2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 22:33:40 +01:00

report if server uses client side or server side cipher ordering

This commit is contained in:
Hubert Kario 2014-06-30 23:03:55 +02:00
parent 0ae9d76771
commit ab66f04e53

View File

@ -301,13 +301,18 @@ display_results_in_terminal() {
else else
echo "OCSP stapling: not supported" echo "OCSP stapling: not supported"
fi fi
if [[ $serverside == "True" ]]; then
echo "Server side cipher ordering"
else
echo "Client side cipher ordering"
fi
} }
display_results_in_json() { display_results_in_json() {
# Display the results in json # Display the results in json
ctr=0 ctr=0
echo -n "{\"target\":\"$TARGET\",\"date\":\"$(date -R)\",\"ciphersuite\": [" echo -n "{\"target\":\"$TARGET\",\"date\":\"$(date -R)\",\"serverside\":\"${serverside}\",\"ciphersuite\": ["
for cipher in "${cipherspref[@]}"; do for cipher in "${cipherspref[@]}"; do
[ $ctr -gt 0 ] && echo -n ',' [ $ctr -gt 0 ] && echo -n ','
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\"," echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
@ -325,6 +330,59 @@ display_results_in_json() {
echo ']}' echo ']}'
} }
test_serverside_ordering() {
local ciphersuite=""
local prefered=""
# server supports only one cipher or no ciphers, so it effectively uses server side ordering...
if [[ ${#cipherspref[@]} -lt 2 ]]; then
serverside="True"
return 0
# server supports just two ciphers, so rotate them, that should be enough
elif [[ ${#cipherspref[@]} -eq 2 ]]; then
local cipher=$(awk '{print $1}' <<< ${cipherspref[1]})
prefered="$cipher"
ciphersuite=$cipher
cipher=$(awk '{print $1}' <<< ${cipherspref[0]})
ciphersuite+=":$cipher"
# server supports 3 or more ciphers, rotate all three. This is necessary because google does
# select first client provided cipher, if it is either CDHE-RSA-AES128-GCM-SHA256 or
# ECDHE-RSA-CHACHA20-POLY1305
else
local cipher=$(awk '{print $1}' <<< ${cipherspref[2]})
prefered="$cipher"
ciphersuite="$cipher"
cipher=$(awk '{print $1}' <<< ${cipherspref[1]})
ciphersuite+=":$cipher"
cipher=$(awk '{print $1}' <<< ${cipherspref[0]})
ciphersuite+=":$cipher"
fi
if [ -e $CACERTS ]; then
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
else
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
fi
test_cipher_on_target "$sslcommand"
if [ $? -ne 0 ]; then
serverside="True"
else
local selected=$(awk '{print $1}' <<< $result)
if [[ $selected == $prefered ]]; then
serverside="False"
else
serverside="True"
fi
fi
}
# UNKNOWNOPTIONS="" # UNKNOWNOPTIONS=""
while : while :
do do
@ -411,6 +469,8 @@ results=()
# Call to the recursive loop that retrieves the cipher preferences # Call to the recursive loop that retrieves the cipher preferences
get_cipher_pref $CIPHERSUITE get_cipher_pref $CIPHERSUITE
test_serverside_ordering
if [ "$OUTPUTFORMAT" == "json" ]; then if [ "$OUTPUTFORMAT" == "json" ]; then
display_results_in_json display_results_in_json
else else