mirror of https://github.com/mozilla/cipherscan.git synced 2025-05-11 01:13:39 +02:00
Commit Graph

379 Commits

Author SHA1 Message Date
floatingatoll
f79484c45d Merge d7a7458667 into 74dd82e8ad 2016-08-21 15:28:31 +00:00
Julien Vehent
74dd82e8ad Update OpenSSL binary 2016-08-16 11:28:34 -04:00
Julien Vehent [:ulfr]
8b73962b72 Merge pull request #122 from tomato42/result-parser-update
Result parser update
2016-07-23 10:30:52 -04:00
Julien Vehent [:ulfr]
4a6cb350c8 Merge pull request #123 from tomato42/certificate-verification-time
changing time of verification for certificate chains
2016-07-23 10:29:11 -04:00
Julien Vehent [:ulfr]
38f5ffba9d Merge pull request #121 from tomato42/better-ca-handling
Better CA certificate handling
2016-07-23 10:27:00 -04:00
Hubert Kario
a5ec045000 changing time of verification for certificate chains
allow to run the analysis of certificate chains later after the
data was collected, allows also for re-analysis of archival data
2016-07-20 21:17:37 +02:00
Hubert Kario
7bb272e353 single-out 3DES ciphers
3DES is the weakest cipher from the ones that are still officially
standing, so report more detailed statistics about it
2016-07-20 20:51:51 +02:00
Hubert Kario
bbeac6107a add FF 44 ciphers
since FF 44 has a different cipher set than FF 35, especially the
drop of DSS and RC4, it will be useful to have connection
statistics for it
2016-07-20 20:50:26 +02:00
Hubert Kario
7834cd0748 fold some long lines
long lines hard to read, make Hulk sad
2016-07-20 20:45:15 +02:00
Hubert Kario
94efc235d0 use more robust trust path building by default
use the -trusted_first flag to openssl, so that it tries alternative
trust paths to verify validity of server presented certificate
2016-07-20 20:43:47 +02:00
Hubert Kario
f9f3407bb4 scripts to create CApath directories with roots or intermediaries
In case the user has a set of certificates *and* intermediaries,
it is necessary to prime both the `ca_trusted` directory and the
`ca_files` directories with respectively all root CA's and
all CA's (root or intermediate)
2016-07-20 20:40:35 +02:00
Julien Vehent [:ulfr]
189695c0b1 Merge pull request #120 from tomato42/top1m-info
add README for the top1m folder
2016-07-20 14:30:22 -04:00
Hubert Kario
e9808a1bcb report errors in cert file searching
since the certificates are separate from results file, they can get
missing (or an incorrect set can be used)

provide a clear message about what file is missing
2016-07-20 20:21:28 +02:00
Hubert Kario
985e26c71a add README for the top1m folder
since the top-1m.csv.zip is not static, tell the users where it
can be found

also add a generic explanation about files in the folder
2016-07-20 20:16:39 +02:00
Julien Vehent [:ulfr]
5d930c2d32 Merge pull request #117 from adamcrosby/master
Fallback to local JSON if urllib fails to retrieve updated list
2016-02-29 08:58:05 -05:00
Adam Crosby
34f92a6838 Added adamcrobsy to contributors list 2016-02-29 08:23:14 -05:00
Adam Crosby
55cdb74ff7 Added fallback to use local json recommendations file if urllib fails to connect (including SNI errors), fixes issue #116 2016-02-29 08:21:04 -05:00
Julien Vehent
9f0226e00b analyze.py: update example of json input 2016-02-24 10:52:18 -05:00
Julien Vehent
639bc45bf7 analyze.py refactoring to use online recommendations 2016-02-24 10:48:28 -05:00
Julien Vehent
18b0d1b952 Update linux openssl binary 2015-12-17 15:06:10 -05:00
Julien Vehent
6d2b850679 Merge pull request #105 from Emantor/intermediate-fix
Update analyze.py
2015-11-19 13:16:32 -05:00
Emantor
536ff90b86 ECDHE-ECDSA-DES-CBC3-SHA was missing too
Fix `ECDHE-ECDSA-DES-CBC3-SHA` as well.
2015-11-19 16:58:49 +01:00
Julien Vehent
a9cfcc8376 Merge pull request #107 from tomato42/ecdsa-certs
properly detect ECDSA certs for size compare
2015-11-19 08:54:43 -05:00
Hubert Kario
4d77c87494 properly detect ECDSA certs for keysize compare
since ECDSA certificates during the transition are likely to be
signed using RSA keys, we need to check the cipher rather than the
signature in the certificate to tell if the cert is ECDSA and as such
can have small key sizes
2015-11-17 15:31:46 +01:00
Emantor
e8ba5ab8fe Update analyze.py
Per https://mozilla.github.io/server-side-tls/ssl-config-generator/
The intermediate config supports 'ECDHE-RSA-DES-CBC3-SHA', add it to analyze.py
2015-11-17 09:01:52 +01:00
Julien Vehent
1e65be5fd5 Added copy of the MPL 2015-10-18 08:45:20 -04:00
Julien Vehent
b03320887f Merge pull request #100 from tomato42/compress-and-renego-info
Add testing for renegotiation and compression
2015-10-17 09:10:08 -04:00
Richard Soderberg
d7a7458667 Add handling of TLS-dependent pubkey sizes.
As with previous commits, this adds reporting for TLS-dependent pubkey
sizes.
2015-10-05 08:42:23 -07:00
Richard Soderberg
8757bbd039 Add handling for TLS-dependent trusted values.
As per previous commits, this adds TLS-dependent support for the
'Trusted' value in the output.
2015-10-05 08:42:23 -07:00
Richard Soderberg
eb752c541c Add handling for TLS-variant ticket hint value.
This, as previous commits, adds support for reporting the TLS ticket
hint value per-protocol, which results in a lot of 'None' for SSLv3 (as
expected).
2015-10-05 08:42:23 -07:00
Richard Soderberg
638e0cbd10 Add handling for TLS-variant results for the PFS value.
As before with signature algorithms, we need to handle the case where
the PFS value varies based on SSL protocol version.
2015-10-05 08:42:23 -07:00
Richard Soderberg
0be95b821a Emit an array of certificate signature algorithms, where applicable.
Certain SSL servers may emit a different certificate for each TLS
protocol version. Previously, we simply emitted one of their signature
algorithms. Now, we emit an array where each element corresponds to the
array of TLS versions.

This will be extended to the other certificate-dependent attributes in
future commits.
2015-10-05 08:42:23 -07:00
Richard Soderberg
32bf52a452 Store the found protocols in an array, rather than a CSV-joined string. 2015-10-05 08:42:23 -07:00
Richard Soderberg
1828183e3f Extract the list of TLS versions to test into an array. 2015-10-05 08:42:23 -07:00
Richard Soderberg
3107661b7c Unroll the if-return/elif-return/else-return chain in test_cipher_on_target.
Rather than doing if-return, elif-return, else-return, just do
if-return, if-return, if-return. This provides no immediate benefit to
the code itself, but permits the introduction of code that alters the
$sigalg variable in between the first if-return and the latter two in an
upcoming commit.
2015-10-05 08:42:23 -07:00
Julien Vehent
34d6ca62bd Merge pull request #104 from injcristianrojas/master
Untrusted certificate alert should be red
2015-09-23 15:16:23 -04:00
Cristián Rojas
f717a556e5 Untrusted certificate alert should be red 2015-09-23 15:59:24 -03:00
Julien Vehent
29bdf5fdcb Merge pull request #103 from PeterMosmans/msys
Fallback to default openssl when supplied openssl can't be executed
2015-09-22 12:53:17 -04:00
Peter Mosmans
c00474805d Fallback to default openssl when supplied openssl can't be executed 2015-09-22 19:25:27 +10:00
Julien Vehent
5a10991008 Merge pull request #102 from floatingatoll/negative-nope
workaround bash 4.2- not having unset A[-1] support
2015-09-21 16:05:26 -04:00
Richard Soderberg
c9412e395d workaround bash 4.2- not having unset A[-1] support 2015-09-21 12:51:18 -07:00
Hubert Kario
aa093bc86d add openssl options to help message
add examples of useful openssl options
2015-09-21 16:51:16 +02:00
Hubert Kario
99a0b6be07 collect stats about compression and renegotiation
since no support for compression and support for renegotiation are
necessary for the server to have a secure configuration, collect
and report those two too
2015-09-21 16:44:45 +02:00
Julien Vehent
73b21d3977 Merge pull request #99 from tomato42/tolerance-report
fix printing of test data for intolerant servers
2015-09-21 10:33:10 -04:00
Hubert Kario
dbce87cb1a fix printing of test data for intolerant servers
tls_tolerance is an array, so we need to use array syntax...

since if the server is tls version intolerant we will be printing
a lot of info, space it out from the certificate-related summary

ephemeral sigalgs are also printing a lot of information, so space
them from the TLS Tolerance test results
2015-09-21 16:18:37 +02:00
Julien Vehent
0011abcec7 readme update 2015-09-21 09:38:34 -04:00
Julien Vehent
4916e89087 remove unneeded echo 2015-09-21 09:31:03 -04:00
Julien Vehent
ce91e221d1 Merge pull request #98 from tomato42/custom-openssl-fixes
fix custom openssl with GOST config incompatibility
2015-09-21 09:29:51 -04:00
Julien Vehent
035d8c0a19 Merge pull request #97 from tomato42/uri-handling
handle hostnames that are URIs
2015-09-21 09:29:03 -04:00
Julien Vehent
50ef7960f7 Merge pull request #96 from tomato42/ecdsa-keys
fix coloring of cert key sizes
2015-09-21 09:25:16 -04:00