2015-01-21 23:11:30 +00:00
|
|
|
|
require 'socket'
|
|
|
|
|
|
require 'openssl'
|
|
|
|
|
|
require 'httparty'
|
|
|
|
|
|
|
|
|
|
|
|
module CryptCheck
|
|
|
|
|
|
module Tls
|
|
|
|
|
|
class Server
|
2015-08-12 23:51:14 +00:00
|
|
|
|
TCP_TIMEOUT = 10
|
|
|
|
|
|
SSL_TIMEOUT = 2*TCP_TIMEOUT
|
|
|
|
|
|
EXISTING_METHODS = %i(TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2)
|
2015-01-21 23:11:30 +00:00
|
|
|
|
SUPPORTED_METHODS = ::OpenSSL::SSL::SSLContext::METHODS
|
2016-05-06 17:59:13 +00:00
|
|
|
|
class TLSException < ::StandardError
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
class TLSNotAvailableException < TLSException
|
2016-05-06 17:59:13 +00:00
|
|
|
|
def to_s
|
|
|
|
|
|
'TLS seems not supported on this server'
|
|
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
2015-08-16 11:12:08 +00:00
|
|
|
|
class MethodNotAvailable < TLSException
|
|
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
class CipherNotAvailable < TLSException
|
|
|
|
|
|
end
|
2016-11-16 23:53:29 +00:00
|
|
|
|
class InappropriateFallback < TLSException
|
|
|
|
|
|
end
|
2016-05-06 17:59:13 +00:00
|
|
|
|
class Timeout < ::StandardError
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
2016-05-03 17:57:34 +00:00
|
|
|
|
class TLSTimeout < Timeout
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
2016-05-06 19:27:02 +00:00
|
|
|
|
class ConnectionError < ::StandardError
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
2016-02-21 23:01:39 +00:00
|
|
|
|
attr_reader :family, :ip, :port, :hostname, :prefered_ciphers, :cert, :cert_valid, :cert_trusted, :dh
|
2015-01-21 23:11:30 +00:00
|
|
|
|
|
2016-05-03 17:57:34 +00:00
|
|
|
|
def initialize(hostname, family, ip, port)
|
|
|
|
|
|
@hostname, @family, @ip, @port = hostname, family, ip, port
|
|
|
|
|
|
@dh = []
|
2016-11-16 23:53:29 +00:00
|
|
|
|
Logger.info { name.colorize :perfect }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
extract_cert
|
2015-08-19 16:04:13 +00:00
|
|
|
|
Logger.info { '' }
|
2015-08-22 21:50:17 +00:00
|
|
|
|
Logger.info { "Key : #{Tls.key_to_s self.key}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
fetch_prefered_ciphers
|
|
|
|
|
|
check_supported_cipher
|
2016-11-16 23:54:31 +00:00
|
|
|
|
check_fallback_scsv
|
2015-08-22 21:50:17 +00:00
|
|
|
|
uniq_dh
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
2015-08-22 21:50:17 +00:00
|
|
|
|
def key
|
|
|
|
|
|
@cert.public_key
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def cipher_size
|
2015-11-21 20:23:43 +00:00
|
|
|
|
supported_ciphers.collect { |c| c.size }.min
|
2015-08-22 21:50:17 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def supported_protocols
|
|
|
|
|
|
@supported_ciphers.keys
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def supported_ciphers
|
|
|
|
|
|
@supported_ciphers.values.flatten 1
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def supported_ciphers_by_protocol(protocol)
|
|
|
|
|
|
@supported_ciphers[protocol]
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
EXISTING_METHODS.each do |method|
|
|
|
|
|
|
class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
|
|
|
|
|
|
def #{method.to_s.downcase}?
|
|
|
|
|
|
!prefered_ciphers[:#{method}].nil?
|
|
|
|
|
|
end
|
|
|
|
|
|
RUBY_EVAL
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-16 23:53:29 +00:00
|
|
|
|
SIGNATURE_ALGORITHMS = {
|
|
|
|
|
|
'dsaWithSHA' => %i(sha1 dss),
|
|
|
|
|
|
'dsaWithSHA1' => %i(sha1 dss),
|
|
|
|
|
|
'dsaWithSHA1_2' => %i(sha1 dss),
|
|
|
|
|
|
'dsa_with_SHA224' => %i(sha2 dss),
|
|
|
|
|
|
'dsa_with_SHA256' => %i(sha2 dss),
|
|
|
|
|
|
|
|
|
|
|
|
'mdc2WithRSA' => %i(mdc2 rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'md2WithRSAEncryption' => %i(md2 rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'md4WithRSAEncryption' => %i(md4, rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'md5WithRSA' => %i(md5 rsa),
|
|
|
|
|
|
'md5WithRSAEncryption' => %i(md5 rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'shaWithRSAEncryption' => %i(sha rsa),
|
|
|
|
|
|
'sha1WithRSA' => %i(sha1 rsa),
|
|
|
|
|
|
'sha1WithRSAEncryption' => %i(sha1 rsa),
|
|
|
|
|
|
'sha224WithRSAEncryption' => %i(sha2 rsa),
|
|
|
|
|
|
'sha256WithRSAEncryption' => %i(sha2 rsa),
|
|
|
|
|
|
'sha384WithRSAEncryption' => %i(sha2 rsa),
|
|
|
|
|
|
'sha512WithRSAEncryption' => %i(sha2 rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'ripemd160WithRSA' => %i(ripemd160 rsa),
|
|
|
|
|
|
|
|
|
|
|
|
'ecdsa-with-SHA1' => %i(sha1 ecc),
|
|
|
|
|
|
'ecdsa-with-SHA224' => %i(sha2 ecc),
|
|
|
|
|
|
'ecdsa-with-SHA256' => %i(sha2 ecc),
|
|
|
|
|
|
'ecdsa-with-SHA384' => %i(sha2 ecc),
|
|
|
|
|
|
'ecdsa-with-SHA512' => %i(sha2 ecc),
|
|
|
|
|
|
|
|
|
|
|
|
'id_GostR3411_94_with_GostR3410_2001' => %i(ghost),
|
|
|
|
|
|
'id_GostR3411_94_with_GostR3410_94' => %i(ghost),
|
|
|
|
|
|
'id_GostR3411_94_with_GostR3410_94_cc' => %i(ghost),
|
|
|
|
|
|
'id_GostR3411_94_with_GostR3410_2001_cc' => %i(ghost)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
%i(md2 mdc2 md4 md5 ripemd160 sha sha1 sha2 rsa dss ecc ghost).each do |name|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
|
2015-08-12 23:51:14 +00:00
|
|
|
|
def #{name}_sig?
|
2016-11-16 23:53:29 +00:00
|
|
|
|
SIGNATURE_ALGORITHMS[@cert.signature_algorithm].include? :#{name}
|
2015-08-12 23:51:14 +00:00
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
RUBY_EVAL
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2015-08-22 21:50:17 +00:00
|
|
|
|
Cipher::TYPES.each do |type, _|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
|
2015-08-12 23:51:14 +00:00
|
|
|
|
def #{type}?
|
2015-08-22 21:50:17 +00:00
|
|
|
|
supported_ciphers.any? { |c| c.#{type}? }
|
2015-08-12 23:51:14 +00:00
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
RUBY_EVAL
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2015-08-19 16:04:13 +00:00
|
|
|
|
def key_size
|
2016-11-11 15:59:33 +00:00
|
|
|
|
@cert.public_key.size
|
2015-08-19 16:04:13 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
def ssl?
|
|
|
|
|
|
sslv2? or sslv3?
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def tls?
|
|
|
|
|
|
tlsv1? or tlsv1_1? or tlsv1_2?
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def tls_only?
|
|
|
|
|
|
tls? and !ssl?
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-16 23:53:29 +00:00
|
|
|
|
def tlsv1_2_only?
|
|
|
|
|
|
tlsv1_2? and not ssl? and not tlsv1? and not tlsv1_1?
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
def pfs?
|
2015-08-22 21:50:17 +00:00
|
|
|
|
supported_ciphers.any? { |c| c.pfs? }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def pfs_only?
|
2015-08-22 21:50:17 +00:00
|
|
|
|
supported_ciphers.all? { |c| c.pfs? }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-16 23:53:29 +00:00
|
|
|
|
def ecdhe?
|
|
|
|
|
|
supported_ciphers.any? { |c| c.ecdhe? }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def ecdhe_only?
|
|
|
|
|
|
supported_ciphers.all? { |c| c.ecdhe? }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def aead?
|
|
|
|
|
|
supported_ciphers.any? { |c| c.aead? }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def aead_only?
|
|
|
|
|
|
supported_ciphers.all? { |c| c.aead? }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def sweet32?
|
|
|
|
|
|
supported_ciphers.any? { |c| c.sweet32? }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-16 23:54:31 +00:00
|
|
|
|
def fallback_scsv?
|
|
|
|
|
|
@fallback_scsv
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-17 00:12:50 +00:00
|
|
|
|
def must_staple?
|
|
|
|
|
|
@cert.extensions.any? { |e| e.oid == '1.3.6.1.5.5.7.1.24' }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
private
|
2016-02-21 23:01:39 +00:00
|
|
|
|
def name
|
2016-05-06 17:59:13 +00:00
|
|
|
|
name = "#@ip:#@port"
|
|
|
|
|
|
name += " [#@hostname]" if @hostname
|
2016-02-21 23:01:39 +00:00
|
|
|
|
name
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def connect(&block)
|
|
|
|
|
|
socket = ::Socket.new @family, sock_type
|
|
|
|
|
|
sockaddr = ::Socket.sockaddr_in @port, @ip
|
2016-05-03 17:57:34 +00:00
|
|
|
|
Logger.trace { "Connecting to #{@ip}:#{@port}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
begin
|
|
|
|
|
|
status = socket.connect_nonblock sockaddr
|
2016-05-03 17:57:34 +00:00
|
|
|
|
Logger.trace { "Connecting to #{@ip}:#{@port} status : #{status}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
raise ConnectionError, status unless status == 0
|
2016-05-03 17:57:34 +00:00
|
|
|
|
Logger.trace { "Connected to #{@ip}:#{@port}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
block_given? ? block.call(socket) : nil
|
|
|
|
|
|
rescue ::IO::WaitReadable
|
2016-05-03 17:57:34 +00:00
|
|
|
|
Logger.trace { "Waiting for read to #{@ip}:#{@port}" }
|
|
|
|
|
|
raise Timeout, "Timeout when connect to #{@ip}:#{@port} (max #{TCP_TIMEOUT.humanize})" unless IO.select [socket], nil, nil, TCP_TIMEOUT
|
2015-01-21 23:11:30 +00:00
|
|
|
|
retry
|
|
|
|
|
|
rescue ::IO::WaitWritable
|
2016-05-03 17:57:34 +00:00
|
|
|
|
Logger.trace { "Waiting for write to #{@ip}:#{@port}" }
|
|
|
|
|
|
raise Timeout, "Timeout when connect to #{@ip}:#{@port} (max #{TCP_TIMEOUT.humanize})" unless IO.select nil, [socket], nil, TCP_TIMEOUT
|
2015-01-21 23:11:30 +00:00
|
|
|
|
retry
|
|
|
|
|
|
ensure
|
|
|
|
|
|
socket.close
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def ssl_connect(socket, context, method, &block)
|
2015-08-12 23:51:14 +00:00
|
|
|
|
ssl_socket = ::OpenSSL::SSL::SSLSocket.new socket, context
|
2016-02-21 23:01:39 +00:00
|
|
|
|
ssl_socket.hostname = @hostname if @hostname and method != :SSLv2
|
|
|
|
|
|
Logger.trace { "SSL connecting to #{name}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
begin
|
|
|
|
|
|
ssl_socket.connect_nonblock
|
2016-02-21 23:01:39 +00:00
|
|
|
|
Logger.trace { "SSL connected to #{name}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
return block_given? ? block.call(ssl_socket) : nil
|
2016-11-16 23:53:29 +00:00
|
|
|
|
rescue ::OpenSSL::SSL::SSLErrorWaitReadable
|
2016-02-21 23:01:39 +00:00
|
|
|
|
Logger.trace { "Waiting for SSL read to #{name}" }
|
2016-05-03 17:57:34 +00:00
|
|
|
|
raise TLSTimeout, "Timeout when TLS connect to #{@ip}:#{@port} (max #{SSL_TIMEOUT.humanize})" unless IO.select [ssl_socket], nil, nil, SSL_TIMEOUT
|
2015-01-21 23:11:30 +00:00
|
|
|
|
retry
|
2016-11-16 23:53:29 +00:00
|
|
|
|
rescue ::OpenSSL::SSL::SSLErrorWaitWritable
|
2016-02-21 23:01:39 +00:00
|
|
|
|
Logger.trace { "Waiting for SSL write to #{name}" }
|
2016-05-03 17:57:34 +00:00
|
|
|
|
raise TLSTimeout, "Timeout when TLS connect to #{@ip}:#{@port} (max #{SSL_TIMEOUT.humanize})" unless IO.select nil, [ssl_socket], nil, SSL_TIMEOUT
|
2015-01-21 23:11:30 +00:00
|
|
|
|
retry
|
2015-08-16 11:12:08 +00:00
|
|
|
|
rescue ::OpenSSL::SSL::SSLError => e
|
2016-11-16 23:53:29 +00:00
|
|
|
|
case e.message
|
|
|
|
|
|
when /state=SSLv.* read server hello A$/
|
|
|
|
|
|
raise TLSNotAvailableException, e
|
|
|
|
|
|
when /state=SSLv.* read server hello A: wrong version number$/
|
2015-08-16 11:12:08 +00:00
|
|
|
|
raise MethodNotAvailable, e
|
|
|
|
|
|
when /state=error: no ciphers available$/,
|
2016-11-16 23:53:29 +00:00
|
|
|
|
/state=SSLv.* read server hello A: sslv.* alert handshake failure$/
|
2015-08-16 11:12:08 +00:00
|
|
|
|
raise CipherNotAvailable, e
|
2016-11-16 23:54:31 +00:00
|
|
|
|
when /state=SSLv.* read server hello A: tlsv.* alert inappropriate fallback$/
|
|
|
|
|
|
raise InappropriateFallback, e
|
2015-08-16 11:12:08 +00:00
|
|
|
|
end
|
2016-11-16 23:53:29 +00:00
|
|
|
|
raise
|
|
|
|
|
|
rescue ::SystemCallError => e
|
|
|
|
|
|
case e.message
|
|
|
|
|
|
when /^Connection reset by peer - SSL_connect$/
|
|
|
|
|
|
raise TLSNotAvailableException, e
|
2015-08-16 11:12:08 +00:00
|
|
|
|
end
|
2016-11-16 23:53:29 +00:00
|
|
|
|
raise
|
2015-01-21 23:11:30 +00:00
|
|
|
|
ensure
|
|
|
|
|
|
ssl_socket.close
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-11 15:36:49 +00:00
|
|
|
|
# secp192r1 secp256r1
|
2016-11-16 23:53:29 +00:00
|
|
|
|
SUPPORTED_CURVES = %w(secp160k1 secp160r1 secp160r2 sect163k1
|
|
|
|
|
|
sect163r1 sect163r2 secp192k1 sect193r1 sect193r2 secp224k1
|
|
|
|
|
|
secp224r1 sect233k1 sect233r1 sect239k1 secp256k1 sect283k1
|
|
|
|
|
|
sect283r1 secp384r1 sect409k1 sect409r1 secp521r1 sect571k1
|
|
|
|
|
|
sect571r1)
|
2016-11-11 15:36:49 +00:00
|
|
|
|
|
2016-11-16 23:53:29 +00:00
|
|
|
|
def ssl_client(method, ciphers = nil, curves = nil, fallback: false, &block)
|
|
|
|
|
|
ssl_context = ::OpenSSL::SSL::SSLContext.new method
|
|
|
|
|
|
ssl_context.enable_fallback_scsv if fallback
|
|
|
|
|
|
ssl_context.ciphers = ciphers.join ':' if ciphers
|
2016-11-11 15:36:49 +00:00
|
|
|
|
|
|
|
|
|
|
ssl_context.ecdh_curves = curves.join ':' if curves
|
|
|
|
|
|
#ssl_context.ecdh_auto = false
|
|
|
|
|
|
#ecdh = OpenSSL::PKey::EC.new('sect163r1').generate_key
|
|
|
|
|
|
#ssl_context.tmp_ecdh_callback = proc { ecdh }
|
|
|
|
|
|
|
2015-08-12 23:51:14 +00:00
|
|
|
|
Logger.trace { "Try #{method} connection with #{ciphers}" }
|
2016-02-21 23:01:39 +00:00
|
|
|
|
connect do |socket|
|
|
|
|
|
|
ssl_connect socket, ssl_context, method do |ssl_socket|
|
|
|
|
|
|
return block_given? ? block.call(ssl_socket) : nil
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def extract_cert
|
2015-02-12 00:48:30 +00:00
|
|
|
|
EXISTING_METHODS.each do |method|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
next unless SUPPORTED_METHODS.include? method
|
|
|
|
|
|
begin
|
|
|
|
|
|
@cert, @chain = ssl_client(method) { |s| [s.peer_cert, s.peer_cert_chain] }
|
2015-08-12 23:51:14 +00:00
|
|
|
|
Logger.debug { "Certificate #{@cert.subject}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
break
|
2016-11-16 23:53:29 +00:00
|
|
|
|
rescue TLSTimeout, ::SystemCallError
|
|
|
|
|
|
raise
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
raise TLSNotAvailableException unless @cert
|
2016-02-21 23:01:39 +00:00
|
|
|
|
@cert_valid = ::OpenSSL::SSL.verify_certificate_identity @cert, (@hostname || @ip)
|
2015-01-21 23:11:30 +00:00
|
|
|
|
@cert_trusted = verify_trust @chain, @cert
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def prefered_cipher(method)
|
2016-11-11 15:36:49 +00:00
|
|
|
|
cipher = ssl_client(method, %w(ALL COMPLEMENTOFALL)) { |s| Cipher.new method, s.cipher, s.tmp_key }
|
2015-08-22 21:50:17 +00:00
|
|
|
|
Logger.info { "Prefered cipher for #{Tls.colorize method} : #{cipher.colorize}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
cipher
|
2016-11-11 15:36:49 +00:00
|
|
|
|
rescue => e
|
2015-08-16 11:12:08 +00:00
|
|
|
|
Logger.debug { "Method #{Tls.colorize method} not supported : #{e}" }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
nil
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def fetch_prefered_ciphers
|
|
|
|
|
|
@prefered_ciphers = {}
|
2015-02-12 00:48:30 +00:00
|
|
|
|
EXISTING_METHODS.each do |method|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
next unless SUPPORTED_METHODS.include? method
|
|
|
|
|
|
@prefered_ciphers[method] = prefered_cipher method
|
|
|
|
|
|
end
|
2015-08-16 11:12:08 +00:00
|
|
|
|
raise TLSNotAvailableException unless @prefered_ciphers.any? { |_, c| !c.nil? }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def available_ciphers(method)
|
2015-08-12 23:51:14 +00:00
|
|
|
|
context = ::OpenSSL::SSL::SSLContext.new method
|
2016-11-11 15:36:49 +00:00
|
|
|
|
context.ciphers = %w(ALL COMPLEMENTOFALL)
|
2015-08-12 23:51:14 +00:00
|
|
|
|
context.ciphers
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-11 15:36:49 +00:00
|
|
|
|
def supported_cipher?(method, cipher, curves = nil)
|
|
|
|
|
|
dh = ssl_client(method, [cipher], curves) { |s| s.tmp_key }
|
2015-08-22 21:50:17 +00:00
|
|
|
|
@dh << dh if dh
|
|
|
|
|
|
cipher = Cipher.new method, cipher, dh
|
2016-11-16 23:53:29 +00:00
|
|
|
|
dh = dh ? " (#{'PFS'.colorize :good} : #{Tls.key_to_s dh})" : ''
|
|
|
|
|
|
|
|
|
|
|
|
states = cipher.states
|
|
|
|
|
|
text = %i(critical error warning good perfect best).collect do |s|
|
|
|
|
|
|
states[s].collect { |t| t.to_s.colorize s }.join ' '
|
|
|
|
|
|
end.reject &:empty?
|
|
|
|
|
|
text = text.join ' '
|
|
|
|
|
|
|
|
|
|
|
|
Logger.info { "#{Tls.colorize method} / #{cipher.colorize}#{dh} [#{text}]" }
|
|
|
|
|
|
|
2015-08-22 21:50:17 +00:00
|
|
|
|
cipher
|
2016-11-11 15:36:49 +00:00
|
|
|
|
rescue => e
|
2015-08-23 11:10:28 +00:00
|
|
|
|
cipher = Cipher.new method, cipher
|
2015-08-22 21:50:17 +00:00
|
|
|
|
Logger.debug { "#{Tls.colorize method} / #{cipher.colorize} : Not supported (#{e})" }
|
|
|
|
|
|
nil
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def check_supported_cipher
|
2015-08-12 23:51:14 +00:00
|
|
|
|
Logger.info { '' }
|
2015-01-21 23:11:30 +00:00
|
|
|
|
@supported_ciphers = {}
|
2015-02-12 00:48:30 +00:00
|
|
|
|
EXISTING_METHODS.each do |method|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
next unless SUPPORTED_METHODS.include? method and @prefered_ciphers[method]
|
2016-11-11 15:36:49 +00:00
|
|
|
|
available_ciphers = available_ciphers method
|
|
|
|
|
|
available_ciphers = available_ciphers.inject [] do |cs, c|
|
|
|
|
|
|
cipher = Cipher.new method, c
|
|
|
|
|
|
if cipher.ecdhe?
|
|
|
|
|
|
c = SUPPORTED_CURVES.collect { |ec| [method, c.first, [ec]] }
|
|
|
|
|
|
else
|
|
|
|
|
|
c = [[method, c.first]]
|
|
|
|
|
|
end
|
|
|
|
|
|
cs + c
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
supported_ciphers = available_ciphers.collect { |c| supported_cipher? *c }.reject { |c| c.nil? }
|
2015-08-22 21:50:17 +00:00
|
|
|
|
Logger.info { '' } unless supported_ciphers.empty?
|
|
|
|
|
|
@supported_ciphers[method] = supported_ciphers
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2016-11-16 23:54:31 +00:00
|
|
|
|
def check_fallback_scsv
|
|
|
|
|
|
@fallback_scsv = false
|
|
|
|
|
|
|
|
|
|
|
|
methods = @supported_ciphers.keys
|
|
|
|
|
|
if methods.size > 1
|
|
|
|
|
|
# We will try to connect to the not better supported method
|
|
|
|
|
|
method = methods[1]
|
|
|
|
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
|
ssl_client method, fallback: true
|
|
|
|
|
|
rescue InappropriateFallback
|
|
|
|
|
|
@fallback_scsv = true
|
|
|
|
|
|
end
|
|
|
|
|
|
else
|
|
|
|
|
|
@fallback_scsv = nil
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
text, color = case @fallback_scsv
|
|
|
|
|
|
when true
|
|
|
|
|
|
['Supported', :good]
|
|
|
|
|
|
when false
|
|
|
|
|
|
['Not supported', :error]
|
|
|
|
|
|
when nil
|
|
|
|
|
|
['Not applicable', :unknown]
|
|
|
|
|
|
end
|
|
|
|
|
|
Logger.info { "Fallback SCSV : #{text.colorize color}" }
|
|
|
|
|
|
end
|
|
|
|
|
|
|
2015-01-21 23:11:30 +00:00
|
|
|
|
def verify_trust(chain, cert)
|
2015-08-12 23:51:14 +00:00
|
|
|
|
store = ::OpenSSL::X509::Store.new
|
2015-01-21 23:11:30 +00:00
|
|
|
|
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
|
2015-07-11 19:36:54 +00:00
|
|
|
|
store.set_default_paths
|
|
|
|
|
|
|
2016-01-09 15:19:13 +00:00
|
|
|
|
%w(/etc/ssl/certs).each do |directory|
|
|
|
|
|
|
::Dir.glob(::File.join directory, '*.pem').each do |file|
|
2015-07-11 19:36:54 +00:00
|
|
|
|
cert = ::OpenSSL::X509::Certificate.new ::File.read file
|
|
|
|
|
|
begin
|
|
|
|
|
|
store.add_cert cert
|
|
|
|
|
|
rescue ::OpenSSL::X509::StoreError
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
chain.each do |cert|
|
|
|
|
|
|
begin
|
|
|
|
|
|
store.add_cert cert
|
|
|
|
|
|
rescue ::OpenSSL::X509::StoreError
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
2015-07-11 19:36:54 +00:00
|
|
|
|
trusted = store.verify cert
|
|
|
|
|
|
p store.error_string unless trusted
|
|
|
|
|
|
trusted
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
2015-08-22 21:50:17 +00:00
|
|
|
|
|
|
|
|
|
|
def uniq_dh
|
|
|
|
|
|
dh, find = [], []
|
|
|
|
|
|
@dh.each do |k|
|
|
|
|
|
|
f = [k.type, k.size]
|
|
|
|
|
|
unless find.include? f
|
|
|
|
|
|
dh << k
|
|
|
|
|
|
find << f
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
@dh = dh
|
|
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
2015-02-25 19:42:51 +00:00
|
|
|
|
|
|
|
|
|
|
class TcpServer < Server
|
|
|
|
|
|
private
|
|
|
|
|
|
def sock_type
|
|
|
|
|
|
::Socket::SOCK_STREAM
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
class UdpServer < Server
|
|
|
|
|
|
private
|
|
|
|
|
|
def sock_type
|
|
|
|
|
|
::Socket::SOCK_DGRAM
|
|
|
|
|
|
end
|
|
|
|
|
|
end
|
2015-01-21 23:11:30 +00:00
|
|
|
|
end
|
|
|
|
|
|
end
|
