LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity
370 Commits 5 Branches 0 Tags 35 MiB
Commit Graph

370 Commits

Author SHA1 Message Date
Julien Vehent 5665951b09 minor analysis wording changes 2014-10-09 09:57:40 -04:00
Julien Vehent 215dbd0c1a ignore openssl errors in analyze.py 2014-10-09 09:54:30 -04:00
Julien Vehent e9110c6bc8 gitignore 2014-10-09 09:36:08 -04:00
Julien Vehent 405b104583 improved configuration analysis 2014-10-09 09:35:59 -04:00
Julien Vehent 2858ef8116 Revert "no need to grep the input when we're using awk" 
This reverts commit 4c05897be2.
 2014-10-08 21:53:22 -04:00
Julien Vehent 34b2eb7819 First shot at cipherscan results analyzer 2014-10-08 21:53:05 -04:00
Hubert Kario ca0ef2fc5c fixes for the pull request #18 
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
 2014-10-06 13:26:53 -04:00
Hubert Kario 29109f1e64 update SEED and IDEA classification, do a total of broken ciphers 
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
 2014-10-06 13:25:04 -04:00
Hubert Kario 4c05897be2 no need to grep the input when we're using awk 
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
 2014-10-06 13:24:39 -04:00
Hubert Kario fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario 77671137df add support for CApath 
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
 2014-10-06 13:22:15 -04:00
Hubert Kario 189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option 
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
 2014-10-06 13:21:16 -04:00
Hubert Kario 3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Hubert Kario 8a0c9190a9 sort reported TLS session ticket hint using natural sort 2014-10-06 13:20:37 -04:00
Julien Vehent ded65c40df Merge pull request #22 from simondeziel/sdeziel 
Use Debian's system-wide trust anchors when possible
 2014-08-28 16:02:36 -04:00
Julien Vehent ecd77f94fc Merge pull request #18 from tomato42/wip 
Hodgepodge of fixes
 2014-08-28 16:02:19 -04:00
Simon Deziel 7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS 
are available. On Debian, this is the default location for
system-wide trust anchors.
 2014-07-25 10:01:31 -04:00
Julien Vehent 273211f025 Merge pull request #21 from azet/master 
add real execution tracing to debug
 2014-07-17 12:29:42 -04:00
Aaron Zauner efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Julien Vehent e345f6034d Merge pull request #20 from PeterMosmans/binaries 
Updated binary with latest 1.0.2-chacha build
 2014-07-13 09:22:24 -04:00
Peter Mosmans b65c13c7b9 Compiled for 64-bit-linux from the following source: 
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
 2014-07-13 20:56:17 +10:00
Peter Mosmans 26a24d0429 Updated binary with latest 1.0.2-chacha build 
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
 2014-07-12 10:15:00 +10:00
Julien Vehent 60a6a02c6f Merge pull request #19 from phlipper/patch-1 
minor typo fix
 2014-06-25 19:37:53 -04:00
Phil Cohen 5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario 7591062bbc parse_results.py: compatibility with old results files 2014-06-04 18:52:39 +02:00
Hubert Kario be0439ef99 provide statistics for all key exchange methods, not DHE and ECDHE only 2014-06-04 18:17:41 +02:00
Hubert Kario 3667b04ad7 correctly count broken cipher suites with "no reporting of untrusted" 2014-06-04 18:17:02 +02:00
Hubert Kario 86ff1122cc parse_results.py: don't count anonymous cipher suites toward correct config stats 2014-06-04 15:15:32 +02:00
Hubert Kario ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Julien Vehent b69863c5c5 Merge branch 'master' of github.com:jvehent/cipherscan 2014-05-20 08:52:09 -04:00
Julien Vehent 50f4959e79 updated license on parse_results.py 2014-05-20 08:23:57 -04:00
Hubert Kario 2f56f0515e don't scan the same host twice 2014-05-16 18:16:45 +02:00
Hubert Kario f1d3b51749 update the top 1M list to the version from 2014-05-16 2014-05-16 17:34:22 +02:00
Hubert Kario 4e94d95bd8 ask for OCSP stapling by default 
for now, no option to disable
 2014-05-16 17:31:44 +02:00
Hubert Kario 0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario 1a78172936 scan just one host per hostname 2014-05-16 16:11:01 +02:00
Hubert Kario cdbf596466 properly handle pure IP adressess 
(it's illegal to use IP in SNI)
 2014-05-16 15:42:47 +02:00
Hubert Kario 5ef53dda9c increase paralelism of jobs 
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
 2014-05-13 13:41:16 +02:00
Hubert Kario a213fc45d0 remove the folder/file part from url 
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
 2014-05-13 13:41:16 +02:00
Hubert Kario 00b20a20ed perform SNI enabled scan 
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
 2014-05-13 13:41:16 +02:00
Hubert Kario c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario 5dfa3c444e put ECDSA ciphers before RSA ciphers 
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
 2014-05-13 13:41:16 +02:00
Hubert Kario a0cb766381 add support for archlinux 
archlinux has ca certificates in different place than Fedora
 2014-05-13 13:41:16 +02:00
Hubert Kario 8817a7b1c8 testtop1m.sh: correct counting of background jobs 
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
 2014-05-13 13:41:16 +02:00
Julien Vehent 92851d7c74 Merge pull request #17 from tomato42/proper-quit 
use proper quit semantic for openssl s_client
 2014-05-12 13:36:46 -04:00
Hubert Kario dca614d218 use proper quit semantic for openssl s_client 
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
 2014-05-09 14:46:01 +02:00
Julien Vehent 5417dacda3 Merge pull request #16 from tomato42/restore-timeout 
restore timeout
 2014-05-09 08:32:36 -04:00
Hubert Kario d7b99f125e restore `timeout` 
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
 2014-05-09 12:00:53 +02:00
Julien Vehent 325329d1ad Merge pull request #15 from tomato42/reporting-improvements-03 
Reporting improvements 03
 2014-04-20 13:16:34 -04:00