From 9e5ce9cca3a091beeda6c4263c9b4b16d770123c Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Thu, 6 Feb 2014 23:26:19 +0100 Subject: [PATCH 01/11] Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. --- cipherscan | 134 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 100 insertions(+), 34 deletions(-) diff --git a/cipherscan b/cipherscan index 84fc0a3..f97873e 100755 --- a/cipherscan +++ b/cipherscan @@ -10,13 +10,7 @@ BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" TIMEOUT=10 CIPHERSUITE="ALL:COMPLEMENTOFALL" -HOST=$(sed -e 's/:.*//'<<<"${@: -1}") -PORT=$(sed -e 's/.*://'<<<"${@: -1}") -if [ "$HOST" = "$PORT" ]; then - PORT=443 -fi -TARGET=$HOST:$PORT -SCLIENTARGS=$(sed -e "s/${@: -1}//" -e "s/-v//" -e "s/-a//" -e "s/-json//" <<<"$@") + VERBOSE=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" @@ -29,7 +23,8 @@ Connection: close usage() { - echo -e "usage: $0 [-a|-v|-json] [openssl s_client args] + echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] + usage: $0 -h|--help $0 attempts to connect to a target site using all the ciphersuites it knowns. Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan @@ -38,25 +33,25 @@ Port defaults to 443 example: $ $0 www.google.com:443 -Use one of the options below as the first argument: --v increase verbosity --a test all known ciphers individually at the end --json output results in json format +Use one of the options below: + +-a | --allciphers Test all known ciphers individually at the end. +-b | --benchmark Activate benchmark mode. +-h | --help Shows this help text. +-j | --json Output results in JSON format. +-o | --openssl path/to/your/openssl binary you want to use. +-v | --verbose Increase verbosity. The rest of the arguments will be interpreted as openssl s_client argument. This enables checking smtp/imap/pop3/ftp/xmpp via -starttls -example: $0 -starttls xmpp jabber.ccc.de:5222 - -OpenSSL path can be changed in the OPENSSLBIN variable -Benchmarking can be enabled in the DOBENCHMARK variable +EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222 " - exit 1 } verbose() { - if [ $VERBOSE -eq 1 ];then + if [ $VERBOSE != 0 ];then echo $@ fi } @@ -70,7 +65,8 @@ test_cipher_on_target() { pfs="" for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" do - local tmp=$(mktemp) + local tmp=$(mktemp "/tmp/cipherscan.XXXXXXXX") # OS X mktemp requires this. + # echo "$sslcommand $tls_version" $sslcommand $tls_version 1>"$tmp" 2>/dev/null << EOF $REQUEST EOF @@ -118,11 +114,11 @@ EOF # Calculate the average handshake time for a specific ciphersuite bench_cipher() { local ciphersuite="$1" - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand='echo "quit\n" | $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite' local t="$(date +%s%N)" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do - $sslcommand 2>/dev/null 1>/dev/null << EOF + ($sslcommand 2>/dev/null 1>/dev/null) << EOF $REQUEST EOF if [ $? -gt 0 ]; then @@ -142,7 +138,7 @@ EOF get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.' local ciphersuite="$1" - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" + local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" local success=$? @@ -203,20 +199,90 @@ display_results_in_json() { echo ']}' } +# UNKNOWNOPTIONS="" +while : +do + case $1 in + -h | --help | -\?) + usage + exit 0 # This is not an error, User asked help. Don't do "exit 1" + ;; + -o | --openssl) + OPENSSLBIN=$2 # You might want to check if you really got FILE + shift 2 + ;; + -a | --allciphers) + ALLCIPHERS=1 + shift + ;; + -v | --verbose) + # Each instance of -v adds 1 to verbosity + VERBOSE=$((VERBOSE+1)) + shift + ;; + -j | -json | --json | --JSON) + OUTPUTFORMAT="json" + shift + ;; + -b | --benchmark) + DOBENCHMARK=1 + shift + ;; + --) # End of all options + shift + break + ;; + # -*) + # UNKNOWNOPTIONS=$((UNKNOWNOPTIONS+$1)) + # # echo "WARN: Unknown option (ignored): $1" >&2 + # shift + # ;; + *) # no more options we understand. + break + ;; + esac +done -[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage -if [ ! -z $2 ]; then - if [ "$1" == "-v" ]; then - VERBOSE=1 - echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" - $OPENSSLBIN ciphers ALL 2>/dev/null - elif [ "$1" == "-a" ]; then - ALLCIPHERS=1 - elif [ "$1" == "-json" ]; then - OUTPUTFORMAT="json" - fi +if [ VERBOSE != 0 ] ; then + echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" + $OPENSSLBIN ciphers ALL 2>/dev/null fi +#[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage +# if [ ! -z $2 ]; then +# if [ "$1" == "-v" ]; then +# VERBOSE=1 +# echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" +# $OPENSSLBIN ciphers ALL 2>/dev/null +# elif [ "$1" == "-a" ]; then +# ALLCIPHERS=1 +# elif [ "$1" == "-json" ]; then +# OUTPUTFORMAT="json" +# fi +# fi + +# echo paramters left: $@ + +TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}") +HOST=$(sed -e 's/:.*//'<<<"${TESTTARGET}") +PORT=$(sed -e 's/.*://'<<<"${TESTTARGET}") + +# Default to https if no port given +if [ "$HOST" = "$PORT" ]; then + PORT=443 +fi + +# echo host: $HOST +# echo port: $PORT + +TARGET=$HOST:$PORT +# echo target: $TARGET + + +SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}") +# echo sclientargs: $SCLIENTARGS + + cipherspref=(); results=() @@ -235,7 +301,7 @@ if [ $ALLCIPHERS -gt 0 ]; then echo; echo "All accepted ciphersuites" for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do r="fail" - osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" + osslcommand='echo "quit\n" | $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c' test_cipher_on_target "$osslcommand" if [ $? -eq 0 ]; then r="pass" From 57f41d73767005d421523359c714707413234c8c Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Thu, 6 Feb 2014 23:32:12 +0100 Subject: [PATCH 02/11] Fixed variable renaming. --- cipherscan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cipherscan b/cipherscan index f97873e..636640f 100755 --- a/cipherscan +++ b/cipherscan @@ -264,8 +264,8 @@ fi # echo paramters left: $@ TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}") -HOST=$(sed -e 's/:.*//'<<<"${TESTTARGET}") -PORT=$(sed -e 's/.*://'<<<"${TESTTARGET}") +HOST=$(sed -e 's/:.*//'<<<"${TEMPTARGET}") +PORT=$(sed -e 's/.*://'<<<"${TEMPTARGET}") # Default to https if no port given if [ "$HOST" = "$PORT" ]; then From 26b52d4e17fbda8352ceb3ab5fb4b5ef5119cc52 Mon Sep 17 00:00:00 2001 From: Michael Zeltner Date: Fri, 7 Feb 2014 00:56:31 +0100 Subject: [PATCH 03/11] Make mktemp obsolete We have pipes, we shall use them! --- cipherscan | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/cipherscan b/cipherscan index 636640f..ac71ced 100755 --- a/cipherscan +++ b/cipherscan @@ -65,17 +65,16 @@ test_cipher_on_target() { pfs="" for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" do - local tmp=$(mktemp "/tmp/cipherscan.XXXXXXXX") # OS X mktemp requires this. # echo "$sslcommand $tls_version" - $sslcommand $tls_version 1>"$tmp" 2>/dev/null << EOF + local tmp=$($sslcommand $tls_version 1>/dev/stdout 2>/dev/null << EOF $REQUEST EOF - current_cipher=$(grep "New, " $tmp|awk '{print $5}') - current_pfs=$(grep 'Server Temp Key' $tmp|awk '{print $4$5$6$7}') - current_protocol=$(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}') +) + current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') + current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') + current_protocol=$(grep -E "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then # connection failed, try again with next TLS version - rm "$tmp" continue fi # connection succeeded, add TLS version to positive results @@ -87,7 +86,6 @@ EOF cipher=$current_cipher pfs=$current_pfs # grab the cipher and PFS key size - rm "$tmp" done # if cipher is empty, that means none of the TLS version worked with # the current cipher From 490c86c43eacb6d7676b55276c4d6b8a290ebb9b Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Sat, 8 Feb 2014 01:14:40 +0100 Subject: [PATCH 04/11] Changed grep invocation to prevent strange grep versions to balk on -E --- cipherscan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipherscan b/cipherscan index ac71ced..f738858 100755 --- a/cipherscan +++ b/cipherscan @@ -72,7 +72,7 @@ EOF ) current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') - current_protocol=$(grep -E "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') + current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then # connection failed, try again with next TLS version continue From 0d93b5d37eb6cfd56463159250bfb348b6fe1f87 Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Sat, 8 Feb 2014 17:07:54 +0100 Subject: [PATCH 05/11] Updated README to reflect the changes in cipherscan. --- README.md | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 0392b4f..eb2166f 100644 --- a/README.md +++ b/README.md @@ -2,30 +2,37 @@ CipherScan ========== A very simple way to find out which SSL ciphersuites are supported by a target. -Run: ./cipherscan www.google.com:443 -And watch. +On Linux x86_64 run: ./cipherscan www.google.com:443 +On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443 +and watch. + +The newer your version of openssl, the better results you'll get. Versions +of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports. + +Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o. -The newer your version of openssl, the better results you'll get. Older versions -of OpenSSL don't support TLS1.2 ciphers, elliptic curves, etc... Build Your Own! Options ------- -Enable benchmarking by setting DOBENCHMARK to 1 at the top of the script. +Enable benchmarking by passing -b|--benchmark -You can use one of the options below (only one. yes, I know...) +You can the options below. -Use '-v' to get more stuff to read. - -Use '-a' to force openssl to test every single cipher it know. - -Use '-json' to output the results in json format +-a | --allciphers Test all known ciphers individually at the end. +-b | --benchmark Activate benchmark mode. +-h | --help Shows this help text. +-j | --json Output results in JSON format. +-o | --openssl /path/to/the/openssl binary you want to use. +-v | --verbose Increase verbosity. + ``` -$ ./cipherscan -json www.google.com:443 +linux $ ./cipherscan -json www.google.com:443 ``` Example ------- +Testing plain SSL/TLS: ``` $ ./cipherscan www.google.com:443 ................... @@ -48,6 +55,10 @@ prio ciphersuite protocols pfs_keysize 16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 +``` + +Testing STARTTLS: +``` $ ./cipherscan -starttls xmpp jabber.ccc.de:5222 ......... prio ciphersuite protocols pfs_keysize From 0282ae9209c9dab9bebbf4431cc41ccaa09b1ee8 Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Sat, 8 Feb 2014 18:37:30 +0100 Subject: [PATCH 06/11] Added simple debug function --- cipherscan | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/cipherscan b/cipherscan index f738858..c6be697 100755 --- a/cipherscan +++ b/cipherscan @@ -10,7 +10,7 @@ BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" TIMEOUT=10 CIPHERSUITE="ALL:COMPLEMENTOFALL" - +DEBUG=0 VERBOSE=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" @@ -37,6 +37,7 @@ Use one of the options below: -a | --allciphers Test all known ciphers individually at the end. -b | --benchmark Activate benchmark mode. +-d | --debug Output ALL the information. -h | --help Shows this help text. -j | --json Output results in JSON format. -o | --openssl path/to/your/openssl binary you want to use. @@ -51,11 +52,16 @@ EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222 verbose() { - if [ $VERBOSE != 0 ];then + if [ $VERBOSE != 0 ]; then echo $@ fi } +debug(){ + if [ $DEBUG == 1 ]; then + echo Debug: "$@" + fi +} # Connect to a target host with the selected ciphersuite test_cipher_on_target() { @@ -226,6 +232,10 @@ do DOBENCHMARK=1 shift ;; + -d | --debug) + DEBUG=1 + shift + ;; --) # End of all options shift break @@ -270,15 +280,15 @@ if [ "$HOST" = "$PORT" ]; then PORT=443 fi -# echo host: $HOST -# echo port: $PORT +debug "host: $HOST" +debug "Port: $PORT" TARGET=$HOST:$PORT -# echo target: $TARGET +debug "target: $TARGET" SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}") -# echo sclientargs: $SCLIENTARGS +debug "sclientargs: $SCLIENTARGS" cipherspref=(); From 3282c2c3a5df20911dc7650479abf23120fa81d3 Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Mon, 10 Feb 2014 19:46:46 +0100 Subject: [PATCH 07/11] Improved reference of switches documentation formatting. --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index eb2166f..7c9486b 100644 --- a/README.md +++ b/README.md @@ -18,12 +18,12 @@ Enable benchmarking by passing -b|--benchmark You can the options below. --a | --allciphers Test all known ciphers individually at the end. --b | --benchmark Activate benchmark mode. --h | --help Shows this help text. --j | --json Output results in JSON format. --o | --openssl /path/to/the/openssl binary you want to use. --v | --verbose Increase verbosity. +-a | --allciphers Test all known ciphers individually at the end. +-b | --benchmark Activate benchmark mode. +-h | --help Shows this help text. +-j | --json Output results in JSON format. +-o | --openssl /path/to/the/openssl binary you want to use. +-v | --verbose Increase verbosity. ``` linux $ ./cipherscan -json www.google.com:443 From 8480e63ff7b2d2762a90b2aed9cba11469e8e25d Mon Sep 17 00:00:00 2001 From: Michael Zeltner Date: Fri, 14 Feb 2014 20:44:15 +0100 Subject: [PATCH 08/11] Fixing a typo --- cipherscan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipherscan b/cipherscan index c6be697..b07d31d 100755 --- a/cipherscan +++ b/cipherscan @@ -251,7 +251,7 @@ do esac done -if [ VERBOSE != 0 ] ; then +if [ $VERBOSE != 0 ] ; then echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" $OPENSSLBIN ciphers ALL 2>/dev/null fi From 49214fc5084a052b7faf2938add09a62b1afa444 Mon Sep 17 00:00:00 2001 From: Pepi Zawodsky Date: Tue, 18 Feb 2014 02:05:26 +0100 Subject: [PATCH 09/11] Verbose and Debug output go to stderr now. Added simple --delay function. --- cipherscan | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/cipherscan b/cipherscan index c6be697..bf2fb49 100755 --- a/cipherscan +++ b/cipherscan @@ -12,6 +12,7 @@ TIMEOUT=10 CIPHERSUITE="ALL:COMPLEMENTOFALL" DEBUG=0 VERBOSE=0 +DELAY=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" REQUEST="GET / HTTP/1.1 @@ -23,7 +24,7 @@ Connection: close usage() { - echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] + echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] usage: $0 -h|--help $0 attempts to connect to a target site using all the ciphersuites it knowns. @@ -37,7 +38,8 @@ Use one of the options below: -a | --allciphers Test all known ciphers individually at the end. -b | --benchmark Activate benchmark mode. --d | --debug Output ALL the information. +-d | --delay Pause for n seconds between connections +-D | --debug Output ALL the information. -h | --help Shows this help text. -j | --json Output results in JSON format. -o | --openssl path/to/your/openssl binary you want to use. @@ -53,13 +55,13 @@ EXAMPLES: $0 -starttls xmpp jabber.ccc.de:5222 verbose() { if [ $VERBOSE != 0 ]; then - echo $@ + echo "$@" >&2 fi } debug(){ if [ $DEBUG == 1 ]; then - echo Debug: "$@" + echo Debug: "$@" >&2 fi } @@ -153,6 +155,7 @@ get_cipher_pref() { get_cipher_pref "!$pciph:$ciphersuite" return 0 fi + sleep $DELAY } @@ -232,10 +235,14 @@ do DOBENCHMARK=1 shift ;; - -d | --debug) + -D | --debug) DEBUG=1 shift ;; + -d | --delay) + DELAY=$2 + shift 2 + ;; --) # End of all options shift break @@ -315,5 +322,7 @@ if [ $ALLCIPHERS -gt 0 ]; then r="pass" fi echo "$c $r"|awk '{printf "%-35s %s\n",$1,$2}' + debug "Sleeping for $DELAY." + sleep $DELAY done fi From bf48cd2a3ca94ad133e6390aac95e13e192617fc Mon Sep 17 00:00:00 2001 From: Michael Zeltner Date: Tue, 1 Apr 2014 14:29:55 -0400 Subject: [PATCH 10/11] Documenting how to build OpenSSL with ChaCha20-Poly1305 Also updating README.md with new options by MacLemon --- README.md | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 7c9486b..651e846 100644 --- a/README.md +++ b/README.md @@ -11,22 +11,30 @@ of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Bui Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o. +Build OpenSSL with ChaCha20-Poly1305 support (Optional) +------------------------------------------------------- + +The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this: + +``` +./config no-shared +make +``` + +And get the binary from `app/openssl`. (`./config` will ask you to run `make depend` which will fail - for our purposes this step is not required) Options ------- -Enable benchmarking by passing -b|--benchmark -You can the options below. - --a | --allciphers Test all known ciphers individually at the end. --b | --benchmark Activate benchmark mode. --h | --help Shows this help text. --j | --json Output results in JSON format. --o | --openssl /path/to/the/openssl binary you want to use. --v | --verbose Increase verbosity. - ``` -linux $ ./cipherscan -json www.google.com:443 +-a | --allciphers Test all known ciphers individually at the end. +-b | --benchmark Activate benchmark mode. +-d | --delay Pause for n seconds between connections +-D | --debug Output ALL the information. +-h | --help Shows this help text. +-j | --json Output results in JSON format. +-o | --openssl path/to/your/openssl binary you want to use. +-v | --verbose Increase verbosity. ``` Example @@ -34,7 +42,7 @@ Example Testing plain SSL/TLS: ``` -$ ./cipherscan www.google.com:443 +linux $ ./cipherscan www.google.com:443 ................... prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-CHACHA20-POLY1305 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits @@ -59,7 +67,7 @@ prio ciphersuite protocols pfs_keysize Testing STARTTLS: ``` -$ ./cipherscan -starttls xmpp jabber.ccc.de:5222 +darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222 ......... prio ciphersuite protocols pfs_keysize 1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits From 05bd24b4056525e0ee4e4f7a50ad46428bb07368 Mon Sep 17 00:00:00 2001 From: Michael Zeltner Date: Fri, 4 Apr 2014 20:46:40 -0400 Subject: [PATCH 11/11] Cleaning up old style, fixing --allciphers --- cipherscan | 38 +++++++------------------------------- 1 file changed, 7 insertions(+), 31 deletions(-) diff --git a/cipherscan b/cipherscan index 942a54a..4d861aa 100755 --- a/cipherscan +++ b/cipherscan @@ -8,19 +8,12 @@ DOBENCHMARK=0 BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" -TIMEOUT=10 CIPHERSUITE="ALL:COMPLEMENTOFALL" DEBUG=0 VERBOSE=0 DELAY=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" -REQUEST="GET / HTTP/1.1 -Host: $TARGET -Connection: close - - -" usage() { @@ -73,11 +66,8 @@ test_cipher_on_target() { pfs="" for tls_version in "-ssl2" "-ssl3" "-tls1" "-tls1_1" "-tls1_2" do - # echo "$sslcommand $tls_version" - local tmp=$($sslcommand $tls_version 1>/dev/stdout 2>/dev/null << EOF -$REQUEST -EOF -) + debug echo \"quit\\n\" \| $sslcommand $tls_version + local tmp=$(echo "quit\n" | $sslcommand $tls_version 1>/dev/stdout 2>/dev/null) current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') @@ -120,13 +110,12 @@ EOF # Calculate the average handshake time for a specific ciphersuite bench_cipher() { local ciphersuite="$1" - local sslcommand='echo "quit\n" | $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite' + local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" local t="$(date +%s%N)" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do - ($sslcommand 2>/dev/null 1>/dev/null) << EOF -$REQUEST -EOF + debug Connection $i + (echo "quit\n" | $sslcommand 2>/dev/null 1>/dev/null) if [ $? -gt 0 ]; then break fi @@ -142,7 +131,7 @@ EOF # Connect to the target and retrieve the chosen cipher # recursively until the connection fails get_cipher_pref() { - [ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.' + [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.' local ciphersuite="$1" local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" @@ -263,19 +252,6 @@ if [ $VERBOSE != 0 ] ; then $OPENSSLBIN ciphers ALL 2>/dev/null fi -#[[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage -# if [ ! -z $2 ]; then -# if [ "$1" == "-v" ]; then -# VERBOSE=1 -# echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" -# $OPENSSLBIN ciphers ALL 2>/dev/null -# elif [ "$1" == "-a" ]; then -# ALLCIPHERS=1 -# elif [ "$1" == "-json" ]; then -# OUTPUTFORMAT="json" -# fi -# fi - # echo paramters left: $@ TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}") @@ -316,7 +292,7 @@ if [ $ALLCIPHERS -gt 0 ]; then echo; echo "All accepted ciphersuites" for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do r="fail" - osslcommand='echo "quit\n" | $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c' + osslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" test_cipher_on_target "$osslcommand" if [ $? -eq 0 ]; then r="pass"