LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity

check if certificate used by server is trused 

Use system trust anchors to check if certificate chain used by server
is actually valid.
This commit is contained in:
Hubert Kario 2014-04-05 19:36:51 +02:00
parent 946cc6a9ac
commit f04567d40e
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
cipherscan
View File

@ -8,6 +8,10 @@
DOBENCHMARK=0 DOBENCHMARK=0
BENCHMARKITER=30 BENCHMARKITER=30
OPENSSLBIN="$(dirname $0)/openssl" OPENSSLBIN="$(dirname $0)/openssl"
CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt}
if [ ! -e "$CACERTS" ]; then
echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2
fi
CIPHERSUITE="ALL:COMPLEMENTOFALL" CIPHERSUITE="ALL:COMPLEMENTOFALL"
DEBUG=0 DEBUG=0
VERBOSE=0 VERBOSE=0
@ -77,6 +81,12 @@ test_cipher_on_target() {
current_pubkey=0 current_pubkey=0
fi fi
current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None" current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
if [ $? -eq 0 ]; then
current_trusted="True"
else
current_trusted="False"
fi
if [ -z $current_sigalg ]; then if [ -z $current_sigalg ]; then
current_sigalg=None current_sigalg=None
fi fi
@ -102,6 +112,7 @@ test_cipher_on_target() {
pfs=$current_pfs pfs=$current_pfs
pubkey=$current_pubkey pubkey=$current_pubkey
sigalg=$current_sigalg sigalg=$current_sigalg
trusted=$current_trusted
# grab the cipher and PFS key size # grab the cipher and PFS key size
done done
# if cipher is empty, that means none of the TLS version worked with # if cipher is empty, that means none of the TLS version worked with
@ -113,13 +124,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted # if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $pfs" result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
verbose "handshake failed, server returned ciphersuite '$result'" verbose "handshake failed, server returned ciphersuite '$result'"
return 1 return 1
# the connection succeeded # the connection succeeded
else else
result="$cipher $protocols $pubkey $sigalg $pfs" result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'" verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0 return 0
fi fi
@ -152,7 +163,11 @@ bench_cipher() {
get_cipher_pref() { get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
local ciphersuite="$1" local ciphersuite="$1"
local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" if [ -e $CACERTS ]; then
local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
else
local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
fi
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand" test_cipher_on_target "$sslcommand"
local success=$? local success=$?
@ -183,9 +198,9 @@ display_results_in_terminal() {
done done
if [ $DOBENCHMARK -eq 1 ]; then if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec" header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
else else
header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize" header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
fi fi
ctr=0 ctr=0
for result in "${results[@]}"; do for result in "${results[@]}"; do
@ -208,7 +223,8 @@ display_results_in_json() {
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"]," echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"]," echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
pfs=$(echo $cipher|awk '{print $5}') echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
pfs=$(echo $cipher|awk '{print $6}')
[ "$pfs" == "" ] && pfs="None" [ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}" echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1)) ctr=$((ctr+1))