Hubert Kario
abe8d329a9
Big handshake intolerance report
2015-07-16 16:15:39 +02:00
Hubert Kario
5f5487307d
Interpret some intolerance test results
2015-07-16 16:15:39 +02:00
Hubert Kario
5c98fe2107
do a scan with -no_tlsext openssl if possible
2015-07-16 16:15:39 +02:00
Hubert Kario
a71bfe5ebd
detect some TLS intolerancies
...
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them
among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
2015-07-16 16:15:39 +02:00
Julien Vehent
0119b9c115
Merge pull request #59 from tomato42/parsing-fixes
...
Fixes for results parsing
2015-06-10 07:33:17 +02:00
Julien Vehent
90ed0bbb3e
Merge pull request #62 from tomato42/python3
...
Python 3 compatibility
2015-06-10 07:00:21 +02:00
Hubert Kario
a53a91695e
make scripts python 3 compatible
2015-05-30 15:46:26 +02:00
Hubert Kario
d151705218
parse_results.py - GOST support
2015-05-30 14:58:23 +02:00
Hubert Kario
d8ebaf2d9f
report summary for clients for RC4 Preferred too
2015-05-30 00:01:32 +02:00
Hubert Kario
c55d8166c5
don't limit client specific RC4 Only to servers with multiple ciphers
2015-05-30 00:01:32 +02:00
Hubert Kario
37f1d15af1
count SSLv2 IDEA as insecure
2015-05-30 00:01:32 +02:00
Hubert Kario
b673fb976a
separate AES-CBC from AES-GCM
2015-05-30 00:01:32 +02:00
Hubert Kario
d773b73e45
don't divide by zero on empty results folder
2015-05-30 00:01:32 +02:00
Hubert Kario
b9b3a221ce
add Firefox 35 cipher settings
2015-05-30 00:01:32 +02:00
Hubert Kario
82f643244e
don't count export grade ciphers towards PFS
2015-05-30 00:01:32 +02:00
Hubert Kario
1b360153a0
sum servers that support SSL3 or TLS1 as the highest protocol
2015-05-30 00:01:32 +02:00
Hubert Kario
341f657e83
better detection for EXP and low grade ciphers in stats
...
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
2015-05-30 00:01:32 +02:00
Julien Vehent
4a6ff56b81
Add back support for old curve json format in parse results
2015-04-02 04:39:59 -04:00
Julien Vehent
b2a399617f
Use new JSON format in parse_results
2015-04-01 14:50:49 -04:00
Hubert Kario
c52e008347
add support for testing supported curves
...
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported
use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Hubert Kario
29c739faa9
count EDH-DES as PFS too in general stats
2014-10-25 16:23:41 +02:00
Hubert Kario
af2e25ec89
fix EDH checking
...
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Hubert Kario
76d791fcbe
make cipher selection simulation generic
...
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario
c82bc44558
report cipher ordering in scanning stats, use it to simulate handshakes
...
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario
42fa7d9ecb
report what ciphers Firefox would select while connecting to server
2014-10-12 20:39:39 +02:00
Hubert Kario
1b4dcc4393
report ciphers causing incompatibility for Firefox
...
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario
142726c4fd
count ECDH-RSA ciphers as ECDSA
...
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Hubert Kario
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
29109f1e64
update SEED and IDEA classification, do a total of broken ciphers
...
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
2014-10-06 13:25:04 -04:00
Hubert Kario
8a0c9190a9
sort reported TLS session ticket hint using natural sort
2014-10-06 13:20:37 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Hubert Kario
7591062bbc
parse_results.py: compatibility with old results files
2014-06-04 18:52:39 +02:00
Hubert Kario
be0439ef99
provide statistics for all key exchange methods, not DHE and ECDHE only
2014-06-04 18:17:41 +02:00
Hubert Kario
3667b04ad7
correctly count broken cipher suites with "no reporting of untrusted"
2014-06-04 18:17:02 +02:00
Hubert Kario
86ff1122cc
parse_results.py: don't count anonymous cipher suites toward correct config stats
2014-06-04 15:15:32 +02:00
Julien Vehent
50f4959e79
updated license on parse_results.py
2014-05-20 08:23:57 -04:00
Hubert Kario
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
686d7c958b
extend reporting of RC4-related stats
...
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
2014-04-19 23:14:57 +02:00
Hubert Kario
21bba67df0
extend SSL stats
...
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
2014-04-19 23:14:57 +02:00
Hubert Kario
349d4ebc3c
more detailed PFS report
...
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
2014-04-19 23:14:57 +02:00
Hubert Kario
d3b6f9b507
fix reporting of the TLS1.2 but not TLS1.1
...
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
2014-04-19 23:14:57 +02:00
Hubert Kario
c8abfb53e8
add support for Chacha20 based ciphers
...
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-19 23:14:57 +02:00
Hubert Kario
2b794ebfe0
fix and extend reporting of AES-GCM ciphers
...
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name
extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-19 23:14:57 +02:00
Hubert Kario
fd6fcdd359
fix spelling in TLS stats (TLS1_1 vs TLS1.1)
2014-04-19 23:14:57 +02:00
Hubert Kario
faef8d692f
in "no-untrusted mode": filter out ADH and AECDH suites
...
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.
Don't collect statistics on servers that provide only untrusted
connections.
2014-04-19 23:14:47 +02:00
Hubert Kario
45dc1da3f6
add ability to ignore results from untrusted servers
2014-04-19 23:07:01 +02:00
Hubert Kario
ff620f5b26
report number of servers that use ECDSA and RSA certificates
...
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-19 23:07:00 +02:00
Hubert Kario
863441a179
parsing of signature algorithm and key size
...
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-19 23:07:00 +02:00
Julien Vehent
5e8b495a18
added many tests
2014-01-11 01:07:32 +00:00