From 249b3be23d35d7fb4b321e87a8b99337a2636b78 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 12:35:17 -0400 Subject: [PATCH 1/6] Rephrase TLS tolerance output in terminal --- cipherscan | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/cipherscan b/cipherscan index 45da476..74a8782 100755 --- a/cipherscan +++ b/cipherscan @@ -184,6 +184,7 @@ TIMEOUT=30 SAVECRT="" TEST_CURVES="True" has_curves="False" +TEST_TOLERANCE="True" # openssl formated list of curves that will cause server to select ECC suite ecc_ciphers="" unset known_certs @@ -227,6 +228,7 @@ Use one of the options below: -o | --openssl path/to/your/openssl binary you want to use. --savecrt path where to save untrusted and leaf certificates --[no-]curves test ECC curves supported by server (req. OpenSSL 1.0.2) +--[no-]tolerance test TLS tolerance -v | --verbose Increase verbosity. The rest of the arguments will be interpreted as openssl s_client argument. @@ -771,16 +773,22 @@ display_results_in_terminal() { echo "Curves fallback: $fallback_supported" fi - echo - echo "Fallbacks required:" - for test_name in "${!tls_tolerance[@]}"; do - if [[ ${tls_tolerance[$test_name]} == "False" ]]; then - echo "$test_name config not supported, connection failed" + if [[ $TEST_TOLERANCE == "True" ]]; then + if [[ $tls_tolerance['big-TLSv1.2'] =~ TLSv1.2 ]]; then + echo "TLS Tolerance: True [OK]" else - local res=(${tls_tolerance[$test_name]}) - echo "$test_name no fallback req, connected: ${res[1]} ${res[2]}" + echo "TLS Tolerance: False [KO]" + echo "Fallbacks required:" + for test_name in "${!tls_tolerance[@]}"; do + if [[ ${tls_tolerance[$test_name]} == "False" ]]; then + echo "$test_name config not supported, connection failed" + else + local res=(${tls_tolerance[$test_name]}) + echo "$test_name no fallback req, connected: ${res[1]} ${res[2]}" + fi + done | sort fi - done | sort + fi } display_results_in_json() { @@ -1375,6 +1383,14 @@ do TEST_CURVES="False" shift 1 ;; + --tolerance) + TEST_TOLERANCE="True" + shift 1 + ;; + --no-tolerance) + TEST_TOLERANCE="False" + shift 1 + ;; --) # End of all options shift break @@ -1489,7 +1505,9 @@ if [[ ${#cipherspref[@]} -eq 0 ]] || [[ ${pref[1]} == "SSLv2" ]]; then get_cipher_pref "$CIPHERS" fi -test_tls_tolerance +if [[ $TEST_TOLERANCE == "True" ]]; then + test_tls_tolerance +fi test_serverside_ordering From 55918f3afb2a094298f2a78a4c89feea03db89a2 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 12:36:26 -0400 Subject: [PATCH 2/6] Add OK/KO flags in terminal output --- cipherscan | 45 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/cipherscan b/cipherscan index 74a8782..4a99ef6 100755 --- a/cipherscan +++ b/cipherscan @@ -750,27 +750,50 @@ display_results_in_terminal() { fi done|column -t echo - if [[ $different != "True" ]]; then - if [[ "$trusted" == "True" ]]; then - echo "Certificate: trusted, $pubkey bit, $sigalg signature" - else - echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature" + pubkey_eval="KO" + if [[ ! -z $pubkey ]]; then + if (( $pubkey > 2047 )); then + pubkey_eval="OK" fi + fi + sigalg_eval="OK" + if [[ $sigalg =~ md5|sha1 ]]; then + sigalg_eval="KO" + fi + if [[ $trusted == "True" ]]; then + trusted="trusted [OK]" + else + trusted="untrusted [KO]" + fi + if [[ $different != "True" ]]; then + echo "Certificate: $trusted, $pubkey bit [$pubkey_eval], $sigalg signature [$sigalg_eval]" echo "TLS ticket lifetime hint: $tickethint" fi if [[ $ocspstaple == "True" ]]; then - echo "OCSP stapling: supported" + echo "OCSP stapling: supported [OK]" else - echo "OCSP stapling: not supported" + echo "OCSP stapling: not supported [KO]" fi if [[ $serverside == "True" ]]; then - echo "Cipher ordering: server" + echo "Cipher ordering: server [OK]" else - echo "Cipher ordering: client" + echo "Cipher ordering: client [KO]" fi if [[ $TEST_CURVES == "True" ]]; then - echo "Curves ordering: $curvesordering" - echo "Curves fallback: $fallback_supported" + if [[ $curvesordering == "server" ]]; then + curvesordering="$curvesordering [OK]" + else + if [[ $curvesordering == "" ]]; then + curvesordering="none" + fi + curvesordering="$curvesordering [KO]" + fi + if [[ $fallback_supported == "True" ]]; then + fallback_supported="$fallback_supported [OK]" + else + fallback_supported="$fallback_supported [KO]" + fi + echo "Curves ordering: $curvesordering - fallback: $fallback_supported" fi if [[ $TEST_TOLERANCE == "True" ]]; then From 3dd0f58f4c2cb69ec8ff935c043cc195f3748e1f Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 12:36:41 -0400 Subject: [PATCH 3/6] When in JSON mode, run curve and tolerance tests --- cipherscan | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cipherscan b/cipherscan index 4a99ef6..d6e9b25 100755 --- a/cipherscan +++ b/cipherscan @@ -1366,6 +1366,8 @@ do ;; -j | -json | --json | --JSON) OUTPUTFORMAT="json" + TEST_CURVES="True" + TEST_TOLERANCE="True" shift ;; -b | --benchmark) From 8a03b8d4e71d43892cf334f71e5ba4246db0d212 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 14:49:51 -0400 Subject: [PATCH 4/6] fix pubkey quality test --- cipherscan | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cipherscan b/cipherscan index d6e9b25..a2d1756 100755 --- a/cipherscan +++ b/cipherscan @@ -751,10 +751,9 @@ display_results_in_terminal() { done|column -t echo pubkey_eval="KO" - if [[ ! -z $pubkey ]]; then - if (( $pubkey > 2047 )); then pubkey_eval="OK" fi + if [[ ($sigalg =~ RSA && $pubkey -gt 2047) || ($sigalg =~ DSA && $pubkey -gt 255) ]]; then fi sigalg_eval="OK" if [[ $sigalg =~ md5|sha1 ]]; then From 5d5568f03aa6d03a0b7af447d90efc22b796434d Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 14:50:00 -0400 Subject: [PATCH 5/6] use colors instead of ok/ko --- cipherscan | 61 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 20 deletions(-) diff --git a/cipherscan b/cipherscan index a2d1756..2ce8744 100755 --- a/cipherscan +++ b/cipherscan @@ -179,6 +179,7 @@ DELAY=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" TIMEOUT=30 +USECOLORS="True" # place where to put the found intermediate CA certificates and where # trust anchors are stored SAVECRT="" @@ -229,6 +230,7 @@ Use one of the options below: --savecrt path where to save untrusted and leaf certificates --[no-]curves test ECC curves supported by server (req. OpenSSL 1.0.2) --[no-]tolerance test TLS tolerance +--no-colors don't use terminal colors -v | --verbose Increase verbosity. The rest of the arguments will be interpreted as openssl s_client argument. @@ -675,6 +677,19 @@ display_results_in_terminal() { local ocspstaple local curvesordering local different=False + # Configure colors, if terminal supports them + if [[ $USECOLORS == "True" && -x /usr/bin/tput ]] && tput setaf 1 >&/dev/null; then + c_blue="\033[0;34m" + c_green="\033[0;32m" + c_red="\033[0;31m" + c_reset="\033[0m" + else + c_reset= + c_blue= + c_green= + c_red= + fi + echo "Target: $TARGET"; echo for cipher in "${cipherspref[@]}"; do # get first in array @@ -750,56 +765,58 @@ display_results_in_terminal() { fi done|column -t echo - pubkey_eval="KO" - pubkey_eval="OK" - fi + if [[ ($sigalg =~ RSA && $pubkey -gt 2047) || ($sigalg =~ DSA && $pubkey -gt 255) ]]; then + pubkey="${c_green}${pubkey}${c_reset}" + else + pubkey="${c_red}${pubkey}${c_reset}" fi - sigalg_eval="OK" if [[ $sigalg =~ md5|sha1 ]]; then - sigalg_eval="KO" + sigalg="${c_red}${sigalg}${c_reset}" + else + sigalg="${c_green}${sigalg}${c_reset}" fi if [[ $trusted == "True" ]]; then - trusted="trusted [OK]" + trusted="${c_green}trusted${c_reset}" else - trusted="untrusted [KO]" + trusted="${c_green}untrusted${c_reset}" fi if [[ $different != "True" ]]; then - echo "Certificate: $trusted, $pubkey bit [$pubkey_eval], $sigalg signature [$sigalg_eval]" + echo -e "Certificate: $trusted, $pubkey bits, $sigalg signature" echo "TLS ticket lifetime hint: $tickethint" fi if [[ $ocspstaple == "True" ]]; then - echo "OCSP stapling: supported [OK]" + echo -e "OCSP stapling: ${c_green}supported${c_reset}" else - echo "OCSP stapling: not supported [KO]" + echo -e "OCSP stapling: ${c_red}not supported${c_reset}" fi if [[ $serverside == "True" ]]; then - echo "Cipher ordering: server [OK]" + echo -e "Cipher ordering: ${c_green}server${c_reset}" else - echo "Cipher ordering: client [KO]" + echo -e "Cipher ordering: ${c_red}client${c_reset}" fi if [[ $TEST_CURVES == "True" ]]; then if [[ $curvesordering == "server" ]]; then - curvesordering="$curvesordering [OK]" + curvesordering="${c_green}${curvesordering}${c_reset}" else if [[ $curvesordering == "" ]]; then - curvesordering="none" + curvesordering="${c_red}none" fi - curvesordering="$curvesordering [KO]" + curvesordering="${c_red}${curvesordering}${c_reset}" fi if [[ $fallback_supported == "True" ]]; then - fallback_supported="$fallback_supported [OK]" + fallback_supported="${c_green}yes${c_reset}" else - fallback_supported="$fallback_supported [KO]" + fallback_supported="${c_red}no${c_reset}" fi - echo "Curves ordering: $curvesordering - fallback: $fallback_supported" + echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported" fi if [[ $TEST_TOLERANCE == "True" ]]; then if [[ $tls_tolerance['big-TLSv1.2'] =~ TLSv1.2 ]]; then - echo "TLS Tolerance: True [OK]" + echo -e "TLS Tolerance: ${c_green}yes${c_reset}" else - echo "TLS Tolerance: False [KO]" + echo "TLS Tolerance: ${c_red}no${c_reset}" echo "Fallbacks required:" for test_name in "${!tls_tolerance[@]}"; do if [[ ${tls_tolerance[$test_name]} == "False" ]]; then @@ -1415,6 +1432,10 @@ do TEST_TOLERANCE="False" shift 1 ;; + --no-colors) + USECOLORS="False" + shift 1 + ;; --) # End of all options shift break From f11a0e3594b6542c9aafdb86228f133ebbf30f98 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Fri, 18 Sep 2015 14:50:03 -0400 Subject: [PATCH 6/6] Revert "When in JSON mode, run curve and tolerance tests" This reverts commit 3dd0f58f4c2cb69ec8ff935c043cc195f3748e1f. --- cipherscan | 2 -- 1 file changed, 2 deletions(-) diff --git a/cipherscan b/cipherscan index 2ce8744..b98fd16 100755 --- a/cipherscan +++ b/cipherscan @@ -1382,8 +1382,6 @@ do ;; -j | -json | --json | --JSON) OUTPUTFORMAT="json" - TEST_CURVES="True" - TEST_TOLERANCE="True" shift ;; -b | --benchmark)