Some fixes

Makefile

@@ -1,38 +1,57 @@
 PWD = $(shell pwd)
 export CPATH = $(PWD)/openssl/include
 export LIBRARY_PATH = $(PWD)/openssl
-OPENSSL_VERSION = OpenSSL_1_0_1j
-RUBY_VERSION = 2.1.5
-RUBY_OPENSSL_EXT_DIR = ruby-$(RUBY_VERSION)/ext/openssl
+OPENSSL_VERSION = 1.0.1m
+OPENSSL_DIR = openssl-$(OPENSSL_VERSION)
+RUBY_MAJOR_VERSION = 2.2
+RUBY_VERSION = $(RUBY_MAJOR_VERSION).2
+RUBY_DIR = ruby-$(RUBY_VERSION)
+RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
+export LIBRARY_PATH = $(PWD)/lib
+export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
 
-all: lib/libssl.so.1.0.0 lib/libcrypto.so.1.0.0 lib/openssl.so
+.SECONDARY:
+
+all: libs ext
 
 clean:
-	rm -rf ruby-$(RUBY_VERSION) openssl
+	rm -rf $(RUBY_DIR) $(OPENSSL_DIR)
+
+mr-proper: clean
+	rm -rf lib/libcrypto.so* lib/libssl.so* lib/openssl.so
+
+$(OPENSSL_DIR)/:
+	wget https://www.openssl.org/source/$(OPENSSL_DIR).tar.gz
+	tar xf $(OPENSSL_DIR).tar.gz
+	rm -rf $(OPENSSL_DIR).tar.gz
 
-openssl:
-	git clone https://github.com/openssl/openssl -b $(OPENSSL_VERSION)
+$(OPENSSL_DIR)/Makefile: $(OPENSSL_DIR)/
+	cd $(OPENSSL_DIR); ./config shared
 
-openssl/Makefile: openssl
-	cd openssl; ./config shared
+$(OPENSSL_DIR)/libssl.so.1.0.0 $(OPENSSL_DIR)/libcrypto.so.1.0.0: $(OPENSSL_DIR)/Makefile
+	$(MAKE) -C $(OPENSSL_DIR) depend build_libs
 
-openssl/libssl.so: openssl/Makefile
-	cd openssl; $(MAKE) depend all
+lib/%.so.1.0.0: $(OPENSSL_DIR)/%.so.1.0.0
+	cp $< $@
+
+lib/%.so: lib/%.so.1.0.0
+	ln -s $(notdir $<) $@
 
-lib/%.so.1.0.0: openssl/%.so
-	cp $^ $@
+libs: lib/libssl.so lib/libcrypto.so
 
-ruby-$(RUBY_VERSION):
-	wget http://cache.ruby-lang.org/pub/ruby/2.1/ruby-$(RUBY_VERSION).tar.gz
-	tar xf ruby-$(RUBY_VERSION).tar.gz
-	rm -f ruby-$(RUBY_VERSION).tar.gz
+$(RUBY_DIR):
+	wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_DIR).tar.gz
+	tar xf $(RUBY_DIR).tar.gz
+	rm -f $(RUBY_DIR).tar.gz
 
-$(RUBY_OPENSSL_EXT_DIR)/Makefile: ruby-$(RUBY_VERSION)
+$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs $(RUBY_DIR)
 	cd $(RUBY_OPENSSL_EXT_DIR); ruby extconf.rb
 	patch $@ patch
 
-$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/Makefile
-	cd $(RUBY_OPENSSL_EXT_DIR); $(MAKE); $(MAKE) install
+$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
+	$(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)
 
 lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
 	cp $< $@
+
+ext: lib/openssl.so

bin/check_https_alexa

@@ -3,6 +3,8 @@ $:.unshift 'lib'
 require 'logging'
 require 'cryptcheck'
 
+GROUP_NAME = 'Top 100 Alexa'
+
 ::Logging.logger.root.appenders = ::Logging.appenders.stdout
 ::Logging.logger.root.level = :error
 
@@ -10,7 +12,7 @@ hosts = []
 ::File.open('top-1m.csv', 'r') do |file|
 	i = 0
 	while line = file.gets
-		hosts << ['Top 100 Alexa', line.strip.split(',')[1]]
+		hosts << [GROUP_NAME, line.strip.split(',')[1]]
 		i += 1
 		break if i == 100
 	end

bin/check_smtp

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+$:.unshift 'lib'
+require 'logging'
+require 'cryptcheck'
+
+name = ARGV[0]
+unless name
+	::CryptCheck::Tls::Smtp.analyze_from_file 'output/smtp.yml', 'output/smtp.html'
+else
+	::Logging.logger.root.appenders = ::Logging.appenders.stdout
+	::Logging.logger.root.level = :warn
+
+	server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
+	p grade = ::CryptCheck::Tls::Smtp::Grade.new(server)
+end
+
+

lib/cryptcheck.rb

@@ -1,4 +1,5 @@
 module CryptCheck
+	autoload :Tls, 'cryptcheck/tls'
 	module Tls
 		autoload :Server, 'cryptcheck/tls/server'
 		autoload :TcpServer, 'cryptcheck/tls/server'
@@ -18,5 +19,11 @@ module CryptCheck
 			autoload :Server, 'cryptcheck/tls/xmpp/server'
 			autoload :Grade, 'cryptcheck/tls/xmpp/grade'
 		end
+
+		autoload :Smtp, 'cryptcheck/tls/smtp'
+		module Smtp
+			autoload :Server, 'cryptcheck/tls/smtp/server'
+			autoload :Grade, 'cryptcheck/tls/smtp/grade'
+		end
 	end
 end

lib/cryptcheck/tls.rb

@@ -0,0 +1,71 @@
+require 'erb'
+require 'logging'
+require 'parallel'
+
+module CryptCheck
+	module Tls
+		MAX_ANALYSIS_DURATION = 600
+		PARALLEL_ANALYSIS = 10
+		@@log = ::Logging.logger[Tls]
+
+		def self.grade(hostname, port, server_class:, grade_class:)
+			timeout MAX_ANALYSIS_DURATION do
+				grade_class.new server_class.new hostname, port
+			end
+		rescue ::Exception => e
+			@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
+			TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
+		end
+
+		def self.analyze(hosts, template, output, groups = nil, port:, server_class:, grade_class:)
+			results = {}
+			semaphore = ::Mutex.new
+			::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
+									 result = grade host.strip, port, server_class: server_class, grade_class: grade_class
+									 semaphore.synchronize do
+										 if results.include? description
+											 results[description] << result
+										 else
+											 results[description] = [result]
+										 end
+									 end
+								 end
+
+			results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
+
+			results.each do |d, _|
+				results[d].sort! do |a, b|
+					cmp = score(a) <=> score(b)
+					if cmp == 0
+						cmp = b.score <=> a.score
+						if cmp == 0
+							cmp = a.server.hostname <=> b.server.hostname
+						end
+					end
+					cmp
+				end
+			end
+
+			::File.write output, ::ERB.new(::File.read(template)).result(binding)
+		end
+
+		def self.analyze_from_file(file, template, output, port:, server_class:, grade_class:)
+			config = ::YAML.load_file file
+			hosts = []
+			groups = []
+			config.each do |c|
+				d, hs = c['description'], c['hostnames']
+				groups << d
+				hs.each { |host| hosts << [d, host] }
+			end
+			self.analyze hosts, template, output, groups, port: port, server_class: server_class, grade_class: grade_class
+		end
+
+		private
+		SCORES = %w(A+ A A- B C D E F T M X)
+
+		def self.score(a)
+			SCORES.index a.grade
+		end
+	end
+end

lib/cryptcheck/tls/https.rb

@@ -1,72 +1,12 @@
-require 'erb'
-require 'logging'
-require 'parallel'
-
 module CryptCheck
 	module Tls
 		module Https
-			MAX_ANALYSIS_DURATION = 600
-			PARALLEL_ANALYSIS = 10
-			@@log = ::Logging.logger[Https]
-
-			def self.grade(hostname, port=443)
-				timeout MAX_ANALYSIS_DURATION do
-					Grade.new Server.new hostname, port
-				end
-			rescue ::Exception => e
-				@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
-				TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
-			end
-
-			def self.analyze(hosts, output, groups = nil)
-				results = {}
-				semaphore = ::Mutex.new
-				::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
-					result = grade host.strip
-					semaphore.synchronize do
-						if results.include? description
-							results[description] << result
-						else
-							results[description] = [result]
-						end
-					end
-				end
-
-				results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
-
-				results.each do |d, _|
-					results[d].sort! do |a, b|
-						cmp = score(a) <=> score(b)
-						if cmp == 0
-							cmp = b.score <=> a.score
-							if cmp == 0
-								cmp = a.server.hostname <=> b.server.hostname
-							end
-						end
-						cmp
-					end
-				end
-
-				::File.write output, ::ERB.new(::File.read('output/https.erb')).result(binding)
+			def self.analyze(hosts, output)
+				Tls.analyze hosts, 'output/https.erb', output, nil, port: 443, server_class: Server, grade_class: Grade
 			end
 
 			def self.analyze_from_file(file, output)
-				config = ::YAML.load_file file
-				hosts = []
-				groups = []
-				config.each do |c|
-					d, hs = c['description'], c['hostnames']
-					groups << d
-					hs.each { |host| hosts << [d, host] }
-				end
-				self.analyze hosts, output, groups
-			end
-
-			private
-			SCORES = %w(A+ A A- B C D E F T M X)
-
-			def self.score(a)
-				SCORES.index a.grade
+				Tls.analyze_from_file file, 'output/https.erb', output, port: 443, server_class: Server, grade_class: Grade
 			end
 		end
 	end

lib/cryptcheck/tls/https/server.rb

@@ -1,5 +1,3 @@
-require 'socket'
-require 'openssl'
 require 'httparty'
 
 module CryptCheck
@@ -17,7 +15,7 @@ module CryptCheck
 					port = @port == 443 ? '' : ":#{@port}"
 
 					response = nil
-					@methods.each do |method|
+					EXISTING_METHODS.each do |method|
 						begin
 							next unless SUPPORTED_METHODS.include? method
 							@log.debug { "Check HSTS with #{method}" }

lib/cryptcheck/tls/server.rb

@@ -38,6 +38,7 @@ module CryptCheck
 				@port = port
 				@log.error { "Begin analysis" }
 				extract_cert
+				#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
 				fetch_prefered_ciphers
 				check_supported_cipher
 				@log.error { "End analysis" }
@@ -191,8 +192,8 @@ module CryptCheck
 					@log.debug { "Waiting for SSL write to #{@hostname}:#{@port}" }
 					raise TLSTimeout unless IO.select nil, [socket], nil, SSL_TIMEOUT
 					retry
-				rescue ::OpenSSL::SSL::SSLError => e
-					raise TLSException, e
+                rescue => e
+                    raise TLSException, e
 				ensure
 					ssl_socket.close
 				end
@@ -283,14 +284,14 @@ module CryptCheck
 			def verify_trust(chain, cert)
 				store = ::OpenSSL::X509::Store.new
 				store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-				%w(mozilla cacert).each do |directory|
+				store.set_default_paths
+
+				%w(cacert).each do |directory|
 					::Dir.glob(::File.join '/usr/share/ca-certificates', directory, '*').each do |file|
-						::File.open file, 'r' do |file|
-							cert = ::OpenSSL::X509::Certificate.new file.read
-							begin
-								store.add_cert cert
-							rescue ::OpenSSL::X509::StoreError
-							end
+						cert = ::OpenSSL::X509::Certificate.new ::File.read file
+						begin
+							store.add_cert cert
+						rescue ::OpenSSL::X509::StoreError
 						end
 					end
 				end
@@ -300,7 +301,9 @@ module CryptCheck
 					rescue ::OpenSSL::X509::StoreError
 					end
 				end
-				store.verify cert
+				trusted = store.verify cert
+				p store.error_string unless trusted
+				trusted
 			end
 		end
 

lib/cryptcheck/tls/smtp.rb

@@ -0,0 +1,9 @@
+module CryptCheck
+	module Tls
+		module Smtp
+			def self.analyze_from_file(file, output)
+				Tls.analyze_from_file file, 'output/smtp.erb', output, port: 25, server_class: Server, grade_class: Grade
+			end
+		end
+	end
+end

lib/cryptcheck/tls/smtp/grade.rb

@@ -0,0 +1,8 @@
+module CryptCheck
+	module Tls
+		module Smtp
+			class Grade < Tls::Grade
+			end
+		end
+	end
+end

lib/cryptcheck/tls/smtp/server.rb

@@ -0,0 +1,35 @@
+require 'resolv'
+
+module CryptCheck
+	module Tls
+		module Smtp
+			class Server < Tls::TcpServer
+				RESOLVER = Resolv::DNS.new
+
+				attr_reader :domain
+
+				def initialize(domain, port=25)
+					@domain = domain
+					srv = RESOLVER.getresources(domain, Resolv::DNS::Resource::IN::MX).sort_by(&:preference).first
+					if srv
+						hostname = srv.exchange.to_s
+					else # DNS is not correctly set, guess config…
+						hostname = domain
+					end
+					super hostname, port
+				end
+
+				def ssl_connect(socket, context, method, &block)
+					socket.recv 1024
+					socket.write "EHLO #{Socket.gethostbyname(Socket.gethostname).first}\r\n"
+					features = socket.recv(1024).split "\r\n"
+					starttls = features.find { |f| /250[- ]STARTTLS/ =~ f }
+					raise TLSNotAvailableException unless starttls
+					socket.write "STARTTLS\r\n"
+					socket.recv 1024
+					super
+				end
+			end
+		end
+	end
+end

lib/cryptcheck/tls/xmpp.rb

@@ -7,7 +7,7 @@ module CryptCheck
 		module Xmpp
 			MAX_ANALYSIS_DURATION = 600
 			PARALLEL_ANALYSIS = 10
-			@@log = ::Logging.logger[Https]
+			@@log = ::Logging.logger[Xmpp]
 
 			def self.grade(hostname, type=:s2s)
 				timeout MAX_ANALYSIS_DURATION do

lib/cryptcheck/tls/xmpp/server.rb

@@ -1,5 +1,3 @@
-require 'socket'
-require 'openssl'
 require 'nokogiri'
 require 'resolv'
 

output/ca.yml

@@ -0,0 +1,69 @@
+- description: Autorités de certification
+  hostnames:
+  - www.cacert.org
+  - acedicom.edicomgroup.com
+  - grca.nat.gov.tw
+  - pki.atos.net
+  - www.bundesdruckerei.de
+  - www.cybertrust.ne.jp
+  - www.logius.nl
+  - www.procert.net.ve
+  - www.s-trust.de
+  - webappsecurity.trendmicro.com
+  - www1.cnnic.cn
+  - www.actalis.it
+  - www.aoc.cat
+  - www.a-trust.at
+  - www.buypass.no
+  - www.camerfirma.com
+  - www.certicamara.com
+  - www.certigna.fr
+  - www.certinomis.com
+  - www.certsign.ro
+  - www.certum.pl
+  - www.cfca.com.cn
+  - www.cht.com.tw
+  - www.comodo.com
+  - www.comsign.co.il
+  - www.digicert.com
+  - www.disig.eu
+  - www.emc.com
+  - www.entrust.net
+  - www.e-szigno.hu
+  - www.etugra.com.tr
+  - www.firmaprofesional.com
+  - www.geotrust.com
+  - www.globalsign.com
+  - www.godaddy.com
+  - www.gpki.go.jp
+  - www.harica.gr
+  - www.hongkongpost.gov.hk
+  - www.identrust.com
+  - www.izenpe.com
+  - www.kamusm.gov.tr
+  - www.netlock.hu
+  - www.networksolutions.com
+  - www.opentrust.com
+  - www.pki.gva.es
+  - www.quovadisglobal.com
+  - www.secomtrust.net
+  - www.sgtrustservices.com
+  - www.sk.ee
+  - www.ssi.gouv.fr
+  - www.startssl.com
+  - www.swissdigicert.ch
+  - www.swisssign.com
+  - www.symantec.com
+  - www.teliasonera.com
+  - www.thawte.com
+  - www.trustcenter.de
+  - www.trustis.com
+  - www.trustwave.com
+  - www.t-systems.com
+  - www.turktrust.com.tr
+  - www.twca.com.tw
+  - www.verizon.com
+  - www.visa.com
+  - www.wellsfargo.com
+  - www.wisekey.com
+  - www.wosign.com

output/https.erb

@@ -4,7 +4,7 @@
 		<meta charset="utf-8">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
-		<title>Status SSL/TLS banque &amp; commerce en ligne</title>
+		<title>SSL/TLS &mdash; HTTP</title>
 		<link rel="stylesheet" href="bootstrap.min.css">
 		<style>
 			body {
@@ -77,9 +77,7 @@
 							%>
 							<tr>
 								<th id="<%= s.hostname %>">
-									<a href="https://www.ssllabs.com/ssltest/analyze.html?d=<%= s.hostname %>" target="_blank">
-										<%= s.hostname %>
-									</a>
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
 								</th>
 								<% if s.is_a? Tls::TlsNotSupportedServer %>
 								<td class="critical" colspan="16">
@@ -189,6 +187,9 @@
 							<% end %>
 						</tbody>
 					</table>
+					<div class="pull-right">
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
+					</div>
 				</div>
 			</div>
 		</div>

output/index.yml

@@ -7,7 +7,7 @@
   - rss.decornulier.eu
   - fralef.me
   - jeekajoo.eu
-  - status.jbfavre.org
+  - jbfavre.org
   - rosset.net
   - owc.h.arysthaar.pw
   - crifo.org
@@ -16,6 +16,12 @@
   - komic.eu
   - apericraft.ovh
   - nicolas.legland.fr
+  - clauzel.eu
+  - vinilox.eu
+  - keuse.fr
+  - regar42.fr
+  - tcit.fr
+  - aplu.fr
 - description: Associations
   hostnames:
   - april.org
@@ -30,11 +36,49 @@
   - lea-linux.org
   - framasoft.org
   - gnu.org
+  - www.fdn.fr
+- description: Framasoft
+  hostnames:
+  - framabag.org
+  - framabin.org
+  - framabag.org
+  - framadate.org
+  - framanews.org
+  - framasphere.org
+  - framacalc.org
+  - framakey.org
+  - framapic.org
+  - framindmap.org
+  - framacolibri.org
+  - framabee.org
+  - tontonroger.org
+  - trouvons.org
+  - frama.link
+  - huit.re
+  - lite.framapad.org
+  - lite2.framapad.org
+  - lite3.framapad.org
+  - lite4.framapad.org
+  - lite5.framapad.org
+  - lite6.framapad.org
+  - quotidien.framapad.org
+  - hebdo.framapad.org
+  - mensuel.framapad.org
+  - bimensuel.framapad.org
+  - semestriel.framapad.org
+  - annuel.framapad.org
+  - git.framasoft.org
+  - participer.framasoft.org
+  - contact.framasoft.org
+  - stats.framasoft.org
+  - status.framasoft.org
+  - soutenir.framasoft.org
 - description: Banques en ligne
   hostnames:
-  - www.labanquepostale.fr
+  - voscomptesenligne.labanquepostale.fr
   - www.labanquepostale-cartesprepayees.fr
   - www.secure.bnpparibas.net
+  - mabanque.bnpparibas
   - www.axabanque.fr
   - www.fortuneo.fr
   - www.ca-paris.fr
@@ -51,7 +95,6 @@
   - www.creditmutuel.fr
   - www.caisse-epargne.fr
   - paiement.systempay.fr
-  - cnce.wlp-acs.com
   - www.cmb.fr
   - www.ca-paris.fr
   - www.ca-cotesdarmor.fr
@@ -70,6 +113,14 @@
   - www.gmf.fr
   - www.hsbc.fr
   - www.monabanq.com
+  - www.ca-atlantique-vendee.fr
+- description: 3D « Secure »
+  hostnames:
+  - ssl.paiement.cic-banques.fr
+  - cnce.wlp-acs.com
+  - ingdf.wlp-acs.com
+  - ca-sp.wlp-acs.com
+  - www.e-i.com
 - description: Assurances
   hostnames:
   - www.actassur.com
@@ -135,6 +186,7 @@
   - www.csf.fr
   - client.gemoneybank.fr
   - www.oney.fr
+  - www.cofidis.fr
 - description: Webmails
   hostnames:
   - webmail.mailden.fr
@@ -167,6 +219,7 @@
   - mon.rsi.fr
   - jedeclare.com
   - net-entreprises.fr
+  - www.i-cad.fr
 - description: Sites de commerce en ligne
   hostnames:
   - signin.ebay.fr
@@ -182,10 +235,11 @@
   - secure.fnac.com
   - www.laredoute.fr
   - online.carrefour.fr
-  - www.paymill.com
+#  - www.paymill.com
   - paymium.com
   - www.materiel.net
-  - www.topachat.com
+  - auth.topachat.com
+  - customer.rueducommerce.fr
 - description: « Cloud » / Gestionnaires de mot de passe
   hostnames:
   - lastpass.com
@@ -198,10 +252,39 @@
   - spideroak.com
   - hubic.com
   - box.com
+- description: FAI
+  hostnames:
+  - www.bouyguestelecom.fr
+  - www.sfr.fr
+  - www.orange.com
+  - www.nordnet.com
+  - www.free.fr
+  - www.fdn.fr
+  - www.connexion-verte.fr
+  - www.budget-telecom.com
+  - www.quantic-telecom.net
+  - www.nerim.fr
+  - offres.numericable.fr
+  - portail.dartybox.com
+  - www.ovh.com
+  - www.coriolis.com
+  - www.prixtel.com
+  - www.virginmobile.fr
+  - www.wibox.fr
+  - www.wimifi.net
+  - www.viveole.fr
+  - www.societehautdebit.fr
+  - www.skydsl.eu
+  - www.ozone.net
+  - www.nomotech.com
+  - www.bollore.com
+  - www.ifw.fr
+  - www.wizeo.com
+  - www.infosat-telecom.fr
 - description: Divers
   hostnames:
   - www.mailden.net
-  - www.sharypic.com
   - google.fr
   - duckduckgo.com
   - octopuce.fr
+  - sharypic.com

output/press.yml

@@ -0,0 +1,35 @@
+- description: Journaux & Presse en ligne
+  hostnames:
+  - charliehebdo.fr
+  - tempsreel.nouvelobs.com
+  - www.20minutes.fr
+  - www.challenges.fr
+  - www.courrierinternational.com
+  - www.directmatin.fr
+  - www.francesoir.fr
+  - www.humanite.presse.fr
+  - www.la-croix.com
+  - www.latribune.fr
+  - www.lecanardenchaine.fr
+  - www.lefigaro.fr
+  - www.lejdd.fr
+  - www.lemonde.fr
+  - www.leparisien.fr
+  - www.lepoint.fr
+  - www.lequipe.fr
+  - www.lesechos.fr
+  - www.lexpress.fr
+  - www.liberation.fr
+  - www.lopinion.fr
+  - www.marianne.net
+  - www.mediapart.fr
+  - www.metronews.fr
+  - www.minute-hebdo.fr
+  - www.monde-diplomatique.fr
+  - www.monde-libertaire.fr
+  - www.parismatch.com
+  - www.telerama.fr
+  - www.vsd.fr
+  - www.slate.fr
+  - reader.fr
+  - www.arretsurimages.net

output/securedrop.yml

@@ -0,0 +1,25 @@
+- description: SecureDrop instances
+  hostnames:
+  - securedrop.propublica.org
+  - ssl.washingtonpost.com
+  - nrkbeta.no
+  - exposefacts.org
+  - firstlook.org
+  - www.safesource.org.nz
+  - safesource.forbes.com
+  - pressfreedomfoundation.org
+  - projects.newyorker.com
+  - securedrop.theguardian.com
+  - securedrop.pogo.org
+  - bayleaks.com
+  - securedrop.radio24syv.dk
+  - tcfmailvault.info
+  - www.balkanleaks.eu
+- description: GlobalLeaks instances
+  hostnames:
+  - secure.publeaks.nl
+  - secure.wildleaks.org
+  - www.extremeleaks.org
+- description: Misc
+  hostnames:
+  - secure.frenchleaks.fr

output/smtp.erb

@@ -0,0 +1,192 @@
+<!DOCTYPE html>
+<html lang="fr">
+	<head>
+		<meta charset="utf-8">
+		<meta http-equiv="X-UA-Compatible" content="IE=edge">
+		<meta name="viewport" content="width=device-width, initial-scale=1">
+		<title>SSL/TLS &mdash; SMTP</title>
+		<link rel="stylesheet" href="bootstrap.min.css">
+		<style>
+			body {
+				margin-top: 10px;
+			}
+
+			td {
+				text-align: center;
+			}
+
+			.critical {
+				background-color: #000;
+				color: #fff;
+			}
+
+			tr:hover > td.critical, td:hover.critical {
+				background-color: #333 !important;
+			}
+		</style>
+	</head>
+	<body>
+		<div class="container-fluid">
+			<div class="row">
+				<div class="col-md-12">
+					<table class="table table-bordered table-hover table-condensed">
+						<tbody>
+							<%
+								first = true
+								results.each do |r|
+									unless first
+							%>
+							<tr>
+								<th colspan="15">&nbsp;</th>
+							</tr>
+							<%
+									end
+									first = false
+							%>
+							<tr>
+								<th colspan="14" id="<%= r[0] %>"><%= r[0] %></th>
+							</tr>
+							<tr>
+								<th rowspan="2">Site</th>
+								<td rowspan="2">Grade</td>
+								<td colspan="2">Certificate</td>
+								<td colspan="4">Protocols</td>
+								<td colspan="5">Ciphers</td>
+								<td>Best practices</td>
+							</tr>
+							<tr>
+								<td>Key size (bits)</td>
+								<td class="warning">SHA1 sig</td>
+
+								<td class="critical">SSL v2</td>
+								<td class="critical">SSL v3</td>
+								<td class="success">TLS 1.2</td>
+								<td class="info">TLS</td>
+
+								<td>Strength (bits)</td>
+								<td class="critical">MD5</td>
+								<td class="warning">SHA1</td>
+								<td class="critical">DES/RC4</td>
+								<td class="danger">3DES</td>
+
+								<td class="info">PFS</td>
+							</tr>
+							<% r[1].each do |n|
+							   s = n.server
+							%>
+							<tr>
+								<% if s.is_a? Tls::TlsNotSupportedServer %>
+								<th id="<%= s.hostname %>">
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
+								</th>
+								<td class="critical" colspan="16">
+									No SSL/TLS
+								</td>
+								<%
+									else
+										rank_color = case n.grade
+											when 'A+' then :info
+											when 'A', 'A-' then :success
+											when 'B', 'C' then :warning
+											when 'T', 'M' then :critical
+											else :danger
+										end
+								%>
+								<th id="<%= s.domain %>"><%= s.domain %></th>
+								<td class="<%= rank_color %>">
+									<%= n.grade %>
+								</td>
+
+								<td class="<%= s.key_size < 2048 ? :danger : s.key_size < 4096 ? :warning : :success %>">
+									<% type, size = s.key %>
+									<%= "#{size} (#{type.to_s.upcase})" %>
+									<span class="sr-only">(<%= s.key_size < 2048 ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.sha1_sig? ? :warning : :success %>">
+									<%= s.sha1_sig? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.sha1_sig? ? '☹' : '☺' %>)</span>
+								</td>
+
+								<td class="<%= s.sslv2? ? :critical : :success %>">
+									<%= s.sslv2? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.sslv2? ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.sslv3? ? :critical : :success %>">
+									<%= s.sslv3? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.sslv3? ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.tlsv1_2? ? :success : :danger %>">
+									<%= s.tlsv1_2? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.tlsv1_2? ? '☺' : '☹' %>)</span>
+								</td>
+								<td class="<%= s.tls? ? (s.tls_only? ? :info : :success) : :danger %>">
+									<%= s.tls? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.tls? ? '☺' : '☹' %>)</span>
+								</td>
+
+								<% cipher_size = s.cipher_size[:worst] %>
+								<td class="<%= cipher_size < 112 ? :danger : cipher_size < 128 ? :warning : :success %>">
+									<%= cipher_size %>
+									<span class="sr-only">(<%= cipher_size < 128 ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.md5? ? :critical : :success %>">
+									<%= s.md5? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.md5? ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.sha1? ? :warning : :success %>">
+									<%= s.sha1? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.sha1? ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= (s.rc4? or s.des?) ? :critical : :success %>">
+									<%= (s.rc4? or s.des?) ? '✓' : '✗' %>
+									<span class="sr-only">(<%= (s.rc4? or s.des?) ? '☹' : '☺' %>)</span>
+								</td>
+								<td class="<%= s.des3? ? :danger : :success %>">
+									<%= s.des3? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.des3? ? '☹' : '☺' %>)</span>
+								</td>
+
+								<td class="<%= s.pfs? ? (s.pfs_only? ? :info : :success) : :danger %>">
+									<%= s.pfs? ? '✓' : '✗' %>
+									<span class="sr-only">(<%= s.pfs? ? '☺' : '☹' %>)</span>
+								</td>
+								<% end %>
+							</tr>
+							<% end %>
+							<tr>
+								<th rowspan="2">Site</th>
+								<td rowspan="2">Grade</td>
+
+								<td>Key size (bits)</td>
+								<td class="warning">SHA1 sig</td>
+
+								<td class="critical">SSL v2</td>
+								<td class="critical">SSL v3</td>
+								<td class="success">TLS 1.2</td>
+								<td class="info">TLS</td>
+
+								<td>Strength (bits)</td>
+								<td class="critical">MD5</td>
+								<td class="warning">SHA1</td>
+								<td class="critical">DES/RC4</td>
+								<td class="danger">3DES</td>
+
+								<td class="info">PFS</td>
+							</tr>
+							<tr>
+								<td colspan="2">Certificate</td>
+								<td colspan="4">Protocols</td>
+								<td colspan="5">Ciphers</td>
+								<td>Best practices</td>
+							</tr>
+							<% end %>
+						</tbody>
+					</table>
+					<div class="pull-right">
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
+					</div>
+				</div>
+			</div>
+		</div>
+	</body>
+</html>

output/smtp.yml

@@ -0,0 +1,205 @@
+- description: Serveurs personnels
+  hostnames:
+  - imirhil.fr
+  - libwalk.so
+  - keltia.net
+  - demouliere.eu
+  - decornulier.eu
+  - fralef.me
+  - jeekajoo.eu
+  - jbfavre.org
+  - rosset.net
+  - arysthaar.pw
+  - crifo.org
+  - matlink.fr
+  - pfag.me
+  - komic.eu
+  - apericraft.ovh
+  - legland.fr
+- description: Associations
+  hostnames:
+  - april.org
+  - laquadrature.net
+  - fsf.org
+  - ubuntu-paris.org
+  - parinux.org
+  - aful.org
+  - rmll.info
+  - ubuntu-fr.org
+  - linuxfr.org
+  - lea-linux.org
+  - framasoft.org
+  - gnu.org
+- description: Banques en ligne
+  hostnames:
+  - labanquepostale.fr
+  - labanquepostale-cartesprepayees.fr
+  - bnpparibas.net
+  - axabanque.fr
+  - fortuneo.fr
+  - ca-paris.fr
+  - credit-cooperatif.coop
+  - coopanet.com
+  - cic.fr
+  - societegenerale.fr
+  - groupama.fr
+  - banquepopulaire.fr
+  - ca-des-savoie.fr
+  - lcl.fr
+  - boursorama.com
+  - bpe.fr
+  - creditmutuel.fr
+  - caisse-epargne.fr
+  - systempay.fr
+  - wlp-acs.com
+  - cmb.fr
+  - ca-paris.fr
+  - ca-cotesdarmor.fr
+  - ingdirect.fr
+  - banque-accord.fr
+  - banque-casino.fr
+  - bforbank.com
+  - hellobank.fr
+  - carrefour-banque.fr
+  - agf.fr
+  - banque-casino.fr
+  - palatine.fr
+  - bpi-online.net
+  - barclays.fr
+  - credit-du-nord.fr
+  - gmf.fr
+  - hsbc.fr
+  - monabanq.com
+- description: Assurances
+  hostnames:
+  - actassur.com
+  - gie-afer.fr
+  - ag2rlamondiale.fr
+  - consultations.agipi.com
+  - agpm.fr
+  - alptis.org
+  - altaprofits.com
+  - amv.fr
+  - apicil.com
+  - april.fr
+  - fapes-diffusion.fr
+  - assu2000.fr
+  - assurone.com
+  - avip.fr
+  - avivadirect.fr
+  - canisante.com
+  - carac.fr
+  - cegema.com
+  - chienchatsante.com
+  - direct-assurance.fr
+  - euro-assurance.com
+  - eca-assurances.com
+  - fma.fr
+  - gaipare.com
+  - gapassurance.com
+  - generali.fr
+  - hedios.com
+  - ingdirect.fr
+  - conservateur.fr
+  - linxea.com
+  - maaf.fr
+  - macif.fr
+  - macsf.fr
+  - maif.fr
+  - matmut.fr
+  - mgel.fr
+  - mma.fr
+  - nationalesuisse.ch
+  - nexx.fr
+  - sainteauprevoyance.com
+  - santevet.com
+  - selfepargne.fr
+  - sicavonline.fr
+  - smabtp.fr
+  - cybermutuelle.com
+  - sollyazar.com
+  - swisslife.fr
+- description: Organismes de crédit
+  hostnames:
+  - cetelem.fr
+  - cofinoga.fr
+  - sofinco.fr
+  - pret-dunion.fr
+  - franfinance.fr
+  - 123credit.com
+  - disponis.fr
+  - complicio.fr
+  - creditfoncier.fr
+  - credit.fr
+  - credit-immobilier-de-france.fr
+  - csf.fr
+  - gemoneybank.fr
+  - oney.fr
+- description: Webmails
+  hostnames:
+  - mailden.fr
+  - free.fr
+  - numericable.fr
+  - orange-business.com
+  - orange.fr
+  - gandi.net
+  - sfr.fr
+  - online.net
+  - amen.fr
+  - ovh.com
+  - aliceadsl.fr
+  - laposte.net
+  - openmailbox.org
+- description: Administration
+  hostnames:
+  - ameli.fr
+  - moncompte.mobi
+  - service-public.fr
+  - impots.gouv.fr
+  - pole-emploi.fr
+  - caf.fr
+  - justice.gouv.fr
+  - interieur.gouv.fr
+  - cnil.fr
+  - quechoisir.org
+  - rsi.fr
+  - jedeclare.com
+  - net-entreprises.fr
+- description: Sites de commerce en ligne
+  hostnames:
+  - ebay.fr
+  - ldlc.com
+  - grosbill.com
+  - darty.com
+  - boulanger.fr
+  - capitainetrain.com
+  - voyages-sncf.com
+  - pixmania.fr
+  - cdiscount.com
+  - ikea.com
+  - fnac.com
+  - laredoute.fr
+  - carrefour.fr
+  - paymill.com
+  - paymium.com
+  - materiel.net
+  - topachat.com
+- description: « Cloud » / Gestionnaires de mot de passe
+  hostnames:
+  - lastpass.com
+  - dashlane.com
+  - passpack.com
+  - clipperz.is
+  - mitro.co
+  - icloud.com
+  - dropbox.com
+  - spideroak.com
+  - hubic.com
+  - box.com
+- description: Divers
+  hostnames:
+  - mailden.net
+  - sharypic.com
+  - google.fr
+  - duckduckgo.com
+  - octopuce.fr

output/xmpp.erb

@@ -4,7 +4,7 @@
 		<meta charset="utf-8">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
-		<title>XMPP</title>
+		<title>SSL/TLS &mdash; XMPP</title>
 		<link rel="stylesheet" href="bootstrap.min.css">
 		<style>
 			body {
@@ -91,8 +91,10 @@
 								s = n.server
 							%>
 							<tr>
+								<th id="<%= s.hostname %>">
+									<a href="#<%= s.hostname %>"><%= s.hostname %></a>
+								</th>
 								<% if s.is_a? Tls::TlsNotSupportedServer %>
-								<th id="<%= s.hostname %>"><%= s.hostname %></th>
 								<td class="critical" colspan="16">
 									No SSL/TLS
 								</td>
@@ -104,7 +106,6 @@
 											when 'T', 'M' then :critical
 											else :danger
 										end %>
-								<th id="<%= s.domain %>"><%= s.domain %></th>
 								<td class="<%= rank_color %>">
 									<%= n.grade %>
 								</td>
@@ -171,6 +172,9 @@
 							<% end %>
 						</tbody>
 					</table>
+					<div class="pull-right">
+						Generated on <%= Time.now.strftime '%FT%T%:z' %>
+					</div>
 				</div>
 			</div>
 		</div>

output/xmpp.yml

@@ -15,3 +15,7 @@
 - citronna.de
 - matlink.fr
 - verry.org
+- keuse.fr
+- cappuccino.uk.to
+- corzntin.fr
+- fralef.me