mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 06:13:42 +01:00
detect some TLS intolerancies
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's, etc. try to detect such failures and report them among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with ability to downgrade to lower protocol versions as well as a size limited client hello, both TLS1.2 and TLS1.0 version
This commit is contained in:
parent
0ab0575274
commit
a71bfe5ebd
264
cipherscan
264
cipherscan
@ -63,6 +63,32 @@ fi
|
||||
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
||||
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
||||
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
||||
# some servers are intolerant to large client hello, try a shorter list of
|
||||
# ciphers with them
|
||||
SHORTCIPHERSUITE=('ECDHE-ECDSA-AES128-GCM-SHA256'
|
||||
'ECDHE-RSA-AES128-GCM-SHA256'
|
||||
'ECDHE-RSA-AES256-GCM-SHA384'
|
||||
'ECDHE-ECDSA-AES256-SHA'
|
||||
'ECDHE-ECDSA-AES128-SHA'
|
||||
'ECDHE-RSA-AES128-SHA'
|
||||
'ECDHE-RSA-AES256-SHA'
|
||||
'ECDHE-RSA-DES-CBC3-SHA'
|
||||
'ECDHE-ECDSA-RC4-SHA'
|
||||
'ECDHE-RSA-RC4-SHA'
|
||||
'DHE-RSA-AES128-SHA'
|
||||
'DHE-DSS-AES128-SHA'
|
||||
'DHE-RSA-CAMELLIA128-SHA'
|
||||
'DHE-RSA-AES256-SHA'
|
||||
'DHE-DSS-AES256-SHA'
|
||||
'DHE-RSA-CAMELLIA256-SHA'
|
||||
'EDH-RSA-DES-CBC3-SHA'
|
||||
'AES128-SHA'
|
||||
'CAMELLIA128-SHA'
|
||||
'AES256-SHA'
|
||||
'CAMELLIA256-SHA'
|
||||
'DES-CBC3-SHA'
|
||||
'RC4-SHA'
|
||||
'RC4-MD5')
|
||||
# as some servers are intolerant to large client hello's (or ones that have
|
||||
# RC4 ciphers below position 64), use the following for cipher testing in case
|
||||
# of problems
|
||||
@ -119,6 +145,8 @@ unset known_certs
|
||||
declare -A known_certs
|
||||
unset cert_checksums
|
||||
declare -A cert_checksums
|
||||
# array with results of tolerance scans (TLS version, extensions, etc.)
|
||||
declare -A tls_tolerance
|
||||
|
||||
# because running external commands like sleep incurs a fork penalty, we
|
||||
# first check if it is necessary
|
||||
@ -685,6 +713,17 @@ display_results_in_terminal() {
|
||||
echo "Curves ordering: $curvesordering"
|
||||
echo "Curves fallback: $fallback_supported"
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Fallbacks required:"
|
||||
for test_name in "${!tls_tolerance[@]}"; do
|
||||
if [[ ${tls_tolerance[$test_name]} == "False" ]]; then
|
||||
echo "$test_name config not supported, connection failed"
|
||||
else
|
||||
local res=(${tls_tolerance[$test_name]})
|
||||
echo "$test_name no fallback req, connected: ${res[1]} ${res[2]}"
|
||||
fi
|
||||
done | sort
|
||||
}
|
||||
|
||||
display_results_in_json() {
|
||||
@ -722,7 +761,22 @@ display_results_in_json() {
|
||||
if [ $TEST_CURVES == "True" ]; then
|
||||
echo -n ",\"curves_fallback\":\"$fallback_supported\""
|
||||
fi
|
||||
echo '}'
|
||||
echo -n ',"configs":{'
|
||||
ctr=0
|
||||
for test_name in "${!tls_tolerance[@]}"; do
|
||||
local result=(${tls_tolerance[$test_name]})
|
||||
[ $ctr -gt 0 ] && echo -n ","
|
||||
echo -n "\"$test_name\":{"
|
||||
if [[ ${result[0]} == "False" ]]; then
|
||||
echo -n "\"tolerant\":\"False\""
|
||||
else
|
||||
echo -n "\"tolerant\":\"True\",\"proto\":\"${result[1]}\","
|
||||
echo -n "\"cipher\":\"${result[2]}\",\"trusted\":\"${result[3]}\""
|
||||
fi
|
||||
echo -n "}"
|
||||
ctr=$((ctr+1))
|
||||
done
|
||||
echo '}}'
|
||||
}
|
||||
|
||||
test_serverside_ordering() {
|
||||
@ -977,6 +1031,212 @@ test_curves_fallback() {
|
||||
done
|
||||
}
|
||||
|
||||
test_tls_tolerance() {
|
||||
|
||||
#
|
||||
# first test general version tolerance with all we've got (full list of
|
||||
# curves, full list of ciphers, NPN, ALPN
|
||||
#
|
||||
declare -A tls_vers_tests
|
||||
tls_vers_tests['big-TLSv1.2']=""
|
||||
tls_vers_tests['big-TLSv1.1']="-no_tls1_2"
|
||||
tls_vers_tests['big-TLSv1.0']="-no_tls1_2 -no_tls1_1"
|
||||
tls_vers_tests['big-SSLv3']="-no_tls1_2 -no_tls1_1 -no_tls1"
|
||||
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||
sslcommand+=" -status -nextprotoneg 'http/1.1'"
|
||||
sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $CIPHERSUITE"
|
||||
|
||||
for version in "${!tls_vers_tests[@]}"; do
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand ${tls_vers_tests[$version]}"
|
||||
local tmp=$(echo Q | $sslcommand ${tls_vers_tests[$version]} 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance[$version]="False"
|
||||
else
|
||||
tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
done
|
||||
|
||||
# if TLS1.2 didn't succeeded, try different fallbacks
|
||||
if [[ ${tls_tolerance['big-TLSv1.2']} == "False" ]]; then
|
||||
#
|
||||
# Try big client hello, but with a version 2 compatible format
|
||||
# (openssl automatically does that when there are SSLv2 ciphers in
|
||||
# cipher string and no options are specified)
|
||||
#
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||
if [ -n "$CAPATH" ]; then
|
||||
sslcommand+=" -CApath $CAPATH -showcerts"
|
||||
elif [ -e "$CACERTS" ]; then
|
||||
sslcommand+=" -CAfile $CACERTS"
|
||||
fi
|
||||
sslcommand+=" -connect $TARGET -cipher $CIPHERSUITE"
|
||||
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand"
|
||||
local tmp=$(echo Q | $sslcommand 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['v2-big-TLSv1.2']="False"
|
||||
else
|
||||
tls_tolerance['v2-big-TLSv1.2']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# try a smaller, but still v2 compatible Client Hello
|
||||
#
|
||||
OLDIFS="$IFS"
|
||||
IFS=":"
|
||||
local ciphers="${SHORTCIPHERSUITE[*]}"
|
||||
IFS="$OLDIFS"
|
||||
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||
if [ -n "$CAPATH" ]; then
|
||||
sslcommand+=" -CApath $CAPATH -showcerts"
|
||||
elif [ -e "$CACERTS" ]; then
|
||||
sslcommand+=" -CAfile $CACERTS"
|
||||
fi
|
||||
sslcommand+=" -connect $TARGET -cipher $ciphers"
|
||||
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand"
|
||||
local tmp=$(echo Q | $sslcommand 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['v2-small-TLSv1.2']="False"
|
||||
else
|
||||
tls_tolerance['v2-small-TLSv1.2']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v2, small but with TLS1.1 as max version
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['v2-small-TLSv1.1']="False"
|
||||
else
|
||||
tls_tolerance['v2-small-TLSv1.1']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v2, small but with TLS1.0 as max version
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2 -no_tls1_1"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 -no_tls1_1 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['v2-small-TLSv1.0']="False"
|
||||
else
|
||||
tls_tolerance['v2-small-TLSv1.0']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v2, small but with SSLv3 as max version
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2 -no_tls1_1 -no_tls1"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 -no_tls1_1 -no_tls1 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['v2-small-SSLv3']="False"
|
||||
else
|
||||
tls_tolerance['v2-small-SSLv3']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
|
||||
#
|
||||
# use v3 format TLSv1.2 hello, small cipher list
|
||||
#
|
||||
OLDIFS="$IFS"
|
||||
IFS=":"
|
||||
local ciphers="${SHORTCIPHERSUITE[*]}"
|
||||
IFS="$OLDIFS"
|
||||
|
||||
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
|
||||
if [ -n "$CAPATH" ]; then
|
||||
sslcommand+=" -CApath $CAPATH -showcerts"
|
||||
elif [ -e "$CACERTS" ]; then
|
||||
sslcommand+=" -CAfile $CACERTS"
|
||||
fi
|
||||
sslcommand+=" $SCLIENTARGS -connect $TARGET -cipher $ciphers:!SSLv2"
|
||||
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand"
|
||||
local tmp=$(echo Q | $sslcommand 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['small-TLSv1.2']="False"
|
||||
else
|
||||
tls_tolerance['small-TLSv1.2']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v3 format TLSv1.1 hello, small cipher list
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['small-TLSv1.1']="False"
|
||||
else
|
||||
tls_tolerance['small-TLSv1.1']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v3 format TLSv1.0 hello, small cipher list
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2 -no_tls1_1"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 -no_tls1_1 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['small-TLSv1.0']="False"
|
||||
else
|
||||
tls_tolerance['small-TLSv1.0']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
|
||||
#
|
||||
# v3 format SSLv3 hello, small cipher list
|
||||
#
|
||||
ratelimit
|
||||
verbose "Testing fallback with $sslcommand -no_tls1_2 -no_tls1_1 -no_tls1"
|
||||
local tmp=$(echo Q | $sslcommand -no_tls1_2 -no_tls1_1 -no_tls1 2>/dev/null)
|
||||
parse_openssl_output <<<"$tmp"
|
||||
verbose "Negotiated proto: $current_protocol, cipher: $current_cipher"
|
||||
if [[ -z $current_protocol || $current_cipher == "(NONE)" \
|
||||
|| $current_cipher == '0000' ]]; then
|
||||
tls_tolerance['small-SSLv3']="False"
|
||||
else
|
||||
tls_tolerance['small-SSLv3']="True $current_protocol $current_cipher $current_trusted"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# If no options are given, give usage information and exit (with error code)
|
||||
if [ $# -eq 0 ]; then
|
||||
usage;
|
||||
@ -1120,6 +1380,8 @@ if [[ ${#cipherspref[@]} -eq 0 ]] || [[ ${pref[1]} == "SSLv2" ]]; then
|
||||
get_cipher_pref "$CIPHERS"
|
||||
fi
|
||||
|
||||
test_tls_tolerance
|
||||
|
||||
test_serverside_ordering
|
||||
|
||||
if [[ $TEST_CURVES == "True" ]]; then
|
||||
|
@ -13,6 +13,7 @@ path = "./results/"
|
||||
import json
|
||||
import sys
|
||||
from collections import defaultdict
|
||||
import operator
|
||||
import os
|
||||
import re
|
||||
|
||||
@ -94,6 +95,44 @@ eccfallback = defaultdict(int)
|
||||
eccordering = defaultdict(int)
|
||||
ecccurve = defaultdict(int)
|
||||
ocspstaple = defaultdict(int)
|
||||
fallbacks = defaultdict(int)
|
||||
# array with indexes of fallback names for the matrix report
|
||||
fallback_ids = defaultdict(int)
|
||||
i=0
|
||||
fallback_ids['big-SSLv3'] = i
|
||||
i+=1
|
||||
fallback_ids['big-TLSv1.0'] = i
|
||||
i+=1
|
||||
fallback_ids['big-TLSv1.1'] = i
|
||||
i+=1
|
||||
fallback_ids['big-TLSv1.2'] = i
|
||||
i+=1
|
||||
# padding space
|
||||
fallback_ids[' '] = i
|
||||
i+=1
|
||||
fallback_ids['small-SSLv3'] = i
|
||||
i+=1
|
||||
fallback_ids['small-TLSv1.0'] = i
|
||||
i+=1
|
||||
fallback_ids['small-TLSv1.1'] = i
|
||||
i+=1
|
||||
fallback_ids['small-TLSv1.2'] = i
|
||||
i+=1
|
||||
# 2nd padding space
|
||||
fallback_ids[' '] = i
|
||||
i+=1
|
||||
fallback_ids['v2-small-SSLv3'] = i
|
||||
i+=1
|
||||
fallback_ids['v2-small-TLSv1.0'] = i
|
||||
i+=1
|
||||
fallback_ids['v2-small-TLSv1.1'] = i
|
||||
i+=1
|
||||
fallback_ids['v2-small-TLSv1.2'] = i
|
||||
i+=1
|
||||
fallback_ids['v2-big-TLSv1.2'] = i
|
||||
i+=1
|
||||
# 3rd padding space
|
||||
fallback_ids[' '] = i
|
||||
dsarsastack = 0
|
||||
total = 0
|
||||
for r,d,flist in os.walk(path):
|
||||
@ -111,6 +150,7 @@ for r,d,flist in os.walk(path):
|
||||
tempeccfallback = "unknown"
|
||||
tempeccordering = "unknown"
|
||||
tempecccurve = {}
|
||||
tempfallbacks = {}
|
||||
""" supported ciphers by the server under scan """
|
||||
tempcipherstats = {}
|
||||
ciphertypes = 0
|
||||
@ -165,8 +205,31 @@ for r,d,flist in os.walk(path):
|
||||
except ValueError:
|
||||
continue
|
||||
|
||||
|
||||
""" discard files with empty results """
|
||||
if len(results['ciphersuite']) < 1:
|
||||
# if there are no results from regular scan but there are
|
||||
# from fallback attempts that means that the scan of a host
|
||||
# is inconclusive
|
||||
if 'configs' in results:
|
||||
tolerance = [' '] * len(fallback_ids)
|
||||
for entry in results['configs']:
|
||||
config = results['configs'][entry]
|
||||
if config['tolerant'] == "True" and \
|
||||
config['trusted'] == "True":
|
||||
|
||||
# save which protocols passed
|
||||
if entry in fallback_ids:
|
||||
tolerance[fallback_ids[entry]] = 'v'
|
||||
else:
|
||||
fallback_ids[entry] = len(fallback_ids)
|
||||
tolerance.insert(fallback_ids[entry], 'v')
|
||||
|
||||
# analysis of host won't be continued, so we have to add
|
||||
# results to the permanent, not temporary table, but
|
||||
# do that only when there actually were detected values
|
||||
if "".join(tolerance).strip():
|
||||
fallbacks["".join(tolerance).rstrip()] += 1
|
||||
continue
|
||||
|
||||
""" save ECC fallback (new format) """
|
||||
@ -184,6 +247,21 @@ for r,d,flist in os.walk(path):
|
||||
if len(results['curve']) == 1:
|
||||
tempecccurve[curve + ' Only'] = 1
|
||||
|
||||
if 'configs' in results:
|
||||
tolerance = [' '] * len(fallback_ids)
|
||||
for entry in results['configs']:
|
||||
config = results['configs'][entry]
|
||||
|
||||
if not entry in fallback_ids:
|
||||
fallback_ids[entry] = len(fallback_ids)
|
||||
tolerance.insert(fallback_ids[entry], ' ')
|
||||
|
||||
if config['tolerant'] == "True":
|
||||
tolerance[fallback_ids[entry]] = 'v'
|
||||
else:
|
||||
tolerance[fallback_ids[entry]] = 'X'
|
||||
tempfallbacks["".join(tolerance).rstrip()] = 1
|
||||
|
||||
""" loop over list of ciphers """
|
||||
for entry in results['ciphersuite']:
|
||||
|
||||
@ -392,6 +470,9 @@ for r,d,flist in os.walk(path):
|
||||
client_RC4_Pref[client_name] = True
|
||||
break
|
||||
|
||||
for s in tempfallbacks:
|
||||
fallbacks[s] += 1
|
||||
|
||||
for s in tempsigstats:
|
||||
sigalg[s] += 1
|
||||
|
||||
@ -650,3 +731,17 @@ print("-------------------------+---------+-------")
|
||||
for stat in sorted(protocolstats):
|
||||
percent = round(protocolstats[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(protocolstats[stat]).ljust(10) + str(percent).ljust(4) + "\n")
|
||||
|
||||
print("\nRequired fallbacks Count Percent")
|
||||
print("----------------------------------------+---------+-------")
|
||||
print("big smal v2 ")
|
||||
print("----+----+-----+------------------------+---------+-------")
|
||||
for stat in sorted(fallbacks):
|
||||
percent = round(fallbacks[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(40) + " " + str(fallbacks[stat]).ljust(10) + str(percent).ljust(4) + "\n")
|
||||
|
||||
print("\nFallback column names")
|
||||
print("------------------------")
|
||||
fallback_ids_sorted=sorted(fallback_ids.items(), key=operator.itemgetter(1))
|
||||
for touple in fallback_ids_sorted:
|
||||
print(str(touple[1]+1).rjust(3) + " " + str(touple[0]))
|
||||
|
Loading…
Reference in New Issue
Block a user