From 946cc6a9acfff2ca1937cf7cf7842466b635dff4 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Sat, 5 Apr 2014 19:21:59 +0200 Subject: [PATCH] Report the signature type used on server certificate Parse the certificate used by server and report the signature used: prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize 1 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption ECDH,P-256,256bits 2 ECDHE-ECDSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 256 ecdsa-with-SHA512 ECDH,P-256,256bits 3 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption 4 AECDH-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None ECDH,P-256,256bits 5 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption 6 EXP-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption RSA,512bits --- cipherscan | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/cipherscan b/cipherscan index 2eca621..aa3c202 100755 --- a/cipherscan +++ b/cipherscan @@ -76,6 +76,10 @@ test_cipher_on_target() { if [ -z $current_pubkey ]; then current_pubkey=0 fi + current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None" + if [ -z $current_sigalg ]; then + current_sigalg=None + fi if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then # connection failed, try again with next TLS version continue @@ -97,6 +101,7 @@ test_cipher_on_target() { cipher=$current_cipher pfs=$current_pfs pubkey=$current_pubkey + sigalg=$current_sigalg # grab the cipher and PFS key size done # if cipher is empty, that means none of the TLS version worked with @@ -108,13 +113,13 @@ test_cipher_on_target() { # if cipher contains NONE, the cipher wasn't accepted elif [ "$cipher" == '(NONE) ' ]; then - result="$cipher $protocols $pubkey $pfs" + result="$cipher $protocols $pubkey $sigalg $pfs" verbose "handshake failed, server returned ciphersuite '$result'" return 1 # the connection succeeded else - result="$cipher $protocols $pubkey $pfs" + result="$cipher $protocols $pubkey $sigalg $pfs" verbose "handshake succeeded, server returned ciphersuite '$result'" return 0 fi @@ -178,9 +183,9 @@ display_results_in_terminal() { done if [ $DOBENCHMARK -eq 1 ]; then - header="prio ciphersuite protocols pubkey_size pfs_keysize avg_handshake_microsec" + header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec" else - header="prio ciphersuite protocols pubkey_size pfs_keysize" + header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize" fi ctr=0 for result in "${results[@]}"; do @@ -202,7 +207,8 @@ display_results_in_json() { echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\"," echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"]," echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"]," - pfs=$(echo $cipher|awk '{print $4}') + echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," + pfs=$(echo $cipher|awk '{print $5}') [ "$pfs" == "" ] && pfs="None" echo -n "\"pfs\":\"$pfs\"}" ctr=$((ctr+1))