From f04567d40edf65007aefacb18432d99eaa88a530 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Sat, 5 Apr 2014 19:36:51 +0200 Subject: [PATCH] check if certificate used by server is trused Use system trust anchors to check if certificate chain used by server is actually valid. --- cipherscan | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/cipherscan b/cipherscan index aa3c202..43469b2 100755 --- a/cipherscan +++ b/cipherscan @@ -8,6 +8,10 @@ DOBENCHMARK=0 BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" +CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt} +if [ ! -e "$CACERTS" ]; then + echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2 +fi CIPHERSUITE="ALL:COMPLEMENTOFALL" DEBUG=0 VERBOSE=0 @@ -77,6 +81,12 @@ test_cipher_on_target() { current_pubkey=0 fi current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None" + grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null + if [ $? -eq 0 ]; then + current_trusted="True" + else + current_trusted="False" + fi if [ -z $current_sigalg ]; then current_sigalg=None fi @@ -102,6 +112,7 @@ test_cipher_on_target() { pfs=$current_pfs pubkey=$current_pubkey sigalg=$current_sigalg + trusted=$current_trusted # grab the cipher and PFS key size done # if cipher is empty, that means none of the TLS version worked with @@ -113,13 +124,13 @@ test_cipher_on_target() { # if cipher contains NONE, the cipher wasn't accepted elif [ "$cipher" == '(NONE) ' ]; then - result="$cipher $protocols $pubkey $sigalg $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $pfs" verbose "handshake failed, server returned ciphersuite '$result'" return 1 # the connection succeeded else - result="$cipher $protocols $pubkey $sigalg $pfs" + result="$cipher $protocols $pubkey $sigalg $trusted $pfs" verbose "handshake succeeded, server returned ciphersuite '$result'" return 0 fi @@ -152,7 +163,11 @@ bench_cipher() { get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' local ciphersuite="$1" - local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + if [ -e $CACERTS ]; then + local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + else + local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + fi verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" local success=$? @@ -183,9 +198,9 @@ display_results_in_terminal() { done if [ $DOBENCHMARK -eq 1 ]; then - header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec" + header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec" else - header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize" + header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize" fi ctr=0 for result in "${results[@]}"; do @@ -208,7 +223,8 @@ display_results_in_json() { echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"]," echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"]," echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," - pfs=$(echo $cipher|awk '{print $5}') + echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\"," + pfs=$(echo $cipher|awk '{print $6}') [ "$pfs" == "" ] && pfs="None" echo -n "\"pfs\":\"$pfs\"}" ctr=$((ctr+1))