mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-26 07:53:41 +01:00
Added option to scan all known ciphers "-a"
parent
f5ff56344a
commit
d2b82ed871
@ -1,8 +1,9 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
DOBENCHMARK=1
|
DOBENCHMARK=0
|
||||||
BENCHMARKITER=30
|
BENCHMARKITER=30
|
||||||
OPENSSLBIN="./openssl"
|
OPENSSLBIN="./openssl"
|
||||||
|
TIMEOUT=10
|
||||||
REQUEST="GET / HTTP/1.1
|
REQUEST="GET / HTTP/1.1
|
||||||
Host: $TARGET
|
Host: $TARGET
|
||||||
|
|
||||||
@ -27,7 +28,11 @@ EOF
|
|||||||
# Parse the result
|
# Parse the result
|
||||||
result=$(grep "New, " $tmp|awk '{print $5}')
|
result=$(grep "New, " $tmp|awk '{print $5}')
|
||||||
rm "$tmp"
|
rm "$tmp"
|
||||||
if [ "$result" == '(NONE)' ]; then
|
if [ -z $result ]; then
|
||||||
|
verbose "handshake failed, no ciphersuite was returned"
|
||||||
|
result='ConnectionFailure'
|
||||||
|
return 2
|
||||||
|
elif [ "$result" == '(NONE)' ]; then
|
||||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||||
return 1
|
return 1
|
||||||
else
|
else
|
||||||
@ -40,13 +45,16 @@ EOF
|
|||||||
# Calculate the average handshake time for a specific ciphersuite
|
# Calculate the average handshake time for a specific ciphersuite
|
||||||
bench_cipher() {
|
bench_cipher() {
|
||||||
local ciphersuite="$1"
|
local ciphersuite="$1"
|
||||||
local sslcommand="$OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
||||||
local t="$(date +%s%N)"
|
local t="$(date +%s%N)"
|
||||||
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
|
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
|
||||||
for i in $(seq 1 $BENCHMARKITER); do
|
for i in $(seq 1 $BENCHMARKITER); do
|
||||||
$sslcommand 2>/dev/null 1>/dev/null << EOF
|
$sslcommand 2>/dev/null 1>/dev/null << EOF
|
||||||
$REQUEST
|
$REQUEST
|
||||||
EOF
|
EOF
|
||||||
|
if [ $? -gt 0 ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
# Time interval in nanoseconds
|
# Time interval in nanoseconds
|
||||||
local t="$(($(date +%s%N) - t))"
|
local t="$(($(date +%s%N) - t))"
|
||||||
@ -59,13 +67,13 @@ EOF
|
|||||||
# Connect to the target and retrieve the chosen cipher
|
# Connect to the target and retrieve the chosen cipher
|
||||||
get_cipher_pref() {
|
get_cipher_pref() {
|
||||||
local ciphersuite="$1"
|
local ciphersuite="$1"
|
||||||
local sslcommand="$OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
|
||||||
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
||||||
test_cipher_on_target "$sslcommand"
|
test_cipher_on_target "$sslcommand"
|
||||||
local success=$?
|
local success=$?
|
||||||
|
cipherspref=("${cipherspref[@]}" "$result")
|
||||||
# If the connection succeeded with the current cipher, benchmark and store
|
# If the connection succeeded with the current cipher, benchmark and store
|
||||||
if [ $success -eq 0 ]; then
|
if [ $success -eq 0 ]; then
|
||||||
cipherspref=("${cipherspref[@]}" "$result")
|
|
||||||
get_cipher_pref "!$result:$ciphersuite"
|
get_cipher_pref "!$result:$ciphersuite"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -83,12 +91,16 @@ jvehent - ulfr - 2013
|
|||||||
fi
|
fi
|
||||||
TARGET=$1
|
TARGET=$1
|
||||||
VERBOSE=0
|
VERBOSE=0
|
||||||
|
ALLCIPHERS=0
|
||||||
if [ ! -z $2 ]; then
|
if [ ! -z $2 ]; then
|
||||||
if [ "$2" == "-v" ]; then
|
if [ "$2" == "-v" ]; then
|
||||||
VERBOSE=1
|
VERBOSE=1
|
||||||
echo "Loading $($OPENSSLBIN ciphers -v ALL 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
echo "Loading $($OPENSSLBIN ciphers -v ALL 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
||||||
$OPENSSLBIN ciphers ALL 2>/dev/null
|
$OPENSSLBIN ciphers ALL 2>/dev/null
|
||||||
fi
|
fi
|
||||||
|
if [ "$2" == "-a" ]; then
|
||||||
|
ALLCIPHERS=1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cipherspref=();
|
cipherspref=();
|
||||||
@ -119,3 +131,18 @@ for result in "${results[@]}"; do
|
|||||||
fi
|
fi
|
||||||
echo $result
|
echo $result
|
||||||
done|column -t
|
done|column -t
|
||||||
|
|
||||||
|
if [ $ALLCIPHERS -gt 0 ]; then
|
||||||
|
echo; echo "All accepted ciphersuites"
|
||||||
|
for cipher in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
|
||||||
|
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $cipher"
|
||||||
|
test_cipher_on_target "$osslcommand"
|
||||||
|
r=$?
|
||||||
|
if [ $r -eq 0 ]; then
|
||||||
|
echo -en '\E[40;32m'"OK"; tput sgr0
|
||||||
|
else
|
||||||
|
echo -en '\E[40;31m'"KO"; tput sgr0
|
||||||
|
fi
|
||||||
|
echo " $cipher"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
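Review bot: In the new `-a` loop at the end of the file, every non-zero return from `test_cipher_on_target` prints `KO`, so the `return 2` path added in the parse hunk is reported exactly like a server that refused the suite. That path means no ciphersuite line was returned, which presumably includes a probe cut short by `timeout $TIMEOUT` or a failed connection. In an audit this can hide an accepted weak suite behind a transient network failure, so the loop should report the case separately, for example `elif [ $r -eq 2 ]; then echo -en '\E[40;33m'"ERR"; tput sgr0` before the `else`. Separately, `[ -z $result ]` in the parse hunk should quote the variable, `if [ -z "$result" ]; then`, because the unquoted form is only correct for an empty value and errors out if the `awk` output ever holds more than one word. The body of `test_cipher_on_target` starts outside the visible hunks, so how `result` is used after a failure could not be checked here.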