LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2026-02-06 15:15:16 +01:00
Code Issues Releases Wiki Activity

add support for testing supported curves

Browse Source 
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
This commit is contained in:
Hubert Kario
2014-11-06 01:43:05 +01:00
committed by Julien Vehent
parent 800eff19ce
commit c52e008347
3 changed files with 321 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
top1m/parse_results.py
View File

@@ -72,6 +72,9 @@ handshakestats = defaultdict(int)
keysize = defaultdict(int)
sigalg = defaultdict(int)
tickethint = defaultdict(int)
eccfallback = defaultdict(int)
eccordering = defaultdict(int)
ecccurve = defaultdict(int)
ocspstaple = defaultdict(int)
dsarsastack = 0
total = 0
@@ -86,6 +89,9 @@ for r,d,flist in os.walk(path):
tempdsakeystats = {}
tempsigstats = {}
tempticketstats = {}
tempeccfallback = "unknown"
tempeccordering = "unknown"
tempecccurve = {}
""" supported ciphers by the server under scan """
tempcipherstats = {}
ciphertypes = 0
@@ -141,6 +147,17 @@ for r,d,flist in os.walk(path):
if len(results['ciphersuite']) < 1:
continue
""" save ECC curve stats """
if 'curve_fallback' in results:
tempeccfallback = results['curve_fallback']
if 'curve_ordering' in results:
tempeccordering = results['curve_ordering']
if 'curve' in results:
for curve in results['curve']:
tempecccurve[curve] = 1
if len(results['curve']) == 1:
tempecccurve[curve + ' Only'] = 1
""" loop over list of ciphers """
for entry in results['ciphersuite']:
@@ -329,6 +346,11 @@ for r,d,flist in os.walk(path):
for s in tempticketstats:
tickethint[s] += 1
eccfallback[tempeccfallback] += 1
eccordering[tempeccordering] += 1
for s in tempecccurve:
ecccurve[s] += 1
if ocsp_stapling is None:
ocspstaple['Unknown'] += 1
elif ocsp_stapling:
@@ -518,6 +540,24 @@ for stat in sorted(pfsstats):
pfspercent = round(pfsstats[stat] / handshakestats['DHE'] * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(pfsstats[stat]).ljust(10) + str(percent).ljust(9) + str(pfspercent) + "\n")
print("\nSupported ECC curves Count Percent ")
print("-------------------------+---------+--------")
for stat in sorted(ecccurve):
percent = round(ecccurve[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(ecccurve[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nUnsupported curve fallback Count Percent ")
print("------------------------------+---------+--------")
for stat in sorted(eccfallback):
percent = round(eccfallback[stat] / total * 100,4)
sys.stdout.write(stat.ljust(30) + " " + str(eccfallback[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nECC curve ordering Count Percent ")
print("-------------------------+---------+--------")
for stat in sorted(eccordering):
percent = round(eccordering[stat] / total * 100, 4)
sys.stdout.write(stat.ljust(25) + " " + str(eccordering[stat]).ljust(10) + str(percent).ljust(9) + "\n")
print("\nTLS session ticket hint Count Percent ")
print("-------------------------+---------+--------")
for stat in natural_sort(tickethint):

4
top1m/testtop1m.sh
View File

@@ -68,7 +68,7 @@ function scan_host() {
if [ $? -gt 0 ]; then
return
fi
../cipherscan --capath ca_files --saveca --savecrt certs --delay 2 -json -servername $1 $2:443 > results/$1@$2
../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 -json -servername $1 $2:443 > results/$1@$2
}
function scan_host_no_sni() {
@@ -80,7 +80,7 @@ function scan_host_no_sni() {
if [ $? -gt 0 ]; then
return
fi
../cipherscan --capath ca_files --saveca --savecrt certs --delay 2 -json $1:443 > results/$1
../cipherscan --capath ca_files --saveca --curves --savecrt certs --delay 2 -json $1:443 > results/$1
}
function scan_hostname() {