New upstream version 2.0.11 Sophie Brun 2 years ago
8 changed file(s) with 88 addition(s) and 13 deletion(s). Raw diff Collapse all Expand all
00 Changelog
11 =========
2 Version: 2.0.11
3 Date : 16/12/2021
4 Author : rbsec <[email protected]>
5 Changes: The following are a list of changes
6 > Add --iana-names option to use IANA/RFC cipher names
7 > Improve signature algorithm detection
8
29 Version: 2.0.10
310 Date : 27/04/2021
411 Author : rbsec <[email protected]>
88
99 # Detect OS
1010 OS := $(shell uname)
11 ARCH := $(shell uname -m)
1112
1213 # Handle different version of Make
1314 ifeq ($(OS), SunOS)
6061 PWD = $(shell pwd)/openssl
6162 LDFLAGS += -L${PWD}/
6263 CFLAGS += -I${PWD}/include/ -I${PWD}/
64 ifeq ($(OS), Darwin)
65 LIBS = ./openssl/libssl.a ./openssl/libcrypto.a -lz -lpthread
66 else
6367 LIBS = -lssl -lcrypto -lz -lpthread
68 endif
6469 ifneq ($(OS), FreeBSD)
6570 LIBS += -ldl
6671 endif
128133
129134 # Need to build OpenSSL differently on OSX
130135 ifeq ($(OS), Darwin)
136 ifeq ($(ARCH), arm64)
137 OSSL_TARGET=darwin64-arm64-cc
138 else
139 OSSL_TARGET=darwin64-x86_64-cc
140 endif
131141 openssl/Makefile: .openssl.is.fresh
132 cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
142 cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-weak-ssl-ciphers zlib $(OSSL_TARGET)
133143 # Any other *NIX platform
134144 else
135145 openssl/Makefile: .openssl.is.fresh
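Review bot: The new Darwin branch `LIBS = ./openssl/libssl.a ./openssl/libcrypto.a -lz -lpthread` names the bundled archives by a path relative to make's working directory, while the two lines just above it already anchor the same tree through `${PWD}` (set to `$(shell pwd)/openssl`), so the three lines resolve the static OpenSSL differently; `LIBS = $(PWD)/libssl.a $(PWD)/libcrypto.a -lz -lpthread` keeps them consistent and makes it explicit that the bundled, not the system, libssl is linked. In the `OSSL_TARGET` hunk, `uname -m` reports the architecture of the running process rather than the hardware, so an x86_64 shell under Rosetta presumably selects `darwin64-x86_64-cc` on Apple silicon; that is the matching target for such a toolchain, but a one-line comment such as `# ARCH follows the running process: under Rosetta an x86_64 make builds x86_64 OpenSSL` would spare the next reader the investigation. The `ifeq` conditional that encloses the LIBS lines begins outside the hunk.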
6969 * Support STARTTLS for MySQL (credit bk2017).
7070 * Check for supported key exchange groups.
7171 * Check for supported server signature algorithms.
72 * Display IANA/RFC cipher names `--iana-names`
7273
7374 ### Building on Linux
7475
88 TLSv1.0 enabled
99 TLSv1.1 enabled
1010 TLSv1.2 enabled
11 TLSv1.3 disabled
11 TLSv1.3 enabled
1212
1313 OCSP Stapling Request:
1414 OCSP Response Status: successful (0x0)
7272
7373 SSL Certificate:
7474 Signature Algorithm: sha256WithRSAEncryption
75 RSA Key Strength: 32m30720m
75 RSA Key Strength: 3072
7676
7777 Subject: lmgtfy.com
7878 Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere
5858 .TP
5959 .B \-\-show\-cipher-ids
6060 Print the hexadecimal cipher IDs
61 .TP
62 .B \-\-iana\-names
63 Use IANA/RFC cipher names rather than OpenSSL ones
6164 .TP
6265 .B \-\-show\-times
6366 Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing.
17451745
17461746 printf_xml(" bits=\"%d\" cipher=\"%s\" id=\"%s\"", cipherbits, ciphername, hexCipherId);
17471747 if (strstr(ciphername, "NULL")) {
1748 printf("%s%-29s%s", COL_RED_BG, ciphername, RESET);
1748 if (options->ianaNames) {
1749 printf("%s%-45s%s", COL_RED_BG, ciphername, RESET);
1750 }
1751 else {
1752 printf("%s%-29s%s", COL_RED_BG, ciphername, RESET);
1753 }
17491754 strength = "null";
17501755 } else if (strstr(ciphername, "ADH") || strstr(ciphername, "AECDH") || strstr(ciphername, "_anon_")) {
1751 printf("%s%-29s%s", COL_PURPLE, ciphername, RESET);
1756 if (options->ianaNames) {
1757 printf("%s%-45s%s", COL_PURPLE, ciphername, RESET);
1758 }
1759 else {
1760 printf("%s%-29s%s", COL_PURPLE, ciphername, RESET);
1761 }
17521762 strength = "anonymous";
17531763 } else if (strstr(ciphername, "EXP")) {
1754 printf("%s%-29s%s", COL_RED, ciphername, RESET);
1764 if (options->ianaNames) {
1765 printf("%s%-45s%s", COL_RED, ciphername, RESET);
1766 }
1767 else {
1768 printf("%s%-29s%s", COL_RED, ciphername, RESET);
1769 }
17551770 strength = "weak";
17561771 } else if (strstr(ciphername, "RC4") || strstr(ciphername, "DES")) {
1757 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1772 if (options->ianaNames) {
1773 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
1774 }
1775 else {
1776 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1777 }
17581778 strength = "medium";
17591779 } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
1760 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1780 if (options->ianaNames) {
1781 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
1782 }
1783 else {
1784 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1785 }
17611786 strength = "medium";
17621787 } else if (strstr(ciphername, "_GOSTR341112_")) { /* Developed by Russian government */
1763 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1788 if (options->ianaNames) {
1789 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
1790 }
1791 else {
1792 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
1793 }
17641794 strength = "medium";
17651795 } else if ((strstr(ciphername, "CHACHA20") || (strstr(ciphername, "GCM"))) && strstr(ciphername, "DHE")) {
1766 printf("%s%-29s%s", COL_GREEN, ciphername, RESET);
1796 if (options->ianaNames) {
1797 printf("%s%-45s%s", COL_GREEN, ciphername, RESET);
1798 }
1799 else {
1800 printf("%s%-29s%s", COL_GREEN, ciphername, RESET);
1801 }
17671802 strength = "strong";
17681803 } else {
1769 printf("%-29s", ciphername);
1804 if (options->ianaNames) {
1805 printf("%-45s", ciphername);
1806 }
1807 else {
1808 printf("%-29s", ciphername);
1809 }
17701810 strength = "acceptable";
17711811 }
17721812 printf_xml(" strength=\"%s\"", strength);
18471887 cipherid = SSL_CIPHER_get_id(sslCipherPointer);
18481888 cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3)
18491889
1850 ciphername = SSL_CIPHER_get_name(sslCipherPointer);
1890 if (options->ianaNames)
1891 {
1892 ciphername = SSL_CIPHER_standard_name(sslCipherPointer);
1893 }
1894 else
1895 {
1896 ciphername = SSL_CIPHER_get_name(sslCipherPointer);
1897 }
1898
18511899
18521900 // Timing
18531901 if (options->showTimes) {
39213969 else if (strcmp("--show-sigs", argv[argLoop]) == 0)
39223970 options->signature_algorithms = true;
39233971
3972 // Show IANA/RFC cipher names in output
3973 else if (strcmp("--iana-names", argv[argLoop]) == 0)
3974 options->ianaNames = true;
3975
39243976 // StartTLS... FTP
39253977 else if (strcmp("--starttls-ftp", argv[argLoop]) == 0)
39263978 options->starttls_ftp = true;
42024254 printf(" %s--tlsall%s Only check TLS ciphers (all versions)\n", COL_GREEN, RESET);
42034255 printf(" %s--show-ciphers%s Show supported client ciphers\n", COL_GREEN, RESET);
42044256 printf(" %s--show-cipher-ids%s Show cipher ids\n", COL_GREEN, RESET);
4257 printf(" %s--iana-names%s Use IANA/RFC cipher names rather than OpenSSL ones\n", COL_GREEN, RESET);
42054258 printf(" %s--show-times%s Show handhake times in milliseconds\n", COL_GREEN, RESET);
42064259 printf("\n");
42074260 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
58495902 if (sig_id == BOGUS_SIG_ALG_ID) {
58505903 printf("%s%s Server accepts all signature algorithms.%s\n", getPrintableTLSName(tls_version), COL_RED, RESET);
58515904 printf_xml(" <connection-signature-algorithm sslversion=\"%s\" name=\"ANY\" id=\"0xfdff\" />\n", getPrintableTLSName(tls_version));
5852 goto done;
5905 break;
58535906 } else {
58545907 printf("%s %s%s%s\n", getPrintableTLSName(tls_version), color, sig_name, RESET);
58555908 printf_xml(" <connection-signature-algorithm sslversion=\"%s\" name=\"%s\" id=\"0x%04x\" />\n", getPrintableTLSName(tls_version), sig_name, sig_id);
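Review bot: In the hunk that selects `ciphername`, the new `SSL_CIPHER_standard_name(sslCipherPointer)` result is passed unchecked into the `strstr(ciphername, ...)` classification chain, and the OpenSSL manual documents that this function returns NULL for a cipher with no standard name (only a NULL cipher argument yields "(NONE)"), which would make the strength classification dereference NULL. Collapsing the if/else into a fallback avoids that: `ciphername = options->ianaNames ? SSL_CIPHER_standard_name(sslCipherPointer) : NULL;` followed by `if (ciphername == NULL) ciphername = SSL_CIPHER_get_name(sslCipherPointer);`. SSL_CIPHER_standard_name is also unavailable in OpenSSL builds older than 1.1.0 (and in 1.1.0 without enable-ssl-trace), and since the file still carries an `OPENSSL_VERSION_NUMBER` guard a few lines into the help hunk, the call presumably wants a similar guard or a documented minimum version. The eight repeated `if (options->ianaNames) printf("%-45s") else printf("%-29s")` pairs in the classification hunk could become one `int width = options->ianaNames ? 45 : 29;` before the chain and `printf("%s%-*s%s", COL_RED_BG, width, ciphername, RESET);` in each branch, which also keeps the XML `cipher=` attribute and the coloured column in one place should the IANA width ever change. The function containing these hunks starts and ends outside the diff.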
181181 int ipv4;
182182 int ipv6;
183183 int ocspStatus;
184 int ianaNames;
184185 char cipherstring[65536];
185186
186187 // File Handles...