mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-21 22:13:40 +01:00
Merge pull request #100 from tomato42/compress-and-renego-info
Add testing for renegotiation and compression
This commit is contained in:
commit
b03320887f
83
cipherscan
83
cipherscan
@ -195,6 +195,8 @@ declare -A sigalgs_fallback
|
|||||||
# array with preferred sigalgs for aRSA and aECDSA ciphers
|
# array with preferred sigalgs for aRSA and aECDSA ciphers
|
||||||
declare -a sigalgs_preferred_rsa
|
declare -a sigalgs_preferred_rsa
|
||||||
declare -a sigalgs_preferred_ecdsa
|
declare -a sigalgs_preferred_ecdsa
|
||||||
|
renegotiation=""
|
||||||
|
compression=""
|
||||||
|
|
||||||
# because running external commands like sleep incurs a fork penalty, we
|
# because running external commands like sleep incurs a fork penalty, we
|
||||||
# first check if it is necessary
|
# first check if it is necessary
|
||||||
@ -210,12 +212,15 @@ usage() {
|
|||||||
[-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
[-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||||
usage: $0 -h|--help
|
usage: $0 -h|--help
|
||||||
|
|
||||||
$0 attempts to connect to a target site using all the ciphersuites it knows.
|
$0 attempts to connect to a target site using all the ciphersuites known
|
||||||
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
|
to OpenSSL it is using.
|
||||||
|
|
||||||
|
Julien Vehent [:ulfr] and others (see README.md)
|
||||||
|
https://github.com/jvehent/cipherscan
|
||||||
|
|
||||||
Port defaults to 443
|
Port defaults to 443
|
||||||
|
|
||||||
example: $ $0 www.google.com:443
|
example: $ $0 www.google.com
|
||||||
|
|
||||||
Use one of the options below:
|
Use one of the options below:
|
||||||
|
|
||||||
@ -239,9 +244,20 @@ Use one of the options below:
|
|||||||
-v | --verbose Increase verbosity.
|
-v | --verbose Increase verbosity.
|
||||||
|
|
||||||
The rest of the arguments will be interpreted as openssl s_client argument.
|
The rest of the arguments will be interpreted as openssl s_client argument.
|
||||||
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
|
|
||||||
|
|
||||||
EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222
|
Some useful OpenSSL options:
|
||||||
|
-starttls [smtp|imap|pop3|ftp|xmpp] Enable support and testing of the protocols
|
||||||
|
that require turning TLS after initial protocol specific
|
||||||
|
hello
|
||||||
|
-servername name Request SNI support for connections
|
||||||
|
-verify_hostname name Request host name verification in connection
|
||||||
|
(req. OpenSSL 1.0.2)
|
||||||
|
-verify_ip ip Request host name verification for an IP address, usually
|
||||||
|
not specified in certificates (req. OpenSSL 1.0.2)
|
||||||
|
|
||||||
|
EXAMPLES:
|
||||||
|
$0 -starttls xmpp jabber.ccc.de:5222
|
||||||
|
$0 -servername youtube.com youtube.com:443
|
||||||
"
|
"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -359,6 +375,8 @@ parse_openssl_output() {
|
|||||||
current_pubkey=0
|
current_pubkey=0
|
||||||
current_trusted="False"
|
current_trusted="False"
|
||||||
current_sigalg="None"
|
current_sigalg="None"
|
||||||
|
current_renegotiation="False"
|
||||||
|
current_compression=""
|
||||||
|
|
||||||
certs_found=0
|
certs_found=0
|
||||||
current_raw_certificates=()
|
current_raw_certificates=()
|
||||||
@ -388,6 +406,19 @@ parse_openssl_output() {
|
|||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# renegotiation support
|
||||||
|
if [[ $line =~ Secure\ Renegotiation\ IS\ supported ]]; then
|
||||||
|
current_renegotiation="secure"
|
||||||
|
fi
|
||||||
|
if [[ $line =~ Secure\ Renegotiation\ IS\ NOT\ supported ]]; then
|
||||||
|
current_renegotiation="insecure"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# compression settings
|
||||||
|
if [[ $line =~ Compression:\ (.*) ]]; then
|
||||||
|
current_compression="${BASH_REMATCH[1]}"
|
||||||
|
fi
|
||||||
|
|
||||||
# extract the signing algorithm used in TLSv1.2 ephemeral kex
|
# extract the signing algorithm used in TLSv1.2 ephemeral kex
|
||||||
if [[ $line =~ Peer\ signing\ digest ]]; then
|
if [[ $line =~ Peer\ signing\ digest ]]; then
|
||||||
local match=($line)
|
local match=($line)
|
||||||
@ -840,6 +871,26 @@ display_results_in_terminal() {
|
|||||||
fi
|
fi
|
||||||
echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported"
|
echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported"
|
||||||
fi
|
fi
|
||||||
|
if [[ $renegotiation ]]; then
|
||||||
|
if [[ $renegotiation == "secure" ]]; then
|
||||||
|
echo -e "Server ${c_green}supports${c_reset} secure renegotiation"
|
||||||
|
else
|
||||||
|
echo -e "Server ${c_red}DOESN'T${c_reset} support secure renegotiation"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "Renegotiation test error"
|
||||||
|
fi
|
||||||
|
if [[ $compression ]]; then
|
||||||
|
if [[ $compression != "NONE" ]]; then
|
||||||
|
color="${c_red}"
|
||||||
|
else
|
||||||
|
color="${c_green}"
|
||||||
|
fi
|
||||||
|
echo -e "Server supported compression methods:" \
|
||||||
|
"${color}$compression${c_reset}"
|
||||||
|
else
|
||||||
|
echo -e "Supported compression methods ${c_red}test error${c_reset}"
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
||||||
echo
|
echo
|
||||||
@ -948,6 +999,18 @@ display_results_in_json() {
|
|||||||
echo -n ",\"curves_fallback\":\"$fallback_supported\""
|
echo -n ",\"curves_fallback\":\"$fallback_supported\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ $renegotiation ]]; then
|
||||||
|
echo -n ",\"renegotiation\":\"$renegotiation\""
|
||||||
|
else
|
||||||
|
echo -n ",\"renegotiation\":\"False\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $compression ]]; then
|
||||||
|
echo -n ",\"compression\":\"$compression\""
|
||||||
|
else
|
||||||
|
echo -n ",\"compression\":\"False\""
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
||||||
echo -n ',"sigalgs":{'
|
echo -n ',"sigalgs":{'
|
||||||
echo -n "\"ordering\":\"${sigalgs_ordering}\","
|
echo -n "\"ordering\":\"${sigalgs_ordering}\","
|
||||||
@ -1260,6 +1323,16 @@ test_tls_tolerance() {
|
|||||||
tls_tolerance[$version]="False"
|
tls_tolerance[$version]="False"
|
||||||
else
|
else
|
||||||
tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted"
|
tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted"
|
||||||
|
|
||||||
|
# collect renegotiation info
|
||||||
|
if [[ $current_renegotiation != "False" ]]; then
|
||||||
|
renegotiation="$current_renegotiation"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# collect compression info
|
||||||
|
if [[ $version == "big-TLSv1.2" || -z $compression ]]; then
|
||||||
|
compression="$current_compression"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -138,6 +138,8 @@ fallback_ids[' '] = i
|
|||||||
pfssigalgfallback = defaultdict(int)
|
pfssigalgfallback = defaultdict(int)
|
||||||
pfssigalgs = defaultdict(int)
|
pfssigalgs = defaultdict(int)
|
||||||
pfssigalgsordering = defaultdict(int)
|
pfssigalgsordering = defaultdict(int)
|
||||||
|
compression = defaultdict(int)
|
||||||
|
renegotiation = defaultdict(int)
|
||||||
dsarsastack = 0
|
dsarsastack = 0
|
||||||
total = 0
|
total = 0
|
||||||
for r,d,flist in os.walk(path):
|
for r,d,flist in os.walk(path):
|
||||||
@ -161,6 +163,8 @@ for r,d,flist in os.walk(path):
|
|||||||
temppfssigalgordering = {}
|
temppfssigalgordering = {}
|
||||||
temppfssigalgfallback = {}
|
temppfssigalgfallback = {}
|
||||||
temppfssigalgs = {}
|
temppfssigalgs = {}
|
||||||
|
tempcompression = {}
|
||||||
|
temprenegotiation = {}
|
||||||
ciphertypes = 0
|
ciphertypes = 0
|
||||||
AESGCM = False
|
AESGCM = False
|
||||||
AESCBC = False
|
AESCBC = False
|
||||||
@ -324,6 +328,13 @@ for r,d,flist in os.walk(path):
|
|||||||
except KeyError:
|
except KeyError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
""" get some extra data about server """
|
||||||
|
if 'renegotiation' in results:
|
||||||
|
temprenegotiation[results['renegotiation']] = 1
|
||||||
|
|
||||||
|
if 'compression' in results:
|
||||||
|
tempcompression[results['compression']] = 1
|
||||||
|
|
||||||
""" loop over list of ciphers """
|
""" loop over list of ciphers """
|
||||||
for entry in results['ciphersuite']:
|
for entry in results['ciphersuite']:
|
||||||
|
|
||||||
@ -538,6 +549,12 @@ for r,d,flist in os.walk(path):
|
|||||||
for s in tempsigstats:
|
for s in tempsigstats:
|
||||||
sigalg[s] += 1
|
sigalg[s] += 1
|
||||||
|
|
||||||
|
for s in temprenegotiation:
|
||||||
|
renegotiation[s] += 1
|
||||||
|
|
||||||
|
for s in tempcompression:
|
||||||
|
compression[s] += 1
|
||||||
|
|
||||||
if len(tempticketstats) == 1:
|
if len(tempticketstats) == 1:
|
||||||
for s in tempticketstats:
|
for s in tempticketstats:
|
||||||
tickethint[s + " only"] += 1
|
tickethint[s + " only"] += 1
|
||||||
@ -785,6 +802,18 @@ for stat in sorted(pfssigalgfallback):
|
|||||||
percent = round(pfssigalgfallback[stat] / total * 100, 4)
|
percent = round(pfssigalgfallback[stat] / total * 100, 4)
|
||||||
sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||||
|
|
||||||
|
print("\nRenegotiation Count Percent ")
|
||||||
|
print("-------------------------+---------+--------")
|
||||||
|
for stat in natural_sort(renegotiation):
|
||||||
|
percent = round(renegotiation[stat] / total * 100, 4)
|
||||||
|
sys.stdout.write(stat.ljust(25) + " " + str(renegotiation[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||||
|
|
||||||
|
print("\nCompression Count Percent ")
|
||||||
|
print("-------------------------+---------+--------")
|
||||||
|
for stat in natural_sort(compression):
|
||||||
|
percent = round(compression[stat] / total * 100, 4)
|
||||||
|
sys.stdout.write(stat.ljust(25) + " " + str(compression[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||||
|
|
||||||
print("\nTLS session ticket hint Count Percent ")
|
print("\nTLS session ticket hint Count Percent ")
|
||||||
print("-------------------------+---------+--------")
|
print("-------------------------+---------+--------")
|
||||||
for stat in natural_sort(tickethint):
|
for stat in natural_sort(tickethint):
|
||||||
|
Loading…
Reference in New Issue
Block a user