7bf35cb02a
rebuild openssl binaries with better config flags
2015-03-19 13:52:18 -04:00
8b38f8fad9
Merge branch 'master' of github.com:jvehent/cipherscan
2015-03-19 11:30:46 -04:00
aee4d8f109
Update openssl binary to 1.0.2a
2015-03-19 11:30:07 -04:00
606d7626db
Merge pull request #44 from genodeftest/patch-1
...
fix: ignore case in bash version string
2015-01-26 11:10:55 -05:00
3e4b86eedd
Merge pull request #47 from ScriptFanix/master
...
fix silent TypeError on sigalg md5WithRSAEncryption
2015-01-26 11:09:54 -05:00
3915164430
Use custom darwin openssl bin in analyze.py
2015-01-18 12:26:59 -05:00
9ecc3f7164
New bash version info test using $BASH_VERSINFO
2015-01-12 16:46:18 +01:00
d1a8604a2a
fix silent TypeError on sigalg md5WithRSAEncryption
...
conn['sigalg'] is an array, logging.debug(conn['sigalg']) caused silent failure
2015-01-10 03:51:26 +01:00
54ec2aca99
fix: ignore case in bash version string
...
Currently on some systems `bash --version` reports `GNU bash, Version 4[…]` which will fail the test.
2015-01-02 22:47:28 +01:00
a90fc8bc58
Merge pull request #43 from ScriptFanix/master
...
don't expect openssl to be in cwd
2014-12-30 15:36:11 -05:00
b457951f5f
don't expect openssl to be in cwd
2014-12-26 09:49:52 +01:00
ac15fc738d
Update README.md
2014-12-25 13:50:10 -05:00
051f927fcd
Merge branch 'master' of github.com:jvehent/cipherscan
2014-12-25 13:26:04 -05:00
904e311124
Fix OSX: require bash4, add openssl-darwin64 binary
2014-12-25 13:25:29 -05:00
b04cbc6b85
Merge pull request #42 from ScriptFanix/master
...
--nagios: run as a nagios plugin
2014-12-25 12:34:34 -05:00
4e74308c37
Merge pull request #41 from MikeDawg/master
...
Added usage print and exit if no options are given
2014-12-25 12:27:35 -05:00
008bd6af2b
Merge pull request #38 from PeterMosmans/changeorder
...
Bugfix: correct flow when number of ciphers are loaded
2014-12-25 12:15:11 -05:00
726ef22552
Merge pull request #35 from PeterMosmans/openssl
...
Updated 64-bit OpenSSL binary (1.0.2 beta 4)
2014-12-25 12:11:01 -05:00
2d030775c4
Merge pull request #36 from PeterMosmans/symlinks
...
Make sure that custom openssl gets selected
2014-12-25 12:08:00 -05:00
0e7996181a
Don't expect scripts to be in working directory
2014-12-24 11:26:24 +01:00
983f85d2d4
--nagios: run as a nagios plugin
2014-12-23 14:51:50 +01:00
c019ecd493
Added usage print and exit if no options are given
2014-12-17 13:06:06 -07:00
81c1809463
corrected flow when number of ciphers was shown
...
First make sure that ${OPENSSLBIN} is correctly set
2014-11-22 18:36:24 +10:00
558bf7c9e2
Make sure that custom openssl gets selected
...
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
c71828dc09
Updated 64-bit OpenSSL binary (1.0.2 beta 4)
...
Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
2014-11-11 17:46:23 +11:00
818bf29b02
Merge pull request #33 from tomato42/cipherscan-fixes-3
...
Cipherscan fixes, speedups and saving of certificates (v3)
2014-11-05 12:36:33 -05:00
c4a8495a54
limit number of forks needed to speed up execution
...
bash has a built in regular expression processor, we can match
lines using =~
moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array
the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that
we also don't have to use $(echo $var) when assigning variables, $var
is enough
bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
9f06829486
make handling of self signed certs more robust
...
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
4c22d50f0c
few less forks in the script
...
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
0f576c1fbc
don't calculate sha sums for the certificates over and over
...
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
1eae0cc71b
use CApath for certificates and store certificates (v2)
...
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
Use the mechanism from cipherscan to find location of ca cert bundle
2014-11-05 18:13:39 +01:00
d9b718be12
clean up the extracted certificate
...
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-11-05 18:13:39 +01:00
3e37517c96
add ability to also save leaf certificates and untrusted ones
2014-11-05 18:13:39 +01:00
826f7b5541
add caching of intermediate CA certificates
2014-11-05 18:13:39 +01:00
3b14cd914f
no need to grep the input when we're using awk (v2)
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
dca3457d5a
Merge pull request #28 from tomato42/certificate-stats
...
Certificate stats
2014-11-03 22:15:44 -05:00
5a6eaaac41
parse_CAs.c - implement error checking, remove magic numbers, compile fix
2014-10-30 23:37:43 +01:00
aac3e9a9db
parse_CAs.py - add few comments
2014-10-30 01:41:46 +01:00
edab545f3e
add Makefile for the C utility
2014-10-30 01:33:58 +01:00
ebc6939299
Merge pull request #29 from tomato42/client-handshake-simulation
...
Client handshake simulation
2014-10-29 19:22:52 -04:00
334c3118e2
Merge pull request #30 from tomato42/timeouts
...
Fix delay option
2014-10-29 17:34:18 -04:00
11ce6187de
small fixes for delay
...
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
71ba3c88b0
increase timeout
...
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
29c739faa9
count EDH-DES as PFS too in general stats
2014-10-25 16:23:41 +02:00
af2e25ec89
fix EDH checking
...
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
d11d5e9f36
update old and intermediate ciphersuites
2014-10-18 08:31:53 -04:00
a17cfe373e
make 2048 DHE key optional in intermediate level
2014-10-18 08:20:00 -04:00
ebf4f8bcc7
fix ECC size in fubar pfs analysis
2014-10-18 07:23:24 -04:00
244e9ca9f2
refactor pfs evaluation in separate function
2014-10-17 11:58:19 -04:00
ddfaa6722d
display target level compliance in text output
2014-10-17 11:58:05 -04:00
Julien Vehent
Christian Stadelmann
Vincent Riquer
Vincent Riquer
Mike
Peter Mosmans
Hubert Kario
Hubert Kario