From 99a0b6be0700e1885af55b0d7878566f18fa4ccc Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Sat, 1 Nov 2014 21:06:23 +0100 Subject: [PATCH] collect stats about compression and renegotiation since no support for compression and support for renegotiation are necessary for the server to have a secure configuration, collect and report those two too --- cipherscan | 59 ++++++++++++++++++++++++++++++++++++++++++ top1m/parse_results.py | 29 +++++++++++++++++++++ 2 files changed, 88 insertions(+) diff --git a/cipherscan b/cipherscan index b7d0d1a..5b0908c 100755 --- a/cipherscan +++ b/cipherscan @@ -195,6 +195,8 @@ declare -A sigalgs_fallback # array with preferred sigalgs for aRSA and aECDSA ciphers declare -a sigalgs_preferred_rsa declare -a sigalgs_preferred_ecdsa +renegotiation="" +compression="" # because running external commands like sleep incurs a fork penalty, we # first check if it is necessary @@ -359,6 +361,8 @@ parse_openssl_output() { current_pubkey=0 current_trusted="False" current_sigalg="None" + current_renegotiation="False" + current_compression="" certs_found=0 current_raw_certificates=() @@ -388,6 +392,19 @@ parse_openssl_output() { continue fi + # renegotiation support + if [[ $line =~ Secure\ Renegotiation\ IS\ supported ]]; then + current_renegotiation="secure" + fi + if [[ $line =~ Secure\ Renegotiation\ IS\ NOT\ supported ]]; then + current_renegotiation="insecure" + fi + + # compression settings + if [[ $line =~ Compression:\ (.*) ]]; then + current_compression="${BASH_REMATCH[1]}" + fi + # extract the signing algorithm used in TLSv1.2 ephemeral kex if [[ $line =~ Peer\ signing\ digest ]]; then local match=($line) @@ -840,6 +857,26 @@ display_results_in_terminal() { fi echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported" fi + if [[ $renegotiation ]]; then + if [[ $renegotiation == "secure" ]]; then + echo -e "Server ${c_green}supports${c_reset} secure renegotiation" + else + echo -e "Server ${c_red}DOESN'T${c_reset} support secure renegotiation" + fi + else + echo "Renegotiation test error" + fi + if [[ $compression ]]; then + if [[ $compression != "NONE" ]]; then + color="${c_red}" + else + color="${c_green}" + fi + echo -e "Server supported compression methods:" \ + "${color}$compression${c_reset}" + else + echo -e "Supported compression methods ${c_red}test error${c_reset}" + fi if [[ $TEST_KEX_SIGALG == "True" ]]; then echo @@ -948,6 +985,18 @@ display_results_in_json() { echo -n ",\"curves_fallback\":\"$fallback_supported\"" fi + if [[ $renegotiation ]]; then + echo -n ",\"renegotiation\":\"$renegotiation\"" + else + echo -n ",\"renegotiation\":\"False\"" + fi + + if [[ $compression ]]; then + echo -n ",\"compression\":\"$compression\"" + else + echo -n ",\"compression\":\"False\"" + fi + if [[ $TEST_KEX_SIGALG == "True" ]]; then echo -n ',"sigalgs":{' echo -n "\"ordering\":\"${sigalgs_ordering}\"," @@ -1260,6 +1309,16 @@ test_tls_tolerance() { tls_tolerance[$version]="False" else tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted" + + # collect renegotiation info + if [[ $current_renegotiation != "False" ]]; then + renegotiation="$current_renegotiation" + fi + + # collect compression info + if [[ $version == "big-TLSv1.2" || -z $compression ]]; then + compression="$current_compression" + fi fi done diff --git a/top1m/parse_results.py b/top1m/parse_results.py index bcdebbe..6350bb4 100644 --- a/top1m/parse_results.py +++ b/top1m/parse_results.py @@ -138,6 +138,8 @@ fallback_ids[' '] = i pfssigalgfallback = defaultdict(int) pfssigalgs = defaultdict(int) pfssigalgsordering = defaultdict(int) +compression = defaultdict(int) +renegotiation = defaultdict(int) dsarsastack = 0 total = 0 for r,d,flist in os.walk(path): @@ -161,6 +163,8 @@ for r,d,flist in os.walk(path): temppfssigalgordering = {} temppfssigalgfallback = {} temppfssigalgs = {} + tempcompression = {} + temprenegotiation = {} ciphertypes = 0 AESGCM = False AESCBC = False @@ -324,6 +328,13 @@ for r,d,flist in os.walk(path): except KeyError: pass + """ get some extra data about server """ + if 'renegotiation' in results: + temprenegotiation[results['renegotiation']] = 1 + + if 'compression' in results: + tempcompression[results['compression']] = 1 + """ loop over list of ciphers """ for entry in results['ciphersuite']: @@ -538,6 +549,12 @@ for r,d,flist in os.walk(path): for s in tempsigstats: sigalg[s] += 1 + for s in temprenegotiation: + renegotiation[s] += 1 + + for s in tempcompression: + compression[s] += 1 + if len(tempticketstats) == 1: for s in tempticketstats: tickethint[s + " only"] += 1 @@ -785,6 +802,18 @@ for stat in sorted(pfssigalgfallback): percent = round(pfssigalgfallback[stat] / total * 100, 4) sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n") +print("\nRenegotiation Count Percent ") +print("-------------------------+---------+--------") +for stat in natural_sort(renegotiation): + percent = round(renegotiation[stat] / total * 100, 4) + sys.stdout.write(stat.ljust(25) + " " + str(renegotiation[stat]).ljust(10) + str(percent).ljust(9) + "\n") + +print("\nCompression Count Percent ") +print("-------------------------+---------+--------") +for stat in natural_sort(compression): + percent = round(compression[stat] / total * 100, 4) + sys.stdout.write(stat.ljust(25) + " " + str(compression[stat]).ljust(10) + str(percent).ljust(9) + "\n") + print("\nTLS session ticket hint Count Percent ") print("-------------------------+---------+--------") for stat in natural_sort(tickethint):