Hubert Kario
3e37517c96
add ability to also save leaf certificates and untrusted ones
2014-11-05 18:13:39 +01:00
Hubert Kario
826f7b5541
add caching of intermediate CA certificates
2014-11-05 18:13:39 +01:00
Hubert Kario
3b14cd914f
no need to grep the input when we're using awk (v2)
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
Julien Vehent
dca3457d5a
Merge pull request #28 from tomato42/certificate-stats
...
Certificate stats
2014-11-03 22:15:44 -05:00
Hubert Kario
5a6eaaac41
parse_CAs.c - implement error checking, remove magic numbers, compile fix
2014-10-30 23:37:43 +01:00
Hubert Kario
aac3e9a9db
parse_CAs.py - add few comments
2014-10-30 01:41:46 +01:00
Hubert Kario
edab545f3e
add Makefile for the C utility
2014-10-30 01:33:58 +01:00
Julien Vehent
ebc6939299
Merge pull request #29 from tomato42/client-handshake-simulation
...
Client handshake simulation
2014-10-29 19:22:52 -04:00
Julien Vehent
334c3118e2
Merge pull request #30 from tomato42/timeouts
...
Fix delay option
2014-10-29 17:34:18 -04:00
Hubert Kario
11ce6187de
small fixes for delay
...
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
71ba3c88b0
increase timeout
...
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
Hubert Kario
29c739faa9
count EDH-DES as PFS too in general stats
2014-10-25 16:23:41 +02:00
Hubert Kario
af2e25ec89
fix EDH checking
...
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Julien Vehent
d11d5e9f36
update old and intermediate ciphersuites
2014-10-18 08:31:53 -04:00
Julien Vehent
a17cfe373e
make 2048 DHE key optional in intermediate level
2014-10-18 08:20:00 -04:00
Julien Vehent
ebf4f8bcc7
fix ECC size in fubar pfs analysis
2014-10-18 07:23:24 -04:00
Julien Vehent
244e9ca9f2
refactor pfs evaluation in separate function
2014-10-17 11:58:19 -04:00
Julien Vehent
ddfaa6722d
display target level compliance in text output
2014-10-17 11:58:05 -04:00
Julien Vehent
551255f8b4
detect fubar dh parameters
2014-10-17 11:20:25 -04:00
Julien Vehent
a4f573195e
update intermediate ciphersuite to accept 3des
2014-10-17 11:10:01 -04:00
Julien Vehent
df0b5d8d3f
fix wrong failure flag
2014-10-17 11:09:42 -04:00
Julien Vehent
a11b594ab4
Fix dhparam size detection in inter and modern levels
2014-10-17 11:09:28 -04:00
Julien Vehent
28c6c2488b
Accept sha384 and sha512 signatures as well as sha256
2014-10-17 11:08:32 -04:00
Julien Vehent
5b32afaa1f
Add target to text output
2014-10-17 10:48:59 -04:00
Hubert Kario
76d791fcbe
make cipher selection simulation generic
...
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario
c82bc44558
report cipher ordering in scanning stats, use it to simulate handshakes
...
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario
42fa7d9ecb
report what ciphers Firefox would select while connecting to server
2014-10-12 20:39:39 +02:00
Hubert Kario
1b4dcc4393
report ciphers causing incompatibility for Firefox
...
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario
142726c4fd
count ECDH-RSA ciphers as ECDSA
...
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Hubert Kario
ac18195b21
process-certificate-statistics.sh - the script HOWTO to turn results to CA stats
2014-10-12 20:38:25 +02:00
Hubert Kario
3cfd7b76cc
collect statistics about found certificates
2014-10-12 20:38:25 +02:00
Hubert Kario
3699acfc2d
helper application for finding cert chains
...
because neither M2crypto nor OpenSSL packages provide extensive
enough API to do certificate chain building, verification
and outputting of details, we have to pre-parse the data
with a C app that can access the full OpenSSL API.
I've also tried monkey patching the packages, but unfortunately
the result wasn't working reliably
The actual statistic collection (both about the chains and
specific certificates) will be done in a python script
2014-10-12 20:34:53 +02:00
Julien Vehent
26c7b0e0d7
fix target level verification check
2014-10-11 23:08:35 -04:00
Julien Vehent
a749742ff3
make sha-256 cert an optional requirement to the intermediate level
2014-10-11 23:08:21 -04:00
Julien Vehent
b009c71321
add operator flag to analyze.py
2014-10-11 20:52:18 -04:00
Julien Vehent
cdd34fce03
fix bug in status detection of analyze.py
2014-10-11 20:45:14 -04:00
Julien Vehent
b846ac9d5b
add json output to analyze.py via the -j flag
2014-10-11 19:37:08 -04:00
Julien Vehent
0da92f25b7
verify server side ordering is used in analyze.py
2014-10-11 00:34:07 -04:00
Julien Vehent
1c9d52c94c
First shot at ordering analysis. Not yet perfect, but somewhat useful...
2014-10-10 20:30:27 -04:00
Julien Vehent
a46e474337
add some fubar recommentations
2014-10-10 19:07:31 -04:00
Julien Vehent
f4d0d598c7
analyze.py add option to give path to specific openssl
2014-10-10 18:56:44 -04:00
Julien Vehent
37f04054f8
fix json date to use UTC
2014-10-10 18:16:22 -04:00
Julien Vehent
86edd481f6
analyze.py uses provided openssl only on linux 64
2014-10-10 18:00:10 -04:00
Julien Vehent
81ef37c593
gitignore update
2014-10-10 17:31:44 -04:00
Julien Vehent
b80b5cdd35
hide errors when json format is used
2014-10-10 17:27:58 -04:00
Julien Vehent
278dab4800
Fix json date argument to be compatible on macos
2014-10-10 17:27:29 -04:00
Julien Vehent
f6f4fe8b86
Find timeout binary on linux and mac
2014-10-10 17:19:44 -04:00
Julien Vehent
c7c91ff5f8
updated authors
2014-10-10 16:56:06 -04:00
Julien Vehent
d5685da796
check that provided openssl is executable, fall back to system one if not
2014-10-10 16:56:00 -04:00
Julien Vehent
26aa8f9408
cleanups
2014-10-10 16:55:34 -04:00