # Calculate the average handshake time for a specific ciphersuite bench_cipher() { local ciphersuite="$1" - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" local t="$(date +%s%N)" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do @@ -189,9 +203,9 @@ get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' local ciphersuite="$1" if [ -e $CACERTS ]; then - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" else - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" fi verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" @@ -410,7 +424,7 @@ if [ $ALLCIPHERS -gt 0 ]; then echo; echo "All accepted ciphersuites" for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do r="fail" - osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" + osslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" test_cipher_on_target "$osslcommand" if [ $? -eq 0 ]; then r="pass" From d3b2c48e13408654f7264bbee973c2294f5360b0 Mon Sep 17 00:00:00 2001 
From: Olivier Paroz Date: Mon, 15 Sep 2014 17:31:06 +0200 Subject: [PATCH 2/3] FreeBSD + extra chacha20 repo I've found another repository which offers 1.0.2 with chacha20 I've added some extra instructions for FreeBSD users --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3953659..48535e0 100644 --- a/README.md +++ b/README.md 
@@ -8,15 +8,18 @@ On Linux x86_64 run: ./cipherscan www.google.com:443 On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443 and watch. -The newer your version of openssl, the better results you'll get. Versions -of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports. +On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils + +The newer your version of openssl, the better results you'll get. Versions of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... +Version 1.0.2 gives extra information about the ciphers used for the key exchange. +Build your own or test what your system's OpenSSL supports. Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o. Build OpenSSL with ChaCha20-Poly1305 support (Optional) ------------------------------------------------------- -The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this: +The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, you can use [this snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) or [this Github repository](https://github.com/PeterMosmans/openssl) and build it like this: ``` ./config no-shared @@ -226,3 +229,4 @@ Contributors * Pepi Zawodsky * Michael Zeltner * Simon Deziel +* Olivier Paroz From 9438d647622be4663a74bf4a5e051dc27cb5590f Mon Sep 17 00:00:00 2001 
From: Olivier Paroz Date: Mon, 15 Sep 2014 17:38:47 +0200 Subject: [PATCH 3/3] OpenSSL 1.0.2 is not a requirement Back when egrep wasn't working, I tried to fix various things and 1.0.2 was allowing the script to go further without breaking. After having installed a more recent version of GNU grep, things were back to normal and 1.0.1 works fine --- cipherscan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipherscan b/cipherscan index 8196bae..0b48c11 100755 --- a/cipherscan +++ b/cipherscan @@ -50,7 +50,7 @@ $0 attempts to connect to a target site using all the ciphersuites it knows. Original script by Julien Vehent. [:ulfr] - https://github.com/jvehent/cipherscan FreeBSD version by Olivier Paroz. [:ulfr] - https://github.com/oparoz/cipherscan -OpenSSL 1.0.2 is a REQUIREMENT and you will also need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils +On FreeBSD, you will need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils Port defaults to 443
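Review bot: The replacement usage line says "on FreeBSD" twice (`On FreeBSD, you will need the following ports on FreeBSD: ...`); the wording used in the header comment added by patch 1 and in the README is the one to keep, `On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils`. The usage() function continues past the end of the hunk.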