Commit Graph

339 Commits

Author SHA1 Message Date
Julien Vehent 008bd6af2b Merge pull request #38 from PeterMosmans/changeorder
Bugfix: correct flow when number of ciphers are loaded
2014-12-25 12:15:11 -05:00
Julien Vehent 726ef22552 Merge pull request #35 from PeterMosmans/openssl
Updated 64-bit OpenSSL binary (1.0.2 beta 4)
2014-12-25 12:11:01 -05:00
Julien Vehent 2d030775c4 Merge pull request #36 from PeterMosmans/symlinks
Make sure that custom openssl gets selected
2014-12-25 12:08:00 -05:00
Vincent Riquer 0e7996181a Don't expect scripts to be in working directory 2014-12-24 11:26:24 +01:00
Vincent Riquer 983f85d2d4 --nagios: run as a nagios plugin 2014-12-23 14:51:50 +01:00
Mike c019ecd493 Added usage print and exit if no options are given 2014-12-17 13:06:06 -07:00
Peter Mosmans 81c1809463 corrected flow when number of ciphers was shown
First make sure that ${OPENSSLBIN} is correctly set
2014-11-22 18:36:24 +10:00
Peter Mosmans 558bf7c9e2 Make sure that custom openssl gets selected
Symlinks are now resolved (when readlink -f is available)
2014-11-14 10:49:16 +11:00
Peter Mosmans c71828dc09 Updated 64-bit OpenSSL binary (1.0.2 beta 4)
Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha

Commands used:
./Configure linux-x86_64 no-shared zlib enable-gost enable-ec_nistp_64_gcc_128 enable-idea \
enable-md2 enable-rc5 enable-rfc3779 enable-ssl2 experimental-jpake
make depend
make
make report
2014-11-11 17:46:23 +11:00
Julien Vehent 818bf29b02 Merge pull request #33 from tomato42/cipherscan-fixes-3
Cipherscan fixes, speedups and saving of certificates (v3)
2014-11-05 12:36:33 -05:00
Hubert Kario c4a8495a54 limit number of forks needed to speed up execution
bash has a built in regular expression processor, we can match
lines using =~

moreover, stuff that will match while being inside parentheses is
later available in the BASH_REMATCH array

the IFS (Internal Field Separator) by default includes space, tab and
new line, as such we can use it to split longer lines to separate
words, just as awk '{print $1}' can, just need to put the value to
an array for that

we also don't have to use $(echo $var) when assigning variables, $var
is enough

bash has also built in substitution engine, so we can do ${var/,/ & }
to switch all commas to ampersands when using the variable
2014-11-05 18:14:30 +01:00
Hubert Kario 9f06829486 make handling of self signed certs more robust
openssl sometimes will print the filename, then the error, and finish
with OK, matching the colon and space prevents from considering such
certs to be valid
2014-11-05 18:13:39 +01:00
Hubert Kario 4c22d50f0c few less forks in the script
again, we can use arrays and a bit advanced awk syntax to reduce
the number of forks necessary to run the script
2014-11-05 18:13:39 +01:00
Hubert Kario 0f576c1fbc don't calculate sha sums for the certificates over and over
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
2014-11-05 18:13:39 +01:00
Hubert Kario 1eae0cc71b use CApath for certificates and store certificates (v2)
CApath is about 20% faster than CAfile so use it, also
save the received certificates from the servers for later analysis
(proper hostname checking, looking for certificates sharing private key,
etc.)

Use the mechanism from cipherscan to find location of ca cert bundle
2014-11-05 18:13:39 +01:00
Hubert Kario d9b718be12 clean up the extracted certificate
the certificate extracted in the above way will contain some junk
from openssl s_client output we don't want like verification status
we can remove it ro reduce disk usage for saved certificates
2014-11-05 18:13:39 +01:00
Hubert Kario 3e37517c96 add ability to also save leaf certificates and untrusted ones 2014-11-05 18:13:39 +01:00
Hubert Kario 826f7b5541 add caching of intermediate CA certificates 2014-11-05 18:13:39 +01:00
Hubert Kario 3b14cd914f no need to grep the input when we're using awk (v2)
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for

This version uses slightly different syntax that is compatible with old
awk
2014-11-05 18:13:39 +01:00
Julien Vehent dca3457d5a Merge pull request #28 from tomato42/certificate-stats
Certificate stats
2014-11-03 22:15:44 -05:00
Hubert Kario 5a6eaaac41 parse_CAs.c - implement error checking, remove magic numbers, compile fix 2014-10-30 23:37:43 +01:00
Hubert Kario aac3e9a9db parse_CAs.py - add few comments 2014-10-30 01:41:46 +01:00
Hubert Kario edab545f3e add Makefile for the C utility 2014-10-30 01:33:58 +01:00
Julien Vehent ebc6939299 Merge pull request #29 from tomato42/client-handshake-simulation
Client handshake simulation
2014-10-29 19:22:52 -04:00
Julien Vehent 334c3118e2 Merge pull request #30 from tomato42/timeouts
Fix delay option
2014-10-29 17:34:18 -04:00
Hubert Kario 11ce6187de small fixes for delay
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection

secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario 71ba3c88b0 increase timeout
when some servers notice a scan (because of frequent connections) they
delay further connections, increase the timeout to properly scan them
2014-10-28 13:17:20 +01:00
Hubert Kario 29c739faa9 count EDH-DES as PFS too in general stats 2014-10-25 16:23:41 +02:00
Hubert Kario af2e25ec89 fix EDH checking
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Julien Vehent d11d5e9f36 update old and intermediate ciphersuites 2014-10-18 08:31:53 -04:00
Julien Vehent a17cfe373e make 2048 DHE key optional in intermediate level 2014-10-18 08:20:00 -04:00
Julien Vehent ebf4f8bcc7 fix ECC size in fubar pfs analysis 2014-10-18 07:23:24 -04:00
Julien Vehent 244e9ca9f2 refactor pfs evaluation in separate function 2014-10-17 11:58:19 -04:00
Julien Vehent ddfaa6722d display target level compliance in text output 2014-10-17 11:58:05 -04:00
Julien Vehent 551255f8b4 detect fubar dh parameters 2014-10-17 11:20:25 -04:00
Julien Vehent a4f573195e update intermediate ciphersuite to accept 3des 2014-10-17 11:10:01 -04:00
Julien Vehent df0b5d8d3f fix wrong failure flag 2014-10-17 11:09:42 -04:00
Julien Vehent a11b594ab4 Fix dhparam size detection in inter and modern levels 2014-10-17 11:09:28 -04:00
Julien Vehent 28c6c2488b Accept sha384 and sha512 signatures as well as sha256 2014-10-17 11:08:32 -04:00
Julien Vehent 5b32afaa1f Add target to text output 2014-10-17 10:48:59 -04:00
Hubert Kario 76d791fcbe make cipher selection simulation generic
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario c82bc44558 report cipher ordering in scanning stats, use it to simulate handshakes
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario 42fa7d9ecb report what ciphers Firefox would select while connecting to server 2014-10-12 20:39:39 +02:00
Hubert Kario 1b4dcc4393 report ciphers causing incompatibility for Firefox
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario 142726c4fd count ECDH-RSA ciphers as ECDSA
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Hubert Kario ac18195b21 process-certificate-statistics.sh - the script HOWTO to turn results to CA stats 2014-10-12 20:38:25 +02:00
Hubert Kario 3cfd7b76cc collect statistics about found certificates 2014-10-12 20:38:25 +02:00
Hubert Kario 3699acfc2d helper application for finding cert chains
because neither M2crypto nor OpenSSL packages provide extensive
enough API to do certificate chain building, verification
and outputting of details, we have to pre-parse the data
with a C app that can access the full OpenSSL API.

I've also tried monkey patching the packages, but unfortunately
the result wasn't working reliably

The actual statistic collection (both about the chains and
specific certificates) will be done in a python script
2014-10-12 20:34:53 +02:00
Julien Vehent 26c7b0e0d7 fix target level verification check 2014-10-11 23:08:35 -04:00
Julien Vehent a749742ff3 make sha-256 cert an optional requirement to the intermediate level 2014-10-11 23:08:21 -04:00