detect some TLS intolerancies

buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's, etc. try to detect such failures and report them among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with ability to downgrade to lower protocol versions as well as a size limited client hello, both TLS1.2 and TLS1.0 version
2026-02-05 22:55:15 +01:00 · 2014-11-06 23:50:35 +01:00
parent 0ab0575274
commit a71bfe5ebd
2 changed files with 358 additions and 1 deletions
--- a/top1m/parse_results.py
+++ b/top1m/parse_results.py
@@ -13,6 +13,7 @@ path = "./results/"
 import json
 import sys
 from collections import defaultdict
+import operator
 import os
 import re

@@ -94,6 +95,44 @@ eccfallback = defaultdict(int)
 eccordering = defaultdict(int)
 ecccurve = defaultdict(int)
 ocspstaple = defaultdict(int)
+fallbacks = defaultdict(int)
+# array with indexes of fallback names for the matrix report
+fallback_ids = defaultdict(int)
+i=0
+fallback_ids['big-SSLv3'] = i
+i+=1
+fallback_ids['big-TLSv1.0'] = i
+i+=1
+fallback_ids['big-TLSv1.1'] = i
+i+=1
+fallback_ids['big-TLSv1.2'] = i
+i+=1
+# padding space
+fallback_ids[' '] = i
+i+=1
+fallback_ids['small-SSLv3'] = i
+i+=1
+fallback_ids['small-TLSv1.0'] = i
+i+=1
+fallback_ids['small-TLSv1.1'] = i
+i+=1
+fallback_ids['small-TLSv1.2'] = i
+i+=1
+# 2nd padding space
+fallback_ids['  '] = i
+i+=1
+fallback_ids['v2-small-SSLv3'] = i
+i+=1
+fallback_ids['v2-small-TLSv1.0'] = i
+i+=1
+fallback_ids['v2-small-TLSv1.1'] = i
+i+=1
+fallback_ids['v2-small-TLSv1.2'] = i
+i+=1
+fallback_ids['v2-big-TLSv1.2'] = i
+i+=1
+# 3rd padding space
+fallback_ids['   '] = i
 dsarsastack = 0
 total = 0
 for r,d,flist in os.walk(path):
@@ -111,6 +150,7 @@ for r,d,flist in os.walk(path):
        tempeccfallback = "unknown"
        tempeccordering = "unknown"
        tempecccurve = {}
+        tempfallbacks = {}
        """ supported ciphers by the server under scan """
        tempcipherstats = {}
        ciphertypes = 0
@@ -165,8 +205,31 @@ for r,d,flist in os.walk(path):
            except ValueError:
                continue

+
            """ discard files with empty results """
            if len(results['ciphersuite']) < 1:
+                # if there are no results from regular scan but there are
+                # from fallback attempts that means that the scan of a host
+                # is inconclusive
+                if 'configs' in results:
+                    tolerance = [' '] * len(fallback_ids)
+                    for entry in results['configs']:
+                        config = results['configs'][entry]
+                        if config['tolerant'] == "True" and \
+                                config['trusted'] == "True":
+
+                            # save which protocols passed
+                            if entry in fallback_ids:
+                                tolerance[fallback_ids[entry]] = 'v'
+                            else:
+                                fallback_ids[entry] = len(fallback_ids)
+                                tolerance.insert(fallback_ids[entry], 'v')
+
+                    # analysis of host won't be continued, so we have to add
+                    # results to the permanent, not temporary table, but
+                    # do that only when there actually were detected values
+                    if "".join(tolerance).strip():
+                        fallbacks["".join(tolerance).rstrip()] += 1
                continue

            """ save ECC fallback (new format) """
@@ -184,6 +247,21 @@ for r,d,flist in os.walk(path):
                if len(results['curve']) == 1:
                    tempecccurve[curve + ' Only'] = 1

+            if 'configs' in results:
+                tolerance = [' '] * len(fallback_ids)
+                for entry in results['configs']:
+                    config = results['configs'][entry]
+
+                    if not entry in fallback_ids:
+                        fallback_ids[entry] = len(fallback_ids)
+                        tolerance.insert(fallback_ids[entry], ' ')
+
+                    if config['tolerant'] == "True":
+                        tolerance[fallback_ids[entry]] = 'v'
+                    else:
+                        tolerance[fallback_ids[entry]] = 'X'
+                tempfallbacks["".join(tolerance).rstrip()] = 1
+
            """ loop over list of ciphers """
            for entry in results['ciphersuite']:

@@ -392,6 +470,9 @@ for r,d,flist in os.walk(path):
                                client_RC4_Pref[client_name] = True
                            break

+        for s in tempfallbacks:
+            fallbacks[s] += 1
+
        for s in tempsigstats:
            sigalg[s] += 1

@@ -650,3 +731,17 @@ print("-------------------------+---------+-------")
 for stat in sorted(protocolstats):
    percent = round(protocolstats[stat] / total * 100, 4)
    sys.stdout.write(stat.ljust(25) + " " + str(protocolstats[stat]).ljust(10) + str(percent).ljust(4) + "\n")
+
+print("\nRequired fallbacks                       Count     Percent")
+print("----------------------------------------+---------+-------")
+print("big  smal v2   ")
+print("----+----+-----+------------------------+---------+-------")
+for stat in sorted(fallbacks):
+    percent = round(fallbacks[stat] / total * 100, 4)
+    sys.stdout.write(stat.ljust(40) + " " + str(fallbacks[stat]).ljust(10) + str(percent).ljust(4) + "\n")
+
+print("\nFallback column names")
+print("------------------------")
+fallback_ids_sorted=sorted(fallback_ids.items(), key=operator.itemgetter(1))
+for touple in fallback_ids_sorted:
+    print(str(touple[1]+1).rjust(3) + "  " + str(touple[0]))