LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity
133 Commits 5 Branches 0 Tags 35 MiB
Commit Graph

133 Commits

Author SHA1 Message Date
Hubert Kario 77f326522e fixes for the pull request #18 
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
 2014-10-04 14:46:36 +02:00
Hubert Kario 8911827be1 process-certificate-statistics.sh - the script HOWTO to turn results to CA stats 2014-10-04 14:29:36 +02:00
Hubert Kario 0adf721643 parse_CAs.py - add support for MD5 sigs 2014-10-04 14:29:36 +02:00
Hubert Kario 1aeff568ee update SEED and IDEA classification, do a total of broken ciphers 
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
 2014-10-04 14:29:36 +02:00
Hubert Kario 3c93cbd6c2 make handling of self signed certs more robust 
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
 2014-10-04 14:29:36 +02:00
Hubert Kario 9a956dc5a5 use pre-parsed data outputted by the C application 2014-10-04 14:29:36 +02:00
Hubert Kario 0591829ed1 application for finding the correct certificate chain 
process the result files and output if the cert chain inside is
complete or not (that means it requires further processing)
 2014-10-04 14:28:14 +02:00
Hubert Kario b4291236bb add collection of LoS for the cert paths found 2014-10-04 14:27:13 +02:00
Hubert Kario 68577f7918 collect statistics about found certificates 2014-10-04 14:27:13 +02:00
Hubert Kario ab8b794557 few less forks in the script 
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
 2014-10-04 14:27:13 +02:00
Hubert Kario bcfe0dbae1 don't calculate sha sums for the certificates over and over 
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
 2014-10-04 14:27:13 +02:00
Hubert Kario ef4786f1d7 no need to grep the input when we're using awk 
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
 2014-10-04 14:27:13 +02:00
Hubert Kario caa534bfd7 don't retry protocols we know don't work 
When connection is unsuccessful with a given protocol, don't try it again
since we probably exhausted the ciphers supported by the protocol

makes scanning about 10% faster
 2014-10-04 14:27:13 +02:00
Hubert Kario d2f112033d clean up the extracted certificate 
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
 2014-10-04 14:27:13 +02:00
Hubert Kario 2b959f601d use CApath for certificates and store certificates 
CApath is about 20% faster than CAfile so use it, also
save the recived certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
 2014-10-04 14:27:13 +02:00
Hubert Kario 431b453e43 add ability to also save leaf certificates and untrusted ones 2014-10-04 14:27:13 +02:00
Hubert Kario 56893f7b2f add caching of intermediate CA certificates 2014-10-04 14:27:13 +02:00
Hubert Kario aeffc87e05 add some comments, group related code 2014-10-04 14:24:30 +02:00
Hubert Kario 7f5743620b add support for CApath 
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
 2014-10-04 14:24:30 +02:00
Hubert Kario 30d0839df6 report cipher ordering in scanning stats, use it to simulate handshakes 
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
 2014-10-04 14:24:30 +02:00
Hubert Kario ab66f04e53 report if server uses client side or server side cipher ordering 2014-10-04 14:24:30 +02:00
Hubert Kario 0ae9d76771 openssl in -ssl2 mode doesn't tolerate -servername option 
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
 2014-10-04 14:24:30 +02:00
Hubert Kario 5c4a8e8fd6 report what ciphers Firefox would select while connecting to server 2014-10-04 14:24:30 +02:00
Hubert Kario 8bcc9d3cf6 report ciphers causing incompatibility for Firefox 
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
 2014-10-04 14:24:30 +02:00
Hubert Kario 4ffa061977 make the output shorter in case the server supports all protocol types 2014-10-04 14:01:53 +02:00
Hubert Kario 17bc04f71d add missing ocsp_staple header 2014-10-04 14:01:53 +02:00
Hubert Kario 144e6ea2f7 sort reported TLS session ticket hint using natural sort 2014-10-04 14:01:53 +02:00
Hubert Kario 3bab715012 count ECDH-RSA ciphers as ECDSA 
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
 2014-10-04 14:01:53 +02:00
Julien Vehent ded65c40df Merge pull request #22 from simondeziel/sdeziel 
Use Debian's system-wide trust anchors when possible
 2014-08-28 16:02:36 -04:00
Julien Vehent ecd77f94fc Merge pull request #18 from tomato42/wip 
Hodgepodge of fixes
 2014-08-28 16:02:19 -04:00
Simon Deziel 7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS 
are available. On Debian, this is the default location for
system-wide trust anchors.
 2014-07-25 10:01:31 -04:00
Julien Vehent 273211f025 Merge pull request #21 from azet/master 
add real execution tracing to debug
 2014-07-17 12:29:42 -04:00
Aaron Zauner efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Julien Vehent e345f6034d Merge pull request #20 from PeterMosmans/binaries 
Updated binary with latest 1.0.2-chacha build
 2014-07-13 09:22:24 -04:00
Peter Mosmans b65c13c7b9 Compiled for 64-bit-linux from the following source: 
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
 2014-07-13 20:56:17 +10:00
Peter Mosmans 26a24d0429 Updated binary with latest 1.0.2-chacha build 
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
 2014-07-12 10:15:00 +10:00
Julien Vehent 60a6a02c6f Merge pull request #19 from phlipper/patch-1 
minor typo fix
 2014-06-25 19:37:53 -04:00
Phil Cohen 5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario 7591062bbc parse_results.py: compatibility with old results files 2014-06-04 18:52:39 +02:00
Hubert Kario be0439ef99 provide statistics for all key exchange methods, not DHE and ECDHE only 2014-06-04 18:17:41 +02:00
Hubert Kario 3667b04ad7 correctly count broken cipher suites with "no reporting of untrusted" 2014-06-04 18:17:02 +02:00
Hubert Kario 86ff1122cc parse_results.py: don't count anonymous cipher suites toward correct config stats 2014-06-04 15:15:32 +02:00
Hubert Kario ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Julien Vehent b69863c5c5 Merge branch 'master' of github.com:jvehent/cipherscan 2014-05-20 08:52:09 -04:00
Julien Vehent 50f4959e79 updated license on parse_results.py 2014-05-20 08:23:57 -04:00
Hubert Kario 2f56f0515e don't scan the same host twice 2014-05-16 18:16:45 +02:00
Hubert Kario f1d3b51749 update the top 1M list to the version from 2014-05-16 2014-05-16 17:34:22 +02:00
Hubert Kario 4e94d95bd8 ask for OCSP stapling by default 
for now, no option to disable
 2014-05-16 17:31:44 +02:00
Hubert Kario 0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario 1a78172936 scan just one host per hostname 2014-05-16 16:11:01 +02:00