LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-04 15:03:41 +01:00
Code Issues Releases Wiki Activity
205 Commits 5 Branches 0 Tags 35 MiB
7bf35cb02a
Commit Graph

205 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Julien Vehent
7bf35cb02a rebuild openssl binaries with better config flags 2015-03-19 13:52:18 -04:00
Julien Vehent
8b38f8fad9 Merge branch 'master' of github.com:jvehent/cipherscan 2015-03-19 11:30:46 -04:00
Julien Vehent
aee4d8f109 Update openssl binary to 1.0.2a 2015-03-19 11:30:07 -04:00
Julien Vehent
606d7626db Merge pull request #44 from genodeftest/patch-1 
fix: ignore case in bash version string
 2015-01-26 11:10:55 -05:00
Julien Vehent
3e4b86eedd Merge pull request #47 from ScriptFanix/master 
fix silent TypeError on sigalg md5WithRSAEncryption
 2015-01-26 11:09:54 -05:00
Julien Vehent
3915164430 Use custom darwin openssl bin in analyze.py 2015-01-18 12:26:59 -05:00
Christian Stadelmann
9ecc3f7164 New bash version info test using $BASH_VERSINFO 2015-01-12 16:46:18 +01:00
Vincent Riquer
d1a8604a2a fix silent TypeError on sigalg md5WithRSAEncryption 
conn['sigalg'] is an array, logging.debug(conn['sigalg']) caused silent failure
 2015-01-10 03:51:26 +01:00
Christian Stadelmann
54ec2aca99 fix: ignore case in bash version string 
Currently on some systems `bash --version` reports `GNU bash, Version 4[…]` which will fail the test.
 2015-01-02 22:47:28 +01:00
Julien Vehent
a90fc8bc58 Merge pull request #43 from ScriptFanix/master 
don't expect openssl to be in cwd
 2014-12-30 15:36:11 -05:00
Vincent Riquer
b457951f5f don't expect openssl to be in cwd 2014-12-26 09:49:52 +01:00
Julien Vehent
ac15fc738d Update README.md 2014-12-25 13:50:10 -05:00
Julien Vehent
051f927fcd Merge branch 'master' of github.com:jvehent/cipherscan 2014-12-25 13:26:04 -05:00
Julien Vehent
904e311124 Fix OSX: require bash4, add openssl-darwin64 binary 2014-12-25 13:25:29 -05:00
Julien Vehent
b04cbc6b85 Merge pull request #42 from ScriptFanix/master 
--nagios: run as a nagios plugin
 2014-12-25 12:34:34 -05:00
Julien Vehent
4e74308c37 Merge pull request #41 from MikeDawg/master 
Added usage print and exit if no options are given
 2014-12-25 12:27:35 -05:00
Julien Vehent
008bd6af2b Merge pull request #38 from PeterMosmans/changeorder 
Bugfix: correct flow when number of ciphers are loaded
 2014-12-25 12:15:11 -05:00
Julien Vehent
726ef22552 Merge pull request #35 from PeterMosmans/openssl 
Updated 64-bit OpenSSL binary (1.0.2 beta 4)
 2014-12-25 12:11:01 -05:00
Julien Vehent
2d030775c4 Merge pull request #36 from PeterMosmans/symlinks 
Make sure that custom openssl gets selected
 2014-12-25 12:08:00 -05:00
Vincent Riquer
0e7996181a Don't expect scripts to be in working directory 2014-12-24 11:26:24 +01:00
Vincent Riquer
983f85d2d4 --nagios: run as a nagios plugin 2014-12-23 14:51:50 +01:00
Mike
c019ecd493 Added usage print and exit if no options are given 2014-12-17 13:06:06 -07:00
Peter Mosmans
81c1809463 corrected flow when number of ciphers was shown 
First make sure that ${OPENSSLBIN} is correctly set
 2014-11-22 18:36:24 +10:00
Peter Mosmans
558bf7c9e2 Make sure that custom openssl gets selected 
Symlinks are now resolved (when readlink -f is available)
 2014-11-14 10:49:16 +11:00
Peter Mosmans
c71828dc09 Updated 64-bit OpenSSL binary (1.0.2 beta 4) 
Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha

Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
 2014-11-11 17:46:23 +11:00
Julien Vehent
818bf29b02 Merge pull request #33 from tomato42/cipherscan-fixes-3 
Cipherscan fixes, speedups and saving of certificates (v3)
 2014-11-05 12:36:33 -05:00
Hubert Kario
c4a8495a54 limit number of forks needed to speed up execution 
bash has a built in regular expression processor, we can match
lines using =~

moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array

the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that

we also don't have to use $(echo $var) when assigning variables, $var
is enough

bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
 2014-11-05 18:14:30 +01:00
Hubert Kario
9f06829486 make handling of self signed certs more robust 
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
 2014-11-05 18:13:39 +01:00
Hubert Kario
4c22d50f0c few less forks in the script 
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
 2014-11-05 18:13:39 +01:00
Hubert Kario
0f576c1fbc don't calculate sha sums for the certificates over and over 
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
 2014-11-05 18:13:39 +01:00
Hubert Kario
1eae0cc71b use CApath for certificates and store certificates (v2) 
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
 2014-11-05 18:13:39 +01:00
Hubert Kario
d9b718be12 clean up the extracted certificate 
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
 2014-11-05 18:13:39 +01:00
Hubert Kario
3e37517c96 add ability to also save leaf certificates and untrusted ones 2014-11-05 18:13:39 +01:00
Hubert Kario
826f7b5541 add caching of intermediate CA certificates 2014-11-05 18:13:39 +01:00
Hubert Kario
3b14cd914f no need to grep the input when we're using awk (v2) 
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for

This version uses slightly different syntax that is compatible with old
awk
 2014-11-05 18:13:39 +01:00
Julien Vehent
dca3457d5a Merge pull request #28 from tomato42/certificate-stats 
Certificate stats
 2014-11-03 22:15:44 -05:00
Hubert Kario
5a6eaaac41 parse_CAs.c - implement error checking, remove magic numbers, compile fix 2014-10-30 23:37:43 +01:00
Hubert Kario
aac3e9a9db parse_CAs.py - add few comments 2014-10-30 01:41:46 +01:00
Hubert Kario
edab545f3e add Makefile for the C utility 2014-10-30 01:33:58 +01:00
Julien Vehent
ebc6939299 Merge pull request #29 from tomato42/client-handshake-simulation 
Client handshake simulation
 2014-10-29 19:22:52 -04:00
Julien Vehent
334c3118e2 Merge pull request #30 from tomato42/timeouts 
Fix delay option
 2014-10-29 17:34:18 -04:00
Hubert Kario
11ce6187de small fixes for delay 
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
 2014-10-28 16:44:43 +01:00
Hubert Kario
71ba3c88b0 increase timeout 
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
 2014-10-28 13:17:20 +01:00
Hubert Kario
29c739faa9 count EDH-DES as PFS too in general stats 2014-10-25 16:23:41 +02:00
Hubert Kario
af2e25ec89 fix EDH checking 
old ciphers have names that use EDH instead of DHE so we need check
for both names
 2014-10-25 16:11:18 +02:00
Julien Vehent
d11d5e9f36 update old and intermediate ciphersuites 2014-10-18 08:31:53 -04:00
Julien Vehent
a17cfe373e make 2048 DHE key optional in intermediate level 2014-10-18 08:20:00 -04:00
Julien Vehent
ebf4f8bcc7 fix ECC size in fubar pfs analysis 2014-10-18 07:23:24 -04:00
Julien Vehent
244e9ca9f2 refactor pfs evaluation in separate function 2014-10-17 11:58:19 -04:00
Julien Vehent
ddfaa6722d display target level compliance in text output 2014-10-17 11:58:05 -04:00