LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity
205 Commits 5 Branches 0 Tags 35 MiB
Commit Graph

31 Commits

Author SHA1 Message Date
Hubert Kario 29c739faa9 count EDH-DES as PFS too in general stats 2014-10-25 16:23:41 +02:00
Hubert Kario af2e25ec89 fix EDH checking 
old ciphers have names that use EDH instead of DHE so we need check
for both names
 2014-10-25 16:11:18 +02:00
Hubert Kario 76d791fcbe make cipher selection simulation generic 
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
 2014-10-12 20:39:39 +02:00
Hubert Kario c82bc44558 report cipher ordering in scanning stats, use it to simulate handshakes 
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
 2014-10-12 20:39:39 +02:00
Hubert Kario 42fa7d9ecb report what ciphers Firefox would select while connecting to server 2014-10-12 20:39:39 +02:00
Hubert Kario 1b4dcc4393 report ciphers causing incompatibility for Firefox 
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
 2014-10-12 20:39:39 +02:00
Hubert Kario 142726c4fd count ECDH-RSA ciphers as ECDSA 
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
 2014-10-12 20:39:39 +02:00
Hubert Kario ca0ef2fc5c fixes for the pull request #18 
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
 2014-10-06 13:26:53 -04:00
Hubert Kario 29109f1e64 update SEED and IDEA classification, do a total of broken ciphers 
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
 2014-10-06 13:25:04 -04:00
Hubert Kario 8a0c9190a9 sort reported TLS session ticket hint using natural sort 2014-10-06 13:20:37 -04:00
Julien Vehent ecd77f94fc Merge pull request #18 from tomato42/wip 
Hodgepodge of fixes
 2014-08-28 16:02:19 -04:00
Hubert Kario 7591062bbc parse_results.py: compatibility with old results files 2014-06-04 18:52:39 +02:00
Hubert Kario be0439ef99 provide statistics for all key exchange methods, not DHE and ECDHE only 2014-06-04 18:17:41 +02:00
Hubert Kario 3667b04ad7 correctly count broken cipher suites with "no reporting of untrusted" 2014-06-04 18:17:02 +02:00
Hubert Kario 86ff1122cc parse_results.py: don't count anonymous cipher suites toward correct config stats 2014-06-04 15:15:32 +02:00
Julien Vehent 50f4959e79 updated license on parse_results.py 2014-05-20 08:23:57 -04:00
Hubert Kario 4e94d95bd8 ask for OCSP stapling by default 
for now, no option to disable
 2014-05-16 17:31:44 +02:00
Hubert Kario 0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario 686d7c958b extend reporting of RC4-related stats 
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
 2014-04-19 23:14:57 +02:00
Hubert Kario 21bba67df0 extend SSL stats 
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
 2014-04-19 23:14:57 +02:00
Hubert Kario 349d4ebc3c more detailed PFS report 
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
 2014-04-19 23:14:57 +02:00
Hubert Kario d3b6f9b507 fix reporting of the TLS1.2 but not TLS1.1 
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
 2014-04-19 23:14:57 +02:00
Hubert Kario c8abfb53e8 add support for Chacha20 based ciphers 
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
 2014-04-19 23:14:57 +02:00
Hubert Kario 2b794ebfe0 fix and extend reporting of AES-GCM ciphers 
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name

extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
 2014-04-19 23:14:57 +02:00
Hubert Kario fd6fcdd359 fix spelling in TLS stats (TLS1_1 vs TLS1.1) 2014-04-19 23:14:57 +02:00
Hubert Kario faef8d692f in "no-untrusted mode": filter out ADH and AECDH suites 
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.

Don't collect statistics on servers that provide only untrusted
connections.
 2014-04-19 23:14:47 +02:00
Hubert Kario 45dc1da3f6 add ability to ignore results from untrusted servers 2014-04-19 23:07:01 +02:00
Hubert Kario ff620f5b26 report number of servers that use ECDSA and RSA certificates 
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
 2014-04-19 23:07:00 +02:00
Hubert Kario 863441a179 parsing of signature algorithm and key size 
add parsing of signature algorithm and key size from the individual
results, report summary
 2014-04-19 23:07:00 +02:00
Julien Vehent 5e8b495a18 added many tests 2014-01-11 01:07:32 +00:00
Julien Vehent 1414973531 basic results parsing script in python 2014-01-10 05:50:03 +00:00