2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 06:13:42 +01:00
Commit Graph

388 Commits

Author SHA1 Message Date
Julien Vehent [:ulfr]
757bfefc6d Merge pull request #134 from tycho/fix-benchmark-output
fix -b (benchmark) output
2017-01-13 16:19:56 -05:00
Julien Vehent [:ulfr]
1f2846d54e Merge pull request #131 from castillar/master
Added info about OpenSSL proxy option to cipherscan script.
2017-01-13 16:15:15 -05:00
Julien Vehent [:ulfr]
6d66214fd1 Merge pull request #124 from firesock/master
Allow EC keys to have a smaller bitsize
2017-01-13 16:14:33 -05:00
Julien Vehent [:ulfr]
b1d37bf26d Merge pull request #128 from tomato42/intolerance-tests
TLS version (in)tolerance scanner
2017-01-13 16:07:44 -05:00
Steven Noonan
981cf0744e cipherscan: fix benchmark mode output
The microsecond measurement column wasn't being rendered.

Signed-off-by: Steven Noonan <steven@uplinklabs.net>
2017-01-01 14:15:23 -08:00
Steven Noonan
532ff712aa cipherscan: always define a curves_ordering column value
Signed-off-by: Steven Noonan <steven@uplinklabs.net>
2017-01-01 14:15:23 -08:00
Jos Purvis
c6934569bd Update to fix OpenSSL version in info message 2016-12-02 21:07:24 -05:00
Jos Purvis
3fc28b001c Added info about OpenSSL proxy option to cipherscan script. 2016-12-02 12:29:44 -05:00
Hubert Kario
fb8b4d73bf interpreting the intolerance data 2016-10-11 22:46:02 +02:00
Hubert Kario
45bb7d0c28 TLS version (in)tolerance scanner
Since it is impossible to make openssl command line tool send
TLSv1.3 Client Hello message, add a python based tool to perform
TLS version intolerance scan
2016-10-05 01:00:11 +02:00
Julien Vehent [:ulfr]
e5b747d29b Merge pull request #125 from tomato42/sort-cas-by-usage
sort CA's by count, not name
2016-09-30 15:30:48 -04:00
Julien Vehent [:ulfr]
197881da81 Merge pull request #126 from tomato42/npn
Add support for collecting supported NPN protocols
2016-09-17 08:11:03 -04:00
Hubert Kario
6a906a6267 add support for collecting supported NPN protocols 2016-09-16 23:06:34 +02:00
Hubert Kario
0120fff9bc sort CA's by count, not name 2016-09-06 14:08:06 +02:00
Awad Mackie
bb3e89ec09 Update fubar EC parameter size to 256 2016-08-25 00:40:39 +01:00
Awad Mackie
3a2a43f91d Hardcode minimum EC key size 2016-08-22 23:44:13 +01:00
Awad Mackie
955d55a6ba Update EC check to use regexp and match all OpenSSL EC cipher suite variants 2016-08-22 23:33:28 +01:00
Awad Mackie
f5ad5806c3 Allow EC keys to have a smaller bitsize 2016-08-21 13:16:54 +01:00
Julien Vehent
74dd82e8ad Update OpenSSL binary 2016-08-16 11:28:34 -04:00
Julien Vehent [:ulfr]
8b73962b72 Merge pull request #122 from tomato42/result-parser-update
Result parser update
2016-07-23 10:30:52 -04:00
Julien Vehent [:ulfr]
4a6cb350c8 Merge pull request #123 from tomato42/certificate-verification-time
changing time of verification for certificate chains
2016-07-23 10:29:11 -04:00
Julien Vehent [:ulfr]
38f5ffba9d Merge pull request #121 from tomato42/better-ca-handling
Better CA certificate handling
2016-07-23 10:27:00 -04:00
Hubert Kario
a5ec045000 changing time of verification for certificate chains
allow to run the analysis of certificate chains later after the
data was collected, allows also for re-analysis of archival data
2016-07-20 21:17:37 +02:00
Hubert Kario
7bb272e353 single-out 3DES ciphers
3DES is the weakest cipher from the ones that are still officially
standing, so report more detailed statistics about it
2016-07-20 20:51:51 +02:00
Hubert Kario
bbeac6107a add FF 44 ciphers
since FF 44 has a different cipher set than FF 35, especially the
drop of DSS and RC4, it will be useful to have connection
statistics for it
2016-07-20 20:50:26 +02:00
Hubert Kario
7834cd0748 fold some long lines
long lines hard to read, make Hulk sad
2016-07-20 20:45:15 +02:00
Hubert Kario
94efc235d0 use more robust trust path building by default
use the -trusted_first flag to openssl, so that it tries alternative
trust paths to verify validity of server presented certificate
2016-07-20 20:43:47 +02:00
Hubert Kario
f9f3407bb4 scripts to create CApath directories with roots or intermediaries
In case the user has a set of certificates *and* intermediaries,
it is necessary to prime both the `ca_trusted` directory and the
`ca_files` directories with respectively all root CA's and
all CA's (root or intermediate)
2016-07-20 20:40:35 +02:00
Julien Vehent [:ulfr]
189695c0b1 Merge pull request #120 from tomato42/top1m-info
add README for the top1m folder
2016-07-20 14:30:22 -04:00
Hubert Kario
e9808a1bcb report errors in cert file searching
since the certificates are separate from results file, they can get
missing (or an incorrect set can be used)

provide a clear message about what file is missing
2016-07-20 20:21:28 +02:00
Hubert Kario
985e26c71a add README for the top1m folder
since the top-1m.csv.zip is not static, tell the users where it
can be found

also add a generic explanation about files in the folder
2016-07-20 20:16:39 +02:00
Julien Vehent [:ulfr]
5d930c2d32 Merge pull request #117 from adamcrosby/master
Fallback to local JSON if urllib fails to retrieve updated list
2016-02-29 08:58:05 -05:00
Adam Crosby
34f92a6838 Added adamcrobsy to contributors list 2016-02-29 08:23:14 -05:00
Adam Crosby
55cdb74ff7 Added fallback to use local json recommendations file if urllib fails to connect (including SNI errors), fixes issue #116 2016-02-29 08:21:04 -05:00
Julien Vehent
9f0226e00b analyze.py: update example of json input 2016-02-24 10:52:18 -05:00
Julien Vehent
639bc45bf7 analyze.py refactoring to use online recommendations 2016-02-24 10:48:28 -05:00
Julien Vehent
18b0d1b952 Update linux openssl binary 2015-12-17 15:06:10 -05:00
Julien Vehent
6d2b850679 Merge pull request #105 from Emantor/intermediate-fix
Update analyze.py
2015-11-19 13:16:32 -05:00
Emantor
536ff90b86 ECDHE-ECDSA-DES-CBC3-SHA was missing too
Fix `ECDHE-ECDSA-DES-CBC3-SHA` as well.
2015-11-19 16:58:49 +01:00
Julien Vehent
a9cfcc8376 Merge pull request #107 from tomato42/ecdsa-certs
properly detect ECDSA certs for size compare
2015-11-19 08:54:43 -05:00
Hubert Kario
4d77c87494 properly detect ECDSA certs for keysize compare
since ECDSA certificates during the transition are likely to be
signed using RSA keys, we need to check the cipher rather than the
signature in the certificate to tell if the cert is ECDSA and as such
can have small key sizes
2015-11-17 15:31:46 +01:00
Emantor
e8ba5ab8fe Update analyze.py
Per https://mozilla.github.io/server-side-tls/ssl-config-generator/
The intermediate config supports 'ECDHE-RSA-DES-CBC3-SHA', add it to analyze.py
2015-11-17 09:01:52 +01:00
Julien Vehent
1e65be5fd5 Added copy of the MPL 2015-10-18 08:45:20 -04:00
Julien Vehent
b03320887f Merge pull request #100 from tomato42/compress-and-renego-info
Add testing for renegotiation and compression
2015-10-17 09:10:08 -04:00
Julien Vehent
34d6ca62bd Merge pull request #104 from injcristianrojas/master
Untrusted certificate alert should be red
2015-09-23 15:16:23 -04:00
Cristián Rojas
f717a556e5 Untrusted certificate alert should be red 2015-09-23 15:59:24 -03:00
Julien Vehent
29bdf5fdcb Merge pull request #103 from PeterMosmans/msys
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 12:53:17 -04:00
Peter Mosmans
c00474805d Fallback to default openssl when supplied openssl can't be executed 2015-09-22 19:25:27 +10:00
Julien Vehent
5a10991008 Merge pull request #102 from floatingatoll/negative-nope
workaround bash 4.2- not having unset A[-1] support
2015-09-21 16:05:26 -04:00
Richard Soderberg
c9412e395d workaround bash 4.2- not having unset A[-1] support 2015-09-21 12:51:18 -07:00