551255f8b4
detect fubar dh parameters
2014-10-17 11:20:25 -04:00
a4f573195e
update intermediate ciphersuite to accept 3des
2014-10-17 11:10:01 -04:00
df0b5d8d3f
fix wrong failure flag
2014-10-17 11:09:42 -04:00
a11b594ab4
Fix dhparam size detection in inter and modern levels
2014-10-17 11:09:28 -04:00
28c6c2488b
Accept sha384 and sha512 signatures as well as sha256
2014-10-17 11:08:32 -04:00
5b32afaa1f
Add target to text output
2014-10-17 10:48:59 -04:00
76d791fcbe
make cipher selection simulation generic
...
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
c82bc44558
report cipher ordering in scanning stats, use it to simulate handshakes
...
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
42fa7d9ecb
report what ciphers Firefox would select while connecting to server
2014-10-12 20:39:39 +02:00
1b4dcc4393
report ciphers causing incompatibility for Firefox
...
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
142726c4fd
count ECDH-RSA ciphers as ECDSA
...
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
ac18195b21
process-certificate-statistics.sh - the script HOWTO to turn results to CA stats
2014-10-12 20:38:25 +02:00
3cfd7b76cc
collect statistics about found certificates
2014-10-12 20:38:25 +02:00
3699acfc2d
helper application for finding cert chains
...
because neither M2crypto nor OpenSSL packages provide extensive
enough API to do certificate chain building, verification
and outputting of details, we have to pre-parse the data
with a C app that can access the full OpenSSL API.
I've also tried monkey patching the packages, but unfortunately
the result wasn't working reliably
The actual statistic collection (both about the chains and
specific certificates) will be done in a python script
2014-10-12 20:34:53 +02:00
26c7b0e0d7
fix target level verification check
2014-10-11 23:08:35 -04:00
a749742ff3
make sha-256 cert an optional requirement to the intermediate level
2014-10-11 23:08:21 -04:00
b009c71321
add operator flag to analyze.py
2014-10-11 20:52:18 -04:00
cdd34fce03
fix bug in status detection of analyze.py
2014-10-11 20:45:14 -04:00
b846ac9d5b
add json output to analyze.py via the -j flag
2014-10-11 19:37:08 -04:00
0da92f25b7
verify server side ordering is used in analyze.py
2014-10-11 00:34:07 -04:00
1c9d52c94c
First shot at ordering analysis. Not yet perfect, but somewhat useful...
2014-10-10 20:30:27 -04:00
a46e474337
add some fubar recommentations
2014-10-10 19:07:31 -04:00
f4d0d598c7
analyze.py add option to give path to specific openssl
2014-10-10 18:56:44 -04:00
37f04054f8
fix json date to use UTC
2014-10-10 18:16:22 -04:00
86edd481f6
analyze.py uses provided openssl only on linux 64
2014-10-10 18:00:10 -04:00
81ef37c593
gitignore update
2014-10-10 17:31:44 -04:00
b80b5cdd35
hide errors when json format is used
2014-10-10 17:27:58 -04:00
278dab4800
Fix json date argument to be compatible on macos
2014-10-10 17:27:29 -04:00
f6f4fe8b86
Find timeout binary on linux and mac
2014-10-10 17:19:44 -04:00
c7c91ff5f8
updated authors
2014-10-10 16:56:06 -04:00
d5685da796
check that provided openssl is executable, fall back to system one if not
2014-10-10 16:56:00 -04:00
26aa8f9408
cleanups
2014-10-10 16:55:34 -04:00
7d2c8b4cad
Use local ca bundle if none is found on the system, fixes issues with MacOS
2014-10-10 16:55:09 -04:00
cc1230efd9
Analysis wording changes
2014-10-09 10:09:44 -04:00
a722ad177d
updated README with analysis info
2014-10-09 10:03:19 -04:00
5665951b09
minor analysis wording changes
2014-10-09 09:57:40 -04:00
215dbd0c1a
ignore openssl errors in analyze.py
2014-10-09 09:54:30 -04:00
e9110c6bc8
gitignore
2014-10-09 09:36:08 -04:00
405b104583
improved configuration analysis
2014-10-09 09:35:59 -04:00
2858ef8116
Revert "no need to grep the input when we're using awk"
...
This reverts commit 4c05897be2
2014-10-08 21:53:22 -04:00
34b2eb7819
First shot at cipherscan results analyzer
2014-10-08 21:53:05 -04:00
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
29109f1e64
update SEED and IDEA classification, do a total of broken ciphers
...
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
2014-10-06 13:25:04 -04:00
4c05897be2
no need to grep the input when we're using awk
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
fb02ae87ac
add some comments, group related code
2014-10-06 13:22:29 -04:00
77671137df
add support for CApath
...
capath for relatively small cert sets (~300) makes scanning about 5%
faster
also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
189460da9e
report if server uses client side or server side cipher ordering
2014-10-06 13:21:40 -04:00
a7ae42b08e
openssl in -ssl2 mode doesn't tolerate -servername option
...
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.
Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
3a4a5f938d
add missing ocsp_staple header
2014-10-06 13:20:49 -04:00
8a0c9190a9
sort reported TLS session ticket hint using natural sort
2014-10-06 13:20:37 -04:00
Julien Vehent
Hubert Kario
Hubert Kario