Hubert Kario
0acd31af53
extend reporting of RC4-related stats
...
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
2014-04-06 14:19:37 +02:00
Hubert Kario
010ebccd80
extend SSL stats
...
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
2014-04-06 14:17:24 +02:00
Hubert Kario
39c3e1978a
more detailed PFS report
...
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
2014-04-06 14:15:32 +02:00
Hubert Kario
15d7762852
fix reporting of the TLS1.2 but not TLS1.1
...
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
2014-04-06 14:13:44 +02:00
Hubert Kario
b2edb0e361
add support for Chacha20 based ciphers
...
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-06 14:11:52 +02:00
Hubert Kario
1536064528
fix and extend reporting of AES-GCM ciphers
...
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name
extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-06 14:09:03 +02:00
Hubert Kario
fedf12dd5a
fix spelling in TLS stats (TLS1_1 vs TLS1.1)
2014-04-06 14:06:18 +02:00
Hubert Kario
bc0409ca73
in "no-untrusted mode": filter out ADH and AECDH suites
...
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.
Don't collect statistics on servers that provide only untrusted
connections.
2014-04-06 14:04:43 +02:00
Hubert Kario
5d7ec3a714
add ability to ignore results from untrusted servers
2014-04-06 14:04:43 +02:00
Hubert Kario
167ef8b502
report number of servers that use ECDSA and RSA certificates
...
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-05 20:00:09 +02:00
Hubert Kario
8b2b6f5916
parsing of signature algorithm and key size
...
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-05 19:59:01 +02:00
Hubert Kario
7a92186122
Improve scanning performance and reduce false negatives
...
scan all the machines from top-1m.csv file, wait for completion
of all jobs
i=1 is an off-by-one-error
support top-1m.csv files with arbitrary number of sites
run scans for many hosts at a time, but don't run more than
specified amount
in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-05 19:43:49 +02:00
Hubert Kario
9931ca2a2d
update README with new examples
...
New features = new examples
2014-04-05 19:40:19 +02:00
Hubert Kario
f04567d40e
check if certificate used by server is trused
...
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac
Report the signature type used on server certificate
...
Parse the certificate used by server and report the signature used:
prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ecdsa-with-SHA512 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
4 AECDH-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None ECDH,P-256,256bits
5 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
6 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59
report key size used in server's certificate
...
Extend the report to show also server certificate key size:
prio ciphersuite protocols pubkey_size pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
4 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
5 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
32eba4e644
update examples from README
...
since now the scan reports protocols correctly, update the example
to illustrate that
2014-04-05 18:47:37 +02:00
Hubert Kario
ac3e5f4d62
Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
...
Previously scan would report:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
Now it correctly reports:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Julien Vehent
afcc92db02
Merge pull request #5 from mzeltner/master
...
Cleaned up options and documented custom OpenSSL build
2014-04-04 21:26:59 -04:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers
2014-04-04 20:46:40 -04:00
Michael Zeltner
bf48cd2a3c
Documenting how to build OpenSSL with ChaCha20-Poly1305
...
Also updating README.md with new options by MacLemon
2014-04-01 14:29:55 -04:00
Michael Zeltner
45f0f3305d
Merge branch 'master' of https://github.com/MacLemon/cipherscan
2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508
Verbose and Debug output go to stderr now. Added simple --delay function.
2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo
2014-02-14 20:44:15 +01:00
Pepi Zawodsky
3282c2c3a5
Improved reference of switches documentation formatting.
2014-02-10 19:46:46 +01:00
Pepi Zawodsky
0282ae9209
Added simple debug function
2014-02-08 18:37:30 +01:00
Pepi Zawodsky
0d93b5d37e
Updated README to reflect the changes in cipherscan.
2014-02-08 17:07:54 +01:00
Pepi Zawodsky
490c86c43e
Changed grep invocation to prevent strange grep versions to balk on -E
2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
...
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376
Fixed variable renaming.
2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3
Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X.
2014-02-06 23:26:19 +01:00
Julien Vehent
1f92094b3d
Merge pull request #4 from mzeltner/master
...
Support s_client args, give -starttls example. Contributed by mzeltner.
2014-02-02 18:15:27 -08:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example
2014-02-02 15:41:16 +01:00
Julien Vehent
ae5d7ad15c
Merge branch 'master' of github.com:jvehent/cipherscan
2014-01-31 10:24:02 -05:00
Julien Vehent
b3ca13a5ae
Rebuilt openssl to support ChaCha20/Poly1305. Test against google servers.
2014-01-31 10:22:21 -05:00
Julien Vehent
5e8b495a18
added many tests
2014-01-11 01:07:32 +00:00
Julien Vehent
1414973531
basic results parsing script in python
2014-01-10 05:50:03 +00:00
Julien Vehent
f3c8b24b8b
tweaks
2014-01-09 20:16:40 +00:00
Julien Vehent
5df0fe3d52
Merge branch 'master' of github.com:jvehent/cipherscan
2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe
OpenSSL binary location fix
2014-01-09 11:52:43 -05:00
Julien Vehent
e4ea957c8d
Script to scan Alexa's top 1m websites
2014-01-09 11:52:17 -05:00
Julien Vehent
26948cbccf
Merge pull request #3 from simondeziel/clean-temp
...
Cleanup old temp files when a connection failed
2014-01-07 19:04:43 -08:00
Simon Deziel
93ee5e3f33
Cleanup old temp files when a connection failed
2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c
Rename CiphersScan to cipherscan
2013-12-09 11:01:30 -05:00
Julien Vehent
34a011ab71
Better doc
2013-12-09 10:40:23 -05:00
Julien Vehent
f7c159b568
Support JSON output with -json
2013-12-09 10:16:45 -05:00
Julien Vehent
4420db6f9b
prevent http keep-alive from blocking the scan
2013-11-20 11:51:37 -05:00
Julien Vehent
7c55288a7e
Fix test of all ciphers individually
2013-11-20 10:47:59 -05:00
Julien Vehent
d6556f5620
Progress indicator
2013-11-20 10:47:23 -05:00
Julien Vehent
889a75722d
doc update
2013-11-20 10:33:58 -05:00