LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-16 20:03:41 +01:00
Code Issues Releases Wiki Activity
116 Commits 5 Branches 0 Tags 35 MiB
c92c1f70ce
Commit Graph

116 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Olivier Paroz
c92c1f70ce Added a common location for the cert bundle on FreeBSD 2014-09-21 16:19:23 +02:00
Olivier Paroz
ad88f047e6 Style fix 2014-09-21 16:08:50 +02:00
Olivier Paroz
4bc2539f44 Local branch was out of sync... 2014-09-21 16:04:35 +02:00
Olivier Paroz
a76774f260 Merge pull request #2 from oparoz/patch-1 
removed Mozilla handle
 2014-09-21 16:03:29 +02:00
Olivier Paroz
54a54aa428 New option to enable SNI 
Simulates a SNI capable client
 2014-09-21 15:59:28 +02:00
Olivier Paroz
2d75e7dc4a removed Mozilla handle 2014-09-21 15:35:27 +02:00
Olivier Paroz
8f5eb93fd9 Merge pull request #1 from oparoz/patch-1 
Patch 1
 2014-09-16 02:12:18 +02:00
Olivier Paroz
3cc5001ebf SNI fix 
Without this fix you always get the first cert attached to an IP and not necessarily the cert attached to the domain you're trying to scan.

Could be made modular in order to simulate a client which doesn't support SNI...
 2014-09-16 02:05:01 +02:00
Olivier Paroz
9438d64762 OpenSSL 1.0.2 is not a requirement 
Back when egrep wasn't working, I tried to fix various things and 1.0.2 was allowing the script to go further without breaking. After having installed a more recent version of GNU grep, things were back to normal and 1.0.1 works fine
 2014-09-15 17:38:47 +02:00
Olivier Paroz
d3b2c48e13 FreeBSD + extra chacha20 repo 
I've found another repository which offers 1.0.2 with chacha20
I've added some extra instructions for FreeBSD users
 2014-09-15 17:31:06 +02:00
Olivier Paroz
0662fa61d8 FreeBSD compatible 
Detect the OS and use gtimeout from sysutils/coreutils
 2014-09-15 17:06:59 +02:00
Julien Vehent
ded65c40df Merge pull request #22 from simondeziel/sdeziel 
Use Debian's system-wide trust anchors when possible
 2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc Merge pull request #18 from tomato42/wip 
Hodgepodge of fixes
 2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS 
are available. On Debian, this is the default location for
system-wide trust anchors.
 2014-07-25 10:01:31 -04:00
Julien Vehent
273211f025 Merge pull request #21 from azet/master 
add real execution tracing to debug
 2014-07-17 12:29:42 -04:00
Aaron Zauner
efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Julien Vehent
e345f6034d Merge pull request #20 from PeterMosmans/binaries 
Updated binary with latest 1.0.2-chacha build
 2014-07-13 09:22:24 -04:00
Peter Mosmans
b65c13c7b9 Compiled for 64-bit-linux from the following source: 
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
 2014-07-13 20:56:17 +10:00
Peter Mosmans
26a24d0429 Updated binary with latest 1.0.2-chacha build 
Compiled for 64-bit linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
 2014-07-12 10:15:00 +10:00
Julien Vehent
60a6a02c6f Merge pull request #19 from phlipper/patch-1 
minor typo fix
 2014-06-25 19:37:53 -04:00
Phil Cohen
5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario
7591062bbc parse_results.py: compatibility with old results files 2014-06-04 18:52:39 +02:00
Hubert Kario
be0439ef99 provide statistics for all key exchange methods, not DHE and ECDHE only 2014-06-04 18:17:41 +02:00
Hubert Kario
3667b04ad7 correctly count broken cipher suites with "no reporting of untrusted" 2014-06-04 18:17:02 +02:00
Hubert Kario
86ff1122cc parse_results.py: don't count anonymous cipher suites toward correct config stats 2014-06-04 15:15:32 +02:00
Hubert Kario
ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Julien Vehent
b69863c5c5 Merge branch 'master' of github.com:jvehent/cipherscan 2014-05-20 08:52:09 -04:00
Julien Vehent
50f4959e79 updated license on parse_results.py 2014-05-20 08:23:57 -04:00
Hubert Kario
2f56f0515e don't scan the same host twice 2014-05-16 18:16:45 +02:00
Hubert Kario
f1d3b51749 update the top 1M list to the version from 2014-05-16 2014-05-16 17:34:22 +02:00
Hubert Kario
4e94d95bd8 ask for OCSP stapling by default 
for now, no option to disable
 2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario
1a78172936 scan just one host per hostname 2014-05-16 16:11:01 +02:00
Hubert Kario
cdbf596466 properly handle pure IP adressess 
(it's illegal to use IP in SNI)
 2014-05-16 15:42:47 +02:00
Hubert Kario
5ef53dda9c increase paralelism of jobs 
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
 2014-05-13 13:41:16 +02:00
Hubert Kario
a213fc45d0 remove the folder/file part from url 
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
 2014-05-13 13:41:16 +02:00
Hubert Kario
00b20a20ed perform SNI enabled scan 
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
 2014-05-13 13:41:16 +02:00
Hubert Kario
c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e put ECDSA ciphers before RSA ciphers 
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
 2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381 add support for archlinux 
archlinux has ca certificates in different place than Fedora
 2014-05-13 13:41:16 +02:00
Hubert Kario
8817a7b1c8 testtop1m.sh: correct counting of background jobs 
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
 2014-05-13 13:41:16 +02:00
Julien Vehent
92851d7c74 Merge pull request #17 from tomato42/proper-quit 
use proper quit semantic for openssl s_client
 2014-05-12 13:36:46 -04:00
Hubert Kario
dca614d218 use proper quit semantic for openssl s_client 
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
 2014-05-09 14:46:01 +02:00
Julien Vehent
5417dacda3 Merge pull request #16 from tomato42/restore-timeout 
restore timeout
 2014-05-09 08:32:36 -04:00
Hubert Kario
d7b99f125e restore timeout 
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
 2014-05-09 12:00:53 +02:00
Julien Vehent
325329d1ad Merge pull request #15 from tomato42/reporting-improvements-03 
Reporting improvements 03
 2014-04-20 13:16:34 -04:00
Julien Vehent
ba4defb707 Merge pull request #14 from tomato42/scan-improvements-02 
Improve scanning performance and reduce false negatives
 2014-04-20 13:15:44 -04:00
Hubert Kario
686d7c958b extend reporting of RC4-related stats 
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
 2014-04-19 23:14:57 +02:00
Hubert Kario
21bba67df0 extend SSL stats 
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
 2014-04-19 23:14:57 +02:00
Hubert Kario
349d4ebc3c more detailed PFS report 
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
 2014-04-19 23:14:57 +02:00