2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-12-26 12:43:42 +01:00
Commit Graph

110 Commits

Author SHA1 Message Date
Peter Mosmans
558bf7c9e2 Make sure that custom openssl gets selected
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
Hubert Kario
c4a8495a54 limit number of forks needed to speed up execution
bash has a built in regular expression processor, we can match
lines using =~

moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array

the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that

we also don't have to use $(echo $var) when assigning variables, $var
is enough

bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
Hubert Kario
9f06829486 make handling of self signed certs more robust
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
Hubert Kario
4c22d50f0c few less forks in the script
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
Hubert Kario
0f576c1fbc don't calculate sha sums for the certificates over and over
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
Hubert Kario
d9b718be12 clean up the extracted certificate
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-11-05 18:13:39 +01:00
Hubert Kario
3e37517c96 add ability to also save leaf certificates and untrusted ones 2014-11-05 18:13:39 +01:00
Hubert Kario
826f7b5541 add caching of intermediate CA certificates 2014-11-05 18:13:39 +01:00
Hubert Kario
3b14cd914f no need to grep the input when we're using awk (v2)
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for

This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
Hubert Kario
11ce6187de small fixes for delay
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
71ba3c88b0 increase timeout
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
Julien Vehent
5b32afaa1f Add target to text output 2014-10-17 10:48:59 -04:00
Julien Vehent
37f04054f8 fix json date to use UTC 2014-10-10 18:16:22 -04:00
Julien Vehent
b80b5cdd35 hide errors when json format is used 2014-10-10 17:27:58 -04:00
Julien Vehent
278dab4800 Fix json date argument to be compatible on macos 2014-10-10 17:27:29 -04:00
Julien Vehent
f6f4fe8b86 Find timeout binary on linux and mac 2014-10-10 17:19:44 -04:00
Julien Vehent
c7c91ff5f8 updated authors 2014-10-10 16:56:06 -04:00
Julien Vehent
d5685da796 check that provided openssl is executable, fall back to system one if not 2014-10-10 16:56:00 -04:00
Julien Vehent
26aa8f9408 cleanups 2014-10-10 16:55:34 -04:00
Julien Vehent
7d2c8b4cad Use local ca bundle if none is found on the system, fixes issues with MacOS 2014-10-10 16:55:09 -04:00
Julien Vehent
2858ef8116 Revert "no need to grep the input when we're using awk"
This reverts commit 4c05897be2.
2014-10-08 21:53:22 -04:00
Hubert Kario
ca0ef2fc5c fixes for the pull request #18
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
4c05897be2 no need to grep the input when we're using awk
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df add support for CApath
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Julien Vehent
ded65c40df Merge pull request #22 from simondeziel/sdeziel
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc Merge pull request #18 from tomato42/wip
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Aaron Zauner
efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Phil Cohen
5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario
ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Hubert Kario
4e94d95bd8 ask for OCSP stapling by default
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario
c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e put ECDSA ciphers before RSA ciphers
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381 add support for archlinux
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
dca614d218 use proper quit semantic for openssl s_client
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Hubert Kario
d7b99f125e restore timeout
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Hubert Kario
4e0e03b61e make default output more narrow
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
f04567d40e check if certificate used by server is trused
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac Report the signature type used on server certificate
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59 report key size used in server's certificate
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner
45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00
Pepi Zawodsky
0282ae9209 Added simple debug function 2014-02-08 18:37:30 +01:00
Pepi Zawodsky
490c86c43e Changed grep invocation to prevent strange grep versions to balk on -E 2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376 Fixed variable renaming. 2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3 Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. 2014-02-06 23:26:19 +01:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example 2014-02-02 15:41:16 +01:00
Julien Vehent
5df0fe3d52 Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe OpenSSL binary location fix 2014-01-09 11:52:43 -05:00
Simon Deziel
93ee5e3f33 Cleanup old temp files when a connection failed 2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c Rename CiphersScan to cipherscan 2013-12-09 11:01:30 -05:00