ded65c40df
Merge pull request #22 from simondeziel/sdeziel
...
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
7dee967dd7
Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
...
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
273211f025
Merge pull request #21 from azet/master
...
add real execution tracing to debug
2014-07-17 12:29:42 -04:00
efd84cdb24
add real execution tracing to debug
2014-07-17 18:08:29 +02:00
e345f6034d
Merge pull request #20 from PeterMosmans/binaries
...
Updated binary with latest 1.0.2-chacha build
2014-07-13 09:22:24 -04:00
b65c13c7b9
Compiled for 64-bit-linux from the following source:
...
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
2014-07-13 20:56:17 +10:00
26a24d0429
Updated binary with latest 1.0.2-chacha build
...
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
2014-07-12 10:15:00 +10:00
60a6a02c6f
Merge pull request #19 from phlipper/patch-1
...
minor typo fix
2014-06-25 19:37:53 -04:00
5ae2132f23
minor typo fix
2014-06-25 16:28:48 -07:00
7591062bbc
parse_results.py: compatibility with old results files
2014-06-04 18:52:39 +02:00
be0439ef99
provide statistics for all key exchange methods, not DHE and ECDHE only
2014-06-04 18:17:41 +02:00
3667b04ad7
correctly count broken cipher suites with "no reporting of untrusted"
2014-06-04 18:17:02 +02:00
86ff1122cc
parse_results.py: don't count anonymous cipher suites toward correct config stats
2014-06-04 15:15:32 +02:00
ee81927200
fix cipherscan human-readable output - pfs_keysize option
2014-05-30 11:49:44 +02:00
b69863c5c5
Merge branch 'master' of github.com:jvehent/cipherscan
2014-05-20 08:52:09 -04:00
50f4959e79
updated license on parse_results.py
2014-05-20 08:23:57 -04:00
2f56f0515e
don't scan the same host twice
2014-05-16 18:16:45 +02:00
f1d3b51749
update the top 1M list to the version from 2014-05-16
2014-05-16 17:34:22 +02:00
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
1a78172936
scan just one host per hostname
2014-05-16 16:11:01 +02:00
cdbf596466
properly handle pure IP adressess
...
(it's illegal to use IP in SNI)
2014-05-16 15:42:47 +02:00
5ef53dda9c
increase paralelism of jobs
...
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
2014-05-13 13:41:16 +02:00
a213fc45d0
remove the folder/file part from url
...
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
2014-05-13 13:41:16 +02:00
00b20a20ed
perform SNI enabled scan
...
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
2014-05-13 13:41:16 +02:00
c48c012771
use the same openssl for all tasks
2014-05-13 13:41:16 +02:00
5dfa3c444e
put ECDSA ciphers before RSA ciphers
...
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
a0cb766381
add support for archlinux
...
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
8817a7b1c8
testtop1m.sh: correct counting of background jobs
...
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
2014-05-13 13:41:16 +02:00
92851d7c74
Merge pull request #17 from tomato42/proper-quit
...
use proper quit semantic for openssl s_client
2014-05-12 13:36:46 -04:00
dca614d218
use proper quit semantic for openssl s_client
...
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
5417dacda3
Merge pull request #16 from tomato42/restore-timeout
...
restore timeout
2014-05-09 08:32:36 -04:00
d7b99f125e
restore `timeout`
...
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
325329d1ad
Merge pull request #15 from tomato42/reporting-improvements-03
...
Reporting improvements 03
2014-04-20 13:16:34 -04:00
ba4defb707
Merge pull request #14 from tomato42/scan-improvements-02
...
Improve scanning performance and reduce false negatives
2014-04-20 13:15:44 -04:00
686d7c958b
extend reporting of RC4-related stats
...
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
2014-04-19 23:14:57 +02:00
21bba67df0
extend SSL stats
...
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
2014-04-19 23:14:57 +02:00
349d4ebc3c
more detailed PFS report
...
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
2014-04-19 23:14:57 +02:00
d3b6f9b507
fix reporting of the TLS1.2 but not TLS1.1
...
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
2014-04-19 23:14:57 +02:00
c8abfb53e8
add support for Chacha20 based ciphers
...
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-19 23:14:57 +02:00
2b794ebfe0
fix and extend reporting of AES-GCM ciphers
...
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name
extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-19 23:14:57 +02:00
fd6fcdd359
fix spelling in TLS stats (TLS1_1 vs TLS1.1)
2014-04-19 23:14:57 +02:00
faef8d692f
in "no-untrusted mode": filter out ADH and AECDH suites
...
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.
Don't collect statistics on servers that provide only untrusted
connections.
2014-04-19 23:14:47 +02:00
45dc1da3f6
add ability to ignore results from untrusted servers
2014-04-19 23:07:01 +02:00
ff620f5b26
report number of servers that use ECDSA and RSA certificates
...
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-19 23:07:00 +02:00
863441a179
parsing of signature algorithm and key size
...
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-19 23:07:00 +02:00
b6b9a1a364
Improve scanning performance and reduce false negatives
...
scan all the machines from top-1m.csv file, wait for completion
of all jobs
i=1 is an off-by-one-error
support top-1m.csv files with arbitrary number of sites
run scans for many hosts at a time, but don't run more than
specified amount
in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-19 22:56:41 +02:00
370348ba1b
Updated README
2014-04-19 12:04:09 -04:00
f703ca9c26
Merge pull request #12 from tomato42/certificate-scanning-02
...
Certificate scanning 02 (alternative version)
2014-04-19 11:46:25 -04:00
Julien Vehent
Simon Deziel
Aaron Zauner
Peter Mosmans
Phil Cohen
Hubert Kario
Hubert Kario