mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-22 14:23:41 +01:00
check if certificate used by server is trused
Use system trust anchors to check if certificate chain used by server is actually valid.
This commit is contained in:
parent
946cc6a9ac
commit
f04567d40e
26
cipherscan
26
cipherscan
@ -8,6 +8,10 @@
|
||||
DOBENCHMARK=0
|
||||
BENCHMARKITER=30
|
||||
OPENSSLBIN="$(dirname $0)/openssl"
|
||||
CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt}
|
||||
if [ ! -e "$CACERTS" ]; then
|
||||
echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2
|
||||
fi
|
||||
CIPHERSUITE="ALL:COMPLEMENTOFALL"
|
||||
DEBUG=0
|
||||
VERBOSE=0
|
||||
@ -77,6 +81,12 @@ test_cipher_on_target() {
|
||||
current_pubkey=0
|
||||
fi
|
||||
current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
|
||||
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
current_trusted="True"
|
||||
else
|
||||
current_trusted="False"
|
||||
fi
|
||||
if [ -z $current_sigalg ]; then
|
||||
current_sigalg=None
|
||||
fi
|
||||
@ -102,6 +112,7 @@ test_cipher_on_target() {
|
||||
pfs=$current_pfs
|
||||
pubkey=$current_pubkey
|
||||
sigalg=$current_sigalg
|
||||
trusted=$current_trusted
|
||||
# grab the cipher and PFS key size
|
||||
done
|
||||
# if cipher is empty, that means none of the TLS version worked with
|
||||
@ -113,13 +124,13 @@ test_cipher_on_target() {
|
||||
|
||||
# if cipher contains NONE, the cipher wasn't accepted
|
||||
elif [ "$cipher" == '(NONE) ' ]; then
|
||||
result="$cipher $protocols $pubkey $sigalg $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||
return 1
|
||||
|
||||
# the connection succeeded
|
||||
else
|
||||
result="$cipher $protocols $pubkey $sigalg $pfs"
|
||||
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
|
||||
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
||||
return 0
|
||||
fi
|
||||
@ -152,7 +163,11 @@ bench_cipher() {
|
||||
get_cipher_pref() {
|
||||
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
|
||||
local ciphersuite="$1"
|
||||
if [ -e $CACERTS ]; then
|
||||
local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
else
|
||||
local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
|
||||
fi
|
||||
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
|
||||
test_cipher_on_target "$sslcommand"
|
||||
local success=$?
|
||||
@ -183,9 +198,9 @@ display_results_in_terminal() {
|
||||
done
|
||||
|
||||
if [ $DOBENCHMARK -eq 1 ]; then
|
||||
header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec"
|
||||
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
|
||||
else
|
||||
header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize"
|
||||
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
|
||||
fi
|
||||
ctr=0
|
||||
for result in "${results[@]}"; do
|
||||
@ -208,7 +223,8 @@ display_results_in_json() {
|
||||
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
|
||||
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
||||
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
||||
pfs=$(echo $cipher|awk '{print $5}')
|
||||
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
||||
pfs=$(echo $cipher|awk '{print $6}')
|
||||
[ "$pfs" == "" ] && pfs="None"
|
||||
echo -n "\"pfs\":\"$pfs\"}"
|
||||
ctr=$((ctr+1))
|
||||
|
Loading…
Reference in New Issue
Block a user