Commit graph

65 commits

Author SHA1 Message Date
Hubert Kario c8abfb53e8 add support for Chacha20 based ciphers
Basically all Google servers support Chacha20 now and it is
not a bad choice, so report it as a regular cipher
2014-04-19 23:14:57 +02:00
Hubert Kario 2b794ebfe0 fix and extend reporting of AES-GCM ciphers
AES-GCM ciphers don't have "AES-GCM" substring in the openssl name

extend reporting of AES ciphers, split to AES-CBC, AES-GCM and
AES in general
2014-04-19 23:14:57 +02:00
Hubert Kario fd6fcdd359 fix spelling in TLS stats (TLS1_1 vs TLS1.1) 2014-04-19 23:14:57 +02:00
Hubert Kario faef8d692f in "no-untrusted mode": filter out ADH and AECDH suites
If server negotiates ADH or AECDH suite, openssl returns "ok" in
cert checking. Don't mark server as trusted because of that.

Don't collect statistics on servers that provide only untrusted
connections.
2014-04-19 23:14:47 +02:00
Hubert Kario 45dc1da3f6 add ability to ignore results from untrusted servers 2014-04-19 23:07:01 +02:00
Hubert Kario ff620f5b26 report number of servers that use ECDSA and RSA certificates
Since use of both ECDSA and RSA certificates is easy, it is
relatively simple to support both. Report the total number of
such servers
2014-04-19 23:07:00 +02:00
Hubert Kario 863441a179 parsing of signature algorithm and key size
add parsing of signature algorithm and key size from the individual
results, report summary
2014-04-19 23:07:00 +02:00
Hubert Kario b6b9a1a364 Improve scanning performance and reduce false negatives
scan all the machines from top-1m.csv file, wait for completion
of all jobs

i=1 is an off-by-one-error

support top-1m.csv files with arbitrary number of sites

run scans for many hosts at a time, but don't run more than
specified amount

in case where default domain name doesn't resolve or doesn't have
port 443 open, retry with www. prefix
2014-04-19 22:56:41 +02:00
Julien Vehent 370348ba1b Updated README 2014-04-19 12:04:09 -04:00
Julien Vehent f703ca9c26 Merge pull request #12 from tomato42/certificate-scanning-02
Certificate scanning 02 (alternative version)
2014-04-19 11:46:25 -04:00
Hubert Kario 4e0e03b61e make default output more narrow
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
Hubert Kario 9931ca2a2d update README with new examples
New features = new examples
2014-04-05 19:40:19 +02:00
Hubert Kario f04567d40e check if certificate used by server is trused
Use system trust anchors to check if certificate chain used by server
is actually valid.
2014-04-05 19:36:51 +02:00
Hubert Kario 946cc6a9ac Report the signature type used on server certificate
Parse the certificate used by server and report the signature used:

prio  ciphersuite              protocols                    pubkey_size  signature_algorithm    pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ecdsa-with-SHA512      ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
4     AECDH-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  0            None                   ECDH,P-256,256bits
5     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption
6     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario f9fdd62a59 report key size used in server's certificate
Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
2014-04-05 19:23:04 +02:00
Hubert Kario 32eba4e644 update examples from README
since now the scan reports protocols correctly, update the example
to illustrate that
2014-04-05 18:47:37 +02:00
Hubert Kario ac3e5f4d62 Correctly report TLSv1.2 only ciphers as negotiable with TLSv1.2
Previously scan would report:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Now it correctly reports:
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2014-04-05 18:47:37 +02:00
Julien Vehent afcc92db02 Merge pull request #5 from mzeltner/master
Cleaned up options and documented custom OpenSSL build
2014-04-04 21:26:59 -04:00
Michael Zeltner 05bd24b405
Cleaning up old style, fixing --allciphers 2014-04-04 20:46:40 -04:00
Michael Zeltner bf48cd2a3c
Documenting how to build OpenSSL with ChaCha20-Poly1305
Also updating README.md with new options by MacLemon
2014-04-01 14:29:55 -04:00
Michael Zeltner 45f0f3305d Merge branch 'master' of https://github.com/MacLemon/cipherscan 2014-04-01 13:04:08 -04:00
Pepi Zawodsky 49214fc508 Verbose and Debug output go to stderr now. Added simple --delay function. 2014-02-18 02:05:26 +01:00
Michael Zeltner 8480e63ff7
Fixing a typo 2014-02-14 20:44:15 +01:00
Pepi Zawodsky 3282c2c3a5 Improved reference of switches documentation formatting. 2014-02-10 19:46:46 +01:00
Pepi Zawodsky 0282ae9209 Added simple debug function 2014-02-08 18:37:30 +01:00
Pepi Zawodsky 0d93b5d37e Updated README to reflect the changes in cipherscan. 2014-02-08 17:07:54 +01:00
Pepi Zawodsky 490c86c43e Changed grep invocation to prevent strange grep versions to balk on -E 2014-02-08 01:14:40 +01:00
Michael Zeltner 26b52d4e17
Make mktemp obsolete
We have pipes, we shall use them!
2014-02-07 00:56:31 +01:00
Pepi Zawodsky 57f41d7376 Fixed variable renaming. 2014-02-06 23:32:12 +01:00
Pepi Zawodsky 9e5ce9cca3 Removed neccessity for timeout, thanks to mzeltner. Better parameter parsing with short- and longoptions. Can now pass a path to use any openssl. Now works on OS X. 2014-02-06 23:26:19 +01:00
Julien Vehent 1f92094b3d Merge pull request #4 from mzeltner/master
Support s_client args, give -starttls example. Contributed by mzeltner.
2014-02-02 18:15:27 -08:00
Michael Zeltner 5c07a6e552
Support s_client args, give -starttls example 2014-02-02 15:41:16 +01:00
Julien Vehent ae5d7ad15c Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-31 10:24:02 -05:00
Julien Vehent b3ca13a5ae Rebuilt openssl to support ChaCha20/Poly1305. Test against google servers. 2014-01-31 10:22:21 -05:00
Julien Vehent 5e8b495a18 added many tests 2014-01-11 01:07:32 +00:00
Julien Vehent 1414973531 basic results parsing script in python 2014-01-10 05:50:03 +00:00
Julien Vehent f3c8b24b8b tweaks 2014-01-09 20:16:40 +00:00
Julien Vehent 5df0fe3d52 Merge branch 'master' of github.com:jvehent/cipherscan 2014-01-09 11:53:54 -05:00
Julien Vehent 19d443b8fe OpenSSL binary location fix 2014-01-09 11:52:43 -05:00
Julien Vehent e4ea957c8d Script to scan Alexa's top 1m websites 2014-01-09 11:52:17 -05:00
Julien Vehent 26948cbccf Merge pull request #3 from simondeziel/clean-temp
Cleanup old temp files when a connection failed
2014-01-07 19:04:43 -08:00
Simon Deziel 93ee5e3f33 Cleanup old temp files when a connection failed 2014-01-07 18:32:09 -05:00
Julien Vehent af7b4ce18c Rename CiphersScan to cipherscan 2013-12-09 11:01:30 -05:00
Julien Vehent 34a011ab71 Better doc 2013-12-09 10:40:23 -05:00
Julien Vehent f7c159b568 Support JSON output with -json 2013-12-09 10:16:45 -05:00
Julien Vehent 4420db6f9b prevent http keep-alive from blocking the scan 2013-11-20 11:51:37 -05:00
Julien Vehent 7c55288a7e Fix test of all ciphers individually 2013-11-20 10:47:59 -05:00
Julien Vehent d6556f5620 Progress indicator 2013-11-20 10:47:23 -05:00
Julien Vehent 889a75722d doc update 2013-11-20 10:33:58 -05:00
Julien Vehent a0e4f96a7b Test all versions of SSL and TLS 2013-11-20 10:30:45 -05:00