fc4927be5b
refuse to process invalid arguments to cipherscan itself
2015-08-31 15:06:30 -07:00
5f43f911bd
Merge pull request #70 from tomato42/python3-analyze-fix
...
fix analyze.py Python3 compatibility
2015-08-23 15:23:45 -04:00
a3e04d3d01
fix analyze.py Python3 compat
...
because subprocess returns `bytes` in Python 3
we need to interpret them to characters, which are needed by json
input and string parsing
fixes #69 , #71
2015-08-23 17:31:04 +02:00
db4b16e50c
Merge pull request #60 from tomato42/tls-intolerancies
...
TLS intolerancies
2015-07-16 10:30:27 -04:00
abe8d329a9
Big handshake intolerance report
2015-07-16 16:15:39 +02:00
5f5487307d
Interpret some intolerance test results
2015-07-16 16:15:39 +02:00
5c98fe2107
do a scan with -no_tlsext openssl if possible
2015-07-16 16:15:39 +02:00
a71bfe5ebd
detect some TLS intolerancies
...
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them
among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
2015-07-16 16:15:39 +02:00
0ab0575274
Merge pull request #58 from tomato42/fallback-scan
...
Fallback scan
2015-07-15 10:21:47 -04:00
0119b9c115
Merge pull request #59 from tomato42/parsing-fixes
...
Fixes for results parsing
2015-06-10 07:33:17 +02:00
90ed0bbb3e
Merge pull request #62 from tomato42/python3
...
Python 3 compatibility
2015-06-10 07:00:21 +02:00
19983c0c2b
Merge pull request #61 from tomato42/gost-support
...
GOST support
2015-06-10 06:39:37 +02:00
86bc8e8574
fix is_fubar key size check
2015-05-30 19:48:56 +02:00
a53a91695e
make scripts python 3 compatible
2015-05-30 15:46:26 +02:00
8ea6b57f9d
cipherscan - capture whole Signature Algorithm line
...
the GOST certificates have a signature algorithm name with spaces
2015-05-30 14:58:23 +02:00
d151705218
parse_results.py - GOST support
2015-05-30 14:58:23 +02:00
596692a18e
add support for GOST cipher scanning
2015-05-30 14:58:23 +02:00
d8ebaf2d9f
report summary for clients for RC4 Preferred too
2015-05-30 00:01:32 +02:00
c55d8166c5
don't limit client specific RC4 Only to servers with multiple ciphers
2015-05-30 00:01:32 +02:00
37f1d15af1
count SSLv2 IDEA as insecure
2015-05-30 00:01:32 +02:00
b673fb976a
separate AES-CBC from AES-GCM
2015-05-30 00:01:32 +02:00
d773b73e45
don't divide by zero on empty results folder
2015-05-30 00:01:32 +02:00
b9b3a221ce
add Firefox 35 cipher settings
2015-05-30 00:01:32 +02:00
82f643244e
don't count export grade ciphers towards PFS
2015-05-30 00:01:32 +02:00
1b360153a0
sum servers that support SSL3 or TLS1 as the highest protocol
2015-05-30 00:01:32 +02:00
341f657e83
better detection for EXP and low grade ciphers in stats
...
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
2015-05-30 00:01:32 +02:00
8bde9c4d03
do fallback scan in case of problems
...
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
2015-05-29 23:50:07 +02:00
3bc8dc5583
one big readme update
2015-04-03 10:59:22 -04:00
d4441cf2bc
update sample output in readme to show curves
2015-04-03 10:42:07 -04:00
02d555bf9d
update openssl binary for darwin
2015-04-03 10:41:41 -04:00
1a26e09c7b
Merge pull request #54 from jvehent/jvehent-rework-tomato42-curves-tolerance-5
...
Jvehent rework tomato42 curves tolerance 5, closes #46
2015-04-02 09:50:46 -04:00
4a6ff56b81
Add back support for old curve json format in parse results
2015-04-02 04:39:59 -04:00
a966574edc
Fix curve fallback detection
2015-04-01 14:51:01 -04:00
b2a399617f
Use new JSON format in parse_results
2015-04-01 14:50:49 -04:00
4d7e1cb05a
Re-add curve fallback detection
2015-04-01 12:50:01 -04:00
04314bffdc
Updated openssl linux amd64 binary
2015-04-01 11:18:41 -04:00
c90e5c59d7
Improve output of curves
2015-04-01 11:18:31 -04:00
cc014f085d
test curve for each ECDH cipher, change PFS output to use curve name
2015-03-27 19:03:27 -04:00
224227cc5e
force at least TLSv1.0 in curves tolerance test
...
because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
2015-03-27 10:04:15 -04:00
c52e008347
add support for testing supported curves
...
since early versions of 1.0.2 openssl supports -curves command line
option, it allows us to set the curves advertised as supported
use the same approach to testing: advertise all, check what server
accepts, remove the accepted from list, repeat. When server aborts
connection or selects non ECC cipher, we know that we've tested all.
2015-03-27 10:04:15 -04:00
089f9e04c2
Merge pull request #50 from firstbanco/busybox_fix
...
Fix for busybox timeout binary
2015-03-26 12:58:48 -04:00
800eff19ce
Merge branch 'master' of github.com:jvehent/cipherscan
2015-03-19 13:52:38 -04:00
7bf35cb02a
rebuild openssl binaries with better config flags
2015-03-19 13:52:18 -04:00
3ff415a338
Merge pull request #53 from tomato42/how-to-compile-2
...
How to compile OpenSSL with all testing features
2015-03-19 12:32:21 -04:00
2f0f906dbf
how to compile the openssl with all features
2015-03-19 17:25:47 +01:00
8b38f8fad9
Merge branch 'master' of github.com:jvehent/cipherscan
2015-03-19 11:30:46 -04:00
aee4d8f109
Update openssl binary to 1.0.2a
2015-03-19 11:30:07 -04:00
6db82374b4
Fix for busybox timeout binary
2015-03-13 11:58:23 +00:00
606d7626db
Merge pull request #44 from genodeftest/patch-1
...
fix: ignore case in bash version string
2015-01-26 11:10:55 -05:00
3e4b86eedd
Merge pull request #47 from ScriptFanix/master
...
fix silent TypeError on sigalg md5WithRSAEncryption
2015-01-26 11:09:54 -05:00
Richard Soderberg
Julien Vehent
Hubert Kario
Samuel Kleiner