check if certificate used by server is trused
Use system trust anchors to check if the certificate chain used by the server is actually valid.
master
parent
946cc6a9ac
commit
f04567d40e
28
cipherscan
28
cipherscan
@ -8,6 +8,10 @@
DOBENCHMARK=0
BENCHMARKITER=30
OPENSSLBIN="$(dirname $0)/openssl"
CACERTS=${CACERTS:-/etc/pki/tls/certs/ca-bundle.crt}
if [ ! -e "$CACERTS" ]; then
echo "Warning: CA Certificates not found at $CACERTS, export CACERTS variable with location of your trust anchors" 1>&2
fi
CIPHERSUITE="ALL:COMPLEMENTOFALL"
DEBUG=0
VERBOSE=0
@ -77,6 +81,12 @@ test_cipher_on_target() {
current_pubkey=0
fi
current_sigalg=$(openssl x509 -noout -text 2>/dev/null <<<"$tmp"|grep Signature\ Algorithm | head -n 1 | awk '{print $3}') || current_sigalg="None"
grep 'Verify return code: 0 ' <<<"$tmp" >/dev/null
if [ $? -eq 0 ]; then
current_trusted="True"
else
current_trusted="False"
fi
if [ -z $current_sigalg ]; then
current_sigalg=None
fi
@ -102,6 +112,7 @@ test_cipher_on_target() {
pfs=$current_pfs
pubkey=$current_pubkey
sigalg=$current_sigalg
trusted=$current_trusted
# grab the cipher and PFS key size
done
# if cipher is empty, that means none of the TLS version worked with
@ -113,13 +124,13 @@ test_cipher_on_target() {
|
# if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
verbose "handshake failed, server returned ciphersuite '$result'"
return 1
|
# the connection succeeded
else
result="$cipher $protocols $pubkey $sigalg $pfs"
result="$cipher $protocols $pubkey $sigalg $trusted $pfs"
verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0
fi
@ -152,7 +163,11 @@ bench_cipher() {
get_cipher_pref() {
[ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
local ciphersuite="$1"
local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
if [ -e $CACERTS ]; then
local sslcommand="$OPENSSLBIN s_client -CAfile $CACERTS $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
else
local sslcommand="$OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
fi
verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
test_cipher_on_target "$sslcommand"
local success=$?
@ -183,9 +198,9 @@ display_results_in_terminal() {
done
|
if [ $DOBENCHMARK -eq 1 ]; then
header="prio ciphersuite protocols pubkey_size signature_algoritm pfs_keysize avg_handshake_microsec"
header="prio ciphersuite protocols pubkey_size signature_algoritm trusted pfs_keysize avg_handshake_microsec"
else
header="prio ciphersuite protocols pubkey_size signature_algorithm pfs_keysize"
header="prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize"
fi
ctr=0
for result in "${results[@]}"; do
@ -208,7 +223,8 @@ display_results_in_json() {
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
pfs=$(echo $cipher|awk '{print $5}')
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
pfs=$(echo $cipher|awk '{print $6}')
[ "$pfs" == "" ] && pfs="None"
echo -n "\"pfs\":\"$pfs\"}"
ctr=$((ctr+1))
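Review bot: The trust-anchor test added in get_cipher_pref, `if [ -e $CACERTS ]; then`, leaves `$CACERTS` unquoted and `-e` also accepts a directory, which `-CAfile` cannot use, so `if [ -r "$CACERTS" ]; then` (with the same `-r` in the top-of-file warning) keeps the test and the option in agreement. When the bundle is absent the else branch silently runs s_client without `-CAfile`, so the new `trusted` column then reflects whatever default store that openssl binary has rather than the configured anchors; a comment on that branch, `# no -CAfile: 'trusted' reflects openssl's built-in default store`, would stop readers over-trusting a True or False produced there. In test_cipher_on_target, `grep 'Verify return code: 0 '` establishes only that the chain verified up to an anchor, not that the certificate name matches the target, and for anonymous suites (which ALL:COMPLEMENTOFALL includes) s_client presumably reports code 0 with no certificate presented at all, so current_trusted may read True in the branch where current_pubkey is set to 0; documenting `trusted` as chain validity and setting it to False in that branch would make the column honest. Both get_cipher_pref and test_cipher_on_target continue outside their hunks.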