LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00
Code Issues Releases Wiki Activity

add some fubar recommentations

Browse Source
This commit is contained in:
Julien Vehent 2014-10-10 19:07:31 -04:00
parent f4d0d598c7
commit a46e474337
1 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
analyze.py
View File

@ -12,24 +12,42 @@ from collections import namedtuple
# and looks for reasons to think otherwise. it will return True if # and looks for reasons to think otherwise. it will return True if
# it finds one of these reason # it finds one of these reason
def is_fubar(results): def is_fubar(results):
lvl = 'fubar'
fubar = False fubar = False
has_ssl2 = False
has_wrong_pubkey = False
has_md5_sig = False
has_untrust_cert = False
fubar_ciphers = set(all_ciphers) - set(old_ciphers) fubar_ciphers = set(all_ciphers) - set(old_ciphers)
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
if conn['cipher'] in fubar_ciphers: if conn['cipher'] in fubar_ciphers:
failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
fubar = True fubar = True
if 'SSLv2' in conn['protocols']: if 'SSLv2' in conn['protocols']:
has_ssl2 = True
logging.debug('SSLv2 is in the list of fubar protocols') logging.debug('SSLv2 is in the list of fubar protocols')
fubar = True fubar = True
if conn['pubkey'] < 2048: if conn['pubkey'] < 2048:
has_wrong_pubkey = True
logging.debug(conn['pubkey'] + ' is a fubar pubkey size') logging.debug(conn['pubkey'] + ' is a fubar pubkey size')
fubar = True fubar = True
if 'md5WithRSAEncryption' in conn['sigalg']: if 'md5WithRSAEncryption' in conn['sigalg']:
has_md5_sig = True
logging.debug(conn['sigalg']+ ' is a fubar cert signature') logging.debug(conn['sigalg']+ ' is a fubar cert signature')
fubar = True fubar = True
if conn['trusted'] == 'False': if conn['trusted'] == 'False':
has_untrust_cert = True
logging.debug('The certificate is not trusted, which is quite fubar') logging.debug('The certificate is not trusted, which is quite fubar')
fubar = True fubar = True
if has_ssl2:
failures[lvl].append("disable SSLv2")
if has_md5_sig:
failures[lvl].append("don't use a cert with a MD5 signature")
if has_wrong_pubkey:
failures[lvl].append("don't use a public key smaller than 2048 bits")
if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate")
return fubar return fubar
# is_old assumes a configuration *is* old, and will return False if # is_old assumes a configuration *is* old, and will return False if
@ -242,6 +260,7 @@ def process_results(data, level=None):
# initialize the failures struct # initialize the failures struct
global failures global failures
failures = dict() failures = dict()
failures['fubar'] = []
failures['old'] = [] failures['old'] = []
failures['intermediate'] = [] failures['intermediate'] = []
failures['modern'] = [] failures['modern'] = []
@ -255,6 +274,11 @@ def process_results(data, level=None):
except TypeError, e: except TypeError, e:
pass pass
if len(failures['fubar']) > 0:
print("\nSome things that are really FUBAR:")
for failure in failures['fubar']:
print("* " + failure)
# print failures # print failures
if level: if level:
if len(failures[level]) > 0: if len(failures[level]) > 0:
@ -300,7 +324,7 @@ def build_ciphers_lists(opensslbin):
blackhole = open(os.devnull, 'w') blackhole = open(os.devnull, 'w')
# use system openssl if not on linux 64 # use system openssl if not on linux 64
if opensslbin == '': if not opensslbin:
if platform.system() == 'Linux' and platform.architecture()[0] == '64bit': if platform.system() == 'Linux' and platform.architecture()[0] == '64bit':
opensslbin='./openssl' opensslbin='./openssl'
else: else: