2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-16 20:03:41 +01:00
Commit Graph

85 Commits

Author SHA1 Message Date
Hubert Kario
22ed23f071 TLS version (in)tolerance scanner
Since it is impossible to make openssl command line tool send
TLSv1.3 Client Hello message, add a python based tool to perform
TLS version intolerance scan
2016-08-27 23:26:55 +02:00
Julien Vehent [:ulfr]
8b73962b72 Merge pull request #122 from tomato42/result-parser-update
Result parser update
2016-07-23 10:30:52 -04:00
Julien Vehent [:ulfr]
4a6cb350c8 Merge pull request #123 from tomato42/certificate-verification-time
changing time of verification for certificate chains
2016-07-23 10:29:11 -04:00
Julien Vehent [:ulfr]
38f5ffba9d Merge pull request #121 from tomato42/better-ca-handling
Better CA certificate handling
2016-07-23 10:27:00 -04:00
Hubert Kario
a5ec045000 changing time of verification for certificate chains
allow to run the analysis of certificate chains later after the
data was collected, allows also for re-analysis of archival data
2016-07-20 21:17:37 +02:00
Hubert Kario
7bb272e353 single-out 3DES ciphers
3DES is the weakest cipher from the ones that are still officially
standing, so report more detailed statistics about it
2016-07-20 20:51:51 +02:00
Hubert Kario
bbeac6107a add FF 44 ciphers
since FF 44 has a different cipher set than FF 35, especially the
drop of DSS and RC4, it will be useful to have connection
statistics for it
2016-07-20 20:50:26 +02:00
Hubert Kario
f9f3407bb4 scripts to create CApath directories with roots or intermediaries
In case the user has a set of certificates *and* intermediaries,
it is necessary to prime both the `ca_trusted` directory and the
`ca_files` directories with respectively all root CA's and
all CA's (root or intermediate)
2016-07-20 20:40:35 +02:00
Hubert Kario
e9808a1bcb report errors in cert file searching
since the certificates are separate from results file, they can get
missing (or an incorrect set can be used)

provide a clear message about what file is missing
2016-07-20 20:21:28 +02:00
Hubert Kario
985e26c71a add README for the top1m folder
since the top-1m.csv.zip is not static, tell the users where it
can be found

also add a generic explanation about files in the folder
2016-07-20 20:16:39 +02:00
Hubert Kario
99a0b6be07 collect stats about compression and renegotiation
since no support for compression and support for renegotiation are
necessary for the server to have a secure configuration, collect
and report those two too
2015-09-21 16:44:45 +02:00
Hubert Kario
8f5b1eedc9 tests for ordering of sig algs in TLS 1.2 PFS kex 2015-09-19 18:47:01 +02:00
Hubert Kario
434b383f01 add test for TLSv1.2 PFS key exchange
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection

it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
2015-09-19 18:47:01 +02:00
Hubert Kario
abe8d329a9 Big handshake intolerance report 2015-07-16 16:15:39 +02:00
Hubert Kario
5f5487307d Interpret some intolerance test results 2015-07-16 16:15:39 +02:00
Hubert Kario
5c98fe2107 do a scan with -no_tlsext openssl if possible 2015-07-16 16:15:39 +02:00
Hubert Kario
a71bfe5ebd detect some TLS intolerancies
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them

among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
2015-07-16 16:15:39 +02:00
Julien Vehent
0119b9c115 Merge pull request #59 from tomato42/parsing-fixes
Fixes for results parsing
2015-06-10 07:33:17 +02:00
Julien Vehent
90ed0bbb3e Merge pull request #62 from tomato42/python3
Python 3 compatibility
2015-06-10 07:00:21 +02:00
Hubert Kario
a53a91695e make scripts python 3 compatible 2015-05-30 15:46:26 +02:00
Hubert Kario
d151705218 parse_results.py - GOST support 2015-05-30 14:58:23 +02:00
Hubert Kario
d8ebaf2d9f report summary for clients for RC4 Preferred too 2015-05-30 00:01:32 +02:00
Hubert Kario
c55d8166c5 don't limit client specific RC4 Only to servers with multiple ciphers 2015-05-30 00:01:32 +02:00
Hubert Kario
37f1d15af1 count SSLv2 IDEA as insecure 2015-05-30 00:01:32 +02:00
Hubert Kario
b673fb976a separate AES-CBC from AES-GCM 2015-05-30 00:01:32 +02:00
Hubert Kario
d773b73e45 don't divide by zero on empty results folder 2015-05-30 00:01:32 +02:00
Hubert Kario
b9b3a221ce add Firefox 35 cipher settings 2015-05-30 00:01:32 +02:00
Hubert Kario
82f643244e don't count export grade ciphers towards PFS 2015-05-30 00:01:32 +02:00
Hubert Kario
1b360153a0 sum servers that support SSL3 or TLS1 as the highest protocol 2015-05-30 00:01:32 +02:00
Hubert Kario
341f657e83 better detection for EXP and low grade ciphers in stats
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
2015-05-30 00:01:32 +02:00
Julien Vehent
4a6ff56b81 Add back support for old curve json format in parse results 2015-04-02 04:39:59 -04:00
Julien Vehent
b2a399617f Use new JSON format in parse_results 2015-04-01 14:50:49 -04:00
Hubert Kario
c52e008347 add support for testing supported curves
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Hubert Kario
1eae0cc71b use CApath for certificates and store certificates (v2)
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
2014-11-05 18:13:39 +01:00
Julien Vehent
dca3457d5a Merge pull request #28 from tomato42/certificate-stats
Certificate stats
2014-11-03 22:15:44 -05:00
Hubert Kario
5a6eaaac41 parse_CAs.c - implement error checking, remove magic numbers, compile fix 2014-10-30 23:37:43 +01:00
Hubert Kario
aac3e9a9db parse_CAs.py - add few comments 2014-10-30 01:41:46 +01:00
Hubert Kario
edab545f3e add Makefile for the C utility 2014-10-30 01:33:58 +01:00
Julien Vehent
ebc6939299 Merge pull request #29 from tomato42/client-handshake-simulation
Client handshake simulation
2014-10-29 19:22:52 -04:00
Hubert Kario
11ce6187de small fixes for delay
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
29c739faa9 count EDH-DES as PFS too in general stats 2014-10-25 16:23:41 +02:00
Hubert Kario
af2e25ec89 fix EDH checking
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Hubert Kario
76d791fcbe make cipher selection simulation generic
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario
c82bc44558 report cipher ordering in scanning stats, use it to simulate handshakes
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario
42fa7d9ecb report what ciphers Firefox would select while connecting to server 2014-10-12 20:39:39 +02:00
Hubert Kario
1b4dcc4393 report ciphers causing incompatibility for Firefox
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario
142726c4fd count ECDH-RSA ciphers as ECDSA
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Hubert Kario
ac18195b21 process-certificate-statistics.sh - the script HOWTO to turn results to CA stats 2014-10-12 20:38:25 +02:00
Hubert Kario
3cfd7b76cc collect statistics about found certificates 2014-10-12 20:38:25 +02:00
Hubert Kario
3699acfc2d helper application for finding cert chains
because neither M2crypto nor OpenSSL packages provide extensive
enough API to do certificate chain building, verification
and outputting of details, we have to pre-parse the data
with a C app that can access the full OpenSSL API.

I've also tried monkey patching the packages, but unfortunately
the result wasn't working reliably

The actual statistic collection (both about the chains and
specific certificates) will be done in a python script
2014-10-12 20:34:53 +02:00