2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 22:33:40 +01:00
Commit Graph

224 Commits

Author SHA1 Message Date
Hubert Kario
8bde9c4d03 do fallback scan in case of problems
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
2015-05-29 23:50:07 +02:00
Julien Vehent
3bc8dc5583 one big readme update 2015-04-03 10:59:22 -04:00
Julien Vehent
d4441cf2bc update sample output in readme to show curves 2015-04-03 10:42:07 -04:00
Julien Vehent
02d555bf9d update openssl binary for darwin 2015-04-03 10:41:41 -04:00
Julien Vehent
1a26e09c7b Merge pull request #54 from jvehent/jvehent-rework-tomato42-curves-tolerance-5
Jvehent rework tomato42 curves tolerance 5, closes #46
2015-04-02 09:50:46 -04:00
Julien Vehent
4a6ff56b81 Add back support for old curve json format in parse results 2015-04-02 04:39:59 -04:00
Julien Vehent
a966574edc Fix curve fallback detection 2015-04-01 14:51:01 -04:00
Julien Vehent
b2a399617f Use new JSON format in parse_results 2015-04-01 14:50:49 -04:00
Julien Vehent
4d7e1cb05a Re-add curve fallback detection 2015-04-01 12:50:01 -04:00
Julien Vehent
04314bffdc Updated openssl linux amd64 binary 2015-04-01 11:18:41 -04:00
Julien Vehent
c90e5c59d7 Improve output of curves 2015-04-01 11:18:31 -04:00
Julien Vehent
cc014f085d test curve for each ECDH cipher, change PFS output to use curve name 2015-03-27 19:03:27 -04:00
Hubert Kario
224227cc5e force at least TLSv1.0 in curves tolerance test
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
2015-03-27 10:04:15 -04:00
Hubert Kario
c52e008347 add support for testing supported curves
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Julien Vehent
089f9e04c2 Merge pull request #50 from firstbanco/busybox_fix
Fix for busybox timeout binary
2015-03-26 12:58:48 -04:00
Julien Vehent
800eff19ce Merge branch 'master' of github.com:jvehent/cipherscan 2015-03-19 13:52:38 -04:00
Julien Vehent
7bf35cb02a rebuild openssl binaries with better config flags 2015-03-19 13:52:18 -04:00
Julien Vehent
3ff415a338 Merge pull request #53 from tomato42/how-to-compile-2
How to compile OpenSSL with all testing features
2015-03-19 12:32:21 -04:00
Hubert Kario
2f0f906dbf how to compile the openssl with all features 2015-03-19 17:25:47 +01:00
Julien Vehent
8b38f8fad9 Merge branch 'master' of github.com:jvehent/cipherscan 2015-03-19 11:30:46 -04:00
Julien Vehent
aee4d8f109 Update openssl binary to 1.0.2a 2015-03-19 11:30:07 -04:00
Samuel Kleiner
6db82374b4 Fix for busybox timeout binary 2015-03-13 11:58:23 +00:00
Julien Vehent
606d7626db Merge pull request #44 from genodeftest/patch-1
fix: ignore case in bash version string
2015-01-26 11:10:55 -05:00
Julien Vehent
3e4b86eedd Merge pull request #47 from ScriptFanix/master
fix silent TypeError on sigalg md5WithRSAEncryption
2015-01-26 11:09:54 -05:00
Julien Vehent
3915164430 Use custom darwin openssl bin in analyze.py 2015-01-18 12:26:59 -05:00
Christian Stadelmann
9ecc3f7164 New bash version info test using $BASH_VERSINFO 2015-01-12 16:46:18 +01:00
Vincent Riquer
d1a8604a2a fix silent TypeError on sigalg md5WithRSAEncryption
conn['sigalg'] is an array, logging.debug(conn['sigalg']) caused silent failure
2015-01-10 03:51:26 +01:00
Christian Stadelmann
54ec2aca99 fix: ignore case in bash version string
Currently on some systems `bash --version` reports `GNU bash, Version 4[…]` which will fail the test.
2015-01-02 22:47:28 +01:00
Julien Vehent
a90fc8bc58 Merge pull request #43 from ScriptFanix/master
don't expect openssl to be in cwd
2014-12-30 15:36:11 -05:00
Vincent Riquer
b457951f5f don't expect openssl to be in cwd 2014-12-26 09:49:52 +01:00
Julien Vehent
ac15fc738d Update README.md 2014-12-25 13:50:10 -05:00
Julien Vehent
051f927fcd Merge branch 'master' of github.com:jvehent/cipherscan 2014-12-25 13:26:04 -05:00
Julien Vehent
904e311124 Fix OSX: require bash4, add openssl-darwin64 binary 2014-12-25 13:25:29 -05:00
Julien Vehent
b04cbc6b85 Merge pull request #42 from ScriptFanix/master
--nagios: run as a nagios plugin
2014-12-25 12:34:34 -05:00
Julien Vehent
4e74308c37 Merge pull request #41 from MikeDawg/master
Added usage print and exit if no options are given
2014-12-25 12:27:35 -05:00
Julien Vehent
008bd6af2b Merge pull request #38 from PeterMosmans/changeorder
Bugfix: correct flow when number of ciphers are loaded
2014-12-25 12:15:11 -05:00
Julien Vehent
726ef22552 Merge pull request #35 from PeterMosmans/openssl
Updated 64-bit OpenSSL binary (1.0.2 beta 4)
2014-12-25 12:11:01 -05:00
Julien Vehent
2d030775c4 Merge pull request #36 from PeterMosmans/symlinks
Make sure that custom openssl gets selected
2014-12-25 12:08:00 -05:00
Vincent Riquer
0e7996181a Don't expect scripts to be in working directory 2014-12-24 11:26:24 +01:00
Vincent Riquer
983f85d2d4 --nagios: run as a nagios plugin 2014-12-23 14:51:50 +01:00
Mike
c019ecd493 Added usage print and exit if no options are given 2014-12-17 13:06:06 -07:00
Peter Mosmans
81c1809463 corrected flow when number of ciphers was shown
First make sure that ${OPENSSLBIN} is correctly set
2014-11-22 18:36:24 +10:00
Peter Mosmans
558bf7c9e2 Make sure that custom openssl gets selected
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
Peter Mosmans
c71828dc09 Updated 64-bit OpenSSL binary (1.0.2 beta 4)
Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha

Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
2014-11-11 17:46:23 +11:00
Julien Vehent
818bf29b02 Merge pull request #33 from tomato42/cipherscan-fixes-3
Cipherscan fixes, speedups and saving of certificates (v3)
2014-11-05 12:36:33 -05:00
Hubert Kario
c4a8495a54 limit number of forks needed to speed up execution
bash has a built in regular expression processor, we can match
lines using =~

moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array

the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that

we also don't have to use $(echo $var) when assigning variables, $var
is enough

bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
Hubert Kario
9f06829486 make handling of self signed certs more robust
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
Hubert Kario
4c22d50f0c few less forks in the script
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
Hubert Kario
0f576c1fbc don't calculate sha sums for the certificates over and over
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
Hubert Kario
1eae0cc71b use CApath for certificates and store certificates (v2)
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
2014-11-05 18:13:39 +01:00