Hubert Kario
b4291236bb
add collection of LoS for the cert paths found
2014-10-04 14:27:13 +02:00
Hubert Kario
68577f7918
collect statistics about found certificates
2014-10-04 14:27:13 +02:00
Hubert Kario
ab8b794557
few less forks in the script
...
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-10-04 14:27:13 +02:00
Hubert Kario
bcfe0dbae1
don't calculate sha sums for the certificates over and over
...
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-10-04 14:27:13 +02:00
Hubert Kario
ef4786f1d7
no need to grep the input when we're using awk
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-04 14:27:13 +02:00
Hubert Kario
caa534bfd7
don't retry protocols we know don't work
...
When connection is unsuccessful with a given protocol, don't try it again
since we probably exhausted the ciphers supported by the protocol
makes scanning about 10% faster
2014-10-04 14:27:13 +02:00
Hubert Kario
d2f112033d
clean up the extracted certificate
...
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-10-04 14:27:13 +02:00
Hubert Kario
2b959f601d
use CApath for certificates and store certificates
...
CApath is about 20% faster than CAfile so use it, also
save the recived certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)
2014-10-04 14:27:13 +02:00
Hubert Kario
431b453e43
add ability to also save leaf certificates and untrusted ones
2014-10-04 14:27:13 +02:00
Hubert Kario
56893f7b2f
add caching of intermediate CA certificates
2014-10-04 14:27:13 +02:00
Hubert Kario
aeffc87e05
add some comments, group related code
2014-10-04 14:24:30 +02:00
Hubert Kario
7f5743620b
add support for CApath
...
capath for relatively small cert sets (~300) makes scanning about 5%
faster
also do a little clean up of the command-to-run generation code
2014-10-04 14:24:30 +02:00
Hubert Kario
30d0839df6
report cipher ordering in scanning stats, use it to simulate handshakes
...
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-04 14:24:30 +02:00
Hubert Kario
ab66f04e53
report if server uses client side or server side cipher ordering
2014-10-04 14:24:30 +02:00
Hubert Kario
0ae9d76771
openssl in -ssl2 mode doesn't tolerate -servername option
...
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.
Remove this option when running the SSLv2 portion of the test.
2014-10-04 14:24:30 +02:00
Hubert Kario
5c4a8e8fd6
report what ciphers Firefox would select while connecting to server
2014-10-04 14:24:30 +02:00
Hubert Kario
8bcc9d3cf6
report ciphers causing incompatibility for Firefox
...
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-04 14:24:30 +02:00
Hubert Kario
4ffa061977
make the output shorter in case the server supports all protocol types
2014-10-04 14:01:53 +02:00
Hubert Kario
17bc04f71d
add missing ocsp_staple header
2014-10-04 14:01:53 +02:00
Hubert Kario
144e6ea2f7
sort reported TLS session ticket hint using natural sort
2014-10-04 14:01:53 +02:00
Hubert Kario
3bab715012
count ECDH-RSA ciphers as ECDSA
...
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-04 14:01:53 +02:00
Julien Vehent
ded65c40df
Merge pull request #22 from simondeziel/sdeziel
...
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7
Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
...
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Julien Vehent
273211f025
Merge pull request #21 from azet/master
...
add real execution tracing to debug
2014-07-17 12:29:42 -04:00
Aaron Zauner
efd84cdb24
add real execution tracing to debug
2014-07-17 18:08:29 +02:00
Julien Vehent
e345f6034d
Merge pull request #20 from PeterMosmans/binaries
...
Updated binary with latest 1.0.2-chacha build
2014-07-13 09:22:24 -04:00
Peter Mosmans
b65c13c7b9
Compiled for 64-bit-linux from the following source:
...
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
2014-07-13 20:56:17 +10:00
Peter Mosmans
26a24d0429
Updated binary with latest 1.0.2-chacha build
...
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
2014-07-12 10:15:00 +10:00
Julien Vehent
60a6a02c6f
Merge pull request #19 from phlipper/patch-1
...
minor typo fix
2014-06-25 19:37:53 -04:00
Phil Cohen
5ae2132f23
minor typo fix
2014-06-25 16:28:48 -07:00
Hubert Kario
7591062bbc
parse_results.py: compatibility with old results files
2014-06-04 18:52:39 +02:00
Hubert Kario
be0439ef99
provide statistics for all key exchange methods, not DHE and ECDHE only
2014-06-04 18:17:41 +02:00
Hubert Kario
3667b04ad7
correctly count broken cipher suites with "no reporting of untrusted"
2014-06-04 18:17:02 +02:00
Hubert Kario
86ff1122cc
parse_results.py: don't count anonymous cipher suites toward correct config stats
2014-06-04 15:15:32 +02:00
Hubert Kario
ee81927200
fix cipherscan human-readable output - pfs_keysize option
2014-05-30 11:49:44 +02:00
Julien Vehent
b69863c5c5
Merge branch 'master' of github.com:jvehent/cipherscan
2014-05-20 08:52:09 -04:00
Julien Vehent
50f4959e79
updated license on parse_results.py
2014-05-20 08:23:57 -04:00
Hubert Kario
2f56f0515e
don't scan the same host twice
2014-05-16 18:16:45 +02:00
Hubert Kario
f1d3b51749
update the top 1M list to the version from 2014-05-16
2014-05-16 17:34:22 +02:00
Hubert Kario
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
1a78172936
scan just one host per hostname
2014-05-16 16:11:01 +02:00
Hubert Kario
cdbf596466
properly handle pure IP adressess
...
(it's illegal to use IP in SNI)
2014-05-16 15:42:47 +02:00
Hubert Kario
5ef53dda9c
increase paralelism of jobs
...
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
2014-05-13 13:41:16 +02:00
Hubert Kario
a213fc45d0
remove the folder/file part from url
...
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
2014-05-13 13:41:16 +02:00
Hubert Kario
00b20a20ed
perform SNI enabled scan
...
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
2014-05-13 13:41:16 +02:00
Hubert Kario
c48c012771
use the same openssl for all tasks
2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e
put ECDSA ciphers before RSA ciphers
...
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381
add support for archlinux
...
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00