2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 23:43:40 +01:00

Merge pull request #100 from tomato42/compress-and-renego-info

Add testing for renegotiation and compression
This commit is contained in:
Julien Vehent 2015-10-17 09:10:08 -04:00
commit b03320887f
2 changed files with 107 additions and 5 deletions

View File

@ -195,6 +195,8 @@ declare -A sigalgs_fallback
# array with preferred sigalgs for aRSA and aECDSA ciphers
declare -a sigalgs_preferred_rsa
declare -a sigalgs_preferred_ecdsa
renegotiation=""
compression=""
# because running external commands like sleep incurs a fork penalty, we
# first check if it is necessary
@ -210,12 +212,15 @@ usage() {
[-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
usage: $0 -h|--help
$0 attempts to connect to a target site using all the ciphersuites it knows.
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
$0 attempts to connect to a target site using all the ciphersuites known
to OpenSSL it is using.
Julien Vehent [:ulfr] and others (see README.md)
https://github.com/jvehent/cipherscan
Port defaults to 443
example: $ $0 www.google.com:443
example: $ $0 www.google.com
Use one of the options below:
@ -239,9 +244,20 @@ Use one of the options below:
-v | --verbose Increase verbosity.
The rest of the arguments will be interpreted as openssl s_client argument.
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222
Some useful OpenSSL options:
-starttls [smtp|imap|pop3|ftp|xmpp] Enable support and testing of the protocols
that require turning TLS after initial protocol specific
hello
-servername name Request SNI support for connections
-verify_hostname name Request host name verification in connection
(req. OpenSSL 1.0.2)
-verify_ip ip Request host name verification for an IP address, usually
not specified in certificates (req. OpenSSL 1.0.2)
EXAMPLES:
$0 -starttls xmpp jabber.ccc.de:5222
$0 -servername youtube.com youtube.com:443
"
}
@ -359,6 +375,8 @@ parse_openssl_output() {
current_pubkey=0
current_trusted="False"
current_sigalg="None"
current_renegotiation="False"
current_compression=""
certs_found=0
current_raw_certificates=()
@ -388,6 +406,19 @@ parse_openssl_output() {
continue
fi
# renegotiation support
if [[ $line =~ Secure\ Renegotiation\ IS\ supported ]]; then
current_renegotiation="secure"
fi
if [[ $line =~ Secure\ Renegotiation\ IS\ NOT\ supported ]]; then
current_renegotiation="insecure"
fi
# compression settings
if [[ $line =~ Compression:\ (.*) ]]; then
current_compression="${BASH_REMATCH[1]}"
fi
# extract the signing algorithm used in TLSv1.2 ephemeral kex
if [[ $line =~ Peer\ signing\ digest ]]; then
local match=($line)
@ -840,6 +871,26 @@ display_results_in_terminal() {
fi
echo -e "Curves ordering: $curvesordering - fallback: $fallback_supported"
fi
if [[ $renegotiation ]]; then
if [[ $renegotiation == "secure" ]]; then
echo -e "Server ${c_green}supports${c_reset} secure renegotiation"
else
echo -e "Server ${c_red}DOESN'T${c_reset} support secure renegotiation"
fi
else
echo "Renegotiation test error"
fi
if [[ $compression ]]; then
if [[ $compression != "NONE" ]]; then
color="${c_red}"
else
color="${c_green}"
fi
echo -e "Server supported compression methods:" \
"${color}$compression${c_reset}"
else
echo -e "Supported compression methods ${c_red}test error${c_reset}"
fi
if [[ $TEST_KEX_SIGALG == "True" ]]; then
echo
@ -948,6 +999,18 @@ display_results_in_json() {
echo -n ",\"curves_fallback\":\"$fallback_supported\""
fi
if [[ $renegotiation ]]; then
echo -n ",\"renegotiation\":\"$renegotiation\""
else
echo -n ",\"renegotiation\":\"False\""
fi
if [[ $compression ]]; then
echo -n ",\"compression\":\"$compression\""
else
echo -n ",\"compression\":\"False\""
fi
if [[ $TEST_KEX_SIGALG == "True" ]]; then
echo -n ',"sigalgs":{'
echo -n "\"ordering\":\"${sigalgs_ordering}\","
@ -1260,6 +1323,16 @@ test_tls_tolerance() {
tls_tolerance[$version]="False"
else
tls_tolerance[$version]="True $current_protocol $current_cipher $current_trusted"
# collect renegotiation info
if [[ $current_renegotiation != "False" ]]; then
renegotiation="$current_renegotiation"
fi
# collect compression info
if [[ $version == "big-TLSv1.2" || -z $compression ]]; then
compression="$current_compression"
fi
fi
done

View File

@ -138,6 +138,8 @@ fallback_ids[' '] = i
pfssigalgfallback = defaultdict(int)
pfssigalgs = defaultdict(int)
pfssigalgsordering = defaultdict(int)
compression = defaultdict(int)
renegotiation = defaultdict(int)
dsarsastack = 0
total = 0
for r,d,flist in os.walk(path):
@ -161,6 +163,8 @@ for r,d,flist in os.walk(path):
temppfssigalgordering = {}
temppfssigalgfallback = {}
temppfssigalgs = {}
tempcompression = {}
temprenegotiation = {}
ciphertypes = 0
AESGCM = False
AESCBC = False
@ -324,6 +328,13 @@ for r,d,flist in os.walk(path):
except KeyError:
pass
""" get some extra data about server """
if 'renegotiation' in results:
temprenegotiation[results['renegotiation']] = 1
if 'compression' in results:
tempcompression[results['compression']] = 1
""" loop over list of ciphers """
for entry in results['ciphersuite']:
@ -538,6 +549,12 @@ for r,d,flist in os.walk(path):
for s in tempsigstats:
sigalg[s] += 1
for s in temprenegotiation:
renegotiation[s] += 1
for s in tempcompression:
compression[s] += 1
if len(tempticketstats) == 1:
for s in tempticketstats:
tickethint[s + " only"] += 1
@ -785,6 +802,18 @@ for stat in sorted(pfssigalgfallback):
percent = round(pfssigalgfallback[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(30) + " " + str(pfssigalgfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nRenegotiation Count Percent ")
print("-------------------------+---------+--------")
for stat in natural_sort(renegotiation):
percent = round(renegotiation[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(renegotiation[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nCompression Count Percent ")
print("-------------------------+---------+--------")
for stat in natural_sort(compression):
percent = round(compression[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(compression[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nTLS session ticket hint Count Percent ")
print("-------------------------+---------+--------")
for stat in natural_sort(tickethint):