Julien Vehent
ebc6939299
Merge pull request #29 from tomato42/client-handshake-simulation
...
Client handshake simulation
2014-10-29 19:22:52 -04:00
Hubert Kario
11ce6187de
small fixes for delay
...
firstly, test_cipher_on_target() will try at least 4 connections before
incurring the sleep, for aggressive rate limiter on server side it may be
too much, so sleep before every connection
secondly, because running external commands like sleep incurs a fork
penalty, we first check if it is necessary
2014-10-28 16:44:43 +01:00
Hubert Kario
29c739faa9
count EDH-DES as PFS too in general stats
2014-10-25 16:23:41 +02:00
Hubert Kario
af2e25ec89
fix EDH checking
...
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Hubert Kario
76d791fcbe
make cipher selection simulation generic
...
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario
c82bc44558
report cipher ordering in scanning stats, use it to simulate handshakes
...
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario
42fa7d9ecb
report what ciphers Firefox would select while connecting to server
2014-10-12 20:39:39 +02:00
Hubert Kario
1b4dcc4393
report ciphers causing incompatibility for Firefox
...
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario
142726c4fd
count ECDH-RSA ciphers as ECDSA
...
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Hubert Kario
ca0ef2fc5c
fixes for the pull request #18
...
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario
29109f1e64
update SEED and IDEA classification, do a total of broken ciphers
...
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
2014-10-06 13:25:04 -04:00
Hubert Kario
8a0c9190a9
sort reported TLS session ticket hint using natural sort
2014-10-06 13:20:37 -04:00
Julien Vehent
ecd77f94fc
Merge pull request #18 from tomato42/wip
...
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Hubert Kario
7591062bbc
parse_results.py: compatibility with old results files
2014-06-04 18:52:39 +02:00
Hubert Kario
be0439ef99
provide statistics for all key exchange methods, not DHE and ECDHE only
2014-06-04 18:17:41 +02:00
Hubert Kario
3667b04ad7
correctly count broken cipher suites with "no reporting of untrusted"
2014-06-04 18:17:02 +02:00
Hubert Kario
86ff1122cc
parse_results.py: don't count anonymous cipher suites toward correct config stats
2014-06-04 15:15:32 +02:00
Julien Vehent
50f4959e79
updated license on parse_results.py
2014-05-20 08:23:57 -04:00
Hubert Kario
2f56f0515e
don't scan the same host twice
2014-05-16 18:16:45 +02:00
Hubert Kario
f1d3b51749
update the top 1M list to the version from 2014-05-16
2014-05-16 17:34:22 +02:00
Hubert Kario
4e94d95bd8
ask for OCSP stapling by default
...
for now, no option to disable
2014-05-16 17:31:44 +02:00
Hubert Kario
0777682aa6
collect TLS ticket lifetime hints
2014-05-16 16:55:19 +02:00
Hubert Kario
1a78172936
scan just one host per hostname
2014-05-16 16:11:01 +02:00
Hubert Kario
cdbf596466
properly handle pure IP adressess
...
(it's illegal to use IP in SNI)
2014-05-16 15:42:47 +02:00
Hubert Kario
5ef53dda9c
increase paralelism of jobs
...
because sometimes tcping takes a long time to timeout for a lot
of hosts in batch use also load average to keep the cpu busy
2014-05-13 13:41:16 +02:00
Hubert Kario
a213fc45d0
remove the folder/file part from url
...
some hostnames in the top-1m.csv file have folder or site specified
in them, cut it off before using
2014-05-13 13:41:16 +02:00
Hubert Kario
00b20a20ed
perform SNI enabled scan
...
for example, youtube requires SNI extension to be present to return
ECDSA certificates, use it for scanning
2014-05-13 13:41:16 +02:00
Hubert Kario
8817a7b1c8
testtop1m.sh: correct counting of background jobs
...
`jobs` command returns multiple lines for a jobs with `if` so counting
number of background jobs was off
2014-05-13 13:41:16 +02:00
Hubert Kario
686d7c958b
extend reporting of RC4-related stats
...
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
2014-04-19 23:14:57 +02:00
Hubert Kario
21bba67df0
extend SSL stats
...
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
2014-04-19 23:14:57 +02:00
Hubert Kario
349d4ebc3c
more detailed PFS report
...
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
2014-04-19 23:14:57 +02:00
Hubert Kario
d3b6f9b507
fix reporting of the TLS1.2 but not TLS1.1
...
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
2014-04-19 23:14:57 +02:00
Hubert Kario
c8abfb53e8
add support for Chacha20 based ciphers
...
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-19 23:14:57 +02:00
Hubert Kario
2b794ebfe0
fix and extend reporting of AES-GCM ciphers
...
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name
extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-19 23:14:57 +02:00
Hubert Kario
fd6fcdd359
fix spelling in TLS stats (TLS1_1 vs TLS1.1)
2014-04-19 23:14:57 +02:00
Hubert Kario
faef8d692f
in "no-untrusted mode": filter out ADH and AECDH suites
...
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.
Don't collect statistics on servers that provide only untrusted
connections.
2014-04-19 23:14:47 +02:00
Hubert Kario
45dc1da3f6
add ability to ignore results from untrusted servers
2014-04-19 23:07:01 +02:00
Hubert Kario
ff620f5b26
report number of servers that use ECDSA and RSA certificates
...
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-19 23:07:00 +02:00
Hubert Kario
863441a179
parsing of signature algorithm and key size
...
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-19 23:07:00 +02:00
Hubert Kario
b6b9a1a364
Improve scanning performance and reduce false negatives
...
scan all the machines from top-1m.csv file, wait for completion
of all jobs
i=1 is an off-by-one-error
support top-1m.csv files with arbitrary number of sites
run scans for many hosts at a time, but don't run more than
specified amount
in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-19 22:56:41 +02:00
Julien Vehent
5e8b495a18
added many tests
2014-01-11 01:07:32 +00:00
Julien Vehent
1414973531
basic results parsing script in python
2014-01-10 05:50:03 +00:00
Julien Vehent
f3c8b24b8b
tweaks
2014-01-09 20:16:40 +00:00
Julien Vehent
e4ea957c8d
Script to scan Alexa's top 1m websites
2014-01-09 11:52:17 -05:00