2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 22:33:40 +01:00
Commit Graph

39 Commits

Author SHA1 Message Date
Hubert Kario
ca0ef2fc5c fixes for the pull request #18
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
4c05897be2 no need to grep the input when we're using awk
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario
fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario
77671137df add support for CApath
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario
189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario
a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario
3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Julien Vehent
ded65c40df Merge pull request #22 from simondeziel/sdeziel
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent
ecd77f94fc Merge pull request #18 from tomato42/wip
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel
7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Aaron Zauner
efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Phil Cohen
5ae2132f23 minor typo fix 2014-06-25 16:28:48 -07:00
Hubert Kario
ee81927200 fix cipherscan human-readable output - pfs_keysize option 2014-05-30 11:49:44 +02:00
Hubert Kario
4e94d95bd8 ask for OCSP stapling by default
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6 collect TLS ticket lifetime hints 2014-05-16 16:55:19 +02:00
Hubert Kario
c48c012771 use the same openssl for all tasks 2014-05-13 13:41:16 +02:00
Hubert Kario
5dfa3c444e put ECDSA ciphers before RSA ciphers
Google servers (like youtube) negotiate ECDSA variant
of ciphersuite only if the RSA variant is also present,
so to return more comple cipher listing, we need to move
ECDSA ciphers before RSA ciphers
2014-05-13 13:41:16 +02:00
Hubert Kario
a0cb766381 add support for archlinux
archlinux has ca certificates in different place than Fedora
2014-05-13 13:41:16 +02:00
Hubert Kario
dca614d218 use proper quit semantic for openssl s_client
openssl s_client expect "Q" as the first character on a line,
with case being significant. Also, the \n marker is unnecessary
the echo command prints a newline automatically, additionally,
for the \n to be actually interpreted, the -e option must be used
2014-05-09 14:46:01 +02:00
Hubert Kario
d7b99f125e restore timeout
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
2014-05-09 12:00:53 +02:00
Hubert Kario
4e0e03b61e make default output more narrow
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario
f04567d40e check if certificate used by server is trused
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario
946cc6a9ac Report the signature type used on server certificate
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
f9fdd62a59 report key size used in server's certificate
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario
ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Michael Zeltner
05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner
45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky
49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner
8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00
Pepi Zawodsky
0282ae9209 Added simple debug function 2014-02-08 18:37:30 +01:00
Pepi Zawodsky
490c86c43e Changed grep invocation to prevent strange grep versions to balk on -E 2014-02-08 01:14:40 +01:00
Michael Zeltner
26b52d4e17
Make mktemp obsolete
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky
57f41d7376 Fixed variable renaming. 2014-02-06 23:32:12 +01:00
Pepi Zawodsky
9e5ce9cca3 Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. 2014-02-06 23:26:19 +01:00
Michael Zeltner
5c07a6e552
Support s_client args, give -starttls example 2014-02-02 15:41:16 +01:00
Julien Vehent
5df0fe3d52 Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-09 11:53:54 -05:00
Julien Vehent
19d443b8fe OpenSSL binary location fix 2014-01-09 11:52:43 -05:00
Simon Deziel
93ee5e3f33 Cleanup old temp files when a connection failed 2014-01-07 18:32:09 -05:00
Julien Vehent
af7b4ce18c Rename CiphersScan to cipherscan 2013-12-09 11:01:30 -05:00