From bc0409ca735164340fdd0f563729d32e8b00c9d9 Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Sat, 5 Apr 2014 20:21:35 +0200
Subject: [PATCH] in "no-untrusted mode": filter out ADH and AECDH suites
If server negotiates ADH or AECDH suite, openssl returns "ok" in cert checking. Don't mark server as trusted because of that. Don't collect statistics on servers that provide only untrusted connections.
---
top1m/parse_results.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/top1m/parse_results.py b/top1m/parse_results.py
index 51b84c1..70cf39a 100644
--- a/top1m/parse_results.py
+++ b/top1m/parse_results.py
@@ -63,8 +63,11 @@ for r,d,flist in os.walk(path):
 """ loop over list of ciphers """
 for entry in results['ciphersuite']:
- if 'True' in entry['trusted']:
- trusted = True
+ # some servers return different certificates with different
+ # ciphers, also we may become redirected to other server with
+ # different config (because over-reactive IPS)
+ if 'False' in entry['trusted'] and report_untrused == False:
+ continue;
 """ store the ciphers supported """
 if 'AES-GCM' in entry['cipher']:
@@ -113,6 +116,9 @@ for r,d,flist in os.walk(path):
 if ECDSA:
 dualstack = True
+ if 'True' in entry['trusted'] and not 'ADH' in entry['cipher'] and not 'AECDH' in entry['cipher']:
+ trusted = True
+
 """ save key signatures size """
 tempsigstats[entry['sigalg'][0]] = 1
@@ -216,6 +222,10 @@ for r,d,flist in os.walk(path):
 # break
 print("SSL/TLS survey of %i websites from Alexa's top 1 million" % total)
+if report_untrused == False:
+ print("Stats only from connections that did provide valid certificates")
+ print("(or anonymous DH from servers that do also have valid certificate installed)\n")
+
 """ Display stats """
 print("\nSupported Ciphers Count Percent")
 print("-------------------------+---------+-------")
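Review bot: The new skip in the first hunk only drops entries whose trust flag reads 'False', so an anonymous ADH/AECDH entry — which the commit message says openssl reports as "ok" — still passes it and is fed into the per-cipher counters even when the server has no valid certificate at all; presumably the `trusted` flag is used after the loop (outside this hunk) to discard such a server's temporary stats, but nothing in the hunk says so, and a comment would make the contract explicit: `# anonymous suites come back as trusted from openssl; whether this server really has a valid cert is decided by 'trusted' after the loop`. `report_untrused == False` here and again in the third hunk is better written `if not report_untrused`, and the trailing `;` after `continue` should go. The spelling `report_untrused` also looks like a typo for `report_untrusted`; if the variable is defined under that spelling elsewhere in the script it is merely misleading, otherwise it raises NameError on the first untrusted entry. The `for entry in results['ciphersuite']` loop and the enclosing `os.walk` loop both continue outside the hunk.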
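Review bot: The trusted check in the second hunk is a 120-column line using the `not 'ADH' in x` form; the idiomatic spelling is `'ADH' not in entry['cipher']`, and splitting the condition across lines makes the three clauses readable. The line also carries none of the reasoning from the commit message, which is the security-relevant part — a reader later will not know why two suite-name substrings are excluded from a trust decision; a one-line comment above it would do: `# ADH/AECDH suites carry no certificate, so openssl's "ok" for them must not mark the server trusted`. Whether `entry['cipher']` is a single suite name or a list is not visible here, which matters for whether a substring test or a prefix test (`startswith(('ADH-', 'AECDH-'))`) is the right tool; worth stating in that comment too.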