Hubert Kario
2e9c3fcc90
don't retry protocols we know don't work
...
When connection is unsuccessful with a given protocol, don't try it again
since we probably exhausted the ciphers supported by the protocol
makes scanning about 10% faster
2014-10-11 15:19:03 +02:00
Hubert Kario
0e6c40ad83
make handling of self signed certs more robust
...
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-10-11 15:19:03 +02:00
Hubert Kario
0071870c7c
few less forks in the script
...
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-10-11 15:19:03 +02:00
Hubert Kario
9f9af9c71d
don't calculate sha sums for the certificates over and over
...
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-10-11 15:19:03 +02:00
Hubert Kario
c2b3b6d7aa
use CApath for certificates and store certificates (v2)
...
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
Use the mechanism from cipherscan to find location of ca cert bundle
2014-10-11 15:19:03 +02:00
Hubert Kario
ea9f0056eb
clean up the extracted certificate
...
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-10-11 15:19:03 +02:00
Hubert Kario
eaa64e48a3
add ability to also save leaf certificates and untrusted ones
2014-10-11 15:18:48 +02:00
Hubert Kario
38f428b476
add caching of intermediate CA certificates
2014-10-11 15:18:11 +02:00
Hubert Kario
512819a33f
no need to grep the input when we're using awk (v2)
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
This version uses slightly different syntax that is compatible with old
awk
2014-10-11 13:59:43 +02:00
Julien Vehent
0da92f25b7
verify server side ordering is used in analyze.py
2014-10-11 00:34:07 -04:00
Julien Vehent
1c9d52c94c
First shot at ordering analysis. Not yet perfect, but somewhat useful...
2014-10-10 20:30:27 -04:00
Julien Vehent
a46e474337
add some fubar recommentations
2014-10-10 19:07:31 -04:00
Julien Vehent
f4d0d598c7
analyze.py add option to give path to specific openssl
2014-10-10 18:56:44 -04:00
Julien Vehent
37f04054f8
fix json date to use UTC
2014-10-10 18:16:22 -04:00
Julien Vehent
86edd481f6
analyze.py uses provided openssl only on linux 64
2014-10-10 18:00:10 -04:00
Julien Vehent
81ef37c593
gitignore update
2014-10-10 17:31:44 -04:00
Julien Vehent
b80b5cdd35
hide errors when json format is used
2014-10-10 17:27:58 -04:00
Julien Vehent
278dab4800
Fix json date argument to be compatible on macos
2014-10-10 17:27:29 -04:00
Julien Vehent
f6f4fe8b86
Find timeout binary on linux and mac
2014-10-10 17:19:44 -04:00
Julien Vehent
c7c91ff5f8
updated authors
2014-10-10 16:56:06 -04:00
Julien Vehent
d5685da796
check that provided openssl is executable, fall back to system one if not
2014-10-10 16:56:00 -04:00
Julien Vehent
26aa8f9408
cleanups
2014-10-10 16:55:34 -04:00
Julien Vehent
7d2c8b4cad
Use local ca bundle if none is found on the system, fixes issues with MacOS
2014-10-10 16:55:09 -04:00
Julien Vehent
cc1230efd9
Analysis wording changes
2014-10-09 10:09:44 -04:00
Julien Vehent
a722ad177d
updated README with analysis info
2014-10-09 10:03:19 -04:00
Julien Vehent
5665951b09
minor analysis wording changes
2014-10-09 09:57:40 -04:00
Julien Vehent
215dbd0c1a
ignore openssl errors in analyze.py
2014-10-09 09:54:30 -04:00
Julien Vehent
e9110c6bc8
gitignore
2014-10-09 09:36:08 -04:00
Julien Vehent
405b104583
improved configuration analysis
2014-10-09 09:35:59 -04:00
Julien Vehent
2858ef8116
Revert "no need to grep the input when we're using awk"
...
This reverts commit 4c05897be2
.
2014-10-08 21:53:22 -04:00
Julien Vehent
34b2eb7819
First shot at cipherscan results analyzer
2014-10-08 21:53:05 -04:00
Hubert Kario
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
29109f1e64
update SEED and IDEA classification, do a total of broken ciphers
...
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
2014-10-06 13:25:04 -04:00
Hubert Kario
4c05897be2
no need to grep the input when we're using awk
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac
add some comments, group related code
2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df
add support for CApath
...
capath for relatively small cert sets (~300) makes scanning about 5%
faster
also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e
report if server uses client side or server side cipher ordering
2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e
openssl in -ssl2 mode doesn't tolerate -servername option
...
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.
Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d
add missing ocsp_staple header
2014-10-06 13:20:49 -04:00
Hubert Kario
8a0c9190a9
sort reported TLS session ticket hint using natural sort
2014-10-06 13:20:37 -04:00
Julien Vehent
ded65c40df
Merge pull request #22 from simondeziel/sdeziel
...
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7
Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
...
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Julien Vehent
273211f025
Merge pull request #21 from azet/master
...
add real execution tracing to debug
2014-07-17 12:29:42 -04:00
Aaron Zauner
efd84cdb24
add real execution tracing to debug
2014-07-17 18:08:29 +02:00
Julien Vehent
e345f6034d
Merge pull request #20 from PeterMosmans/binaries
...
Updated binary with latest 1.0.2-chacha build
2014-07-13 09:22:24 -04:00
Peter Mosmans
b65c13c7b9
Compiled for 64-bit-linux from the following source:
...
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
2014-07-13 20:56:17 +10:00
Peter Mosmans
26a24d0429
Updated binary with latest 1.0.2-chacha build
...
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
2014-07-12 10:15:00 +10:00
Julien Vehent
60a6a02c6f
Merge pull request #19 from phlipper/patch-1
...
minor typo fix
2014-06-25 19:37:53 -04:00
Phil Cohen
5ae2132f23
minor typo fix
2014-06-25 16:28:48 -07:00