Граф коммитов

148 Коммитов

Автор SHA1 Сообщение Дата
Hubert Kario 29c739faa9 count EDH-DES as PFS too in general stats 2014-10-25 16:23:41 +02:00
Hubert Kario af2e25ec89 fix EDH checking
old ciphers have names that use EDH instead of DHE so we need check
for both names
2014-10-25 16:11:18 +02:00
Hubert Kario 76d791fcbe make cipher selection simulation generic
it's relatively easy to make the cipher selection generic,
so that adding different clients is as easy as converting their
client hello cipher ordering to openssl cipher names
2014-10-12 20:39:39 +02:00
Hubert Kario c82bc44558 report cipher ordering in scanning stats, use it to simulate handshakes
since now we know if server honours client order or not, we can use it
to properly simulate handshakes for a given client, also report
the general stats of this server configuration variable
2014-10-12 20:39:39 +02:00
Hubert Kario 42fa7d9ecb report what ciphers Firefox would select while connecting to server 2014-10-12 20:39:39 +02:00
Hubert Kario 1b4dcc4393 report ciphers causing incompatibility for Firefox
It turns out that the situation is even more bleak for Firefox
with regards to RC4, add it to report
2014-10-12 20:39:39 +02:00
Hubert Kario 142726c4fd count ECDH-RSA ciphers as ECDSA
the ECDH parameters come from server certificate - the point
on elliptic curve. The RSA comes from the signature on the certificate
which comes from CA
2014-10-12 20:39:39 +02:00
Julien Vehent 26c7b0e0d7 fix target level verification check 2014-10-11 23:08:35 -04:00
Julien Vehent a749742ff3 make sha-256 cert an optional requirement to the intermediate level 2014-10-11 23:08:21 -04:00
Julien Vehent b009c71321 add operator flag to analyze.py 2014-10-11 20:52:18 -04:00
Julien Vehent cdd34fce03 fix bug in status detection of analyze.py 2014-10-11 20:45:14 -04:00
Julien Vehent b846ac9d5b add json output to analyze.py via the -j flag 2014-10-11 19:37:08 -04:00
Julien Vehent 0da92f25b7 verify server side ordering is used in analyze.py 2014-10-11 00:34:07 -04:00
Julien Vehent 1c9d52c94c First shot at ordering analysis. Not yet perfect, but somewhat useful... 2014-10-10 20:30:27 -04:00
Julien Vehent a46e474337 add some fubar recommentations 2014-10-10 19:07:31 -04:00
Julien Vehent f4d0d598c7 analyze.py add option to give path to specific openssl 2014-10-10 18:56:44 -04:00
Julien Vehent 37f04054f8 fix json date to use UTC 2014-10-10 18:16:22 -04:00
Julien Vehent 86edd481f6 analyze.py uses provided openssl only on linux 64 2014-10-10 18:00:10 -04:00
Julien Vehent 81ef37c593 gitignore update 2014-10-10 17:31:44 -04:00
Julien Vehent b80b5cdd35 hide errors when json format is used 2014-10-10 17:27:58 -04:00
Julien Vehent 278dab4800 Fix json date argument to be compatible on macos 2014-10-10 17:27:29 -04:00
Julien Vehent f6f4fe8b86 Find timeout binary on linux and mac 2014-10-10 17:19:44 -04:00
Julien Vehent c7c91ff5f8 updated authors 2014-10-10 16:56:06 -04:00
Julien Vehent d5685da796 check that provided openssl is executable, fall back to system one if not 2014-10-10 16:56:00 -04:00
Julien Vehent 26aa8f9408 cleanups 2014-10-10 16:55:34 -04:00
Julien Vehent 7d2c8b4cad Use local ca bundle if none is found on the system, fixes issues with MacOS 2014-10-10 16:55:09 -04:00
Julien Vehent cc1230efd9 Analysis wording changes 2014-10-09 10:09:44 -04:00
Julien Vehent a722ad177d updated README with analysis info 2014-10-09 10:03:19 -04:00
Julien Vehent 5665951b09 minor analysis wording changes 2014-10-09 09:57:40 -04:00
Julien Vehent 215dbd0c1a ignore openssl errors in analyze.py 2014-10-09 09:54:30 -04:00
Julien Vehent e9110c6bc8 gitignore 2014-10-09 09:36:08 -04:00
Julien Vehent 405b104583 improved configuration analysis 2014-10-09 09:35:59 -04:00
Julien Vehent 2858ef8116 Revert "no need to grep the input when we're using awk"
This reverts commit 4c05897be2.
2014-10-08 21:53:22 -04:00
Julien Vehent 34b2eb7819 First shot at cipherscan results analyzer 2014-10-08 21:53:05 -04:00
Hubert Kario ca0ef2fc5c fixes for the pull request #18
there were few small issues with the pull #18 even though jvehent merged
it, this fixes them
2014-10-06 13:26:53 -04:00
Hubert Kario 29109f1e64 update SEED and IDEA classification, do a total of broken ciphers
SEED and IDEA are not good ciphers, but not broken, so count them
separately, do a total count of servers that support broken and insecure
ciphers
2014-10-06 13:25:04 -04:00
Hubert Kario 4c05897be2 no need to grep the input when we're using awk
awk has an inbuilt version of grep, also truncate processing as soon
as we find what we're looking for
2014-10-06 13:24:39 -04:00
Hubert Kario fb02ae87ac add some comments, group related code 2014-10-06 13:22:29 -04:00
Hubert Kario 77671137df add support for CApath
capath for relatively small cert sets (~300) makes scanning about 5%
faster

also do a little clean up of the command-to-run generation code
2014-10-06 13:22:15 -04:00
Hubert Kario 189460da9e report if server uses client side or server side cipher ordering 2014-10-06 13:21:40 -04:00
Hubert Kario a7ae42b08e openssl in -ssl2 mode doesn't tolerate -servername option
when openssl is run in -ssl2 mode, it doesn't accept -servername
option and just aborts operation, it doesn't consider -status
to be special though.

Remove this option when running the SSLv2 portion of the test.
2014-10-06 13:21:16 -04:00
Hubert Kario 3a4a5f938d add missing ocsp_staple header 2014-10-06 13:20:49 -04:00
Hubert Kario 8a0c9190a9 sort reported TLS session ticket hint using natural sort 2014-10-06 13:20:37 -04:00
Julien Vehent ded65c40df Merge pull request #22 from simondeziel/sdeziel
Use Debian's system-wide trust anchors when possible
2014-08-28 16:02:36 -04:00
Julien Vehent ecd77f94fc Merge pull request #18 from tomato42/wip
Hodgepodge of fixes
2014-08-28 16:02:19 -04:00
Simon Deziel 7dee967dd7 Attempt to use /etc/ssl/certs/ca-certificates.crt if no CACERTS
are available. On Debian, this is the default location for
system-wide trust anchors.
2014-07-25 10:01:31 -04:00
Julien Vehent 273211f025 Merge pull request #21 from azet/master
add real execution tracing to debug
2014-07-17 12:29:42 -04:00
Aaron Zauner efd84cdb24 add real execution tracing to debug 2014-07-17 18:08:29 +02:00
Julien Vehent e345f6034d Merge pull request #20 from PeterMosmans/binaries
Updated binary with latest 1.0.2-chacha build
2014-07-13 09:22:24 -04:00
Peter Mosmans b65c13c7b9 Compiled for 64-bit-linux from the following source:
https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha
Added CAMELLIA 256SHA ciphers
2014-07-13 20:56:17 +10:00