Am wondering whether it'd be possible and/or within scope to add a 'valid for X days' to the tool, as well as an option to test the certificate only, including the chain (trusted/untrusted) without doing the full scan. As far as I can tell all the data that would be needed is already being gathered, and a simple certificate test would reduce the need for custom tools to do fill the gap?

Thanks!

My system is configured to use the P-384 curve rather than P-256, like so:

prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-384,384bits secp384r1

In this config, I get this output in analyze.py:

<site>:443 has intermediate ssl/tls
<snip "old">

Changes needed to match the intermediate level:
<cut for brevity>
* consider using DHE of at least 2048bits and ECC of at least 256bits

Changes needed to match the modern level:
<cut for brevity>
* disable TLSv1.1
* disable TLSv1
* use DHE of at least 2048bits and ECC of at least 256bits

This appears to be because intermediate and modern both set the "must_match" flag when calling has_good_pfs(), which means they require exactly those 2 bit levels (2048 for DHE, 256 for ECC), or will complain.

https://github.com/jvehent/cipherscan/blob/master/analyze.py#L24
https://github.com/jvehent/cipherscan/blob/master/analyze.py#L183
https://github.com/jvehent/cipherscan/blob/master/analyze.py#L238

"old" works fine- it specifies must_match=True as well, but it also recommends specific values to use for maximum compatibility, so this seems reasonable.

Currently in the non-JSON output, we summarize at the end of the results the "most recently witnessed" signature algorithm. We need an option to view the signature algorithm for each cipher tested, to handle circumstances where the presented certificate varies based on the selected cipher.

HTTP2 requires the server to select only secure ciphers

check if the server will not negotiate old ciphers when negotiating HTTP2 with ALPN

Please change the first line "#!/bin/bash" to "#!/usr/bin/env bash":
cscan.sh
top1m/make_ca_files.sh
top1m/make_ca_trusted.sh
top1m/process-certificate-statistics.sh

Thank you.

add test to verify if the ClientHello messages fragmented over multiple records are accepted
(also include a positive check verifying that the ClientHello messages equal in size to the first fragment are accepted)

Hi
I get this error message when I try to test a domain

./cipherscan --curves www.google.com
openssl s_client doesn't accept the -connect parameter, which is extremely strange; refusing to proceed.

Can you please tell me what I'm doing wrong?

Thanks a lot
Andrea

Hello.
When I run the script to check the site, I get this error.

$ ./analyze.py -t google.com 
Traceback (most recent call last):
  File "cscan.py", line 265, in <module>
    scan_TLS_intolerancies(host, port, hostname)
  File "cscan.py", line 146, in scan_TLS_intolerancies
    host_up = not all(conf_iterator(lambda conf: True))
  File "cscan.py", line 143, in <genexpr>
    if predicate(conf))
  File "cscan.py", line 126, in result_cache
    hostname))
  File "cscan.py", line 29, in scan_with_config
    ret = scanner.scan()
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 141, in scan
    msg = handshake_parser.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/scanner.py", line 58, in parse
    msg.parse(parser)
  File "/home/user/ssl/cipherscan/cscan/messages.py", line 117, in parse
    self.certChain = certificate_list
AttributeError: can't set attribute
google.com:443 has intermediate ssl/tls

Changes needed to match the old level:
* enable SSLv3
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 160bits
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher ECDHE-RSA-AES128-SHA
* remove cipher ECDHE-RSA-AES256-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1.1
* disable TLSv1
* consider enabling OCSP Stapling

I ran this and with port 443 and using local openssl. But it did not help.
I'm using Debian 9.4 and OpenSSL 1.1.0f 25 May 2017

How to fix this error?

When i use this command:
./cipherscan -j google.com
is there a way i can specify the IP address?

See #45 for context

STR:

1. ./analyze.py --help
2. Run the example ./analyze.py mozilla.org

Expected:
The example (or another domain substituted in) works.

Actual:

$ ./analyze.py mozilla.org
usage:
* Analyze a single target, invokes cipherscan: $ ./analyze.py -t [target]
* Evaluate json results passed through stdin:  $ python analyze.py < target_results.json
example: ./analyze.py mozilla.org
analyze.py: error: argument infile: can't open 'mozilla.org': [Errno 2] No such file or directory: 'mozilla.org'

I was going to just fix the usage example here:
https://github.com/jvehent/cipherscan/blob/18b0d1b952d027d20e38f07329817873ec077d26/analyze.py#L456

...however ideally the -t parameter would not be necessary, and the example as phrased would just work. Perhaps if the item passed as the first parameter doesn't exist as a file, analyze.py could prompt "Results file does not exist, is this a domain you wish to scan? [Yn]".

Cipherscan doesn't find my ECDSA ECC prime256v1 with SHA-512 certificate to be very secure. While I have my own CA, which contributes to some of the warnings, it seems to only recognize RSA key strength in both cipherscan and analyze.py. I think that 256-bit of my certificate's curve is plenty strong.

In the output of cipherscan, the 256 on the last line is in red (there is also no mention of the SHA512 cipher, but I'm not worried about that):

prio  ciphersuite                    protocols  pfs                 curves
1     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-256,256bits  prime256v1
2     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-256,256bits  prime256v1

Certificate: untrusted, 256 bits, sha512WithRSAEncryption signature

In the analyze.py output "things that are bad" section:

* don't use a public key smaller than 2048 bits

Currently, cipherscan ignores invalid options, which results in them being treated as the hostname. It should probably just abort when provided an unrecognized option instead.

I get the following error:
Error processing data: can only concatenate list (not "str") to list

JSON output from cipherscan follows:
{"target":"kfritz-990.shoretel.com:9392","utctimestamp":"2015-07-06T21:23:36.0Z","serverside":"False","ciphersuite": [{"cipher":"ECDHE-RSA-AES256-GCM-SHA384","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"ECDH,P-521,521bits","curves":["secp521r1"]},{"cipher":"ECDHE-RSA-AES256-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"ECDH,P-521,521bits","curves":["secp521r1"]},{"cipher":"AES256-SHA256","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"AES256-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"CAMELLIA256-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"ECDHE-RSA-AES128-GCM-SHA256","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"ECDH,P-521,521bits","curves":["secp521r1"]},{"cipher":"ECDHE-RSA-AES128-SHA256","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"ECDH,P-521,521bits","curves":["secp521r1"]},{"cipher":"ECDHE-RSA-AES128-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"ECDH,P-521,521bits","curves":["secp521r1"]},{"cipher":"AES128-GCM-SHA256","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"AES128-SHA256","protocols":["TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"AES128-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"},{"cipher":"CAMELLIA128-SHA","protocols":["TLSv1","TLSv1.1","TLSv1.2"],"pubkey":["1024"],"sigalg":["sha1WithRSAEncryption"],"trusted":"False","ticket_hint":"None","ocsp_stapling":"False","pfs":"None"}]}

Hi I am trying to run cipherscan from a ubuntu docker image and get the following error ?

./cipherscan www.google.com:443
...................
Target: www.google.com:443

./cipherscan: line 512: column: command not found

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Server side cipher ordering

My example is
./cipherscan tickets.saparena.de

I guess, there seems to be some connection issue. I just see two dots and no results.

I'm curious as to if the last cipher listed (None) serves a purpose, or if it should be completely omitted.

Since openssl/openssl@552bf8e OpenSSL does also support proxy servers. Could you mention this also in the "Some useful OpenSSL options" sections within ciphertest?
Eg: "-proxy proxy:port Use a proxy server (req. OpenSSL 1.1)"

When trying to use cipherscan latest, I got observed color codes being output to non-terminal outputs.

This is due to mishandling of $OPENSSLBIN in all locations in the script.

It must be quoted, as in:

"$OPENSSLBIN" arg1 arg2 arg3

And various places where a command string is assembled of this form –

sslcommand="$TIMEOUTBIN $OPENSSLBIN ..."
...
$sslcommand arg1 arg2 arg3

– will need to be rewritten using arrays of this form to function correctly –

sslcommand=("$TIMEOUTBIN" "$OPENSSLBIN" ...)
...
"${sslcommand[@]}" arg1 arg2 arg3

Bash version 4 is required to run cipherscan.
Please upgrade your version of bash (ex: brew install bash).

I'm sure there's a good reason, but this just makes me feel like cipherscan wants to trample on my system because it's lazy. If it gave me more useful information, I could evaluate this request better.

(However, thanks very much for having such a clear message in the first place.)

Since copy pasting an address from Firefox a user will get a URL: "https://example.com" it would be easier for users if cipherscan could parse the hostname out of it.

some servers will negotiate SSL3 when getting a TLS 1.2 hello, but will negotate TLS 1.0 or TLS 1.1 when receiving respective hello's

add a check to detect that

Why is it considered bad practice to use ECDHE-RSA-AES128-GCM-SHA256 cipher ? I do not understand why ?

This cipher is considered safe and secure today.

Running the script on Ubuntu 15.04 64 Bit
I got this error.

$ ./cipherscan --curves -j www.phcorner.net | j
j: command not found

Hi,
i have the problem that i am forced to use OpenSSL1.1.0c to
see the CHACHA20-POLY1305 ciphers and the X25519 curve on modern
configured applications.
The rest is still fine and visible with the included OpenSSL of this project.
When i use now the new OpenSSL i can't see multiple curves.
There is only shown X25519 and not the other secp* curves.
Can u apply a patch or change to make this again possible?
Thanks Torsten

My Apache uses ECDHE-ECDSA-CHACHA20-POLY1305 for most connections, but for some reason I can't understand, cipherscan doesn't list it in its output. The local OpenSSL does have the CHACHA20-POLY1305 ciphers in the output of openssl ciphers -v 'ALL:COMPLEMENTOFALL:+aRSA', so you'd think cipherscan would test for it?

Analyze is throwing up bad cert errors, and it doesn't seem like it should:

From the webserver:
grep Cipher ssl.conf
# SSL Cipher Suite:
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
SSLHonorCipherOrder on

Given that config, here's what analyze says:

./analyze.py -t www.denali.net
www.denali.net:443 has bad ssl/tls

Things that are bad:

• remove cipher EDH-RSA-DES-CBC3-SHA

Changes needed to match the old level:

• remove cipher EDH-RSA-DES-CBC3-SHA
• consider enabling SSLv3
• use a certificate with sha1WithRSAEncryption signature
• use DHE of 1024bits and ECC of 256bits
• consider enabling OCSP Stapling

Changes needed to match the intermediate level:

• remove cipher ECDHE-RSA-DES-CBC3-SHA
• remove cipher EDH-RSA-DES-CBC3-SHA
• consider enabling OCSP Stapling

Changes needed to match the modern level:

• remove cipher AES128-SHA
• remove cipher DHE-RSA-CAMELLIA256-SHA
• remove cipher AES256-GCM-SHA384
• remove cipher AES256-SHA256
• remove cipher AES256-SHA
• remove cipher CAMELLIA256-SHA
• remove cipher ECDHE-RSA-DES-CBC3-SHA
• remove cipher EDH-RSA-DES-CBC3-SHA
• remove cipher DES-CBC3-SHA
• remove cipher DHE-RSA-CAMELLIA128-SHA
• remove cipher AES128-GCM-SHA256
• remove cipher AES128-SHA256
• remove cipher CAMELLIA128-SHA
• disable TLSv1
• consider enabling OCSP Stapling

.... but there are no DES protocols enabled (or camellia, or...)

And here's what cipherscan details show:

./cipherscan -a --curves www.denali.net
..................................
Target: www.denali.net:443

prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
2 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,4096bits None
3 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
4 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
5 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
6 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
7 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,4096bits None
8 DHE-RSA-AES256-SHA256 TLSv1.2 DH,4096bits None
9 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,4096bits None
10 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,4096bits None
11 AES256-GCM-SHA384 TLSv1.2 None None
12 AES256-SHA256 TLSv1.2 None None
13 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
14 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
15 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
16 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,4096bits None
17 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
18 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
19 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
20 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,4096bits None
21 DHE-RSA-AES128-SHA256 TLSv1.2 DH,4096bits None
22 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,4096bits None
23 AES128-GCM-SHA256 TLSv1.2 None None
24 AES128-SHA256 TLSv1.2 None None
25 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 None None

Certificate: trusted, 4096 bit, sha512WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server
Curves fallback: False

All accepted ciphersuites
ADH-AES128-GCM-SHA256 fail
ADH-AES128-SHA fail
ADH-AES128-SHA256 fail
ADH-AES256-GCM-SHA384 fail
ADH-AES256-SHA fail
ADH-AES256-SHA256 fail
ADH-CAMELLIA128-SHA fail
ADH-CAMELLIA128-SHA256 fail
ADH-CAMELLIA256-SHA fail
ADH-CAMELLIA256-SHA256 fail
ADH-DES-CBC-SHA fail
ADH-DES-CBC3-SHA fail
ADH-RC4-MD5 fail
ADH-SEED-SHA fail
AECDH-AES128-SHA fail
AECDH-AES256-SHA fail
AECDH-DES-CBC3-SHA fail
AECDH-NULL-SHA fail
AECDH-RC4-SHA fail
AES128-GCM-SHA256 pass
AES128-SHA pass
AES128-SHA256 pass
AES256-GCM-SHA384 pass
AES256-SHA pass
AES256-SHA256 pass
CAMELLIA128-SHA pass
CAMELLIA128-SHA256 fail
CAMELLIA256-SHA pass
CAMELLIA256-SHA256 fail
DES-CBC-MD5 fail
DES-CBC-SHA fail
DES-CBC3-MD5 fail
DES-CBC3-SHA pass
DH-DSS-AES128-GCM-SHA256 fail
DH-DSS-AES128-SHA fail
DH-DSS-AES128-SHA256 fail
DH-DSS-AES256-GCM-SHA384 fail
DH-DSS-AES256-SHA fail
DH-DSS-AES256-SHA256 fail
DH-DSS-CAMELLIA128-SHA fail
DH-DSS-CAMELLIA128-SHA256 fail
DH-DSS-CAMELLIA256-SHA fail
DH-DSS-CAMELLIA256-SHA256 fail
DH-DSS-DES-CBC-SHA fail
DH-DSS-DES-CBC3-SHA fail
DH-DSS-SEED-SHA fail
DH-RSA-AES128-GCM-SHA256 fail
DH-RSA-AES128-SHA fail
DH-RSA-AES128-SHA256 fail
DH-RSA-AES256-GCM-SHA384 fail
DH-RSA-AES256-SHA fail
DH-RSA-AES256-SHA256 fail
DH-RSA-CAMELLIA128-SHA fail
DH-RSA-CAMELLIA128-SHA256 fail
DH-RSA-CAMELLIA256-SHA fail
DH-RSA-CAMELLIA256-SHA256 fail
DH-RSA-DES-CBC-SHA fail
DH-RSA-DES-CBC3-SHA fail
DH-RSA-SEED-SHA fail
DHE-DSS-AES128-GCM-SHA256 fail
DHE-DSS-AES128-SHA fail
DHE-DSS-AES128-SHA256 fail
DHE-DSS-AES256-GCM-SHA384 fail
DHE-DSS-AES256-SHA fail
DHE-DSS-AES256-SHA256 fail
DHE-DSS-CAMELLIA128-SHA fail
DHE-DSS-CAMELLIA128-SHA256 fail
DHE-DSS-CAMELLIA256-SHA fail
DHE-DSS-CAMELLIA256-SHA256 fail
DHE-DSS-RC4-SHA fail
DHE-DSS-SEED-SHA fail
DHE-RSA-AES128-GCM-SHA256 pass
DHE-RSA-AES128-SHA pass
DHE-RSA-AES128-SHA256 pass
DHE-RSA-AES256-GCM-SHA384 pass
DHE-RSA-AES256-SHA pass
DHE-RSA-AES256-SHA256 pass
DHE-RSA-CAMELLIA128-SHA pass
DHE-RSA-CAMELLIA128-SHA256 fail
DHE-RSA-CAMELLIA256-SHA pass
DHE-RSA-CAMELLIA256-SHA256 fail
DHE-RSA-CHACHA20-POLY1305 fail
DHE-RSA-SEED-SHA fail
ECDH-ECDSA-AES128-GCM-SHA256 fail
ECDH-ECDSA-AES128-SHA fail
ECDH-ECDSA-AES128-SHA256 fail
ECDH-ECDSA-AES256-GCM-SHA384 fail
ECDH-ECDSA-AES256-SHA fail
ECDH-ECDSA-AES256-SHA384 fail
ECDH-ECDSA-CAMELLIA128-SHA256 fail
ECDH-ECDSA-CAMELLIA256-SHA384 fail
ECDH-ECDSA-DES-CBC3-SHA fail
ECDH-ECDSA-NULL-SHA fail
ECDH-ECDSA-RC4-SHA fail
ECDH-RSA-AES128-GCM-SHA256 fail
ECDH-RSA-AES128-SHA fail
ECDH-RSA-AES128-SHA256 fail
ECDH-RSA-AES256-GCM-SHA384 fail
ECDH-RSA-AES256-SHA fail
ECDH-RSA-AES256-SHA384 fail
ECDH-RSA-CAMELLIA128-SHA256 fail
ECDH-RSA-CAMELLIA256-SHA384 fail
ECDH-RSA-DES-CBC3-SHA fail
ECDH-RSA-NULL-SHA fail
ECDH-RSA-RC4-SHA fail
ECDHE-ECDSA-AES128-GCM-SHA256 fail
ECDHE-ECDSA-AES128-SHA fail
ECDHE-ECDSA-AES128-SHA256 fail
ECDHE-ECDSA-AES256-GCM-SHA384 fail
ECDHE-ECDSA-AES256-SHA fail
ECDHE-ECDSA-AES256-SHA384 fail
ECDHE-ECDSA-CAMELLIA128-SHA256 fail
ECDHE-ECDSA-CAMELLIA256-SHA384 fail
ECDHE-ECDSA-CHACHA20-POLY1305 fail
ECDHE-ECDSA-DES-CBC3-SHA fail
ECDHE-ECDSA-NULL-SHA fail
ECDHE-ECDSA-RC4-SHA fail
.ECDHE-RSA-AES128-GCM-SHA256 pass
.ECDHE-RSA-AES128-SHA pass
.ECDHE-RSA-AES128-SHA256 pass
.ECDHE-RSA-AES256-GCM-SHA384 pass
.ECDHE-RSA-AES256-SHA pass
.ECDHE-RSA-AES256-SHA384 pass
ECDHE-RSA-CAMELLIA128-SHA256 fail
ECDHE-RSA-CAMELLIA256-SHA384 fail
ECDHE-RSA-CHACHA20-POLY1305 fail
.ECDHE-RSA-DES-CBC3-SHA pass
ECDHE-RSA-NULL-SHA fail
ECDHE-RSA-RC4-SHA fail
EDH-DSS-DES-CBC-SHA fail
EDH-DSS-DES-CBC3-SHA fail
EDH-RSA-DES-CBC-SHA fail
EDH-RSA-DES-CBC3-SHA pass
EXP-ADH-DES-CBC-SHA fail
EXP-ADH-RC4-MD5 fail
EXP-DES-CBC-SHA fail
EXP-DH-DSS-DES-CBC-SHA fail
EXP-DH-RSA-DES-CBC-SHA fail
EXP-EDH-DSS-DES-CBC-SHA fail
EXP-EDH-RSA-DES-CBC-SHA fail
EXP-RC2-CBC-MD5 fail
EXP-RC4-MD5 fail
EXP1024-DES-CBC-SHA fail
EXP1024-DHE-DSS-DES-CBC-SHA fail
EXP1024-DHE-DSS-RC4-SHA fail
EXP1024-RC4-SHA fail
IDEA-CBC-MD5 fail
IDEA-CBC-SHA fail
NULL-MD5 fail
NULL-SHA fail
NULL-SHA256 fail
PSK-3DES-EDE-CBC-SHA fail
PSK-AES128-CBC-SHA fail
PSK-AES256-CBC-SHA fail
PSK-RC4-SHA fail
RC2-CBC-MD5 fail
RC4-64-MD5 fail
RC4-MD5 fail
RC4-SHA fail
RSA-PSK-3DES-EDE-CBC-SHA fail
RSA-PSK-AES128-CBC-SHA fail
RSA-PSK-AES256-CBC-SHA fail
RSA-PSK-RC4-SHA fail
SEED-SHA fail
SRP-3DES-EDE-CBC-SHA fail
SRP-AES-128-CBC-SHA fail
SRP-AES-256-CBC-SHA fail
SRP-DSS-3DES-EDE-CBC-SHA fail
SRP-DSS-AES-128-CBC-SHA fail
SRP-DSS-AES-256-CBC-SHA fail
SRP-RSA-3DES-EDE-CBC-SHA fail
SRP-RSA-AES-128-CBC-SHA fail
SRP-RSA-AES-256-CBC-SHA fail

STR:

1. ./analyze.py

Expected:
Just the usage info, ie:

usage:
...

Actual:
An error prior to the usage info:

ERROR:root:invalid input file
usage:
...

The said message comes with Debian:

$ ./cipherscan www.somehost.example
/home/user/git/cipherscan/openssl s_client doesn't accept the -connect parameter, which is extremely strange; refusing to proceed.
$ ./openssl
./openssl: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by ./openssl)
./openssl: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.15' not found (required by ./openssl)
$

Or maybe (better!) reconsider rewrititing it and avoid binary blobs (which may not run on all Linux distributions).

My host uses a certificate with a 256-bit ECC public/private key. analyze.py doesn't appreciate this:

hostname:443 has bad ssl/tls

Things that are bad:
* don't use a public key smaller than 2048 bits

The warning seems to only make sense for RSA certificates.

Perhaps the warning should only trigger if conn['sigalg'][0] contains 'RSA', as in sha256WithRSAEncryption?

diff --git a/analyze.py b/analyze.py
index e519a6f..021f52d 100755
--- a/analyze.py
+++ b/analyze.py
@@ -59,7 +59,7 @@ def is_fubar(results):
             has_ssl2 = True
             logging.debug('SSLv2 is in the list of fubar protocols')
             fubar = True
-        if int(conn['pubkey'][0]) < 2048:
+        if int(conn['pubkey'][0]) < 2048 and 'RSA' in conn['sigalg'][0]:
             has_wrong_pubkey = True
             logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
             fubar = True

I updated my copy from 2015 year and i found, that the new version of analyze.py is not compatible with python3 due urllib2 import:

Traceback (most recent call last):
  File "./analyze.py", line 10, in <module>
    import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
ModuleNotFoundError: No module named 'urllib2'

2to3 is able to solve it, but i did it manually to make it both py2 & py3 compatible:

diff --git a/analyze.py b/analyze.py
index c886ee8..32a16fe 100755
--- a/analyze.py
+++ b/analyze.py
@@ -7,7 +7,14 @@
 
 from __future__ import print_function
 
-import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
+import sys, os, json, subprocess, logging, argparse, platform, re
+
+try:
+    from urllib2 import urlopen, URLError
+except ModuleNotFoundError:
+    from urllib.request import urlopen
+    from urllib.error import URLError
+
 from collections import namedtuple
 from datetime import datetime
 from copy import deepcopy
@@ -400,10 +407,10 @@ def build_ciphers_lists():
     sstlsurl = "https://statics.tls.security.mozilla.org/server-side-tls-conf.json"
     conf = dict()
     try:
-        raw = urllib2.urlopen(sstlsurl).read()
+        raw = urlopen(sstlsurl).read()
         conf = json.loads(raw)
         logging.debug('retrieving online server side tls recommendations from %s' % sstlsurl)
-    except urllib2.URLError:
+    except URLError:
         with open('server-side-tls-conf.json', 'r') as f:
             conf = json.load(f)
             logging.debug('Error connecting to %s; using local archive of server side tls recommendations' % sstlsurl)

regards

On x64 CentOS Linux release 7.1.1503 (Core) I get the error
./cipherscan: line 1919: [-1]: bad array subscript

bash -version
GNU bash, version 4.2.46(1)-release (x86_64-redhat-linux-gnu)

I just downloaded latest cipherscan for my CentOS 6.6 system and seems having problems.. any clues ?

./cipherscan -v google.com
Using trust anchors from /etc/pki/tls/certs/ca-bundle.crt
Loading 0 ciphersuites from 
.Connecting to 'google.com:443' with ciphersuite 'ALL:COMPLEMENTOFALL:+aRSA'
selected cipher is ''
using protocol ''
selected cipher is ''
using protocol ''
selected cipher is ''
using protocol ''
selected cipher is ''
using protocol ''
selected cipher is ''
using protocol ''
handshake failed, no ciphersuite was returned

Target: google.com:443


Certificate: UNTRUSTED,  bit,  signature
TLS ticket lifetime hint: 
OCSP stapling: not supported
Cipher ordering: server

thanks

It seems to me that 'the old level' is well past its due date, with recommendations like;

Changes needed to match the old level:
* consider enabling SSLv3
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 256bits
* consider enabling OCSP Stapling

Perhaps it should be removed, limiting recommendations to the intermediate and modern levels only?

I got an error when a tried to analyze my configuration :

./analyze.py -t blog.meshup.net
invalid json data: Expecting value: line 1 column 1 (char 0)

If you're going to supply an openssl client binary, you should consider adding the IPv6-enabling patch that's floating about the interwebs.

That would be a great step forward for testing.

I caught myself twice today because I forgot to give -servername to cipherscan while scanning a site. I think it should become the default, as tons of sites depend on it nowadays. Any reason not to make it the default?

brew install https://gist.githubusercontent.com/steakknife/314591f74ffaff7bd58d/raw/cipher_scan.rb

All dependencies included and the OpenSSL fork vendored.

Because we're using OpenSSL CLI application for performing the scan, our control over the Client Hello sent is limited. For example we can't send TLSv1.3 Client Hello or we can't send a TLS1.2 client hello with TLS1.2 record layer version. We can't send an extension-less client hello if we use the system OpenSSL and so on...

While there is Python implementation of TLS in form of https://github.com/tomato42/tlslite-ng which does allow to do stuff like this, the main selling point for cipherscan is that it has minimal dependencies on the system - it can be run without root access and by just downloading the repo.

While it is possible to build a python tool and distribute it as a single binary (like we do with bundled openssl) that would leave the question of where should the code of this archive live. If in the same, then updating that code would be rather messy. And IMHO we should aim to drop binary files from the repo, not add more of them.

Alternatively we could make a shell wrapper around this python tool and make the wrapper download dependencies to local directory when it is run for the first time.

I'd prefer the second option, what about you @jvehent ?

There is the roca-detect library which can be used to detect ROCA-vulnerable certificates. It'd be nice to detect hosts with vulnerable keys as part of cipherscan.

I would like to propose that you change this variable to the system provided version of openssl. While the system provided version of openssl may not be the latest/greatest, I believe it makes best use of your script, and also may help you from any potential licensing terms with the OpenSSL license (IANAL).

Using fully patched Ubuntu Trusty Tahr (14.04.4 LTS), Python version 2.7.6, current cipherscan clone.

Error message:

Failed to retrieve JSON configurations from https://statics.tls.security.mozilla.org/server-side-tls-conf.json

This appears to be because 2.7.6 doesn't support the 'statics.tls.seecurity.mozilla.org' TLS configuration, and attempts to use SSL23

>>> urllib2.urlopen("https://statics.tls.security.mozilla.org/server-side-tls-conf.json").read()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure>

This appears to be related to Python <2.7.8's inability to support SNI in certificates when using the standard library 'ssl' module (which urllib2 does). I found this issue with the Requests library that indicates the same problem/source, and a fix (changing to PyOpenSSL), however, for the use of cipherscan, might it be easier to just reference the JSON file locally, and put it in the git repo (with the nice side effect that it can now be used internally on systems that can't access the Internet)?

Alternatively, an indicator in the Readme (or a quick check of code version in the python file itself) that you must have SNI support in order to use the software (e.g. Py 2.7.8+) would work.

since now we can detect features of openssl s_client through -help message (see openssl/openssl@a7cb67f and openssl/openssl@ad775e0 for 1.0.2 and master patches) it will be possible to autodetect if we can do more advanced scanning.

Mozilla SSL Configuration Generator recommends the following ciphers for the Intermediate Profile:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

When I scan my server using cipherscan, it returns the following message:

$ ./analyze.py -t gitlab.globoi.com
gitlab.globoi.com:443 has obscure or unknown ssl/tls

Changes needed to match the old level:
* consider enabling SSLv3
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 256bits
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-DES-CBC3-SHA

There seems to be a mismatch between the Mozilla Configuration Generator and cipherscan.

According to the server-side-tls git, the following commit included 'ECDHE-RSA-DES-CBC3-SHA' to the Intermediate list:

https://github.com/mozilla/server-side-tls/pull/89/files

I'd like to rephrase the output of the tls intolerance test. the current output isn't very clear on what the information means:

Fallbacks required:
big-SSLv3 config not supported, connection failed
big-TLSv1.0 no fallback req, connected: TLSv1 AES128-SHA
big-TLSv1.1 no fallback req, connected: TLSv1 AES128-SHA
big-TLSv1.2 no fallback req, connected: TLSv1 AES128-SHA

• connection failed make it sound as if something bad happened, when in fact not having sslv3 is a good thing
• no fallback req, connected doesn't really say if the connection used what was expected, or if any intolerancy was detected

Maybe we could compress the terminal output by just showing Intolerancies: none [OK] when everything goes well, and dive into details when it doesn't.

@tomato42 : Thoughts?

because we default to using our custom openssl config file, on systems which have openssl compiled without support for GOST, it causes that version of openssl to abort with "no such engine" error

Is it possible to print the ip address of the server that cipherscan is talking to?
I tried with -v with no success.

I am trying to diagnose an issue where dns return different servers with tls/ssl not the same across the board.

Thanks for this piece of software!

$ cipherscan zk.gd
Bash version 4 is required to run cipherscan.
Please upgrade your version of bash (ex: brew install bash).
$ echo $SHELL      
/usr/local/bin/zsh

👎