2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-12-27 05:03:42 +01:00
Commit Graph

75 Commits

Author SHA1 Message Date
Julien Vehent
1a26e09c7b Merge pull request #54 from jvehent/jvehent-rework-tomato42-curves-tolerance-5
Jvehent rework tomato42 curves tolerance 5, closes #46
2015-04-02 09:50:46 -04:00
Julien Vehent
a966574edc Fix curve fallback detection 2015-04-01 14:51:01 -04:00
Julien Vehent
4d7e1cb05a Re-add curve fallback detection 2015-04-01 12:50:01 -04:00
Julien Vehent
c90e5c59d7 Improve output of curves 2015-04-01 11:18:31 -04:00
Julien Vehent
cc014f085d test curve for each ECDH cipher, change PFS output to use curve name 2015-03-27 19:03:27 -04:00
Hubert Kario
224227cc5e force at least TLSv1.0 in curves tolerance test
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
2015-03-27 10:04:15 -04:00
Hubert Kario
c52e008347 add support for testing supported curves
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported

use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
Samuel Kleiner
6db82374b4 Fix for busybox timeout binary 2015-03-13 11:58:23 +00:00
Christian Stadelmann
9ecc3f7164 New bash version info test using $BASH_VERSINFO 2015-01-12 16:46:18 +01:00
Christian Stadelmann
54ec2aca99 fix: ignore case in bash version string
Currently on some systems `bash --version` reports `GNU bash, Version 4[…]` which will fail the test.
2015-01-02 22:47:28 +01:00
Julien Vehent
904e311124 Fix OSX: require bash4, add openssl-darwin64 binary 2014-12-25 13:25:29 -05:00
Julien Vehent
4e74308c37 Merge pull request #41 from MikeDawg/master
Added usage print and exit if no options are given
2014-12-25 12:27:35 -05:00
Julien Vehent
008bd6af2b Merge pull request #38 from PeterMosmans/changeorder
Bugfix: correct flow when number of ciphers are loaded
2014-12-25 12:15:11 -05:00
Mike
c019ecd493 Added usage print and exit if no options are given 2014-12-17 13:06:06 -07:00
Peter Mosmans
81c1809463 corrected flow when number of ciphers was shown
First make sure that ${OPENSSLBIN} is correctly set
2014-11-22 18:36:24 +10:00
Peter Mosmans
558bf7c9e2 Make sure that custom openssl gets selected
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
Hubert Kario
c4a8495a54 limit number of forks needed to speed up execution
bash has a built in regular expression processor, we can match
lines using =~

moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array

the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that

we also don't have to use $(echo $var) when assigning variables, $var
is enough

bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
Hubert Kario
9f06829486 make handling of self signed certs more robust
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
Hubert Kario
4c22d50f0c few less forks in the script
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
Hubert Kario
0f576c1fbc don't calculate sha sums for the certificates over and over
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
Hubert Kario
d9b718be12 clean up the extracted certificate
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-11-05 18:13:39 +01:00
Hubert Kario
3e37517c96 add ability to also save leaf certificates and untrusted ones 2014-11-05 18:13:39 +01:00
Hubert Kario
826f7b5541 add caching of intermediate CA certificates 2014-11-05 18:13:39 +01:00
Hubert Kario
3b14cd914f no need to grep the input when we're using awk (v2)
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for

This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
Hubert Kario
11ce6187de small fixes for delay
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
71ba3c88b0 increase timeout
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
Julien Vehent
5b32afaa1f Add target to text output 2014-10-17 10:48:59 -04:00
Julien Vehent
37f04054f8 fix json date to use UTC 2014-10-10 18:16:22 -04:00
Julien Vehent
b80b5cdd35 hide errors when json format is used 2014-10-10 17:27:58 -04:00
Julien Vehent
278dab4800 Fix json date argument to be compatible on macos 2014-10-10 17:27:29 -04:00
Julien Vehent
f6f4fe8b86 Find timeout binary on linux and mac 2014-10-10 17:19:44 -04:00
Julien Vehent
c7c91ff5f8 updated authors 2014-10-10 16:56:06 -04:00
Julien Vehent
d5685da796 check that provided openssl is executable, fall back to system one if not 2014-10-10 16:56:00 -04:00
Julien Vehent
26aa8f9408 cleanups 2014-10-10 16:55:34 -04:00
Julien Vehent
7d2c8b4cad Use local ca bundle if none is found on the system, fixes issues with MacOS 2014-10-10 16:55:09 -04:00
Julien Vehent
2858ef8116 Revert "no need to grep the input when we're using awk"
This reverts commit 4c05897be2.
2014-10-08 21:53:22 -04:00
Hubert Kario
ca0ef2fc5c fixes for the pull request #18
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
4c05897be2 no need to grep the input when we're using awk
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df add support for CApath
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Julien Vehent
ded65c40df Merge pull request #22 from simondeziel/sdeziel
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc Merge pull request #18 from tomato42/wip
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Aaron Zauner
efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Phil Cohen
5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario
ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Hubert Kario
4e94d95bd8 ask for OCSP stapling by default
for now, no option to disable
2014-05-16 17:31:44 +02:00