2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-12-26 12:43:42 +01:00
Commit Graph

349 Commits

Author SHA1 Message Date
Richard Soderberg
8757bbd039 Add handling for TLS-dependent trusted values.
As per previous commits, this adds TLS-dependent support for the
'Trusted' value in the output.
2015-10-05 08:42:23 -07:00
Richard Soderberg
eb752c541c Add handling for TLS-variant ticket hint value.
This, as previous commits, adds support for reporting the TLS ticket
hint value per-protocol, which results in a lot of 'None' for SSLv3 (as
expected).
2015-10-05 08:42:23 -07:00
Richard Soderberg
638e0cbd10 Add handling for TLS-variant results for the PFS value.
As before with signature algorithms, we need to handle the case where
the PFS value varies based on SSL protocol version.
2015-10-05 08:42:23 -07:00
Richard Soderberg
0be95b821a Emit an array of certificate signature algorithms, where applicable.
Certain SSL servers may emit a different certificate for each TLS
protocol version. Previously, we simply emitted one of their signature
algorithms. Now, we emit an array where each element corresponds to the
array of TLS versions.

This will be extended to the other certificate-dependent attributes in
future commits.
2015-10-05 08:42:23 -07:00
Richard Soderberg
32bf52a452 Store the found protocols in an array, rather than a CSV-joined string. 2015-10-05 08:42:23 -07:00
Richard Soderberg
1828183e3f Extract the list of TLS versions to test into an array. 2015-10-05 08:42:23 -07:00
Richard Soderberg
3107661b7c Unroll the if-return/elif-return/else-return chain in test_cipher_on_target.
Rather than doing if-return, elif-return, else-return, just do
if-return, if-return, if-return. This provides no immediate benefit to
the code itself, but permits the introduction of code that alters the
$sigalg variable in between the first if-return and the latter two in an
upcoming commit.
2015-10-05 08:42:23 -07:00
Julien Vehent
34d6ca62bd Merge pull request #104 from injcristianrojas/master
Untrusted certificate alert should be red
2015-09-23 15:16:23 -04:00
Cristián Rojas
f717a556e5 Untrusted certificate alert should be red 2015-09-23 15:59:24 -03:00
Julien Vehent
29bdf5fdcb Merge pull request #103 from PeterMosmans/msys
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 12:53:17 -04:00
Peter Mosmans
c00474805d Fallback to default openssl when supplied openssl can't be executed 2015-09-22 19:25:27 +10:00
Julien Vehent
5a10991008 Merge pull request #102 from floatingatoll/negative-nope
workaround bash 4.2- not having unset A[-1] support
2015-09-21 16:05:26 -04:00
Richard Soderberg
c9412e395d workaround bash 4.2- not having unset A[-1] support 2015-09-21 12:51:18 -07:00
Julien Vehent
73b21d3977 Merge pull request #99 from tomato42/tolerance-report
fix printing of test data for intolerant servers
2015-09-21 10:33:10 -04:00
Hubert Kario
dbce87cb1a fix printing of test data for intolerant servers
tls_tolerance is an array, so we need to use array syntax...

since if the server is tls version intolerant we will be printing
a lot of info, space it out from the certificate-related summary

ephemeral sigalgs are also printing a lot of information, so space
them from the TLS Tolerance test results
2015-09-21 16:18:37 +02:00
Julien Vehent
0011abcec7 readme update 2015-09-21 09:38:34 -04:00
Julien Vehent
4916e89087 remove unneeded echo 2015-09-21 09:31:03 -04:00
Julien Vehent
ce91e221d1 Merge pull request #98 from tomato42/custom-openssl-fixes
fix custom openssl with GOST config incompatibility
2015-09-21 09:29:51 -04:00
Julien Vehent
035d8c0a19 Merge pull request #97 from tomato42/uri-handling
handle hostnames that are URIs
2015-09-21 09:29:03 -04:00
Julien Vehent
50ef7960f7 Merge pull request #96 from tomato42/ecdsa-keys
fix coloring of cert key sizes
2015-09-21 09:25:16 -04:00
Julien Vehent
4620627454 Merge pull request #65 from tomato42/tls12-kex
Tests for TLS1.2 PFS key exchanges
2015-09-21 09:23:18 -04:00
Hubert Kario
2ba7dc6dbf fix custom openssl with GOST config incompatibility
fixes two issues
 1). -help message is used from the openssl set with the -o option
 2). doesn't use GOST config unconditionally - verifies that it works
     first

based partially off of Greg Owen <gowen@swynwyr.com> work in #67

fixes #86
2015-09-19 20:02:15 +02:00
Hubert Kario
9cea1cdc67 handle hostnames that are URIs
fixes #83
2015-09-19 19:43:27 +02:00
Hubert Kario
8337fb7308 fix coloring of cert key sizes
a 2047 bit RSA certificate is just as secure as 2048 bit one (and
known good algorithms can very infrequently provide them when asked for
2048) so accept them too

DSA keys are bad in every case, so always red color them

ECDSA keys are OK above 256 bits
2015-09-19 19:22:40 +02:00
Hubert Kario
8f5b1eedc9 tests for ordering of sig algs in TLS 1.2 PFS kex 2015-09-19 18:47:01 +02:00
Hubert Kario
434b383f01 add test for TLSv1.2 PFS key exchange
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs is
the server willing to perform and whatever it does honour client
selection

it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
2015-09-19 18:47:01 +02:00
Julien Vehent
67c2a7cfe4 Merge pull request #95 from tomato42/auto-colour
autodetect if the colors should be used
2015-09-19 11:05:16 -04:00
Hubert Kario
bb2d3223f8 autodetect if the colors should be used
check if the terminal output doesn't go to a pipe (less, file, etc.)
don't output colors by default then
2015-09-19 16:16:11 +02:00
Julien Vehent
0fe7013641 Fix colors 2015-09-19 08:38:57 -04:00
Julien Vehent
460f9cf1f6 Merge pull request #91 from floatingatoll/fix-1
revert unintended inclusion of sigalg skipping from 9ea1749f
2015-09-18 16:50:11 -04:00
Richard Soderberg
e27f614f08 revert unintended inclusion of sigalg skipping from 9ea1749f 2015-09-18 13:40:05 -07:00
Julien Vehent
4ffd2de58d Merge pull request #90 from jvehent/snidefault
Enable Server Name Indication by default
2015-09-18 16:04:50 -04:00
Julien Vehent
8618d44371 Merge branch 'snidefault' of github.com:jvehent/cipherscan into snidefault 2015-09-18 16:00:39 -04:00
Julien Vehent
3131abb333 Add warning if target is not fqdn and SNI needs to be disabled 2015-09-18 15:58:31 -04:00
Julien Vehent
5284dda0fb Enable SNI by default only if target is a fqdn and -servername not supplied 2015-09-18 15:45:10 -04:00
Julien Vehent
72e2b4f6e9 Enable Server Name Indication by default 2015-09-18 15:45:08 -04:00
Julien Vehent
901e3cbdfc Merge pull request #89 from jvehent/output20150918
A few fixes to the terminal output
2015-09-18 15:42:26 -04:00
Julien Vehent
5526c58ffb Merge pull request #82 from floatingatoll/various_fixes
Various fixes
2015-09-18 15:41:44 -04:00
Richard Soderberg
179cbe8db1 refuse to permit --allciphers and --json together 2015-09-18 11:56:28 -07:00
Richard Soderberg
8f3341a165 openssl fallback and version warnings should go to STDERR 2015-09-18 11:53:18 -07:00
Julien Vehent
f11a0e3594 Revert "When in JSON mode, run curve and tolerance tests"
This reverts commit 3dd0f58f4c.
2015-09-18 14:50:03 -04:00
Julien Vehent
5d5568f03a use colors instead of ok/ko 2015-09-18 14:50:00 -04:00
Julien Vehent
8a03b8d4e7 fix pubkey quality test 2015-09-18 14:49:51 -04:00
Richard Soderberg
ce2f97f05c Replace instances of [[ $ == "" ]] with [[ -z "" ]]. 2015-09-18 11:41:20 -07:00
Richard Soderberg
236b0b8cfe Fixes instances of "SC2128: Expanding an array without an index only gives the first element.".
In cipherscan line 851:
        local selected=($result)
                        ^-- SC2128: Expanding an array without an index only gives the first element.

In cipherscan line 852:
        if [[ $selected == "$prefered" ]]; then
              ^-- SC2128: Expanding an array without an index only gives the first element.
2015-09-18 11:40:14 -07:00
Richard Soderberg
b2521c8e42 Fixes instances of "SC2053: Quote the rhs of == in [[ ]] to prevent glob matching."
In cipherscan line 469:
            if [[ ${known_certs[$cksum]} == $cert ]]; then
                                            ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.

In cipherscan line 852:
        if [[ $selected == $prefered ]]; then
                           ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.

In cipherscan line 915:
                if [[ "$cname" == ${curves[$id]} ]]; then
                                  ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
2015-09-18 11:40:14 -07:00
Richard Soderberg
24268e063e Fixes one instance of "SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate."
In cipherscan line 427:
    local sslcommand=$@
                     ^-- SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
2015-09-18 11:40:14 -07:00
Richard Soderberg
bc79c51065 Fixes instances of SC2086, SC2046 errors regarding unquoted variables.
In cipherscan line 294:
    echo $identifier
         ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 587:
                current_curves="$(get_curve_name $(echo $pfs|cut -d ',' -f2))"
                                                 ^-- SC2046: Quote this to prevent word splitting.

In cipherscan line 603:
        debug Connection $i
                         ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 715:
            echo $header
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 719:
            echo $result|grep -v '(NONE)'
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 897:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 910:
                cname="$(get_curve_name ${ephem_data[1]})"
                                        ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 953:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 967:
                local cname="$(get_curve_name ${ephem_data[1]})"
                                              ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 1017:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 1030:
                local cname="$(get_curve_name ${ephem_data[1]})"
                                              ^-- SC2086: Double quote to prevent globbing and word splitting.
2015-09-18 11:40:14 -07:00
Richard Soderberg
c103805a38 Replace instances of [[ $ != "" ]] with [[ -n "" ]]. 2015-09-18 11:40:11 -07:00
Richard Soderberg
5c09af67fd Remove one unnecessary string-to-array-to-string from get_curve_name(). 2015-09-18 11:35:03 -07:00