Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
c48c012771
use the same openssl for all tasks
2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e
put ECDSA ciphers before RSA ciphers
...
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more complete cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381
add support for archlinux
...
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
dca614d218
use proper quit semantic for openssl s_client
...
openssl s_client expects "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary:
the echo command prints a newline automatically. Additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Hubert Kario
d7b99f125e
restore timeout
...
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Hubert Kario
4e0e03b61e
make default output more narrow
...
If server uses the same certificate for all connections, it's
useless to print the same information over and over.
In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
f04567d40e
check if certificate used by server is trusted
...
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac
Report the signature type used on server certificate
...
Parse the certificate used by server and report the signature used:
prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59
report key size used in server's certificate
...
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
ac3e5f4d62
Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
...
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers
2014-04-04 20:46:40 -04:00
Michael Zeltner
45f0f3305d
Merge branch 'master' of https://github.com/MacLemon/cipherscan
2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508
Verbose and Debug output go to stderr now. Added simple --delay function.
2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo
2014-02-14 20:44:15 +01:00
Pepi Zawodsky
0282ae9209
Added simple debug function
2014-02-08 18:37:30 +01:00
Pepi Zawodsky
490c86c43e
Changed grep invocation to prevent strange grep versions from balking on -E
2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
...
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376
Fixed variable renaming.
2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3
Removed necessity for timeout, thanks to mzeltner. Better parameter parsing with short and long options. Can now pass a path to use any openssl. Now works on OS X.
2014-02-06 23:26:19 +01:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example
2014-02-02 15:41:16 +01:00
Julien Vehent
5df0fe3d52
Merge branch 'master' of github.com:jvehent/cipherscan
2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe
OpenSSL binary location fix
2014-01-09 11:52:43 -05:00
Simon Deziel
93ee5e3f33
Cleanup old temp files when a connection failed
2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c
Rename CiphersScan to cipherscan
2013-12-09 11:01:30 -05:00