since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection
it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported
use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
Use the mechanism from cipherscan to find location of ca cert bundle
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
scan all the machines from top-1m.csv file, wait for completion
of all jobs
i=1 is an off-by-one-error
support top-1m.csv files with arbitrary number of sites
run scans for many hosts at a time, but don't run more than
specified amount
in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
Hubert Kario
Hubert Kario
Julien Vehent