forked from mozilla/cipherscan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathanalyze.py
121 lines (105 loc) · 5.58 KB
/
analyze.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
import fileinput
import sys
import json
import subprocess
from collections import defaultdict
def is_fubar(results):
fubar_ciphers = set(all_ciphers) - set(old_ciphers)
for conn in results['ciphersuite']:
if conn['cipher'] in fubar_ciphers:
return True
if 'SSLv2' in conn['protocols']:
return True
if conn['pubkey'] < 2048:
return True
return False
def is_old(results):
for conn in results['ciphersuite']:
if conn['cipher'] not in old_ciphers:
return False
if 'SSLv3' not in conn['protocols']:
return False
if 'sha1WithRSAEncryption' not in conn['sigalg']:
return False
return True
def is_intermediate(results):
for conn in results['ciphersuite']:
if conn['cipher'] not in intermediate_ciphers:
return False
if len(set(conn['protocols']) - set(['TLSv1', 'TLSv1.1', 'TLSv1.2'])) > 0:
return False
return True
def is_modern(results):
for conn in results['ciphersuite']:
if conn['cipher'] not in modern_ciphers:
errors["modern"]["ciphers"].append(conn['cipher'])
return False
if len(set(conn['protocols']) - set(['TLSv1.1', 'TLSv1.2'])) > 0:
# deprecated protocols are supported
return False
return True
def is_ordered(results, ciphersuite):
return True
def evaluate(results):
status = "obscure unknown ssl"
if len(results['ciphersuite']) == 0:
status = "no ssl"
if is_modern(results):
if is_ordered(results, modern_ciphers):
status = "modern tls"
else:
status = "modern tls with bad ordering"
if is_intermediate(results):
if is_ordered(results, intermediate_ciphers):
status = "intermediate tls"
else:
status = "intermediate tls with bad ordering"
if is_old(results):
if is_ordered(results, old_ciphers):
status = "old ssl"
else:
status = "old ssl with bad ordering"
if is_fubar(results):
status = "fubar ssl"
return status
def process_results(data):
results = dict()
try:
results = json.loads(data)
except ValueError, e:
print("invalid json data")
try:
if results:
print(results['target'] + " has " + evaluate(results))
except TypeError, e:
pass
def main():
global all_ciphers, old_ciphers, intermediate_ciphers, modern_ciphers, errors
all_ciphers = subprocess.check_output(['./openssl', 'ciphers', all_ciphersuite]).rstrip().split(':')
old_ciphers = subprocess.check_output(['./openssl', 'ciphers', old_ciphersuite]).rstrip().split(':')
intermediate_ciphers = subprocess.check_output(['./openssl', 'ciphers', intermediate_ciphersuite]).rstrip().split(':')
modern_ciphers = subprocess.check_output(['./openssl', 'ciphers', modern_ciphersuite]).rstrip().split(':')
if len(sys.argv) > 1:
# evaluate target specified as argument
data = subprocess.check_output(['./cipherscan', '-j', sys.argv[1]])
process_results(data)
else:
# take input from stdin
for data in fileinput.input():
if data:
process_results(data)
print errors
# from https://wiki.mozilla.org/Security/Server_Side_TLS
all_ciphersuite = "ALL:COMPLEMENTOFALL:+aRSA"
old_ciphersuite = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
intermediate_ciphersuite = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
modern_ciphersuite = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
errors = defaultdict(str)
if __name__ == "__main__":
main()