deac
/
cipherscan
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
73 Commits
1 Branch
0 Tags
12 MiB
Commit Graph

73 Commits (master)

Author SHA1 Message Date
Julien Vehent 5417dacda3 Merge pull request #16 from tomato42/restore-timeout 
restore timeout
 2014-05-09 08:32:36 -04:00
Hubert Kario d7b99f125e restore `timeout` 
some servers have port 443 open but won't reply to ClientHello
requests, this hangs openssl s_client, as such we need to kill it
after some timeout
 2014-05-09 12:00:53 +02:00
Julien Vehent 325329d1ad Merge pull request #15 from tomato42/reporting-improvements-03 
Reporting improvements 03
 2014-04-20 13:16:34 -04:00
Julien Vehent ba4defb707 Merge pull request #14 from tomato42/scan-improvements-02 
Improve scanning performance and reduce false negatives
 2014-04-20 13:15:44 -04:00
Hubert Kario 686d7c958b extend reporting of RC4-related stats 
While preferring RC4 in TLS1.0 or SSL3 was recommended before,
it was always known that TLS1.1 and TLS1.2 were not vulnerable against
BEAST, so forcing RC4 there is a mistake. Report number of such servers.
 2014-04-19 23:14:57 +02:00
Hubert Kario 21bba67df0 extend SSL stats 
Two interesting server configurations are ones that support
only SSL3 or TLS1 only (old, but otherwise correctly configured servers)
and ones that support only TLS1.1 or up (brave admins that support
only new clients)
 2014-04-19 23:14:57 +02:00
Hubert Kario 349d4ebc3c more detailed PFS report 
Just because server supports some bad DH params, doesn't mean
it will force them on users. Report number of servers
that prefer specific DH params.
 2014-04-19 23:14:57 +02:00
Hubert Kario d3b6f9b507 fix reporting of the TLS1.2 but not TLS1.1 
Some servers may be configured to support only TLS1.2, it would
count them towards the number of servers affected by the OpenSSL bug
 2014-04-19 23:14:57 +02:00
Hubert Kario c8abfb53e8 add support for Chacha20 based ciphers 
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
 2014-04-19 23:14:57 +02:00
Hubert Kario 2b794ebfe0 fix and extend reporting of AES-GCM ciphers 
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name

extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
 2014-04-19 23:14:57 +02:00
Hubert Kario fd6fcdd359 fix spelling in TLS stats (TLS1_1 vs TLS1.1) 2014-04-19 23:14:57 +02:00
Hubert Kario faef8d692f in "no-untrusted mode": filter out ADH and AECDH suites 
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.

Don't collect statistics on servers that provide only untrusted
connections.
 2014-04-19 23:14:47 +02:00
Hubert Kario 45dc1da3f6 add ability to ignore results from untrusted servers 2014-04-19 23:07:01 +02:00
Hubert Kario ff620f5b26 report number of servers that use ECDSA and RSA certificates 
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
 2014-04-19 23:07:00 +02:00
Hubert Kario 863441a179 parsing of signature algorithm and key size 
add parsing of signature algorithm and key size from the individual
results, report summary
 2014-04-19 23:07:00 +02:00
Hubert Kario b6b9a1a364 Improve scanning performance and reduce false negatives 
scan all the machines from top-1m.csv file, wait for completion
of all jobs

i=1 is an off-by-one-error

support top-1m.csv files with arbitrary number of sites

run scans for many hosts at a time, but don't run more than
specified amount

in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
 2014-04-19 22:56:41 +02:00
Julien Vehent 370348ba1b Updated README 2014-04-19 12:04:09 -04:00
Julien Vehent f703ca9c26 Merge pull request #12 from tomato42/certificate-scanning-02 
Certificate scanning 02 (alternative version)
 2014-04-19 11:46:25 -04:00
Hubert Kario 4e0e03b61e make default output more narrow 
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
 2014-04-06 18:01:13 +02:00
Hubert Kario 9931ca2a2d update README with new examples 
New features = new examples
 2014-04-05 19:40:19 +02:00
Hubert Kario f04567d40e check if certificate used by server is trused 
Use system trust anchors to check if certificate chain used by server
is actually valid.
 2014-04-05 19:36:51 +02:00
Hubert Kario 946cc6a9ac Report the signature type used on server certificate 
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
 2014-04-05 19:23:04 +02:00
Hubert Kario f9fdd62a59 report key size used in server's certificate 
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
 2014-04-05 19:23:04 +02:00
Hubert Kario 32eba4e644 update examples from README 
since now the scan reports protocols correctly, update the example
to illustrate that
 2014-04-05 18:47:37 +02:00
Hubert Kario ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2 
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
 2014-04-05 18:47:37 +02:00
Julien Vehent afcc92db02 Merge pull request #5 from mzeltner/master 
Cleaned up options and documented custom OpenSSL build
 2014-04-04 21:26:59 -04:00
Michael Zeltner 05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner bf48cd2a3c
Documenting how to build OpenSSL with ChaCha20-Poly1305 
Also updating README.md with new options by MacLemon
 2014-04-01 14:29:55 -04:00
Michael Zeltner 45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky 49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner 8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00
Pepi Zawodsky 3282c2c3a5 Improved reference of switches documentation formatting. 2014-02-10 19:46:46 +01:00
Pepi Zawodsky 0282ae9209 Added simple debug function 2014-02-08 18:37:30 +01:00
Pepi Zawodsky 0d93b5d37e Updated README to reflect the changes in cipherscan. 2014-02-08 17:07:54 +01:00
Pepi Zawodsky 490c86c43e Changed grep invocation to prevent strange grep versions to balk on -E 2014-02-08 01:14:40 +01:00
Michael Zeltner 26b52d4e17
Make mktemp obsolete 
We have pipes, we shall use them!
 2014-02-07 00:56:31 +01:00
Pepi Zawodsky 57f41d7376 Fixed variable renaming. 2014-02-06 23:32:12 +01:00
Pepi Zawodsky 9e5ce9cca3 Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. 2014-02-06 23:26:19 +01:00
Julien Vehent 1f92094b3d Merge pull request #4 from mzeltner/master 
Support s_client args, give -starttls example. Contributed by mzeltner.
 2014-02-02 18:15:27 -08:00
Michael Zeltner 5c07a6e552
Support s_client args, give -starttls example 2014-02-02 15:41:16 +01:00
Julien Vehent ae5d7ad15c Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-31 10:24:02 -05:00
Julien Vehent b3ca13a5ae Rebuilt openssl to support ChaCha20/Poly1305. Test against google servers. 2014-01-31 10:22:21 -05:00
Julien Vehent 5e8b495a18 added many tests 2014-01-11 01:07:32 +00:00
Julien Vehent 1414973531 basic results parsing script in python 2014-01-10 05:50:03 +00:00
Julien Vehent f3c8b24b8b tweaks 2014-01-09 20:16:40 +00:00
Julien Vehent 5df0fe3d52 Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-09 11:53:54 -05:00
Julien Vehent 19d443b8fe OpenSSL binary location fix 2014-01-09 11:52:43 -05:00
Julien Vehent e4ea957c8d Script to scan Alexa's top 1m websites 2014-01-09 11:52:17 -05:00
Julien Vehent 26948cbccf Merge pull request #3 from simondeziel/clean-temp 
Cleanup old temp files when a connection failed
 2014-01-07 19:04:43 -08:00
Simon Deziel 93ee5e3f33 Cleanup old temp files when a connection failed 2014-01-07 18:32:09 -05:00