Commit Graph

358 Commits

Author SHA1 Message Date
Hubert Kario 985e26c71a add README for the top1m folder
since the top-1m.csv.zip is not static, tell the users where it
can be found

also add a generic explanation about files in the folder
2016-07-20 20:16:39 +02:00
Julien Vehent [:ulfr] 5d930c2d32 Merge pull request #117 from adamcrosby/master
Fallback to local JSON if urllib fails to retrieve updated list
2016-02-29 08:58:05 -05:00
Adam Crosby 34f92a6838 Added adamcrosby to contributors list 2016-02-29 08:23:14 -05:00
Adam Crosby 55cdb74ff7 Added fallback to use local json recommendations file if urllib fails to connect (including SNI errors), fixes issue #116 2016-02-29 08:21:04 -05:00
Julien Vehent 9f0226e00b analyze.py: update example of json input 2016-02-24 10:52:18 -05:00
Julien Vehent 639bc45bf7 analyze.py refactoring to use online recommendations 2016-02-24 10:48:28 -05:00
Julien Vehent 18b0d1b952 Update linux openssl binary 2015-12-17 15:06:10 -05:00
Julien Vehent 6d2b850679 Merge pull request #105 from Emantor/intermediate-fix
Update analyze.py
2015-11-19 13:16:32 -05:00
Emantor 536ff90b86 ECDHE-ECDSA-DES-CBC3-SHA was missing too
Fix `ECDHE-ECDSA-DES-CBC3-SHA` as well.
2015-11-19 16:58:49 +01:00
Julien Vehent a9cfcc8376 Merge pull request #107 from tomato42/ecdsa-certs
properly detect ECDSA certs for size compare
2015-11-19 08:54:43 -05:00
Hubert Kario 4d77c87494 properly detect ECDSA certs for keysize compare
since ECDSA certificates during the transition are likely to be
signed using RSA keys, we need to check the cipher rather than the
signature in the certificate to tell if the cert is ECDSA and as such
can have small key sizes
2015-11-17 15:31:46 +01:00
Emantor e8ba5ab8fe Update analyze.py
Per https://mozilla.github.io/server-side-tls/ssl-config-generator/
The intermediate config supports 'ECDHE-RSA-DES-CBC3-SHA', add it to analyze.py
2015-11-17 09:01:52 +01:00
Julien Vehent 1e65be5fd5 Added copy of the MPL 2015-10-18 08:45:20 -04:00
Julien Vehent b03320887f Merge pull request #100 from tomato42/compress-and-renego-info
Add testing for renegotiation and compression
2015-10-17 09:10:08 -04:00
Julien Vehent 34d6ca62bd Merge pull request #104 from injcristianrojas/master
Untrusted certificate alert should be red
2015-09-23 15:16:23 -04:00
Cristián Rojas f717a556e5 Untrusted certificate alert should be red 2015-09-23 15:59:24 -03:00
Julien Vehent 29bdf5fdcb Merge pull request #103 from PeterMosmans/msys
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 12:53:17 -04:00
Peter Mosmans c00474805d Fallback to default openssl when supplied openssl can't be executed 2015-09-22 19:25:27 +10:00
Julien Vehent 5a10991008 Merge pull request #102 from floatingatoll/negative-nope
workaround bash 4.2- not having unset A[-1] support
2015-09-21 16:05:26 -04:00
Richard Soderberg c9412e395d workaround bash 4.2- not having unset A[-1] support 2015-09-21 12:51:18 -07:00
Hubert Kario aa093bc86d add openssl options to help message
add examples of useful openssl options
2015-09-21 16:51:16 +02:00
Hubert Kario 99a0b6be07 collect stats about compression and renegotiation
since no support for compression and support for renegotiation are
necessary for the server to have a secure configuration, collect
and report those two too
2015-09-21 16:44:45 +02:00
Julien Vehent 73b21d3977 Merge pull request #99 from tomato42/tolerance-report
fix printing of test data for intolerant servers
2015-09-21 10:33:10 -04:00
Hubert Kario dbce87cb1a fix printing of test data for intolerant servers
tls_tolerance is an array, so we need to use array syntax...

since if the server is tls version intolerant we will be printing
a lot of info, space it out from the certificate-related summary

ephemeral sigalgs are also printing a lot of information, so space
them from the TLS Tolerance test results
2015-09-21 16:18:37 +02:00
Julien Vehent 0011abcec7 readme update 2015-09-21 09:38:34 -04:00
Julien Vehent 4916e89087 remove unneeded echo 2015-09-21 09:31:03 -04:00
Julien Vehent ce91e221d1 Merge pull request #98 from tomato42/custom-openssl-fixes
fix custom openssl with GOST config incompatibility
2015-09-21 09:29:51 -04:00
Julien Vehent 035d8c0a19 Merge pull request #97 from tomato42/uri-handling
handle hostnames that are URIs
2015-09-21 09:29:03 -04:00
Julien Vehent 50ef7960f7 Merge pull request #96 from tomato42/ecdsa-keys
fix coloring of cert key sizes
2015-09-21 09:25:16 -04:00
Julien Vehent 4620627454 Merge pull request #65 from tomato42/tls12-kex
Tests for TLS1.2 PFS key exchanges
2015-09-21 09:23:18 -04:00
Hubert Kario 2ba7dc6dbf fix custom openssl with GOST config incompatibility
fixes two issues
 1). -help message is used from the openssl set with the -o option
 2). doesn't use GOST config unconditionally - verifies that it works
     first

based partially off of Greg Owen <gowen@swynwyr.com> work in #67

fixes #86
2015-09-19 20:02:15 +02:00
Hubert Kario 9cea1cdc67 handle hostnames that are URIs
fixes #83
2015-09-19 19:43:27 +02:00
Hubert Kario 8337fb7308 fix coloring of cert key sizes
a 2047 bit RSA certificate is just as secure as 2048 bit one (and
known good algorithms can very infrequently provide them when asked for
2048) so accept them too

DSA keys are bad in every case, so always red color them

ECDSA keys are OK above 256 bits
2015-09-19 19:22:40 +02:00
Hubert Kario 8f5b1eedc9 tests for ordering of sig algs in TLS 1.2 PFS kex 2015-09-19 18:47:01 +02:00
Hubert Kario 434b383f01 add test for TLSv1.2 PFS key exchange
since the signature and hash algorithm in TLSv1.2 is selectable by server
and negotiated using TLS extensions, we can check what sig algs
the server is willing to perform and whether it does honour client
selection

it also tests what happens if the client doesn't offer any sigalgs that
are necessary to use the ciphers selected by server
2015-09-19 18:47:01 +02:00
Julien Vehent 67c2a7cfe4 Merge pull request #95 from tomato42/auto-colour
autodetect if the colors should be used
2015-09-19 11:05:16 -04:00
Hubert Kario bb2d3223f8 autodetect if the colors should be used
check if the terminal output doesn't go to a pipe (less, file, etc.)
don't output colors by default then
2015-09-19 16:16:11 +02:00
Julien Vehent 0fe7013641 Fix colors 2015-09-19 08:38:57 -04:00
Julien Vehent 460f9cf1f6 Merge pull request #91 from floatingatoll/fix-1
revert unintended inclusion of sigalg skipping from 9ea1749f
2015-09-18 16:50:11 -04:00
Richard Soderberg e27f614f08 revert unintended inclusion of sigalg skipping from 9ea1749f 2015-09-18 13:40:05 -07:00
Julien Vehent 4ffd2de58d Merge pull request #90 from jvehent/snidefault
Enable Server Name Indication by default
2015-09-18 16:04:50 -04:00
Julien Vehent 8618d44371 Merge branch 'snidefault' of github.com:jvehent/cipherscan into snidefault 2015-09-18 16:00:39 -04:00
Julien Vehent 3131abb333 Add warning if target is not fqdn and SNI needs to be disabled 2015-09-18 15:58:31 -04:00
Julien Vehent 5284dda0fb Enable SNI by default only if target is a fqdn and -servername not supplied 2015-09-18 15:45:10 -04:00
Julien Vehent 72e2b4f6e9 Enable Server Name Indication by default 2015-09-18 15:45:08 -04:00
Julien Vehent 901e3cbdfc Merge pull request #89 from jvehent/output20150918
A few fixes to the terminal output
2015-09-18 15:42:26 -04:00
Julien Vehent 5526c58ffb Merge pull request #82 from floatingatoll/various_fixes
Various fixes
2015-09-18 15:41:44 -04:00
Richard Soderberg 179cbe8db1 refuse to permit --allciphers and --json together 2015-09-18 11:56:28 -07:00
Richard Soderberg 8f3341a165 openssl fallback and version warnings should go to STDERR 2015-09-18 11:53:18 -07:00
Julien Vehent f11a0e3594 Revert "When in JSON mode, run curve and tolerance tests"
This reverts commit 3dd0f58f4c.
2015-09-18 14:50:03 -04:00