74dd82e8ad
Update OpenSSL binary
2016-08-16 11:28:34 -04:00
8b73962b72
Merge pull request #122 from tomato42/result-parser-update
...
Result parser update
2016-07-23 10:30:52 -04:00
4a6cb350c8
Merge pull request #123 from tomato42/certificate-verification-time
...
changing time of verification for certificate chains
2016-07-23 10:29:11 -04:00
38f5ffba9d
Merge pull request #121 from tomato42/better-ca-handling
...
Better CA certificate handling
2016-07-23 10:27:00 -04:00
a5ec045000
changing time of verification for certificate chains
...
allow to run the analysis of certificate chains later after the
data was collected, allows also for re-analysis of archival data
2016-07-20 21:17:37 +02:00
7bb272e353
single-out 3DES ciphers
...
3DES is the weakest cipher from the ones that are still officially
standing, so report more detailed statistics about it
2016-07-20 20:51:51 +02:00
bbeac6107a
add FF 44 ciphers
...
since FF 44 has a different cipher set than FF 35, especially the
drop of DSS and RC4, it will be useful to have connection
statistics for it
2016-07-20 20:50:26 +02:00
7834cd0748
fold some long lines
...
long lines hard to read, make Hulk sad
2016-07-20 20:45:15 +02:00
94efc235d0
use more robust trust path building by default
...
use the -trusted_first flag to openssl, so that it tries alternative
trust paths to verify validity of server presented certificate
2016-07-20 20:43:47 +02:00
f9f3407bb4
scripts to create CApath directories with roots or intermediaries
...
In case the user has a set of certificates *and* intermediaries,
it is necessary to prime both the `ca_trusted` directory and the
`ca_files` directories with respectively all root CA's and
all CA's (root or intermediate)
2016-07-20 20:40:35 +02:00
189695c0b1
Merge pull request #120 from tomato42/top1m-info
...
add README for the top1m folder
2016-07-20 14:30:22 -04:00
e9808a1bcb
report errors in cert file searching
...
since the certificates are separate from results file, they can get
missing (or an incorrect set can be used)
provide a clear message about what file is missing
2016-07-20 20:21:28 +02:00
985e26c71a
add README for the top1m folder
...
since the top-1m.csv.zip is not static, tell the users where it
can be found
also add a generic explanation about files in the folder
2016-07-20 20:16:39 +02:00
5d930c2d32
Merge pull request #117 from adamcrosby/master
...
Fallback to local JSON if urllib fails to retrieve updated list
2016-02-29 08:58:05 -05:00
34f92a6838
Added adamcrobsy to contributors list
2016-02-29 08:23:14 -05:00
55cdb74ff7
Added fallback to use local json recommendations file if urllib fails to connect (including SNI errors), fixes issue #116
2016-02-29 08:21:04 -05:00
9f0226e00b
analyze.py: update example of json input
2016-02-24 10:52:18 -05:00
639bc45bf7
analyze.py refactoring to use online recommendations
2016-02-24 10:48:28 -05:00
18b0d1b952
Update linux openssl binary
2015-12-17 15:06:10 -05:00
6d2b850679
Merge pull request #105 from Emantor/intermediate-fix
...
Update analyze.py
2015-11-19 13:16:32 -05:00
536ff90b86
ECDHE-ECDSA-DES-CBC3-SHA was missing too
...
Fix `ECDHE-ECDSA-DES-CBC3-SHA` as well.
2015-11-19 16:58:49 +01:00
a9cfcc8376
Merge pull request #107 from tomato42/ecdsa-certs
...
properly detect ECDSA certs for size compare
2015-11-19 08:54:43 -05:00
4d77c87494
properly detect ECDSA certs for keysize compare
...
since ECDSA certificates during the transition are likely to be
signed using RSA keys, we need to check the cipher rather than the
signature in the certificate to tell if the cert is ECDSA and as such
can have small key sizes
2015-11-17 15:31:46 +01:00
e8ba5ab8fe
Update analyze.py
...
Per https://mozilla.github.io/server-side-tls/ssl-config-generator/
The intermediate config supports 'ECDHE-RSA-DES-CBC3-SHA', add it to analyze.py
2015-11-17 09:01:52 +01:00
1e65be5fd5
Added copy of the MPL
2015-10-18 08:45:20 -04:00
b03320887f
Merge pull request #100 from tomato42/compress-and-renego-info
...
Add testing for renegotiation and compression
2015-10-17 09:10:08 -04:00
34d6ca62bd
Merge pull request #104 from injcristianrojas/master
...
Untrusted certificate alert should be red
2015-09-23 15:16:23 -04:00
f717a556e5
Untrusted certificate alert should be red
2015-09-23 15:59:24 -03:00
29bdf5fdcb
Merge pull request #103 from PeterMosmans/msys
...
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 12:53:17 -04:00
c00474805d
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 19:25:27 +10:00
5a10991008
Merge pull request #102 from floatingatoll/negative-nope
...
workaround bash 4.2- not having unset A[-1] support
2015-09-21 16:05:26 -04:00
c9412e395d
workaround bash 4.2- not having unset A[-1] support
2015-09-21 12:51:18 -07:00
aa093bc86d
add openssl options to help message
...
add examples of useful openssl options
2015-09-21 16:51:16 +02:00
99a0b6be07
collect stats about compression and renegotiation
...
since no support for compression and support for renegotiation are
necessary for the server to have a secure configuration, collect
and report those two too
2015-09-21 16:44:45 +02:00
73b21d3977
Merge pull request #99 from tomato42/tolerance-report
...
fix printing of test data for intolerant servers
2015-09-21 10:33:10 -04:00
dbce87cb1a
fix printing of test data for intolerant servers
...
tls_tolerance is an array, so we need to use array syntax...
since if the server is tls version intolerant we will be printing
a lot of info, space it out from the certificate-related summary
ephemeral sigalgs are also printing a lot of information, so space
them from the TLS Tolerance test results
2015-09-21 16:18:37 +02:00
0011abcec7
readme update
2015-09-21 09:38:34 -04:00
4916e89087
remove unneeded echo
2015-09-21 09:31:03 -04:00
ce91e221d1
Merge pull request #98 from tomato42/custom-openssl-fixes
...
fix custom openssl with GOST config incompatibility
2015-09-21 09:29:51 -04:00
035d8c0a19
Merge pull request #97 from tomato42/uri-handling
...
handle hostnames that are URIs
2015-09-21 09:29:03 -04:00
50ef7960f7
Merge pull request #96 from tomato42/ecdsa-keys
...
fix coloring of cert key sizes
2015-09-21 09:25:16 -04:00
4620627454
Merge pull request #65 from tomato42/tls12-kex
...
Tests for TLS1.2 PFS key exchanges
2015-09-21 09:23:18 -04:00
2ba7dc6dbf
fix custom openssl with GOST config incompatibility
...
fixes two issues
1). -help message is used from the openssl set with the -o option
2). doesn't use GOST config unconditionally - verifies that it works
first
based partially off of Greg Owen <gowen@swynwyr.com> work in #67
fixes #86
2015-09-19 20:02:15 +02:00
9cea1cdc67
handle hostnames that are URIs
...
fixes #83
2015-09-19 19:43:27 +02:00
8337fb7308
fix coloring of cert key sizes
...
a 2047 bit RSA certificate is just as secure as 2048 bit one (and
known good algorithms can very infrequently provide them when asked for
2048) so accept them too
DSA keys are bad in every case, so always red color them
ECDSA keys are OK above 256 bits
2015-09-19 19:22:40 +02:00
8f5b1eedc9
tests for ordering of sig algs in TLS 1.2 PFS kex
2015-09-19 18:47:01 +02:00
434b383f01
add test for TLSv1.2 PFS key exchange
...
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection
it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
2015-09-19 18:47:01 +02:00
67c2a7cfe4
Merge pull request #95 from tomato42/auto-colour
...
autodetect if the colors should be used
2015-09-19 11:05:16 -04:00
bb2d3223f8
autodetect if the colors should be used
...
check if the terminal output doesn't go to a pipe (less, file, etc.)
don't output colors by default then
2015-09-19 16:16:11 +02:00
0fe7013641
Fix colors
2015-09-19 08:38:57 -04:00
Julien Vehent
Julien Vehent [:ulfr]
Hubert Kario
Hubert Kario
Adam Crosby
Emantor
Cristián Rojas
Peter Mosmans
Richard Soderberg