Peter Mosmans
558bf7c9e2
Make sure that custom openssl gets selected
...
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
Hubert Kario
c4a8495a54
limit number of forks needed to speed up execution
...
bash has a built in regular expression processor, we can match
lines using =~
moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array
the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that
we also don't have to use $(echo $var) when assigning variables, $var
is enough
bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
Hubert Kario
9f06829486
make handling of self signed certs more robust
...
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
Hubert Kario
4c22d50f0c
few less forks in the script
...
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
Hubert Kario
0f576c1fbc
don't calculate sha sums for the certificates over and over
...
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
Hubert Kario
d9b718be12
clean up the extracted certificate
...
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-11-05 18:13:39 +01:00
Hubert Kario
3e37517c96
add ability to also save leaf certificates and untrusted ones
2014-11-05 18:13:39 +01:00
Hubert Kario
826f7b5541
add caching of intermediate CA certificates
2014-11-05 18:13:39 +01:00
Hubert Kario
3b14cd914f
no need to grep the input when we're using awk (v2)
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
Hubert Kario
11ce6187de
small fixes for delay
...
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
71ba3c88b0
increase timeout
...
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
Julien Vehent
5b32afaa1f
Add target to text output
2014-10-17 10:48:59 -04:00
Julien Vehent
37f04054f8
fix json date to use UTC
2014-10-10 18:16:22 -04:00
Julien Vehent
b80b5cdd35
hide errors when json format is used
2014-10-10 17:27:58 -04:00
Julien Vehent
278dab4800
Fix json date argument to be compatible on macos
2014-10-10 17:27:29 -04:00
Julien Vehent
f6f4fe8b86
Find timeout binary on linux and mac
2014-10-10 17:19:44 -04:00
Julien Vehent
c7c91ff5f8
updated authors
2014-10-10 16:56:06 -04:00
Julien Vehent
d5685da796
check that provided openssl is executable, fall back to system one if not
2014-10-10 16:56:00 -04:00
Julien Vehent
26aa8f9408
cleanups
2014-10-10 16:55:34 -04:00
Julien Vehent
7d2c8b4cad
Use local ca bundle if none is found on the system, fixes issues with MacOS
2014-10-10 16:55:09 -04:00
Julien Vehent
2858ef8116
Revert "no need to grep the input when we're using awk"
...
This reverts commit 4c05897be2
.
2014-10-08 21:53:22 -04:00
Hubert Kario
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
4c05897be2
no need to grep the input when we're using awk
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac
add some comments, group related code
2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df
add support for CApath
...
capath for relatively small cert sets (~300) makes scanning about 5%
faster
also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e
report if server uses client side or server side cipher ordering
2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e
openssl in -ssl2 mode doesn't tolerate -servername option
...
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.
Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d
add missing ocsp_staple header
2014-10-06 13:20:49 -04:00
Julien Vehent
ded65c40df
Merge pull request #22 from simondeziel/sdeziel
...
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7
Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
...
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Aaron Zauner
efd84cdb24
add real execution tracing to debug
2014-07-17 18:08:29 +02:00
Phil Cohen
5ae2132f23
minor typo fix
2014-06-25 16:28:48 -07:00
Hubert Kario
ee81927200
fix cipherscan human-readable output - pfs_keysize option
2014-05-30 11:49:44 +02:00
Hubert Kario
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
c48c012771
use the same openssl for all tasks
2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e
put ECDSA ciphers before RSA ciphers
...
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381
add support for archlinux
...
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
dca614d218
use proper quit semantic for openssl s_client
...
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Hubert Kario
d7b99f125e
restore timeout
...
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Hubert Kario
4e0e03b61e
make default output more narrow
...
If server uses the same certificate for all connections, it's
useless to print the same information over and over.
In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
f04567d40e
check if certificate used by server is trused
...
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac
Report the signature type used on server certificate
...
Parse the certificate used by server and report the signature used:
prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ecdsa-with-SHA512 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
4 AECDH-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None ECDH,P-256,256bits
5 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
6 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59
report key size used in server's certificate
...
Extend the report to show also server certificate key size:
prio ciphersuite protocols pubkey_size pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
4 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
5 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
ac3e5f4d62
Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
...
Previously scan would report:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
Now it correctly reports:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers
2014-04-04 20:46:40 -04:00
Michael Zeltner
45f0f3305d
Merge branch 'master' of https://github.com/MacLemon/cipherscan
2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508
Verbose and Debug output go to stderr now. Added simple --delay function.
2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo
2014-02-14 20:44:15 +01:00
Pepi Zawodsky
0282ae9209
Added simple debug function
2014-02-08 18:37:30 +01:00
Pepi Zawodsky
490c86c43e
Changed grep invocation to prevent strange grep versions to balk on -E
2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
...
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376
Fixed variable renaming.
2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3
Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X.
2014-02-06 23:26:19 +01:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example
2014-02-02 15:41:16 +01:00
Julien Vehent
5df0fe3d52
Merge branch 'master' of github.com:jvehent/cipherscan
2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe
OpenSSL binary location fix
2014-01-09 11:52:43 -05:00
Simon Deziel
93ee5e3f33
Cleanup old temp files when a connection failed
2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c
Rename CiphersScan to cipherscan
2013-12-09 11:01:30 -05:00