mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-21 22:13:40 +01:00
Merge pull request #100 from tomato42/compress-and-renego-info
Add testing for renegotiation and compression
This commit is contained in:
commit
b03320887f
83
cipherscan
83
cipherscan
@ -195,6 +195,8 @@ declare -A sigalgs_fallback
|
||||
# array with preferred sigalgs for aRSA and aECDSA ciphers
|
||||
declare -a sigalgs_preferred_rsa
|
||||
declare -a sigalgs_preferred_ecdsa
|
||||
renegotiation=""
|
||||
compression=""
|
||||
|
||||
# because running external commands like sleep incurs a fork penalty, we
|
||||
# first check if it is necessary
|
||||
@ -210,12 +212,15 @@ usage() {
|
||||
[-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
|
||||
usage: $0 -h|--help
|
||||
|
||||
$0 attempts to connect to a target site using all the ciphersuites it knows.
|
||||
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
|
||||
$0 attempts to connect to a target site using all the ciphersuites known
|
||||
to OpenSSL it is using.
|
||||
|
||||
Julien Vehent [:ulfr] and others (see README.md)
|
||||
https://github.com/jvehent/cipherscan
|
||||
|
||||
Port defaults to 443
|
||||
|
||||
example: $ $0 www.google.com:443
|
||||
example: $ $0 www.google.com
|
||||
|
||||
Use one of the options below:
|
||||
|
||||
@ -239,9 +244,20 @@ Use one of the options below:
|
||||
-v | --verbose Increase verbosity.
|
||||
|
||||
The rest of the arguments will be interpreted as openssl s_client argument.
|
||||
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
|
||||
|
||||
EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222
|
||||
Some useful OpenSSL options:
|
||||
-starttls [smtp|imap|pop3|ftp|xmpp] Enable support and testing of the protocols
|
||||
that require turning TLS after initial protocol specific
|
||||
hello
|
||||
-servername name Request SNI support for connections
|
||||
-verify_hostname name Request host name verification in connection
|
||||
(req. OpenSSL 1.0.2)
|
||||
-verify_ip ip Request host name verification for an IP address, usually
|
||||
not specified in certificates (req. OpenSSL 1.0.2)
|
||||
|
||||
EXAMPLES:
|
||||
$0 -starttls xmpp jabber.ccc.de:5222
|
||||
$0 -servername youtube.com youtube.com:443
|
||||
"
|
||||
}
|
||||
|
||||
@ -359,6 +375,8 @@ parse_openssl_output() {
|
||||
current_pubkey=0
|
||||
current_trusted="False"
|
||||
current_sigalg="None"
|
||||
current_renegotiation="False"
|
||||
current_compression=""
|
||||
|
||||
certs_found=0
|
||||
current_raw_certificates=()
|
||||
@ -388,6 +406,19 @@ parse_openssl_output() {
|
||||
continue
|
||||
fi
|
||||
|
||||
# renegotiation support
|
||||
if [[ $line =~ Secure\ Renegotiation\ IS\ supported ]]; then
|
||||
current_renegotiation="secure"
|
||||
fi
|
||||
if [[ $line =~ Secure\ Renegotiation\ IS\ NOT\ supported ]]; then
|
||||
current_renegotiation="insecure"
|
||||
fi
|
||||
|
||||
# compression settings
|
||||
if [[ $line =~ Compression:\ (.*) ]]; then
|
||||
current_compression="${BASH_REMATCH[1]}"
|
||||
fi
|
||||
|
||||
# extract the signing algorithm used in TLSv1.2 ephemeral kex
|
||||
if [[ $line =~ Peer\ signing\ digest ]]; then
|
||||
local match=($line)
|
||||
@ -840,6 +871,26 @@ display_results_in_terminal() {
|
||||
fi
|
||||
echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported"
|
||||
fi
|
||||
if [[ $renegotiation ]]; then
|
||||
if [[ $renegotiation == "secure" ]]; then
|
||||
echo -e "Server ${c_green}supports${c_reset} secure renegotiation"
|
||||
else
|
||||
echo -e "Server ${c_red}DOESN'T${c_reset} support secure renegotiation"
|
||||
fi
|
||||
else
|
||||
echo "Renegotiation test error"
|
||||
fi
|
||||
if [[ $compression ]]; then
|
||||
if [[ $compression != "NONE" ]]; then
|
||||
color="${c_red}"
|
||||
else
|
||||
color="${c_green}"
|
||||
fi
|
||||
echo -e "Server supported compression methods:" \
|
||||
"${color}$compression${c_reset}"
|
||||
else
|
||||
echo -e "Supported compression methods ${c_red}test error${c_reset}"
|
||||
fi
|
||||
|
||||
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
||||
echo
|
||||
@ -948,6 +999,18 @@ display_results_in_json() {
|
||||
echo -n ",\"curves_fallback\":\"$fallback_supported\""
|
||||
fi
|
||||
|
||||
if [[ $renegotiation ]]; then
|
||||
echo -n ",\"renegotiation\":\"$renegotiation\""
|
||||
else
|
||||
echo -n ",\"renegotiation\":\"False\""
|
||||
fi
|
||||
|
||||
if [[ $compression ]]; then
|
||||
echo -n ",\"compression\":\"$compression\""
|
||||
else
|
||||
echo -n ",\"compression\":\"False\""
|
||||
fi
|
||||
|
||||
if [[ $TEST_KEX_SIGALG == "True" ]]; then
|
||||
echo -n ',"sigalgs":{'
|
||||
echo -n "\"ordering\":\"${sigalgs_ordering}\","
|
||||
@ -1260,6 +1323,16 @@ test_tls_tolerance() {
|
||||
tls_tolerance[$version]="False"
|
||||
else
|
||||
tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted"
|
||||
|
||||
# collect renegotiation info
|
||||
if [[ $current_renegotiation != "False" ]]; then
|
||||
renegotiation="$current_renegotiation"
|
||||
fi
|
||||
|
||||
# collect compression info
|
||||
if [[ $version == "big-TLSv1.2" || -z $compression ]]; then
|
||||
compression="$current_compression"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
@ -138,6 +138,8 @@ fallback_ids[' '] = i
|
||||
pfssigalgfallback = defaultdict(int)
|
||||
pfssigalgs = defaultdict(int)
|
||||
pfssigalgsordering = defaultdict(int)
|
||||
compression = defaultdict(int)
|
||||
renegotiation = defaultdict(int)
|
||||
dsarsastack = 0
|
||||
total = 0
|
||||
for r,d,flist in os.walk(path):
|
||||
@ -161,6 +163,8 @@ for r,d,flist in os.walk(path):
|
||||
temppfssigalgordering = {}
|
||||
temppfssigalgfallback = {}
|
||||
temppfssigalgs = {}
|
||||
tempcompression = {}
|
||||
temprenegotiation = {}
|
||||
ciphertypes = 0
|
||||
AESGCM = False
|
||||
AESCBC = False
|
||||
@ -324,6 +328,13 @@ for r,d,flist in os.walk(path):
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
""" get some extra data about server """
|
||||
if 'renegotiation' in results:
|
||||
temprenegotiation[results['renegotiation']] = 1
|
||||
|
||||
if 'compression' in results:
|
||||
tempcompression[results['compression']] = 1
|
||||
|
||||
""" loop over list of ciphers """
|
||||
for entry in results['ciphersuite']:
|
||||
|
||||
@ -538,6 +549,12 @@ for r,d,flist in os.walk(path):
|
||||
for s in tempsigstats:
|
||||
sigalg[s] += 1
|
||||
|
||||
for s in temprenegotiation:
|
||||
renegotiation[s] += 1
|
||||
|
||||
for s in tempcompression:
|
||||
compression[s] += 1
|
||||
|
||||
if len(tempticketstats) == 1:
|
||||
for s in tempticketstats:
|
||||
tickethint[s + " only"] += 1
|
||||
@ -785,6 +802,18 @@ for stat in sorted(pfssigalgfallback):
|
||||
percent = round(pfssigalgfallback[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||
|
||||
print("\nRenegotiation Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in natural_sort(renegotiation):
|
||||
percent = round(renegotiation[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(renegotiation[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||
|
||||
print("\nCompression Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in natural_sort(compression):
|
||||
percent = round(compression[stat] / total * 100, 4)
|
||||
sys.stdout.write(stat.ljust(25) + " " + str(compression[stat]).ljust(10) + str(percent).ljust(9) + "\n")
|
||||
|
||||
print("\nTLS session ticket hint Count Percent ")
|
||||
print("-------------------------+---------+--------")
|
||||
for stat in natural_sort(tickethint):
|
||||
|
Loading…
Reference in New Issue
Block a user