
in "no-untrusted mode": filter out ADH and AECDH suites

If the server negotiates an ADH or AECDH suite, openssl reports the certificate check as "ok" (there is no certificate to verify). Don't mark the server as trusted because of that.

Don't collect statistics on servers that provide only untrusted
connections.
This commit is contained in:
Hubert Kario 2014-04-05 20:21:35 +02:00
parent 45dc1da3f6
commit faef8d692f


@ -63,8 +63,11 @@ for r,d,flist in os.walk(path):
""" loop over list of ciphers """ """ loop over list of ciphers """
for entry in results['ciphersuite']: for entry in results['ciphersuite']:
if 'True' in entry['trusted']: # some servers return different certificates with different
trusted = True # ciphers, also we may become redirected to other server with
# different config (because over-reactive IPS)
if 'False' in entry['trusted'] and report_untrused == False:
continue
""" store the ciphers supported """ """ store the ciphers supported """
if 'AES-GCM' in entry['cipher']: if 'AES-GCM' in entry['cipher']:
@ -113,6 +116,9 @@ for r,d,flist in os.walk(path):
if ECDSA: if ECDSA:
dualstack = True dualstack = True
if 'True' in entry['trusted'] and not 'ADH' in entry['cipher'] and not 'AECDH' in entry['cipher']:
trusted = True
""" save key signatures size """ """ save key signatures size """
tempsigstats[entry['sigalg'][0]] = 1 tempsigstats[entry['sigalg'][0]] = 1
@ -216,6 +222,10 @@ for r,d,flist in os.walk(path):
# break # break
print("SSL/TLS survey of %i websites from Alexa's top 1 million" % total) print("SSL/TLS survey of %i websites from Alexa's top 1 million" % total)
if report_untrused == False:
print("Stats only from connections that did provide valid certificates")
print("(or anonymous DH from servers that do also have valid certificate installed)\n")
""" Display stats """ """ Display stats """
print("\nSupported Ciphers Count Percent") print("\nSupported Ciphers Count Percent")
print("-------------------------+---------+-------") print("-------------------------+---------+-------")
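Review bot: The anonymous-suite exclusion in the second hunk only withholds the per-server `trusted` flag, while the per-entry skip in the first hunk tests `'False' in entry['trusted']` — which, per the commit message, is "True" for ADH/AECDH entries — so those suites still reach the "store the ciphers supported" section before the `trusted` check runs. Whether an ADH-only server therefore ends up in the survey depends on how `trusted` is consumed after the loop, which is outside these hunks; if the temp stats are merged only when `trusted` is set, that is fine but worth stating at the check, e.g. `# anonymous suites pass openssl's cert check (nothing to verify); don't let them alone make the server trusted — substring match also catches EXP-ADH-*`. The condition could also be written `trusted = True` only when `not ('ADH' in entry['cipher'] or 'AECDH' in entry['cipher'])`, binding that test to a named local so both hunks use the same definition of "anonymous". As a point of style, `report_untrused == False` is better written `not report_untrused`, and `'True' in entry['trusted']` is a substring/membership test rather than an equality — fine if the field is a plain "True"/"False" string, but presumably worth confirming against the JSON the scanner emits. The enclosing `for entry in results['ciphersuite']` loop and the code that reads `trusted` afterwards both extend beyond the hunks shown.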