deac
/
cipherscan
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #4 from mzeltner/master 

Support s_client args, give -starttls example. Contributed by mzeltner.
master
Julien Vehent 2014-02-02 18:15:27 -08:00
parent ae5d7ad15c 5c07a6e552
commit 1f92094b3d
2 changed files with 34 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -20,7 +20,7 @@ Use '-a' to force openssl to test every single cipher it know.
Use '-json' to output the results in json format Use '-json' to output the results in json format
``` ```
$ ./cipherscan www.google.com:443 -json $ ./cipherscan -json www.google.com:443
``` ```
Example Example
@ -48,4 +48,15 @@ prio ciphersuite protocols pfs_keysize
16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
$ ./cipherscan -starttls xmpp jabber.ccc.de:5222
.........
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits
2 AES256-SHA SSLv3,TLSv1
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits
4 DES-CBC3-SHA SSLv3,TLSv1
5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits
6 AES128-SHA SSLv3,TLSv1
7 RC4-SHA SSLv3,TLSv1
8 RC4-MD5 SSLv3,TLSv1
``` ```

34
cipherscan
View File

@ -10,7 +10,13 @@ BENCHMARKITER=30
OPENSSLBIN="$(dirname $0)/openssl" OPENSSLBIN="$(dirname $0)/openssl"
TIMEOUT=10 TIMEOUT=10
CIPHERSUITE="ALL:COMPLEMENTOFALL" CIPHERSUITE="ALL:COMPLEMENTOFALL"
TARGET=$1 HOST=$(sed -e 's/:.*//'<<<"${@: -1}")
PORT=$(sed -e 's/.*://'<<<"${@: -1}")
if [ "$HOST" = "$PORT" ]; then
PORT=443
fi
TARGET=$HOST:$PORT
SCLIENTARGS=$(sed -e "s/${@: -1}//" -e "s/-v//" -e "s/-a//" -e "s/-json//" <<<"$@")
VERBOSE=0 VERBOSE=0
ALLCIPHERS=0 ALLCIPHERS=0
OUTPUTFORMAT="terminal" OUTPUTFORMAT="terminal"
@ -23,18 +29,25 @@ Connection: close
usage() { usage() {
echo -e "usage: $0 <target:port> echo -e "usage: $0 [-a|-v|-json] [openssl s_client args] <target:port>
$0 attempts to connect to a target site using all the ciphersuites it knowns. $0 attempts to connect to a target site using all the ciphersuites it knowns.
Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
Port defaults to 443
example: $ $0 www.google.com:443 example: $ $0 www.google.com:443
Use only one of the options below: Use one of the options below as the first argument:
-v increase verbosity -v increase verbosity
-a test all known ciphers individually at the end -a test all known ciphers individually at the end
-json output results in json format -json output results in json format
The rest of the arguments will be interpreted as openssl s_client argument.
This enables checking smtp/imap/pop3/ftp/xmpp via -starttls
example: $0 -starttls xmpp jabber.ccc.de:5222
OpenSSL path can be changed in the OPENSSLBIN variable OpenSSL path can be changed in the OPENSSLBIN variable
Benchmarking can be enabled in the DOBENCHMARK variable Benchmarking can be enabled in the DOBENCHMARK variable
" "
@ -105,7 +118,7 @@ EOF
# Calculate the average handshake time for a specific ciphersuite # Calculate the average handshake time for a specific ciphersuite
bench_cipher() { bench_cipher() {
local ciphersuite="$1" local ciphersuite="$1"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite" local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
local t="$(date +%s%N)" local t="$(date +%s%N)"
verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
for i in $(seq 1 $BENCHMARKITER); do for i in $(seq 1 $BENCHMARKITER); do
@ -129,7 +142,7 @@ EOF
get_cipher_pref() { get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.' [ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.'
local ciphersuite="$1" local ciphersuite="$1"
local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite" local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand" test_cipher_on_target "$sslcommand"
local success=$? local success=$?
@ -193,17 +206,14 @@ display_results_in_json() {
[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage [[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage
if [ ! -z $2 ]; then if [ ! -z $2 ]; then
if [ "$2" == "-v" ]; then if [ "$1" == "-v" ]; then
VERBOSE=1 VERBOSE=1
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
$OPENSSLBIN ciphers ALL 2>/dev/null $OPENSSLBIN ciphers ALL 2>/dev/null
elif [ "$2" == "-a" ]; then elif [ "$1" == "-a" ]; then
ALLCIPHERS=1 ALLCIPHERS=1
elif [ "$2" == "-json" ]; then elif [ "$1" == "-json" ]; then
OUTPUTFORMAT="json" OUTPUTFORMAT="json"
else
echo "ERROR: unknown option '$2'"; echo
usage
fi fi
fi fi
@ -225,7 +235,7 @@ if [ $ALLCIPHERS -gt 0 ]; then
echo; echo "All accepted ciphersuites" echo; echo "All accepted ciphersuites"
for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
r="fail" r="fail"
osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $c" osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
test_cipher_on_target "$osslcommand" test_cipher_on_target "$osslcommand"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
r="pass" r="pass"