
Some fixes

Nicolas Vinot 3 years ago
parent
commit
340c4a445d

+ 39
- 20
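--- a/Makefile
+++ b/Makefile
@@ -1,38 +1,57 @@
 PWD = $(shell pwd)
 export CPATH = $(PWD)/openssl/include
 export LIBRARY_PATH = $(PWD)/openssl
-OPENSSL_VERSION = OpenSSL_1_0_1j
-RUBY_VERSION = 2.1.5
-RUBY_OPENSSL_EXT_DIR = ruby-$(RUBY_VERSION)/ext/openssl
+OPENSSL_VERSION = 1.0.1m
+OPENSSL_DIR = openssl-$(OPENSSL_VERSION)
+RUBY_MAJOR_VERSION = 2.2
+RUBY_VERSION = $(RUBY_MAJOR_VERSION).2
+RUBY_DIR = ruby-$(RUBY_VERSION)
+RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
+export LIBRARY_PATH = $(PWD)/lib
+export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
 
-all: lib/libssl.so.1.0.0 lib/libcrypto.so.1.0.0 lib/openssl.so
+.SECONDARY:
+
+all: libs ext
 
 clean:
-	rm -rf ruby-$(RUBY_VERSION) openssl
+	rm -rf $(RUBY_DIR) $(OPENSSL_DIR)
+
+mr-proper: clean
+	rm -rf lib/libcrypto.so* lib/libssl.so* lib/openssl.so
+
+$(OPENSSL_DIR)/:
+	wget https://www.openssl.org/source/$(OPENSSL_DIR).tar.gz
+	tar xf $(OPENSSL_DIR).tar.gz
+	rm -rf $(OPENSSL_DIR).tar.gz
 
-openssl:
-	git clone https://github.com/openssl/openssl -b $(OPENSSL_VERSION)
+$(OPENSSL_DIR)/Makefile: $(OPENSSL_DIR)/
+	cd $(OPENSSL_DIR); ./config shared
 
-openssl/Makefile: openssl
-	cd openssl; ./config shared
+$(OPENSSL_DIR)/libssl.so.1.0.0 $(OPENSSL_DIR)/libcrypto.so.1.0.0: $(OPENSSL_DIR)/Makefile
+	$(MAKE) -C $(OPENSSL_DIR) depend build_libs
 
-openssl/libssl.so: openssl/Makefile
-	cd openssl; $(MAKE) depend all
+lib/%.so.1.0.0: $(OPENSSL_DIR)/%.so.1.0.0
+	cp $< $@
+
+lib/%.so: lib/%.so.1.0.0
+	ln -s $(notdir $<) $@
 
-lib/%.so.1.0.0: openssl/%.so
-	cp $^ $@
+libs: lib/libssl.so lib/libcrypto.so
 
-ruby-$(RUBY_VERSION):
-	wget http://cache.ruby-lang.org/pub/ruby/2.1/ruby-$(RUBY_VERSION).tar.gz
-	tar xf ruby-$(RUBY_VERSION).tar.gz
-	rm -f ruby-$(RUBY_VERSION).tar.gz
+$(RUBY_DIR):
+	wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_DIR).tar.gz
+	tar xf $(RUBY_DIR).tar.gz
+	rm -f $(RUBY_DIR).tar.gz
 
-$(RUBY_OPENSSL_EXT_DIR)/Makefile: ruby-$(RUBY_VERSION)
+$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs $(RUBY_DIR)
 	cd $(RUBY_OPENSSL_EXT_DIR); ruby extconf.rb
 	patch $@ patch
 
-$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/Makefile
-	cd $(RUBY_OPENSSL_EXT_DIR); $(MAKE); $(MAKE) install
+$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
+	$(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)
 
 lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
 	cp $< $@
+
+ext: lib/openssl.so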
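Review bot: Both download rules fetch build inputs with no integrity check — `wget https://www.openssl.org/source/$(OPENSSL_DIR).tar.gz` under `$(OPENSSL_DIR)/:` and, over plain HTTP, `wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_DIR).tar.gz` under `$(RUBY_DIR):` — so whatever the mirror or the path to it serves is compiled into the OpenSSL that every grade this tool produces depends on. Pin a digest next to each version and verify before unpacking, e.g. `echo "<EXPECTED_SHA256>  $(OPENSSL_DIR).tar.gz" | sha256sum -c -` between the `wget` and `tar` lines (likewise for Ruby), and switch the Ruby URL to `https://`. `cd $(OPENSSL_DIR); ./config shared` should be `cd $(OPENSSL_DIR) && ./config shared` so a failed `cd` does not run `./config` in the top-level directory. `all`, `clean`, `mr-proper`, `libs` and `ext` are not files and need a `.PHONY:` line. The kept `export CPATH = $(PWD)/openssl/include` and `export LIBRARY_PATH = $(PWD)/openssl` still point at the old `openssl` checkout that no rule creates any more (the second `LIBRARY_PATH` assignment below overrides the first), so they can go.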

+ 3
- 1
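--- a/bin/check_https_alexa
+++ b/bin/check_https_alexa
@@ -3,6 +3,8 @@ $:.unshift 'lib'
 require 'logging'
 require 'cryptcheck'
 
+GROUP_NAME = 'Top 100 Alexa'
+
 ::Logging.logger.root.appenders = ::Logging.appenders.stdout
 ::Logging.logger.root.level = :error
 
@@ -10,7 +12,7 @@ hosts = []
 ::File.open('top-1m.csv', 'r') do |file|
 	i = 0
 	while line = file.gets
-		hosts << ['Top 100 Alexa', line.strip.split(',')[1]]
+		hosts << [GROUP_NAME, line.strip.split(',')[1]]
 		i += 1
 		break if i == 100
 	end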

+ 17
- 0
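--- a/bin/check_smtp
+++ b/bin/check_smtp
@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+$:.unshift 'lib'
+require 'logging'
+require 'cryptcheck'
+
+name = ARGV[0]
+unless name
+	::CryptCheck::Tls::Smtp.analyze_from_file 'output/smtp.yml', 'output/smtp.html'
+else
+	::Logging.logger.root.appenders = ::Logging.appenders.stdout
+	::Logging.logger.root.level = :warn
+
+	server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
+	p grade = ::CryptCheck::Tls::Smtp::Grade.new(server)
+end
+
+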
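Review bot: `server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)` passes the port as a String when it comes from the command line and as an Integer otherwise; `Smtp::Server#initialize` forwards it unchanged to `super`, and the base classes elsewhere in this commit compare and interpolate `@port`, so the two paths may not behave the same — `ARGV[1] ? ARGV[1].to_i : 25` keeps a single type. The same line re-reads `ARGV[0]` although `name` already holds it. `p grade = ::CryptCheck::Tls::Smtp::Grade.new(server)` looks like a debugging print left in place, and the two trailing blank lines at the end of the file can go.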

+ 7
- 0
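--- a/lib/cryptcheck.rb
+++ b/lib/cryptcheck.rb
@@ -1,4 +1,5 @@
 module CryptCheck
+	autoload :Tls, 'cryptcheck/tls'
 	module Tls
 		autoload :Server, 'cryptcheck/tls/server'
 		autoload :TcpServer, 'cryptcheck/tls/server'
@@ -18,5 +19,11 @@ module CryptCheck
 			autoload :Server, 'cryptcheck/tls/xmpp/server'
 			autoload :Grade, 'cryptcheck/tls/xmpp/grade'
 		end
+
+		autoload :Smtp, 'cryptcheck/tls/smtp'
+		module Smtp
+			autoload :Server, 'cryptcheck/tls/smtp/server'
+			autoload :Grade, 'cryptcheck/tls/smtp/grade'
+		end
 	end
 end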
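Review bot: `autoload :Tls, 'cryptcheck/tls'` is immediately followed by `module Tls`, and as far as I know Ruby resolves a pending autoload when the constant is reopened with `module`, so `cryptcheck/tls` (and with it `erb`, `logging` and `parallel`) is loaded eagerly the moment `cryptcheck` is required — the autoload buys nothing here. The new `autoload :Smtp` / `module Smtp` pair further down has the same shape. Either drop the `module Tls` / `module Smtp` blocks and move the nested autoloads into `tls.rb` and `tls/smtp.rb`, or drop the two `autoload` lines and `require` those files explicitly.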

+ 71
- 0
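--- a/lib/cryptcheck/tls.rb
+++ b/lib/cryptcheck/tls.rb
@@ -0,0 +1,71 @@
+require 'erb'
+require 'logging'
+require 'parallel'
+
+module CryptCheck
+	module Tls
+		MAX_ANALYSIS_DURATION = 600
+		PARALLEL_ANALYSIS = 10
+		@@log = ::Logging.logger[Tls]
+
+		def self.grade(hostname, port, server_class:, grade_class:)
+			timeout MAX_ANALYSIS_DURATION do
+				grade_class.new server_class.new hostname, port
+			end
+		rescue ::Exception => e
+			@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
+			TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
+		end
+
+		def self.analyze(hosts, template, output, groups = nil, port:, server_class:, grade_class:)
+			results = {}
+			semaphore = ::Mutex.new
+			::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
+									 result = grade host.strip, port, server_class: server_class, grade_class: grade_class
+									 semaphore.synchronize do
+										 if results.include? description
+											 results[description] << result
+										 else
+											 results[description] = [result]
+										 end
+									 end
+								 end
+
+			results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
+
+			results.each do |d, _|
+				results[d].sort! do |a, b|
+					cmp = score(a) <=> score(b)
+					if cmp == 0
+						cmp = b.score <=> a.score
+						if cmp == 0
+							cmp = a.server.hostname <=> b.server.hostname
+						end
+					end
+					cmp
+				end
+			end
+
+			::File.write output, ::ERB.new(::File.read(template)).result(binding)
+		end
+
+		def self.analyze_from_file(file, template, output, port:, server_class:, grade_class:)
+			config = ::YAML.load_file file
+			hosts = []
+			groups = []
+			config.each do |c|
+				d, hs = c['description'], c['hostnames']
+				groups << d
+				hs.each { |host| hosts << [d, host] }
+			end
+			self.analyze hosts, template, output, groups, port: port, server_class: server_class, grade_class: grade_class
+		end
+
+		private
+		SCORES = %w(A+ A A- B C D E F T M X)
+
+		def self.score(a)
+			SCORES.index a.grade
+		end
+	end
+end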
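Review bot: `rescue ::Exception => e` in `self.grade` also catches `Interrupt`, `SystemExit` and `NoMemoryError`, so a Ctrl-C during a run is logged as an analysis error and turned into a `TlsNotSupportedGrade` instead of stopping the process; `Timeout::Error` is a `StandardError`, so `rescue ::StandardError => e` covers the intended case. `private` just above `SCORES` has no effect on `def self.score` (it only applies to instance methods); `private_class_method :score` after the definition does what the intent seems to be. In `self.analyze`, `::Hash[groups.collect { |g| [g, results[g]] }]` yields `nil` for a group whose `hostnames` list is empty, and `results[d].sort!` then raises `NoMethodError`; `results.fetch(g, [])` avoids that. `::YAML.load_file` and `timeout` are used without a visible `require 'yaml'` / `require 'timeout'` in this file — fine if another file loads them, otherwise the module breaks when required on its own.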

+ 3
- 63
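--- a/lib/cryptcheck/tls/https.rb
+++ b/lib/cryptcheck/tls/https.rb
@@ -1,72 +1,12 @@
-require 'erb'
-require 'logging'
-require 'parallel'
-
 module CryptCheck
 	module Tls
 		module Https
-			MAX_ANALYSIS_DURATION = 600
-			PARALLEL_ANALYSIS = 10
-			@@log = ::Logging.logger[Https]
-
-			def self.grade(hostname, port=443)
-				timeout MAX_ANALYSIS_DURATION do
-					Grade.new Server.new hostname, port
-				end
-			rescue ::Exception => e
-				@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
-				TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
-			end
-
-			def self.analyze(hosts, output, groups = nil)
-				results = {}
-				semaphore = ::Mutex.new
-				::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
-					result = grade host.strip
-					semaphore.synchronize do
-						if results.include? description
-							results[description] << result
-						else
-							results[description] = [result]
-						end
-					end
-				end
-
-				results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
-
-				results.each do |d, _|
-					results[d].sort! do |a, b|
-						cmp = score(a) <=> score(b)
-						if cmp == 0
-							cmp = b.score <=> a.score
-							if cmp == 0
-								cmp = a.server.hostname <=> b.server.hostname
-							end
-						end
-						cmp
-					end
-				end
-
-				::File.write output, ::ERB.new(::File.read('output/https.erb')).result(binding)
+			def self.analyze(hosts, output)
+				Tls.analyze hosts, 'output/https.erb', output, nil, port: 443, server_class: Server, grade_class: Grade
 			end
 
 			def self.analyze_from_file(file, output)
-				config = ::YAML.load_file file
-				hosts = []
-				groups = []
-				config.each do |c|
-					d, hs = c['description'], c['hostnames']
-					groups << d
-					hs.each { |host| hosts << [d, host] }
-				end
-				self.analyze hosts, output, groups
-			end
-
-			private
-			SCORES = %w(A+ A A- B C D E F T M X)
-
-			def self.score(a)
-				SCORES.index a.grade
+				Tls.analyze_from_file file, 'output/https.erb', output, port: 443, server_class: Server, grade_class: Grade
 			end
 		end
 	end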

+ 1
- 3
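--- a/lib/cryptcheck/tls/https/server.rb
+++ b/lib/cryptcheck/tls/https/server.rb
@@ -1,5 +1,3 @@
-require 'socket'
-require 'openssl'
 require 'httparty'
 
 module CryptCheck
@@ -17,7 +15,7 @@ module CryptCheck
 					port = @port == 443 ? '' : ":#{@port}"
 
 					response = nil
-					@methods.each do |method|
+					EXISTING_METHODS.each do |method|
 						begin
 							next unless SUPPORTED_METHODS.include? method
 							@log.debug { "Check HSTS with #{method}" }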
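Review bot: Removing `require 'socket'` and `require 'openssl'` leaves this file depending on whichever file happened to load `Socket` and `OpenSSL` before it; the surrounding class presumably still uses them (the method in the second hunk is cut at both edges), so the file no longer works when required on its own and the `autoload` order becomes part of its contract. `lib/cryptcheck/tls/xmpp/server.rb` gets the same treatment in this commit. If the intent is that `cryptcheck/tls/server` owns these requires, a one-line `# socket/openssl are loaded by cryptcheck/tls/server` at the top documents it; otherwise keep them, since a repeated `require` is free.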

+ 13
- 10
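--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@@ -38,6 +38,7 @@ module CryptCheck
 				@port = port
 				@log.error { "Begin analysis" }
 				extract_cert
+				#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
 				fetch_prefered_ciphers
 				check_supported_cipher
 				@log.error { "End analysis" }
@@ -191,8 +192,8 @@ module CryptCheck
 					@log.debug { "Waiting for SSL write to #{@hostname}:#{@port}" }
 					raise TLSTimeout unless IO.select nil, [socket], nil, SSL_TIMEOUT
 					retry
-				rescue ::OpenSSL::SSL::SSLError => e
-					raise TLSException, e
+                rescue => e
+                    raise TLSException, e
 				ensure
 					ssl_socket.close
 				end
@@ -283,14 +284,14 @@ module CryptCheck
 			def verify_trust(chain, cert)
 				store = ::OpenSSL::X509::Store.new
 				store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-				%w(mozilla cacert).each do |directory|
+				store.set_default_paths
+
+				%w(cacert).each do |directory|
 					::Dir.glob(::File.join '/usr/share/ca-certificates', directory, '*').each do |file|
-						::File.open file, 'r' do |file|
-							cert = ::OpenSSL::X509::Certificate.new file.read
-							begin
-								store.add_cert cert
-							rescue ::OpenSSL::X509::StoreError
-							end
+						cert = ::OpenSSL::X509::Certificate.new ::File.read file
+						begin
+							store.add_cert cert
+						rescue ::OpenSSL::X509::StoreError
 						end
 					end
 				end
@@ -300,7 +301,9 @@ module CryptCheck
 					rescue ::OpenSSL::X509::StoreError
 					end
 				end
-				store.verify cert
+				trusted = store.verify cert
+				p store.error_string unless trusted
+				trusted
 			end
 		end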
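Review bot: In `verify_trust`, `cert = ::OpenSSL::X509::Certificate.new ::File.read file` inside the `each` block is not block-local — it assigns the method's `cert` parameter — so unless the lines between this hunk and the next reassign it, `store.verify cert` ends up checking the last CA certificate read from `/usr/share/ca-certificates/cacert` instead of the server certificate, and a root that is itself in the store verifies successfully for every host; the old code had the same shadowing, this commit just rewrites it. Rename the loop variable: `ca = ::OpenSSL::X509::Certificate.new ::File.read file` and `store.add_cert ca`. In the second hunk, `rescue => e` now wraps every `StandardError` (e.g. `Errno::ECONNRESET`, `IOError`) as `TLSException`, so the caller can no longer distinguish a dropped connection from a TLS handshake failure, and the two new lines are indented with spaces in a tab-indented file. `p store.error_string unless trusted` prints to stdout; `@log.debug { store.error_string } unless trusted` keeps it with the other diagnostics.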
 

+ 9
- 0
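--- a/lib/cryptcheck/tls/smtp.rb
+++ b/lib/cryptcheck/tls/smtp.rb
@@ -0,0 +1,9 @@
+module CryptCheck
+	module Tls
+		module Smtp
+			def self.analyze_from_file(file, output)
+				Tls.analyze_from_file file, 'output/smtp.erb', output, port: 25, server_class: Server, grade_class: Grade
+			end
+		end
+	end
+end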

+ 8
- 0
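--- a/lib/cryptcheck/tls/smtp/grade.rb
+++ b/lib/cryptcheck/tls/smtp/grade.rb
@@ -0,0 +1,8 @@
+module CryptCheck
+	module Tls
+		module Smtp
+			class Grade < Tls::Grade
+			end
+		end
+	end
+end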

+ 35
- 0
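--- a/lib/cryptcheck/tls/smtp/server.rb
+++ b/lib/cryptcheck/tls/smtp/server.rb
@@ -0,0 +1,35 @@
+require 'resolv'
+
+module CryptCheck
+	module Tls
+		module Smtp
+			class Server < Tls::TcpServer
+				RESOLVER = Resolv::DNS.new
+
+				attr_reader :domain
+
+				def initialize(domain, port=25)
+					@domain = domain
+					srv = RESOLVER.getresources(domain, Resolv::DNS::Resource::IN::MX).sort_by(&:preference).first
+					if srv
+						hostname = srv.exchange.to_s
+					else # DNS is not correctly set, guess config…
+						hostname = domain
+					end
+					super hostname, port
+				end
+
+				def ssl_connect(socket, context, method, &block)
+					socket.recv 1024
+					socket.write "EHLO #{Socket.gethostbyname(Socket.gethostname).first}\r\n"
+					features = socket.recv(1024).split "\r\n"
+					starttls = features.find { |f| /250[- ]STARTTLS/ =~ f }
+					raise TLSNotAvailableException unless starttls
+					socket.write "STARTTLS\r\n"
+					socket.recv 1024
+					super
+				end
+			end
+		end
+	end
+end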
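Review bot: `ssl_connect` frames the SMTP dialogue with bare `socket.recv 1024` calls, but an SMTP reply is one or more CRLF-terminated lines and a multi-line EHLO response can arrive in several segments, so `features` may be cut off before the `250-STARTTLS` line and the server is then reported as offering no TLS — a false negative in a security grade. Read each reply up to the line whose code is followed by a space (`/\A\d{3} /`, RFC 5321 §4.2), as sketched below; this assumes `socket` is a `TCPSocket` so `gets` is available — confirm against `Tls::TcpServer`. `RESOLVER.getresources(...).sort_by(&:preference).first` is `min_by(&:preference)`, and the local is named `srv` while it holds an MX record. `Socket.gethostbyname` is marked obsolete in the Ruby docs; `Socket.gethostname` alone is enough for the EHLO argument.

```ruby
def ssl_connect(socket, context, method, &block)
	read_reply socket                        # greeting banner
	socket.write "EHLO #{Socket.gethostname}\r\n"
	features = read_reply(socket).split "\r\n"
	starttls = features.find { |f| /250[- ]STARTTLS/ =~ f }
	raise TLSNotAvailableException unless starttls
	socket.write "STARTTLS\r\n"
	read_reply socket
	super
end

private

# Read one complete SMTP reply: continuation lines are "250-…",
# the final line is "250 …" (space after the 3-digit code).
def read_reply(socket)
	reply = ''
	while (line = socket.gets)
		reply << line
		break if line =~ /\A\d{3} /
	end
	reply
end
```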

+ 1
- 1
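--- a/lib/cryptcheck/tls/xmpp.rb
+++ b/lib/cryptcheck/tls/xmpp.rb
@@ -7,7 +7,7 @@ module CryptCheck
 		module Xmpp
 			MAX_ANALYSIS_DURATION = 600
 			PARALLEL_ANALYSIS = 10
-			@@log = ::Logging.logger[Https]
+			@@log = ::Logging.logger[Xmpp]
 
 			def self.grade(hostname, type=:s2s)
 				timeout MAX_ANALYSIS_DURATION do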

+ 0
- 2
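--- a/lib/cryptcheck/tls/xmpp/server.rb
+++ b/lib/cryptcheck/tls/xmpp/server.rb
@@ -1,5 +1,3 @@
-require 'socket'
-require 'openssl'
 require 'nokogiri'
 require 'resolv'
 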

+ 69
- 0
output/ca.yml View File

@@ -0,0 +1,69 @@
1
+- description: Autorités de certification
2
+  hostnames:
3
+  - www.cacert.org
4
+  - acedicom.edicomgroup.com
5
+  - grca.nat.gov.tw
6
+  - pki.atos.net
7
+  - www.bundesdruckerei.de
8
+  - www.cybertrust.ne.jp
9
+  - www.logius.nl
10
+  - www.procert.net.ve
11
+  - www.s-trust.de
12
+  - webappsecurity.trendmicro.com
13
+  - www1.cnnic.cn
14
+  - www.actalis.it
15
+  - www.aoc.cat
16
+  - www.a-trust.at
17
+  - www.buypass.no
18
+  - www.camerfirma.com
19
+  - www.certicamara.com
20
+  - www.certigna.fr
21
+  - www.certinomis.com
22
+  - www.certsign.ro
23
+  - www.certum.pl
24
+  - www.cfca.com.cn
25
+  - www.cht.com.tw
26
+  - www.comodo.com
27
+  - www.comsign.co.il
28
+  - www.digicert.com
29
+  - www.disig.eu
30
+  - www.emc.com
31
+  - www.entrust.net
32
+  - www.e-szigno.hu
33
+  - www.etugra.com.tr
34
+  - www.firmaprofesional.com
35
+  - www.geotrust.com
36
+  - www.globalsign.com
37
+  - www.godaddy.com
38
+  - www.gpki.go.jp
39
+  - www.harica.gr
40
+  - www.hongkongpost.gov.hk
41
+  - www.identrust.com
42
+  - www.izenpe.com
43
+  - www.kamusm.gov.tr
44
+  - www.netlock.hu
45
+  - www.networksolutions.com
46
+  - www.opentrust.com
47
+  - www.pki.gva.es
48
+  - www.quovadisglobal.com
49
+  - www.secomtrust.net
50
+  - www.sgtrustservices.com
51
+  - www.sk.ee
52
+  - www.ssi.gouv.fr
53
+  - www.startssl.com
54
+  - www.swissdigicert.ch
55
+  - www.swisssign.com
56
+  - www.symantec.com
57
+  - www.teliasonera.com
58
+  - www.thawte.com
59
+  - www.trustcenter.de
60
+  - www.trustis.com
61
+  - www.trustwave.com
62
+  - www.t-systems.com
63
+  - www.turktrust.com.tr
64
+  - www.twca.com.tw
65
+  - www.verizon.com
66
+  - www.visa.com
67
+  - www.wellsfargo.com
68
+  - www.wisekey.com
69
+  - www.wosign.com

+ 5
- 4
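--- a/output/https.erb
+++ b/output/https.erb
@@ -4,7 +4,7 @@
 		<meta charset="utf-8">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
-		<title>Status SSL/TLS banque &amp; commerce en ligne</title>
+		<title>SSL/TLS &mdash; HTTP</title>
 		<link rel="stylesheet" href="bootstrap.min.css">
 		<style>
 			body {
@@ -77,9 +77,7 @@
 							%>
 							<tr>
 								<th id="<%= s.hostname %>">
-									<a href="https://www.ssllabs.com/ssltest/analyze.html?d=<%= s.hostname %>" target="_blank">
-										<%= s.hostname %>
-									</a>
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
 								</th>
 								<% if s.is_a? Tls::TlsNotSupportedServer %>
 								<td class="critical" colspan="16">
@@ -189,6 +187,9 @@
 							<% end %>
 						</tbody>
 					</table>
+					<div class="pull-right">
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
+					</div>
 				</div>
 			</div>
 		</div>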
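Review bot: `<a href="#<%= s.hostname %>"><%= s.hostname %></a>` (and the `id` attribute on the line above it) interpolates the hostname into markup and into an attribute without escaping; the names in `output/*.yml` are repository-controlled, but `bin/check_https_alexa` already feeds this template from an externally downloaded `top-1m.csv`, so a malformed entry there ends up as live markup in the report. `<%= ERB::Util.h s.hostname %>` in both places is enough, and the new `smtp.erb` and `xmpp.erb` repeat the same pattern (`s.domain` in `smtp.erb`), so they should get the same treatment.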

+ 89
- 6
output/index.yml View File

@@ -7,7 +7,7 @@
7 7
   - rss.decornulier.eu
8 8
   - fralef.me
9 9
   - jeekajoo.eu
10
-  - status.jbfavre.org
10
+  - jbfavre.org
11 11
   - rosset.net
12 12
   - owc.h.arysthaar.pw
13 13
   - crifo.org
@@ -16,6 +16,12 @@
16 16
   - komic.eu
17 17
   - apericraft.ovh
18 18
   - nicolas.legland.fr
19
+  - clauzel.eu
20
+  - vinilox.eu
21
+  - keuse.fr
22
+  - regar42.fr
23
+  - tcit.fr
24
+  - aplu.fr
19 25
 - description: Associations
20 26
   hostnames:
21 27
   - april.org
@@ -30,11 +36,49 @@
30 36
   - lea-linux.org
31 37
   - framasoft.org
32 38
   - gnu.org
39
+  - www.fdn.fr
40
+- description: Framasoft
41
+  hostnames:
42
+  - framabag.org
43
+  - framabin.org
44
+  - framabag.org
45
+  - framadate.org
46
+  - framanews.org
47
+  - framasphere.org
48
+  - framacalc.org
49
+  - framakey.org
50
+  - framapic.org
51
+  - framindmap.org
52
+  - framacolibri.org
53
+  - framabee.org
54
+  - tontonroger.org
55
+  - trouvons.org
56
+  - frama.link
57
+  - huit.re
58
+  - lite.framapad.org
59
+  - lite2.framapad.org
60
+  - lite3.framapad.org
61
+  - lite4.framapad.org
62
+  - lite5.framapad.org
63
+  - lite6.framapad.org
64
+  - quotidien.framapad.org
65
+  - hebdo.framapad.org
66
+  - mensuel.framapad.org
67
+  - bimensuel.framapad.org
68
+  - semestriel.framapad.org
69
+  - annuel.framapad.org
70
+  - git.framasoft.org
71
+  - participer.framasoft.org
72
+  - contact.framasoft.org
73
+  - stats.framasoft.org
74
+  - status.framasoft.org
75
+  - soutenir.framasoft.org
33 76
 - description: Banques en ligne
34 77
   hostnames:
35
-  - www.labanquepostale.fr
78
+  - voscomptesenligne.labanquepostale.fr
36 79
   - www.labanquepostale-cartesprepayees.fr
37 80
   - www.secure.bnpparibas.net
81
+  - mabanque.bnpparibas
38 82
   - www.axabanque.fr
39 83
   - www.fortuneo.fr
40 84
   - www.ca-paris.fr
@@ -51,7 +95,6 @@
51 95
   - www.creditmutuel.fr
52 96
   - www.caisse-epargne.fr
53 97
   - paiement.systempay.fr
54
-  - cnce.wlp-acs.com
55 98
   - www.cmb.fr
56 99
   - www.ca-paris.fr
57 100
   - www.ca-cotesdarmor.fr
@@ -70,6 +113,14 @@
70 113
   - www.gmf.fr
71 114
   - www.hsbc.fr
72 115
   - www.monabanq.com
116
+  - www.ca-atlantique-vendee.fr
117
+- description: 3D « Secure »
118
+  hostnames:
119
+  - ssl.paiement.cic-banques.fr
120
+  - cnce.wlp-acs.com
121
+  - ingdf.wlp-acs.com
122
+  - ca-sp.wlp-acs.com
123
+  - www.e-i.com
73 124
 - description: Assurances
74 125
   hostnames:
75 126
   - www.actassur.com
@@ -135,6 +186,7 @@
135 186
   - www.csf.fr
136 187
   - client.gemoneybank.fr
137 188
   - www.oney.fr
189
+  - www.cofidis.fr
138 190
 - description: Webmails
139 191
   hostnames:
140 192
   - webmail.mailden.fr
@@ -167,6 +219,7 @@
167 219
   - mon.rsi.fr
168 220
   - jedeclare.com
169 221
   - net-entreprises.fr
222
+  - www.i-cad.fr
170 223
 - description: Sites de commerce en ligne
171 224
   hostnames:
172 225
   - signin.ebay.fr
@@ -182,10 +235,11 @@
182 235
   - secure.fnac.com
183 236
   - www.laredoute.fr
184 237
   - online.carrefour.fr
185
-  - www.paymill.com
238
+#  - www.paymill.com
186 239
   - paymium.com
187 240
   - www.materiel.net
188
-  - www.topachat.com
241
+  - auth.topachat.com
242
+  - customer.rueducommerce.fr
189 243
 - description: « Cloud » / Gestionnaires de mot de passe
190 244
   hostnames:
191 245
   - lastpass.com
@@ -198,10 +252,39 @@
198 252
   - spideroak.com
199 253
   - hubic.com
200 254
   - box.com
255
+- description: FAI
256
+  hostnames:
257
+  - www.bouyguestelecom.fr
258
+  - www.sfr.fr
259
+  - www.orange.com
260
+  - www.nordnet.com
261
+  - www.free.fr
262
+  - www.fdn.fr
263
+  - www.connexion-verte.fr
264
+  - www.budget-telecom.com
265
+  - www.quantic-telecom.net
266
+  - www.nerim.fr
267
+  - offres.numericable.fr
268
+  - portail.dartybox.com
269
+  - www.ovh.com
270
+  - www.coriolis.com
271
+  - www.prixtel.com
272
+  - www.virginmobile.fr
273
+  - www.wibox.fr
274
+  - www.wimifi.net
275
+  - www.viveole.fr
276
+  - www.societehautdebit.fr
277
+  - www.skydsl.eu
278
+  - www.ozone.net
279
+  - www.nomotech.com
280
+  - www.bollore.com
281
+  - www.ifw.fr
282
+  - www.wizeo.com
283
+  - www.infosat-telecom.fr
201 284
 - description: Divers
202 285
   hostnames:
203 286
   - www.mailden.net
204
-  - www.sharypic.com
205 287
   - google.fr
206 288
   - duckduckgo.com
207 289
   - octopuce.fr
290
+  - sharypic.com

+ 35
- 0
output/press.yml View File

@@ -0,0 +1,35 @@
1
+- description: Journaux & Presse en ligne
2
+  hostnames:
3
+  - charliehebdo.fr
4
+  - tempsreel.nouvelobs.com
5
+  - www.20minutes.fr
6
+  - www.challenges.fr
7
+  - www.courrierinternational.com
8
+  - www.directmatin.fr
9
+  - www.francesoir.fr
10
+  - www.humanite.presse.fr
11
+  - www.la-croix.com
12
+  - www.latribune.fr
13
+  - www.lecanardenchaine.fr
14
+  - www.lefigaro.fr
15
+  - www.lejdd.fr
16
+  - www.lemonde.fr
17
+  - www.leparisien.fr
18
+  - www.lepoint.fr
19
+  - www.lequipe.fr
20
+  - www.lesechos.fr
21
+  - www.lexpress.fr
22
+  - www.liberation.fr
23
+  - www.lopinion.fr
24
+  - www.marianne.net
25
+  - www.mediapart.fr
26
+  - www.metronews.fr
27
+  - www.minute-hebdo.fr
28
+  - www.monde-diplomatique.fr
29
+  - www.monde-libertaire.fr
30
+  - www.parismatch.com
31
+  - www.telerama.fr
32
+  - www.vsd.fr
33
+  - www.slate.fr
34
+  - reader.fr
35
+  - www.arretsurimages.net

+ 25
- 0
output/securedrop.yml View File

@@ -0,0 +1,25 @@
1
+- description: SecureDrop instances
2
+  hostnames:
3
+  - securedrop.propublica.org
4
+  - ssl.washingtonpost.com
5
+  - nrkbeta.no
6
+  - exposefacts.org
7
+  - firstlook.org
8
+  - www.safesource.org.nz
9
+  - safesource.forbes.com
10
+  - pressfreedomfoundation.org
11
+  - projects.newyorker.com
12
+  - securedrop.theguardian.com
13
+  - securedrop.pogo.org
14
+  - bayleaks.com
15
+  - securedrop.radio24syv.dk
16
+  - tcfmailvault.info
17
+  - www.balkanleaks.eu
18
+- description: GlobalLeaks instances
19
+  hostnames:
20
+  - secure.publeaks.nl
21
+  - secure.wildleaks.org
22
+  - www.extremeleaks.org
23
+- description: Misc
24
+  hostnames:
25
+  - secure.frenchleaks.fr

+ 192
- 0
output/smtp.erb View File

@@ -0,0 +1,192 @@
1
+<!DOCTYPE html>
2
+<html lang="fr">
3
+	<head>
4
+		<meta charset="utf-8">
5
+		<meta http-equiv="X-UA-Compatible" content="IE=edge">
6
+		<meta name="viewport" content="width=device-width, initial-scale=1">
7
+		<title>SSL/TLS &mdash; SMTP</title>
8
+		<link rel="stylesheet" href="bootstrap.min.css">
9
+		<style>
10
+			body {
11
+				margin-top: 10px;
12
+			}
13
+
14
+			td {
15
+				text-align: center;
16
+			}
17
+
18
+			.critical {
19
+				background-color: #000;
20
+				color: #fff;
21
+			}
22
+
23
+			tr:hover > td.critical, td:hover.critical {
24
+				background-color: #333 !important;
25
+			}
26
+		</style>
27
+	</head>
28
+	<body>
29
+		<div class="container-fluid">
30
+			<div class="row">
31
+				<div class="col-md-12">
32
+					<table class="table table-bordered table-hover table-condensed">
33
+						<tbody>
34
+							<%
35
+								first = true
36
+								results.each do |r|
37
+									unless first
38
+							%>
39
+							<tr>
40
+								<th colspan="15">&nbsp;</th>
41
+							</tr>
42
+							<%
43
+									end
44
+									first = false
45
+							%>
46
+							<tr>
47
+								<th colspan="14" id="<%= r[0] %>"><%= r[0] %></th>
48
+							</tr>
49
+							<tr>
50
+								<th rowspan="2">Site</th>
51
+								<td rowspan="2">Grade</td>
52
+								<td colspan="2">Certificate</td>
53
+								<td colspan="4">Protocols</td>
54
+								<td colspan="5">Ciphers</td>
55
+								<td>Best practices</td>
56
+							</tr>
57
+							<tr>
58
+								<td>Key size (bits)</td>
59
+								<td class="warning">SHA1 sig</td>
60
+
61
+								<td class="critical">SSL v2</td>
62
+								<td class="critical">SSL v3</td>
63
+								<td class="success">TLS 1.2</td>
64
+								<td class="info">TLS</td>
65
+
66
+								<td>Strength (bits)</td>
67
+								<td class="critical">MD5</td>
68
+								<td class="warning">SHA1</td>
69
+								<td class="critical">DES/RC4</td>
70
+								<td class="danger">3DES</td>
71
+
72
+								<td class="info">PFS</td>
73
+							</tr>
74
+							<% r[1].each do |n|
75
+							   s = n.server
76
+							%>
77
+							<tr>
78
+								<% if s.is_a? Tls::TlsNotSupportedServer %>
79
+								<th id="<%= s.hostname %>">
80
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
81
+								</th>
82
+								<td class="critical" colspan="16">
83
+									No SSL/TLS
84
+								</td>
85
+								<%
86
+									else
87
+										rank_color = case n.grade
88
+											when 'A+' then :info
89
+											when 'A', 'A-' then :success
90
+											when 'B', 'C' then :warning
91
+											when 'T', 'M' then :critical
92
+											else :danger
93
+										end
94
+								%>
95
+								<th id="<%= s.domain %>"><%= s.domain %></th>
96
+								<td class="<%= rank_color %>">
97
+									<%= n.grade %>
98
+								</td>
99
+
100
+								<td class="<%= s.key_size < 2048 ? :danger : s.key_size < 4096 ? :warning : :success %>">
101
+									<% type, size = s.key %>
102
+									<%= "#{size} (#{type.to_s.upcase})" %>
103
+									<span class="sr-only">(<%= s.key_size < 2048 ? '☹' : '☺' %>)</span>
104
+								</td>
105
+								<td class="<%= s.sha1_sig? ? :warning : :success %>">
106
+									<%= s.sha1_sig? ? '✓' : '✗' %>
107
+									<span class="sr-only">(<%= s.sha1_sig? ? '☹' : '☺' %>)</span>
108
+								</td>
109
+
110
+								<td class="<%= s.sslv2? ? :critical : :success %>">
111
+									<%= s.sslv2? ? '✓' : '✗' %>
112
+									<span class="sr-only">(<%= s.sslv2? ? '☹' : '☺' %>)</span>
113
+								</td>
114
+								<td class="<%= s.sslv3? ? :critical : :success %>">
115
+									<%= s.sslv3? ? '✓' : '✗' %>
116
+									<span class="sr-only">(<%= s.sslv3? ? '☹' : '☺' %>)</span>
117
+								</td>
118
+								<td class="<%= s.tlsv1_2? ? :success : :danger %>">
119
+									<%= s.tlsv1_2? ? '✓' : '✗' %>
120
+									<span class="sr-only">(<%= s.tlsv1_2? ? '☺' : '☹' %>)</span>
121
+								</td>
122
+								<td class="<%= s.tls? ? (s.tls_only? ? :info : :success) : :danger %>">
123
+									<%= s.tls? ? '✓' : '✗' %>
124
+									<span class="sr-only">(<%= s.tls? ? '☺' : '☹' %>)</span>
125
+								</td>
126
+
127
+								<% cipher_size = s.cipher_size[:worst] %>
128
+								<td class="<%= cipher_size < 112 ? :danger : cipher_size < 128 ? :warning : :success %>">
129
+									<%= cipher_size %>
130
+									<span class="sr-only">(<%= cipher_size < 128 ? '☹' : '☺' %>)</span>
131
+								</td>
132
+								<td class="<%= s.md5? ? :critical : :success %>">
133
+									<%= s.md5? ? '✓' : '✗' %>
134
+									<span class="sr-only">(<%= s.md5? ? '☹' : '☺' %>)</span>
135
+								</td>
136
+								<td class="<%= s.sha1? ? :warning : :success %>">
137
+									<%= s.sha1? ? '✓' : '✗' %>
138
+									<span class="sr-only">(<%= s.sha1? ? '☹' : '☺' %>)</span>
139
+								</td>
140
+								<td class="<%= (s.rc4? or s.des?) ? :critical : :success %>">
141
+									<%= (s.rc4? or s.des?) ? '✓' : '✗' %>
142
+									<span class="sr-only">(<%= (s.rc4? or s.des?) ? '☹' : '☺' %>)</span>
143
+								</td>
144
+								<td class="<%= s.des3? ? :danger : :success %>">
145
+									<%= s.des3? ? '✓' : '✗' %>
146
+									<span class="sr-only">(<%= s.des3? ? '☹' : '☺' %>)</span>
147
+								</td>
148
+
149
+								<td class="<%= s.pfs? ? (s.pfs_only? ? :info : :success) : :danger %>">
150
+									<%= s.pfs? ? '✓' : '✗' %>
151
+									<span class="sr-only">(<%= s.pfs? ? '☺' : '☹' %>)</span>
152
+								</td>
153
+								<% end %>
154
+							</tr>
155
+							<% end %>
156
+							<tr>
157
+								<th rowspan="2">Site</th>
158
+								<td rowspan="2">Grade</td>
159
+
160
+								<td>Key size (bits)</td>
161
+								<td class="warning">SHA1 sig</td>
162
+
163
+								<td class="critical">SSL v2</td>
164
+								<td class="critical">SSL v3</td>
165
+								<td class="success">TLS 1.2</td>
166
+								<td class="info">TLS</td>
167
+
168
+								<td>Strength (bits)</td>
169
+								<td class="critical">MD5</td>
170
+								<td class="warning">SHA1</td>
171
+								<td class="critical">DES/RC4</td>
172
+								<td class="danger">3DES</td>
173
+
174
+								<td class="info">PFS</td>
175
+							</tr>
176
+							<tr>
177
+								<td colspan="2">Certificate</td>
178
+								<td colspan="4">Protocols</td>
179
+								<td colspan="5">Ciphers</td>
180
+								<td>Best practices</td>
181
+							</tr>
182
+							<% end %>
183
+						</tbody>
184
+					</table>
185
+					<div class="pull-right">
186
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
187
+					</div>
188
+				</div>
189
+			</div>
190
+		</div>
191
+	</body>
192
+</html>

+ 205
- 0
output/smtp.yml View File

@@ -0,0 +1,205 @@
1
+- description: Serveurs personnels
2
+  hostnames:
3
+  - imirhil.fr
4
+  - libwalk.so
5
+  - keltia.net
6
+  - demouliere.eu
7
+  - decornulier.eu
8
+  - fralef.me
9
+  - jeekajoo.eu
10
+  - jbfavre.org
11
+  - rosset.net
12
+  - arysthaar.pw
13
+  - crifo.org
14
+  - matlink.fr
15
+  - pfag.me
16
+  - komic.eu
17
+  - apericraft.ovh
18
+  - legland.fr
19
+- description: Associations
20
+  hostnames:
21
+  - april.org
22
+  - laquadrature.net
23
+  - fsf.org
24
+  - ubuntu-paris.org
25
+  - parinux.org
26
+  - aful.org
27
+  - rmll.info
28
+  - ubuntu-fr.org
29
+  - linuxfr.org
30
+  - lea-linux.org
31
+  - framasoft.org
32
+  - gnu.org
33
+- description: Banques en ligne
34
+  hostnames:
35
+  - labanquepostale.fr
36
+  - labanquepostale-cartesprepayees.fr
37
+  - bnpparibas.net
38
+  - axabanque.fr
39
+  - fortuneo.fr
40
+  - ca-paris.fr
41
+  - credit-cooperatif.coop
42
+  - coopanet.com
43
+  - cic.fr
44
+  - societegenerale.fr
45
+  - groupama.fr
46
+  - banquepopulaire.fr
47
+  - ca-des-savoie.fr
48
+  - lcl.fr
49
+  - boursorama.com
50
+  - bpe.fr
51
+  - creditmutuel.fr
52
+  - caisse-epargne.fr
53
+  - systempay.fr
54
+  - wlp-acs.com
55
+  - cmb.fr
56
+  - ca-paris.fr
57
+  - ca-cotesdarmor.fr
58
+  - ingdirect.fr
59
+  - banque-accord.fr
60
+  - banque-casino.fr
61
+  - bforbank.com
62
+  - hellobank.fr
63
+  - carrefour-banque.fr
64
+  - agf.fr
65
+  - banque-casino.fr
66
+  - palatine.fr
67
+  - bpi-online.net
68
+  - barclays.fr
69
+  - credit-du-nord.fr
70
+  - gmf.fr
71
+  - hsbc.fr
72
+  - monabanq.com
73
+- description: Assurances
74
+  hostnames:
75
+  - actassur.com
76
+  - gie-afer.fr
77
+  - ag2rlamondiale.fr
78
+  - consultations.agipi.com
79
+  - agpm.fr
80
+  - alptis.org
81
+  - altaprofits.com
82
+  - amv.fr
83
+  - apicil.com
84
+  - april.fr
85
+  - fapes-diffusion.fr
86
+  - assu2000.fr
87
+  - assurone.com
88
+  - avip.fr
89
+  - avivadirect.fr
90
+  - canisante.com
91
+  - carac.fr
92
+  - cegema.com
93
+  - chienchatsante.com
94
+  - direct-assurance.fr
95
+  - euro-assurance.com
96
+  - eca-assurances.com
97
+  - fma.fr
98
+  - gaipare.com
99
+  - gapassurance.com
100
+  - generali.fr
101
+  - hedios.com
102
+  - ingdirect.fr
103
+  - conservateur.fr
104
+  - linxea.com
105
+  - maaf.fr
106
+  - macif.fr
107
+  - macsf.fr
108
+  - maif.fr
109
+  - matmut.fr
110
+  - mgel.fr
111
+  - mma.fr
112
+  - nationalesuisse.ch
113
+  - nexx.fr
114
+  - sainteauprevoyance.com
115
+  - santevet.com
116
+  - selfepargne.fr
117
+  - sicavonline.fr
118
+  - smabtp.fr
119
+  - cybermutuelle.com
120
+  - sollyazar.com
121
+  - swisslife.fr
122
+- description: Organismes de crédit
123
+  hostnames:
124
+  - cetelem.fr
125
+  - cofinoga.fr
126
+  - sofinco.fr
127
+  - pret-dunion.fr
128
+  - franfinance.fr
129
+  - 123credit.com
130
+  - disponis.fr
131
+  - complicio.fr
132
+  - creditfoncier.fr
133
+  - credit.fr
134
+  - credit-immobilier-de-france.fr
135
+  - csf.fr
136
+  - gemoneybank.fr
137
+  - oney.fr
138
+- description: Webmails
139
+  hostnames:
140
+  - mailden.fr
141
+  - free.fr
142
+  - numericable.fr
143
+  - orange-business.com
144
+  - orange.fr
145
+  - gandi.net
146
+  - sfr.fr
147
+  - online.net
148
+  - amen.fr
149
+  - ovh.com
150
+  - aliceadsl.fr
151
+  - laposte.net
152
+  - openmailbox.org
153
+- description: Administration
154
+  hostnames:
155
+  - ameli.fr
156
+  - moncompte.mobi
157
+  - service-public.fr
158
+  - impots.gouv.fr
159
+  - pole-emploi.fr
160
+  - caf.fr
161
+  - justice.gouv.fr
162
+  - interieur.gouv.fr
163
+  - cnil.fr
164
+  - quechoisir.org
165
+  - rsi.fr
166
+  - jedeclare.com
167
+  - net-entreprises.fr
168
+- description: Sites de commerce en ligne
169
+  hostnames:
170
+  - ebay.fr
171
+  - ldlc.com
172
+  - grosbill.com
173
+  - darty.com
174
+  - boulanger.fr
175
+  - capitainetrain.com
176
+  - voyages-sncf.com
177
+  - pixmania.fr
178
+  - cdiscount.com
179
+  - ikea.com
180
+  - fnac.com
181
+  - laredoute.fr
182
+  - carrefour.fr
183
+  - paymill.com
184
+  - paymium.com
185
+  - materiel.net
186
+  - topachat.com
187
+- description: « Cloud » / Gestionnaires de mot de passe
188
+  hostnames:
189
+  - lastpass.com
190
+  - dashlane.com
191
+  - passpack.com
192
+  - clipperz.is
193
+  - mitro.co
194
+  - icloud.com
195
+  - dropbox.com
196
+  - spideroak.com
197
+  - hubic.com
198
+  - box.com
199
+- description: Divers
200
+  hostnames:
201
+  - mailden.net
202
+  - sharypic.com
203
+  - google.fr
204
+  - duckduckgo.com
205
+  - octopuce.fr

+ 7
- 3
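--- a/output/xmpp.erb
+++ b/output/xmpp.erb
@@ -4,7 +4,7 @@
 		<meta charset="utf-8">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
-		<title>XMPP</title>
+		<title>SSL/TLS &mdash; XMPP</title>
 		<link rel="stylesheet" href="bootstrap.min.css">
 		<style>
 			body {
@@ -91,8 +91,10 @@
 								s = n.server
 							%>
 							<tr>
+								<th id="<%= s.hostname %>">
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
+								</th>
 								<% if s.is_a? Tls::TlsNotSupportedServer %>
-								<th id="<%= s.hostname %>"><%= s.hostname %></th>
 								<td class="critical" colspan="16">
 									No SSL/TLS
 								</td>
@@ -104,7 +106,6 @@
 											when 'T', 'M' then :critical
 											else :danger
 										end %>
-								<th id="<%= s.domain %>"><%= s.domain %></th>
 								<td class="<%= rank_color %>">
 									<%= n.grade %>
 								</td>
@@ -171,6 +172,9 @@
 							<% end %>
 						</tbody>
 					</table>
+					<div class="pull-right">
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
+					</div>
 				</div>
 			</div>
 		</div>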

+ 4
- 0
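--- a/output/xmpp.yml
+++ b/output/xmpp.yml
@@ -15,3 +15,7 @@
 - citronna.de
 - matlink.fr
 - verry.org
+- keuse.fr
+- cappuccino.uk.to
+- corzntin.fr
+- fralef.me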
