2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-10 01:13:42 +01:00
Commit Graph

15 Commits

Author SHA1 Message Date
Hubert Kario
434b383f01 add test for TLSv1.2 PFS key exchange
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection

it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
2015-09-19 18:47:01 +02:00
Hubert Kario
c52e008347 add support for testing supported curves
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Hubert Kario
1eae0cc71b use CApath for certificates and store certificates (v2)
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
2014-11-05 18:13:39 +01:00
Hubert Kario
11ce6187de small fixes for delay
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
ca0ef2fc5c fixes for the pull request #18
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
2f56f0515e don't scan the same host twice 2014-05-16 18:16:45 +02:00
Hubert Kario
1a78172936 scan just one host per hostname 2014-05-16 16:11:01 +02:00
Hubert Kario
cdbf596466 properly handle pure IP adressess
(it's illegal to use IP in SNI)
2014-05-16 15:42:47 +02:00
Hubert Kario
5ef53dda9c increase paralelism of jobs
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
2014-05-13 13:41:16 +02:00
Hubert Kario
a213fc45d0 remove the folder/file part from url
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
2014-05-13 13:41:16 +02:00
Hubert Kario
00b20a20ed perform SNI enabled scan
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
2014-05-13 13:41:16 +02:00
Hubert Kario
8817a7b1c8 testtop1m.sh: correct counting of background jobs
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
2014-05-13 13:41:16 +02:00
Hubert Kario
b6b9a1a364 Improve scanning performance and reduce false negatives
scan all the machines from top-1m.csv file, wait for completion
of all jobs

i=1 is an off-by-one-error

support top-1m.csv files with arbitrary number of sites

run scans for many hosts at a time, but don't run more than
specified amount

in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-19 22:56:41 +02:00
Julien Vehent
f3c8b24b8b tweaks 2014-01-09 20:16:40 +00:00
Julien Vehent
e4ea957c8d Script to scan Alexa's top 1m websites 2014-01-09 11:52:17 -05:00