2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 22:33:40 +01:00

report key size used in server's certificate

Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
This commit is contained in:
Hubert Kario 2014-04-05 19:09:05 +02:00
parent 32eba4e644
commit f9fdd62a59

View File

@ -72,6 +72,10 @@ test_cipher_on_target() {
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}')
if [ -z $current_pubkey ]; then
current_pubkey=0
fi
if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
# connection failed, try again with next TLS version # connection failed, try again with next TLS version
continue continue
@ -92,6 +96,7 @@ test_cipher_on_target() {
fi fi
cipher=$current_cipher cipher=$current_cipher
pfs=$current_pfs pfs=$current_pfs
pubkey=$current_pubkey
# grab the cipher and PFS key size # grab the cipher and PFS key size
done done
# if cipher is empty, that means none of the TLS version worked with # if cipher is empty, that means none of the TLS version worked with
@ -103,13 +108,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted # if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pfs" result="$cipher $protocols $pubkey $pfs"
verbose "handshake failed, server returned ciphersuite '$result'" verbose "handshake failed, server returned ciphersuite '$result'"
return 1 return 1
# the connection succeeded # the connection succeeded
else else
result="$cipher $protocols $pfs" result="$cipher $protocols $pubkey $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'" verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0 return 0
fi fi
@ -173,9 +178,9 @@ display_results_in_terminal() {
done done
if [ $DOBENCHMARK -eq 1 ]; then if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec" header="prio ciphersuite protocols pubkey_size pfs_keysize avg_handshake_microsec"
else else
header="prio ciphersuite protocols pfs_keysize" header="prio ciphersuite protocols pubkey_size pfs_keysize"
fi fi
ctr=0 ctr=0
for result in "${results[@]}"; do for result in "${results[@]}"; do
@ -196,7 +201,8 @@ display_results_in_json() {
[ $ctr -gt 0 ] && echo -n ',' [ $ctr -gt 0 ] && echo -n ','
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\"," echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"]," echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
pfs=$(echo $cipher|awk '{print $3}') echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
pfs=$(echo $cipher|awk '{print $4}')
[ "$pfs" == "" ] && pfs="None" [ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}" echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1)) ctr=$((ctr+1))