LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity
114 Commits 5 Branches 0 Tags 35 MiB
Commit Graph

39 Commits

Author SHA1 Message Date
Hubert Kario ca0ef2fc5c fixes for the pull request #18 
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
 2014-10-06 13:26:53 -04:00
Hubert Kario 4c05897be2 no need to grep the input when we're using awk 
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
 2014-10-06 13:24:39 -04:00
Hubert Kario fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario 77671137df add support for CApath 
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
 2014-10-06 13:22:15 -04:00
Hubert Kario 189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option 
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
 2014-10-06 13:21:16 -04:00
Hubert Kario 3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Julien Vehent ded65c40df Merge pull request #22 from simondeziel/sdeziel 
Use Debian's system-wide trust anchors when possible
 2014-08-28 16:02:36 -04:00
Julien Vehent ecd77f94fc Merge pull request #18 from tomato42/wip 
Hodgepodge of fixes
 2014-08-28 16:02:19 -04:00
Simon Deziel 7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS 
are available. On Debian, this is the default location for
system-wide trust anchors.
 2014-07-25 10:01:31 -04:00
Aaron Zauner efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Phil Cohen 5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Hubert Kario 4e94d95bd8 ask for OCSP stapling by default 
for now, no option to disable
 2014-05-16 17:31:44 +02:00
Hubert Kario 0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario 5dfa3c444e put ECDSA ciphers before RSA ciphers 
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
 2014-05-13 13:41:16 +02:00
Hubert Kario a0cb766381 add support for archlinux 
archlinux has ca certificates in different place than Fedora
 2014-05-13 13:41:16 +02:00
Hubert Kario dca614d218 use proper quit semantic for openssl s_client 
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
 2014-05-09 14:46:01 +02:00
Hubert Kario d7b99f125e restore `timeout` 
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
 2014-05-09 12:00:53 +02:00
Hubert Kario 4e0e03b61e make default output more narrow 
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
 2014-04-06 18:01:13 +02:00
Hubert Kario f04567d40e check if certificate used by server is trused 
Use system trust anchors to check if certificate chain used by server
is actually valid.
 2014-04-05 19:36:51 +02:00
Hubert Kario 946cc6a9ac Report the signature type used on server certificate 
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
 2014-04-05 19:23:04 +02:00
Hubert Kario f9fdd62a59 report key size used in server's certificate 
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
 2014-04-05 19:23:04 +02:00
Hubert Kario ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2 
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
 2014-04-05 18:47:37 +02:00
Michael Zeltner 05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner 45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky 49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner 8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00
Pepi Zawodsky 0282ae9209 Added simple debug function 2014-02-08 18:37:30 +01:00
Pepi Zawodsky 490c86c43e Changed grep invocation to prevent strange grep versions to balk on -E 2014-02-08 01:14:40 +01:00
Michael Zeltner 26b52d4e17
Make mktemp obsolete 
We have pipes, we shall use them!
 2014-02-07 00:56:31 +01:00
Pepi Zawodsky 57f41d7376 Fixed variable renaming. 2014-02-06 23:32:12 +01:00
Pepi Zawodsky 9e5ce9cca3 Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. 2014-02-06 23:26:19 +01:00
Michael Zeltner 5c07a6e552
Support s_client args, give -starttls example 2014-02-02 15:41:16 +01:00
Julien Vehent 5df0fe3d52 Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-09 11:53:54 -05:00
Julien Vehent 19d443b8fe OpenSSL binary location fix 2014-01-09 11:52:43 -05:00
Simon Deziel 93ee5e3f33 Cleanup old temp files when a connection failed 2014-01-07 18:32:09 -05:00
Julien Vehent af7b4ce18c Rename CiphersScan to cipherscan 2013-12-09 11:01:30 -05:00