2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 07:23:42 +01:00
Commit Graph

395 Commits

Author SHA1 Message Date
Hubert Kario
5f5487307d Interpret some intolerance test results 2015-07-16 16:15:39 +02:00
Hubert Kario
5c98fe2107 do a scan with -no_tlsext openssl if possible 2015-07-16 16:15:39 +02:00
Hubert Kario
a71bfe5ebd detect some TLS intolerancies
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them

among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
2015-07-16 16:15:39 +02:00
Julien Vehent
0ab0575274 Merge pull request #58 from tomato42/fallback-scan
Fallback scan
2015-07-15 10:21:47 -04:00
Julien Vehent
0119b9c115 Merge pull request #59 from tomato42/parsing-fixes
Fixes for results parsing
2015-06-10 07:33:17 +02:00
Julien Vehent
90ed0bbb3e Merge pull request #62 from tomato42/python3
Python 3 compatibility
2015-06-10 07:00:21 +02:00
Julien Vehent
19983c0c2b Merge pull request #61 from tomato42/gost-support
GOST support
2015-06-10 06:39:37 +02:00
Hubert Kario
86bc8e8574 fix is_fubar key size check 2015-05-30 19:48:56 +02:00
Hubert Kario
a53a91695e make scripts python 3 compatible 2015-05-30 15:46:26 +02:00
Hubert Kario
8ea6b57f9d cipherscan - capture whole Signature Algorithm line
the GOST certificates have a signature algorithm name with spaces
2015-05-30 14:58:23 +02:00
Hubert Kario
d151705218 parse_results.py - GOST support 2015-05-30 14:58:23 +02:00
Hubert Kario
596692a18e add support for GOST cipher scanning 2015-05-30 14:58:23 +02:00
Hubert Kario
d8ebaf2d9f report summary for clients for RC4 Preferred too 2015-05-30 00:01:32 +02:00
Hubert Kario
c55d8166c5 don't limit client specific RC4 Only to servers with multiple ciphers 2015-05-30 00:01:32 +02:00
Hubert Kario
37f1d15af1 count SSLv2 IDEA as insecure 2015-05-30 00:01:32 +02:00
Hubert Kario
b673fb976a separate AES-CBC from AES-GCM 2015-05-30 00:01:32 +02:00
Hubert Kario
d773b73e45 don't divide by zero on empty results folder 2015-05-30 00:01:32 +02:00
Hubert Kario
b9b3a221ce add Firefox 35 cipher settings 2015-05-30 00:01:32 +02:00
Hubert Kario
82f643244e don't count export grade ciphers towards PFS 2015-05-30 00:01:32 +02:00
Hubert Kario
1b360153a0 sum servers that support SSL3 or TLS1 as the highest protocol 2015-05-30 00:01:32 +02:00
Hubert Kario
341f657e83 better detection for EXP and low grade ciphers in stats
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
2015-05-30 00:01:32 +02:00
Hubert Kario
8bde9c4d03 do fallback scan in case of problems
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
2015-05-29 23:50:07 +02:00
Julien Vehent
3bc8dc5583 one big readme update 2015-04-03 10:59:22 -04:00
Julien Vehent
d4441cf2bc update sample output in readme to show curves 2015-04-03 10:42:07 -04:00
Julien Vehent
02d555bf9d update openssl binary for darwin 2015-04-03 10:41:41 -04:00
Julien Vehent
1a26e09c7b Merge pull request #54 from jvehent/jvehent-rework-tomato42-curves-tolerance-5
Jvehent rework tomato42 curves tolerance 5, closes #46
2015-04-02 09:50:46 -04:00
Julien Vehent
4a6ff56b81 Add back support for old curve json format in parse results 2015-04-02 04:39:59 -04:00
Julien Vehent
a966574edc Fix curve fallback detection 2015-04-01 14:51:01 -04:00
Julien Vehent
b2a399617f Use new JSON format in parse_results 2015-04-01 14:50:49 -04:00
Julien Vehent
4d7e1cb05a Re-add curve fallback detection 2015-04-01 12:50:01 -04:00
Julien Vehent
04314bffdc Updated openssl linux amd64 binary 2015-04-01 11:18:41 -04:00
Julien Vehent
c90e5c59d7 Improve output of curves 2015-04-01 11:18:31 -04:00
Julien Vehent
cc014f085d test curve for each ECDH cipher, change PFS output to use curve name 2015-03-27 19:03:27 -04:00
Hubert Kario
224227cc5e force at least TLSv1.0 in curves tolerance test
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
2015-03-27 10:04:15 -04:00
Hubert Kario
c52e008347 add support for testing supported curves
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Julien Vehent
089f9e04c2 Merge pull request #50 from firstbanco/busybox_fix
Fix for busybox timeout binary
2015-03-26 12:58:48 -04:00
Julien Vehent
800eff19ce Merge branch 'master' of github.com:jvehent/cipherscan 2015-03-19 13:52:38 -04:00
Julien Vehent
7bf35cb02a rebuild openssl binaries with better config flags 2015-03-19 13:52:18 -04:00
Julien Vehent
3ff415a338 Merge pull request #53 from tomato42/how-to-compile-2
How to compile OpenSSL with all testing features
2015-03-19 12:32:21 -04:00
Hubert Kario
2f0f906dbf how to compile the openssl with all features 2015-03-19 17:25:47 +01:00
Julien Vehent
8b38f8fad9 Merge branch 'master' of github.com:jvehent/cipherscan 2015-03-19 11:30:46 -04:00
Julien Vehent
aee4d8f109 Update openssl binary to 1.0.2a 2015-03-19 11:30:07 -04:00
Samuel Kleiner
6db82374b4 Fix for busybox timeout binary 2015-03-13 11:58:23 +00:00
Julien Vehent
606d7626db Merge pull request #44 from genodeftest/patch-1
fix: ignore case in bash version string
2015-01-26 11:10:55 -05:00
Julien Vehent
3e4b86eedd Merge pull request #47 from ScriptFanix/master
fix silent TypeError on sigalg md5WithRSAEncryption
2015-01-26 11:09:54 -05:00
Julien Vehent
3915164430 Use custom darwin openssl bin in analyze.py 2015-01-18 12:26:59 -05:00
Christian Stadelmann
9ecc3f7164 New bash version info test using $BASH_VERSINFO 2015-01-12 16:46:18 +01:00
Vincent Riquer
d1a8604a2a fix silent TypeError on sigalg md5WithRSAEncryption
conn['sigalg'] is an array, logging.debug(conn['sigalg']) caused silent failure
2015-01-10 03:51:26 +01:00
Christian Stadelmann
54ec2aca99 fix: ignore case in bash version string
Currently on some systems `bash --version` reports `GNU bash, Version 4[…]` which will fail the test.
2015-01-02 22:47:28 +01:00
Julien Vehent
a90fc8bc58 Merge pull request #43 from ScriptFanix/master
don't expect openssl to be in cwd
2014-12-30 15:36:11 -05:00