Hubert Kario
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
4c05897be2
no need to grep the input when we're using awk
...
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac
add some comments, group related code
2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df
add support for CApath
...
capath for relatively small cert sets (~300) makes scanning about 5%
faster
also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e
report if server uses client side or server side cipher ordering
2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e
openssl in -ssl2 mode doesn't tolerate -servername option
...
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.
Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d
add missing ocsp_staple header
2014-10-06 13:20:49 -04:00
Julien Vehent
ded65c40df
Merge pull request #22 from simondeziel/sdeziel
...
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7
Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
...
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Aaron Zauner
efd84cdb24
add real execution tracing to debug
2014-07-17 18:08:29 +02:00
Phil Cohen
5ae2132f23
minor typo fix
2014-06-25 16:28:48 -07:00
Hubert Kario
ee81927200
fix cipherscan human-readable output - pfs_keysize option
2014-05-30 11:49:44 +02:00
Hubert Kario
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
c48c012771
use the same openssl for all tasks
2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e
put ECDSA ciphers before RSA ciphers
...
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381
add support for archlinux
...
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
dca614d218
use proper quit semantic for openssl s_client
...
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Hubert Kario
d7b99f125e
restore timeout
...
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Hubert Kario
4e0e03b61e
make default output more narrow
...
If server uses the same certificate for all connections, it's
useless to print the same information over and over.
In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
f04567d40e
check if certificate used by server is trused
...
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac
Report the signature type used on server certificate
...
Parse the certificate used by server and report the signature used:
prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ecdsa-with-SHA512 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
4 AECDH-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None ECDH,P-256,256bits
5 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption
6 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59
report key size used in server's certificate
...
Extend the report to show also server certificate key size:
prio ciphersuite protocols pubkey_size pfs_keysize
1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 ECDH,P-256,256bits
2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ECDH,P-256,256bits
3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
4 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048
5 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
ac3e5f4d62
Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
...
Previously scan would report:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
Now it correctly reports:
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers
2014-04-04 20:46:40 -04:00
Michael Zeltner
45f0f3305d
Merge branch 'master' of https://github.com/MacLemon/cipherscan
2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508
Verbose and Debug output go to stderr now. Added simple --delay function.
2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo
2014-02-14 20:44:15 +01:00
Pepi Zawodsky
0282ae9209
Added simple debug function
2014-02-08 18:37:30 +01:00
Pepi Zawodsky
490c86c43e
Changed grep invocation to prevent strange grep versions to balk on -E
2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
...
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376
Fixed variable renaming.
2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3
Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X.
2014-02-06 23:26:19 +01:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example
2014-02-02 15:41:16 +01:00
Julien Vehent
5df0fe3d52
Merge branch 'master' of github.com:jvehent/cipherscan
2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe
OpenSSL binary location fix
2014-01-09 11:52:43 -05:00
Simon Deziel
93ee5e3f33
Cleanup old temp files when a connection failed
2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c
Rename CiphersScan to cipherscan
2013-12-09 11:01:30 -05:00