David Cooper
db4108cec5
Merge branch '2.9dev' into cipher_order_sockets
2017-01-24 08:46:40 -05:00
Dirk
2a5d56a9d6
help aviod misunderstanding, see #594 and some reordering
2017-01-24 08:37:19 +01:00
David Cooper
156787adec
Merge branch '2.9dev' into cipher_order_sockets
2017-01-23 11:22:42 -05:00
Dirk
4911aaf05b
Fix #593
2017-01-23 11:33:18 +01:00
Dirk Wetter
8988411fbc
Merge pull request #565 from dcooper16/run_server_preference_sockets
...
Use sockets in run_server_preference()
2017-01-21 19:55:37 +01:00
Dirk
f80e1ecfdb
- enable CAA per default ( #588 )
...
- hex2ascii() for converting strings
- swap quoted output in -S to italic (mostly)
2017-01-21 19:43:07 +01:00
Dirk
f2303a0d79
- poodle output polishing
...
- minor polish of #552
2017-01-21 18:08:31 +01:00
Dirk Wetter
d448ebbc77
Merge pull request #552 from dcooper16/run_beast_sockets
...
run_beast() speedup + sockets
2017-01-21 18:01:55 +01:00
Dirk
2b440f15ea
- polishing #570
...
- run_logjam() terminates if no local DH export ciphers are configured
2017-01-21 16:52:02 +01:00
Dirk Wetter
20cc3bc435
Merge pull request #570 from dcooper16/run_ssl_poodle_sockets
...
Use sockets for run_ssl_poodle()
2017-01-21 14:37:36 +01:00
Dirk
f3666a13c5
- add crypotsense prefined DH groups
...
- final FIX #589
2017-01-20 18:14:48 +01:00
Dirk
e083fab130
- run_logjam(): run_logjam(0 fixed error where logjam couldn't parse "ServerKeyExchange" message using SSL_NATIVE -- if TLS != 1.2 was returned
...
- run_logjam(): determine dh bit size and based on this mark the common primes as more or less vulnerable
- run_logjam(): renamed remaining dhe variable to dh
- further house keeping in run_logjam()
2017-01-19 14:45:19 +01:00
Dirk Wetter
9c3ab427b6
Merge pull request #590 from dcooper16/dhe_cipher_list
...
Generate list of all DHE ciphers
2017-01-18 22:08:43 +01:00
Dirk
e3d183e909
-output correction run_logjam
...
- rename dhe to dh
2017-01-18 22:05:27 +01:00
David Cooper
dcd37729f4
Generate list of all DHE ciphers
...
This PR adds a function that generates a list of all DHE ciphers for `run_logjam()`.
2017-01-18 15:16:13 -05:00
David Cooper
211ce0b3fd
Merge branch '2.9dev' into run_ssl_poodle_sockets
2017-01-18 15:00:32 -05:00
David Cooper
0cdbe95302
Merge branch '2.9dev' into run_beast_sockets
2017-01-18 14:59:53 -05:00
David Cooper
a016b946fd
Merge branch '2.9dev' into run_server_preference_sockets
2017-01-18 14:59:07 -05:00
David Cooper
86ac32cd0d
Merge branch '2.9dev' into cipher_order_sockets
2017-01-18 14:57:59 -05:00
Dirk
05d27ff1be
- FIX for the last mess submitted ;-)
2017-01-18 18:09:39 +01:00
Dirk
61b16a078a
- file etc/common-primes was not edited correctly!
2017-01-18 16:38:09 +01:00
Dirk
8bf7b6b31b
forgot to save work, followup to 4433345b16
, #120 , #589
2017-01-18 16:23:18 +01:00
Dirk
4433345b16
- first implementation (draft) of LOGJAM common primes, see #589 , #120
...
- output polishing of run_drown()
- polishing of run_logjam()
- decrease severity to high for LOGJAM, see CVE rating
2017-01-18 15:53:01 +01:00
Dirk
b1c80512e6
first bunch of common primes, see #589 + #576 + #120 . License of nmap is also GPLv2: no conflicts
2017-01-18 12:44:15 +01:00
David Cooper
643b80c541
Merge branch '2.9dev' into run_ssl_poodle_sockets
2017-01-17 09:07:21 -05:00
David Cooper
149c822f38
Merge branch '2.9dev' into run_beast_sockets
2017-01-17 09:05:52 -05:00
David Cooper
b8953fa31f
Merge branch '2.9dev' into run_server_preference_sockets
2017-01-17 09:04:40 -05:00
David Cooper
76f1cb18d0
Merge branch '2.9dev' into cipher_order_sockets
2017-01-17 09:03:13 -05:00
Dirk
e9916dd1f4
- FIX #566
...
- reorder get_<DNS>_record() for better overview
- move CMDLINE__IP away from main into determine_ip_addresses() where it belongs to
2017-01-17 13:57:14 +01:00
Dirk
e7a35934ae
add lf before -E
2017-01-17 12:00:18 +01:00
Dirk Wetter
5ea5ae5a53
Merge pull request #571 from dcooper16/run_freak_sockets
...
Use sockets for run_freak()
2017-01-17 11:41:50 +01:00
Dirk
a3a30c7fa5
- CAA RR (expertimental)
...
- replace some sed+grep by awk in get_mx_record()
2017-01-17 11:19:57 +01:00
Dirk
cdbdc51f5d
fix #587
2017-01-16 14:06:32 +01:00
Dirk Wetter
350c2e09bb
Merge pull request #576 from dcooper16/extend_logjam_phase_1
...
Extend logjam phase 1
2017-01-14 21:40:29 +01:00
Dirk Wetter
ad7eeddb96
Merge pull request #579 from dcooper16/run_crime_sockets
...
Use sockets for run_crime()
2017-01-14 13:18:22 +01:00
Dirk Wetter
354e0ed31a
Merge pull request #585 from dcooper16/show_selected_curve
...
Show selected curve
2017-01-14 12:12:33 +01:00
Dirk Wetter
32ef531cd1
Merge pull request #586 from dcooper16/find_encrypt_then_mac_extension
...
Detect support for encrypt-then-mac extension
2017-01-14 12:02:10 +01:00
David Cooper
c5dcaf476f
Remove redundant setting to success to 0
2017-01-13 12:18:32 -05:00
David Cooper
91e0da3485
Detect support for encrypt-then-mac extension
...
In some cases, the "TLS extensions" line output for the "--server-defaults" option will not show `"encrypt-then-mac/#22"` even if the server supports this extension. The reason is that a server will only include this extension in the ServerHello message if it supports the extension and the selected cipher is a CBC cipher. So, if `determine_tls_extensions()` connects to the server with a non-CBC cipher, then it will not detect if the server supports the encrypt-then-mac extension.
It is possible that support for the extension will be detected by `get_server_certificate()`, but only if one of the calls to that function results in a CBC cipher being selected and OpenSSL 1.1.0 is being used (as prior versions did not support the encrypt-then-mac extension).
In this PR, if `determine_tls_extensions()` is called and `$TLS_EXTENSIONS` does not already contain `"encrypt-then-mac/#22"`, then an attempt will be made to connect to the server with only CBC ciphers specified in the ClientHello. If the connection is not successful (presumably because the server does not support any CBC ciphers), then a second connection attempt will be made with the "default" ciphers being specified in the ClientHello.
en.wikipedia.org is an example of a server that supports the encrypt-then-mac extension, but for which the support is not currently detected (unless OpenSSL 1.1.0 is used) since in the call to `determine_tls_extension()` a non-CBC cipher is selected.
2017-01-13 12:13:20 -05:00
David Cooper
42da64d601
Show selected curve
...
This PR changes `read_dhbits_from_file()` so that, when the "quiet" parameter is absent, the selected curve is shown in addition to the number of bits. This PR only affects the output of `run_client_simulation()` and the `Negotiated cipher` in `run_server_preference()`.
2017-01-13 10:28:48 -05:00
David Cooper
77dbe7ed1b
Merge branch '2.9dev' into run_crime_sockets
2017-01-13 09:09:04 -05:00
David Cooper
859ea0c7d3
Merge branch '2.9dev' into run_freak_sockets
2017-01-13 09:08:02 -05:00
David Cooper
eabaa95163
Merge branch '2.9dev' into extend_logjam_phase_1
2017-01-13 09:07:12 -05:00
David Cooper
545a4543bc
Merge branch '2.9dev' into run_ssl_poodle_sockets
2017-01-13 09:06:04 -05:00
David Cooper
e2dca3e845
Merge branch '2.9dev' into run_beast_sockets
2017-01-13 09:05:02 -05:00
David Cooper
1169e3daef
Merge branch '2.9dev' into run_server_preference_sockets
2017-01-13 09:04:10 -05:00
David Cooper
43d495aa65
Merge branch '2.9dev' into cipher_order_sockets
2017-01-13 09:03:00 -05:00
Dirk Wetter
436326a547
Merge pull request #573 from dcooper16/run_std_cipherlists_sockets
...
Use sockets for run_std_cipherlists()
2017-01-13 14:44:43 +01:00
Dirk Wetter
bf87a9fe4a
Merge pull request #582 from dcooper16/generate_static_cipher_lists
...
Create static cipher lists for testssl.sh
2017-01-13 14:39:17 +01:00
Dirk Wetter
048f17ca9a
Merge pull request #583 from dcooper16/run_client_simulation_bugfix
...
run_client_simulation() bugfix
2017-01-13 14:38:05 +01:00