2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 07:23:42 +01:00
Commit Graph

92 Commits

Author SHA1 Message Date
Hubert Kario
be0439ef99 provide statistics for all key exchange methods, not DHE and ECDHE only 2014-06-04 18:17:41 +02:00
Hubert Kario
3667b04ad7 correctly count broken cipher suites with "no reporting of untrusted" 2014-06-04 18:17:02 +02:00
Hubert Kario
86ff1122cc parse_results.py: don't count anonymous cipher suites toward correct config stats 2014-06-04 15:15:32 +02:00
Hubert Kario
ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Hubert Kario
2f56f0515e don't scan the same host twice 2014-05-16 18:16:45 +02:00
Hubert Kario
f1d3b51749 update the top 1M list to the version from 2014-05-16 2014-05-16 17:34:22 +02:00
Hubert Kario
4e94d95bd8 ask for OCSP stapling by default
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario
1a78172936 scan just one host per hostname 2014-05-16 16:11:01 +02:00
Hubert Kario
cdbf596466 properly handle pure IP adressess
(it's illegal to use IP in SNI)
2014-05-16 15:42:47 +02:00
Hubert Kario
5ef53dda9c increase paralelism of jobs
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
2014-05-13 13:41:16 +02:00
Hubert Kario
a213fc45d0 remove the folder/file part from url
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
2014-05-13 13:41:16 +02:00
Hubert Kario
00b20a20ed perform SNI enabled scan
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
2014-05-13 13:41:16 +02:00
Hubert Kario
c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e put ECDSA ciphers before RSA ciphers
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381 add support for archlinux
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
8817a7b1c8 testtop1m.sh: correct counting of background jobs
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
2014-05-13 13:41:16 +02:00
Julien Vehent
92851d7c74 Merge pull request #17 from tomato42/proper-quit
use proper quit semantic for openssl s_client
2014-05-12 13:36:46 -04:00
Hubert Kario
dca614d218 use proper quit semantic for openssl s_client
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Julien Vehent
5417dacda3 Merge pull request #16 from tomato42/restore-timeout
restore timeout
2014-05-09 08:32:36 -04:00
Hubert Kario
d7b99f125e restore timeout
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Julien Vehent
325329d1ad Merge pull request #15 from tomato42/reporting-improvements-03
Reporting improvements 03
2014-04-20 13:16:34 -04:00
Julien Vehent
ba4defb707 Merge pull request #14 from tomato42/scan-improvements-02
Improve scanning performance and reduce false negatives
2014-04-20 13:15:44 -04:00
Hubert Kario
686d7c958b extend reporting of RC4-related stats
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
2014-04-19 23:14:57 +02:00
Hubert Kario
21bba67df0 extend SSL stats
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
2014-04-19 23:14:57 +02:00
Hubert Kario
349d4ebc3c more detailed PFS report
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
2014-04-19 23:14:57 +02:00
Hubert Kario
d3b6f9b507 fix reporting of the TLS1.2 but not TLS1.1
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
2014-04-19 23:14:57 +02:00
Hubert Kario
c8abfb53e8 add support for Chacha20 based ciphers
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-19 23:14:57 +02:00
Hubert Kario
2b794ebfe0 fix and extend reporting of AES-GCM ciphers
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name

extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-19 23:14:57 +02:00
Hubert Kario
fd6fcdd359 fix spelling in TLS stats (TLS1_1 vs TLS1.1) 2014-04-19 23:14:57 +02:00
Hubert Kario
faef8d692f in "no-untrusted mode": filter out ADH and AECDH suites
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.

Don't collect statistics on servers that provide only untrusted
connections.
2014-04-19 23:14:47 +02:00
Hubert Kario
45dc1da3f6 add ability to ignore results from untrusted servers 2014-04-19 23:07:01 +02:00
Hubert Kario
ff620f5b26 report number of servers that use ECDSA and RSA certificates
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-19 23:07:00 +02:00
Hubert Kario
863441a179 parsing of signature algorithm and key size
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-19 23:07:00 +02:00
Hubert Kario
b6b9a1a364 Improve scanning performance and reduce false negatives
scan all the machines from top-1m.csv file, wait for completion
of all jobs

i=1 is an off-by-one-error

support top-1m.csv files with arbitrary number of sites

run scans for many hosts at a time, but don't run more than
specified amount

in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-19 22:56:41 +02:00
Julien Vehent
370348ba1b Updated README 2014-04-19 12:04:09 -04:00
Julien Vehent
f703ca9c26 Merge pull request #12 from tomato42/certificate-scanning-02
Certificate scanning 02 (alternative version)
2014-04-19 11:46:25 -04:00
Hubert Kario
4e0e03b61e make default output more narrow
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
9931ca2a2d update README with new examples
New features = new examples
2014-04-05 19:40:19 +02:00
Hubert Kario
f04567d40e check if certificate used by server is trused
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac Report the signature type used on server certificate
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59 report key size used in server's certificate
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
32eba4e644 update examples from README
since now the scan reports protocols correctly, update the example
to illustrate that
2014-04-05 18:47:37 +02:00
Hubert Kario
ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Julien Vehent
afcc92db02 Merge pull request #5 from mzeltner/master
Cleaned up options and documented custom OpenSSL build
2014-04-04 21:26:59 -04:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner
bf48cd2a3c
Documenting how to build OpenSSL with ChaCha20-Poly1305
Also updating README.md with new options by MacLemon
2014-04-01 14:29:55 -04:00
Michael Zeltner
45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00