aeris
/
cryptcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Some fixes

v1
Nicolas Vinot 2015-07-11 21:36:54 +02:00
parent 0559ed0597
commit 340c4a445d
22 changed files with 838 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
Makefile
View File

@ -1,38 +1,57 @@
PWD = $(shell pwd)
export CPATH = $(PWD)/openssl/include
export LIBRARY_PATH = $(PWD)/openssl
OPENSSL_VERSION = OpenSSL_1_0_1j
RUBY_VERSION = 2.1.5
RUBY_OPENSSL_EXT_DIR = ruby-$(RUBY_VERSION)/ext/openssl
OPENSSL_VERSION = 1.0.1m
OPENSSL_DIR = openssl-$(OPENSSL_VERSION)
RUBY_MAJOR_VERSION = 2.2
RUBY_VERSION = $(RUBY_MAJOR_VERSION).2
RUBY_DIR = ruby-$(RUBY_VERSION)
RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
export LIBRARY_PATH = $(PWD)/lib
export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
all: lib/libssl.so.1.0.0 lib/libcrypto.so.1.0.0 lib/openssl.so
.SECONDARY:
all: libs ext
clean:
rm -rf ruby-$(RUBY_VERSION) openssl
rm -rf $(RUBY_DIR) $(OPENSSL_DIR)
openssl:
git clone https://github.com/openssl/openssl -b $(OPENSSL_VERSION)
mr-proper: clean
rm -rf lib/libcrypto.so* lib/libssl.so* lib/openssl.so
openssl/Makefile: openssl
cd openssl; ./config shared
$(OPENSSL_DIR)/:
wget https://www.openssl.org/source/$(OPENSSL_DIR).tar.gz
tar xf $(OPENSSL_DIR).tar.gz
rm -rf $(OPENSSL_DIR).tar.gz
openssl/libssl.so: openssl/Makefile
cd openssl; $(MAKE) depend all
$(OPENSSL_DIR)/Makefile: $(OPENSSL_DIR)/
cd $(OPENSSL_DIR); ./config shared
lib/%.so.1.0.0: openssl/%.so
cp $^ $@
$(OPENSSL_DIR)/libssl.so.1.0.0 $(OPENSSL_DIR)/libcrypto.so.1.0.0: $(OPENSSL_DIR)/Makefile
$(MAKE) -C $(OPENSSL_DIR) depend build_libs
ruby-$(RUBY_VERSION):
wget http://cache.ruby-lang.org/pub/ruby/2.1/ruby-$(RUBY_VERSION).tar.gz
tar xf ruby-$(RUBY_VERSION).tar.gz
rm -f ruby-$(RUBY_VERSION).tar.gz
lib/%.so.1.0.0: $(OPENSSL_DIR)/%.so.1.0.0
cp $< $@
$(RUBY_OPENSSL_EXT_DIR)/Makefile: ruby-$(RUBY_VERSION)
lib/%.so: lib/%.so.1.0.0
ln -s $(notdir $<) $@
libs: lib/libssl.so lib/libcrypto.so
$(RUBY_DIR):
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_DIR).tar.gz
tar xf $(RUBY_DIR).tar.gz
rm -f $(RUBY_DIR).tar.gz
$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs $(RUBY_DIR)
cd $(RUBY_OPENSSL_EXT_DIR); ruby extconf.rb
patch $@ patch
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/Makefile
cd $(RUBY_OPENSSL_EXT_DIR); $(MAKE); $(MAKE) install
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
$(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)
lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
cp $< $@
ext: lib/openssl.so

4
bin/check_https_alexa
View File

@ -3,6 +3,8 @@ $:.unshift 'lib'
require 'logging'
require 'cryptcheck'
GROUP_NAME = 'Top 100 Alexa'
::Logging.logger.root.appenders = ::Logging.appenders.stdout
::Logging.logger.root.level = :error
@ -10,7 +12,7 @@ hosts = []
::File.open('top-1m.csv', 'r') do |file|
i = 0
while line = file.gets
hosts << ['Top 100 Alexa', line.strip.split(',')[1]]
hosts << [GROUP_NAME, line.strip.split(',')[1]]
i += 1
break if i == 100
end

17
bin/check_smtp 100755
View File

@ -0,0 +1,17 @@
#!/usr/bin/env ruby
$:.unshift 'lib'
require 'logging'
require 'cryptcheck'
name = ARGV[0]
unless name
::CryptCheck::Tls::Smtp.analyze_from_file 'output/smtp.yml', 'output/smtp.html'
else
::Logging.logger.root.appenders = ::Logging.appenders.stdout
::Logging.logger.root.level = :warn
server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
p grade = ::CryptCheck::Tls::Smtp::Grade.new(server)
end

7
lib/cryptcheck.rb
View File

@ -1,4 +1,5 @@
module CryptCheck
autoload :Tls, 'cryptcheck/tls'
module Tls
autoload :Server, 'cryptcheck/tls/server'
autoload :TcpServer, 'cryptcheck/tls/server'
@ -18,5 +19,11 @@ module CryptCheck
autoload :Server, 'cryptcheck/tls/xmpp/server'
autoload :Grade, 'cryptcheck/tls/xmpp/grade'
end
autoload :Smtp, 'cryptcheck/tls/smtp'
module Smtp
autoload :Server, 'cryptcheck/tls/smtp/server'
autoload :Grade, 'cryptcheck/tls/smtp/grade'
end
end
end

71
lib/cryptcheck/tls.rb 100644
View File

@ -0,0 +1,71 @@
require 'erb'
require 'logging'
require 'parallel'
module CryptCheck
module Tls
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Tls]
def self.grade(hostname, port, server_class:, grade_class:)
timeout MAX_ANALYSIS_DURATION do
grade_class.new server_class.new hostname, port
end
rescue ::Exception => e
@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
end
def self.analyze(hosts, template, output, groups = nil, port:, server_class:, grade_class:)
results = {}
semaphore = ::Mutex.new
::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
result = grade host.strip, port, server_class: server_class, grade_class: grade_class
semaphore.synchronize do
if results.include? description
results[description] << result
else
results[description] = [result]
end
end
end
results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
results.each do |d, _|
results[d].sort! do |a, b|
cmp = score(a) <=> score(b)
if cmp == 0
cmp = b.score <=> a.score
if cmp == 0
cmp = a.server.hostname <=> b.server.hostname
end
end
cmp
end
end
::File.write output, ::ERB.new(::File.read(template)).result(binding)
end
def self.analyze_from_file(file, template, output, port:, server_class:, grade_class:)
config = ::YAML.load_file file
hosts = []
groups = []
config.each do |c|
d, hs = c['description'], c['hostnames']
groups << d
hs.each { |host| hosts << [d, host] }
end
self.analyze hosts, template, output, groups, port: port, server_class: server_class, grade_class: grade_class
end
private
SCORES = %w(A+ A A- B C D E F T M X)
def self.score(a)
SCORES.index a.grade
end
end
end

66
lib/cryptcheck/tls/https.rb
View File

@ -1,72 +1,12 @@
require 'erb'
require 'logging'
require 'parallel'
module CryptCheck
module Tls
module Https
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Https]
def self.grade(hostname, port=443)
timeout MAX_ANALYSIS_DURATION do
Grade.new Server.new hostname, port
end
rescue ::Exception => e
@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
end
def self.analyze(hosts, output, groups = nil)
results = {}
semaphore = ::Mutex.new
::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
result = grade host.strip
semaphore.synchronize do
if results.include? description
results[description] << result
else
results[description] = [result]
end
end
end
results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups
results.each do |d, _|
results[d].sort! do |a, b|
cmp = score(a) <=> score(b)
if cmp == 0
cmp = b.score <=> a.score
if cmp == 0
cmp = a.server.hostname <=> b.server.hostname
end
end
cmp
end
end
::File.write output, ::ERB.new(::File.read('output/https.erb')).result(binding)
def self.analyze(hosts, output)
Tls.analyze hosts, 'output/https.erb', output, nil, port: 443, server_class: Server, grade_class: Grade
end
def self.analyze_from_file(file, output)
config = ::YAML.load_file file
hosts = []
groups = []
config.each do |c|
d, hs = c['description'], c['hostnames']
groups << d
hs.each { |host| hosts << [d, host] }
end
self.analyze hosts, output, groups
end
private
SCORES = %w(A+ A A- B C D E F T M X)
def self.score(a)
SCORES.index a.grade
Tls.analyze_from_file file, 'output/https.erb', output, port: 443, server_class: Server, grade_class: Grade
end
end
end

4
lib/cryptcheck/tls/https/server.rb
View File

@ -1,5 +1,3 @@
require 'socket'
require 'openssl'
require 'httparty'
module CryptCheck
@ -17,7 +15,7 @@ module CryptCheck
port = @port == 443 ? '' : ":#{@port}"
response = nil
@methods.each do |method|
EXISTING_METHODS.each do |method|
begin
next unless SUPPORTED_METHODS.include? method
@log.debug { "Check HSTS with #{method}" }

23
lib/cryptcheck/tls/server.rb
View File

@ -38,6 +38,7 @@ module CryptCheck
@port = port
@log.error { "Begin analysis" }
extract_cert
#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
fetch_prefered_ciphers
check_supported_cipher
@log.error { "End analysis" }
@ -191,8 +192,8 @@ module CryptCheck
@log.debug { "Waiting for SSL write to #{@hostname}:#{@port}" }
raise TLSTimeout unless IO.select nil, [socket], nil, SSL_TIMEOUT
retry
rescue ::OpenSSL::SSL::SSLError => e
raise TLSException, e
rescue => e
raise TLSException, e
ensure
ssl_socket.close
end
@ -283,14 +284,14 @@ module CryptCheck
def verify_trust(chain, cert)
store = ::OpenSSL::X509::Store.new
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
%w(mozilla cacert).each do |directory|
store.set_default_paths
%w(cacert).each do |directory|
::Dir.glob(::File.join '/usr/share/ca-certificates', directory, '*').each do |file|
::File.open file, 'r' do |file|
cert = ::OpenSSL::X509::Certificate.new file.read
begin
store.add_cert cert
rescue ::OpenSSL::X509::StoreError
end
cert = ::OpenSSL::X509::Certificate.new ::File.read file
begin
store.add_cert cert
rescue ::OpenSSL::X509::StoreError
end
end
end
@ -300,7 +301,9 @@ module CryptCheck
rescue ::OpenSSL::X509::StoreError
end
end
store.verify cert
trusted = store.verify cert
p store.error_string unless trusted
trusted
end
end

9
lib/cryptcheck/tls/smtp.rb 100644
View File

@ -0,0 +1,9 @@
module CryptCheck
module Tls
module Smtp
def self.analyze_from_file(file, output)
Tls.analyze_from_file file, 'output/smtp.erb', output, port: 25, server_class: Server, grade_class: Grade
end
end
end
end

8
lib/cryptcheck/tls/smtp/grade.rb 100644
View File

@ -0,0 +1,8 @@
module CryptCheck
module Tls
module Smtp
class Grade < Tls::Grade
end
end
end
end

35
lib/cryptcheck/tls/smtp/server.rb 100644
View File

@ -0,0 +1,35 @@
require 'resolv'
module CryptCheck
module Tls
module Smtp
class Server < Tls::TcpServer
RESOLVER = Resolv::DNS.new
attr_reader :domain
def initialize(domain, port=25)
@domain = domain
srv = RESOLVER.getresources(domain, Resolv::DNS::Resource::IN::MX).sort_by(&:preference).first
if srv
hostname = srv.exchange.to_s
else # DNS is not correctly set, guess config…
hostname = domain
end
super hostname, port
end
def ssl_connect(socket, context, method, &block)
socket.recv 1024
socket.write "EHLO #{Socket.gethostbyname(Socket.gethostname).first}\r\n"
features = socket.recv(1024).split "\r\n"
starttls = features.find { |f| /250[- ]STARTTLS/ =~ f }
raise TLSNotAvailableException unless starttls
socket.write "STARTTLS\r\n"
socket.recv 1024
super
end
end
end
end
end

2
lib/cryptcheck/tls/xmpp.rb
View File

@ -7,7 +7,7 @@ module CryptCheck
module Xmpp
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Https]
@@log = ::Logging.logger[Xmpp]
def self.grade(hostname, type=:s2s)
timeout MAX_ANALYSIS_DURATION do

2
lib/cryptcheck/tls/xmpp/server.rb
View File

@ -1,5 +1,3 @@
require 'socket'
require 'openssl'
require 'nokogiri'
require 'resolv'

69
output/ca.yml 100644
View File

@ -0,0 +1,69 @@
- description: Autorités de certification
hostnames:
- www.cacert.org
- acedicom.edicomgroup.com
- grca.nat.gov.tw
- pki.atos.net
- www.bundesdruckerei.de
- www.cybertrust.ne.jp
- www.logius.nl
- www.procert.net.ve
- www.s-trust.de
- webappsecurity.trendmicro.com
- www1.cnnic.cn
- www.actalis.it
- www.aoc.cat
- www.a-trust.at
- www.buypass.no
- www.camerfirma.com
- www.certicamara.com
- www.certigna.fr
- www.certinomis.com
- www.certsign.ro
- www.certum.pl
- www.cfca.com.cn
- www.cht.com.tw
- www.comodo.com
- www.comsign.co.il
- www.digicert.com
- www.disig.eu
- www.emc.com
- www.entrust.net
- www.e-szigno.hu
- www.etugra.com.tr
- www.firmaprofesional.com
- www.geotrust.com
- www.globalsign.com
- www.godaddy.com
- www.gpki.go.jp
- www.harica.gr
- www.hongkongpost.gov.hk
- www.identrust.com
- www.izenpe.com
- www.kamusm.gov.tr
- www.netlock.hu
- www.networksolutions.com
- www.opentrust.com
- www.pki.gva.es
- www.quovadisglobal.com
- www.secomtrust.net
- www.sgtrustservices.com
- www.sk.ee
- www.ssi.gouv.fr
- www.startssl.com
- www.swissdigicert.ch
- www.swisssign.com
- www.symantec.com
- www.teliasonera.com
- www.thawte.com
- www.trustcenter.de
- www.trustis.com
- www.trustwave.com
- www.t-systems.com
- www.turktrust.com.tr
- www.twca.com.tw
- www.verizon.com
- www.visa.com
- www.wellsfargo.com
- www.wisekey.com
- www.wosign.com

9
output/https.erb
View File

@ -4,7 +4,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Status SSL/TLS banque &amp; commerce en ligne</title>
<title>SSL/TLS &mdash; HTTP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
@ -77,9 +77,7 @@
%>
<tr>
<th id="<%= s.hostname %>">
<a href="https://www.ssllabs.com/ssltest/analyze.html?d=<%= s.hostname %>" target="_blank">
<%= s.hostname %>
</a>
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<td class="critical" colspan="16">
@ -189,6 +187,9 @@
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>

95
output/index.yml
View File

@ -7,7 +7,7 @@
- rss.decornulier.eu
- fralef.me
- jeekajoo.eu
- status.jbfavre.org
- jbfavre.org
- rosset.net
- owc.h.arysthaar.pw
- crifo.org
@ -16,6 +16,12 @@
- komic.eu
- apericraft.ovh
- nicolas.legland.fr
- clauzel.eu
- vinilox.eu
- keuse.fr
- regar42.fr
- tcit.fr
- aplu.fr
- description: Associations
hostnames:
- april.org
@ -30,11 +36,49 @@
- lea-linux.org
- framasoft.org
- gnu.org
- www.fdn.fr
- description: Framasoft
hostnames:
- framabag.org
- framabin.org
- framabag.org
- framadate.org
- framanews.org
- framasphere.org
- framacalc.org
- framakey.org
- framapic.org
- framindmap.org
- framacolibri.org
- framabee.org
- tontonroger.org
- trouvons.org
- frama.link
- huit.re
- lite.framapad.org
- lite2.framapad.org
- lite3.framapad.org
- lite4.framapad.org
- lite5.framapad.org
- lite6.framapad.org
- quotidien.framapad.org
- hebdo.framapad.org
- mensuel.framapad.org
- bimensuel.framapad.org
- semestriel.framapad.org
- annuel.framapad.org
- git.framasoft.org
- participer.framasoft.org
- contact.framasoft.org
- stats.framasoft.org
- status.framasoft.org
- soutenir.framasoft.org
- description: Banques en ligne
hostnames:
- www.labanquepostale.fr
- voscomptesenligne.labanquepostale.fr
- www.labanquepostale-cartesprepayees.fr
- www.secure.bnpparibas.net
- mabanque.bnpparibas
- www.axabanque.fr
- www.fortuneo.fr
- www.ca-paris.fr
@ -51,7 +95,6 @@
- www.creditmutuel.fr
- www.caisse-epargne.fr
- paiement.systempay.fr
- cnce.wlp-acs.com
- www.cmb.fr
- www.ca-paris.fr
- www.ca-cotesdarmor.fr
@ -70,6 +113,14 @@
- www.gmf.fr
- www.hsbc.fr
- www.monabanq.com
- www.ca-atlantique-vendee.fr
- description: 3D « Secure »
hostnames:
- ssl.paiement.cic-banques.fr
- cnce.wlp-acs.com
- ingdf.wlp-acs.com
- ca-sp.wlp-acs.com
- www.e-i.com
- description: Assurances
hostnames:
- www.actassur.com
@ -135,6 +186,7 @@
- www.csf.fr
- client.gemoneybank.fr
- www.oney.fr
- www.cofidis.fr
- description: Webmails
hostnames:
- webmail.mailden.fr
@ -167,6 +219,7 @@
- mon.rsi.fr
- jedeclare.com
- net-entreprises.fr
- www.i-cad.fr
- description: Sites de commerce en ligne
hostnames:
- signin.ebay.fr
@ -182,10 +235,11 @@
- secure.fnac.com
- www.laredoute.fr
- online.carrefour.fr
- www.paymill.com
# - www.paymill.com
- paymium.com
- www.materiel.net
- www.topachat.com
- auth.topachat.com
- customer.rueducommerce.fr
- description: « Cloud » / Gestionnaires de mot de passe
hostnames:
- lastpass.com
@ -198,10 +252,39 @@
- spideroak.com
- hubic.com
- box.com
- description: FAI
hostnames:
- www.bouyguestelecom.fr
- www.sfr.fr
- www.orange.com
- www.nordnet.com
- www.free.fr
- www.fdn.fr
- www.connexion-verte.fr
- www.budget-telecom.com
- www.quantic-telecom.net
- www.nerim.fr
- offres.numericable.fr
- portail.dartybox.com
- www.ovh.com
- www.coriolis.com
- www.prixtel.com
- www.virginmobile.fr
- www.wibox.fr
- www.wimifi.net
- www.viveole.fr
- www.societehautdebit.fr
- www.skydsl.eu
- www.ozone.net
- www.nomotech.com
- www.bollore.com
- www.ifw.fr
- www.wizeo.com
- www.infosat-telecom.fr
- description: Divers
hostnames:
- www.mailden.net
- www.sharypic.com
- google.fr
- duckduckgo.com
- octopuce.fr
- sharypic.com

35
output/press.yml 100644
View File

@ -0,0 +1,35 @@
- description: Journaux & Presse en ligne
hostnames:
- charliehebdo.fr
- tempsreel.nouvelobs.com
- www.20minutes.fr
- www.challenges.fr
- www.courrierinternational.com
- www.directmatin.fr
- www.francesoir.fr
- www.humanite.presse.fr
- www.la-croix.com
- www.latribune.fr
- www.lecanardenchaine.fr
- www.lefigaro.fr
- www.lejdd.fr
- www.lemonde.fr
- www.leparisien.fr
- www.lepoint.fr
- www.lequipe.fr
- www.lesechos.fr
- www.lexpress.fr
- www.liberation.fr
- www.lopinion.fr
- www.marianne.net
- www.mediapart.fr
- www.metronews.fr
- www.minute-hebdo.fr
- www.monde-diplomatique.fr
- www.monde-libertaire.fr
- www.parismatch.com
- www.telerama.fr
- www.vsd.fr
- www.slate.fr
- reader.fr
- www.arretsurimages.net

25
output/securedrop.yml 100644
View File

@ -0,0 +1,25 @@
- description: SecureDrop instances
hostnames:
- securedrop.propublica.org
- ssl.washingtonpost.com
- nrkbeta.no
- exposefacts.org
- firstlook.org
- www.safesource.org.nz
- safesource.forbes.com
- pressfreedomfoundation.org
- projects.newyorker.com
- securedrop.theguardian.com
- securedrop.pogo.org
- bayleaks.com
- securedrop.radio24syv.dk
- tcfmailvault.info
- www.balkanleaks.eu
- description: GlobalLeaks instances
hostnames:
- secure.publeaks.nl
- secure.wildleaks.org
- www.extremeleaks.org
- description: Misc
hostnames:
- secure.frenchleaks.fr

192
output/smtp.erb 100644
View File

@ -0,0 +1,192 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>SSL/TLS &mdash; SMTP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
margin-top: 10px;
}
td {
text-align: center;
}
.critical {
background-color: #000;
color: #fff;
}
tr:hover > td.critical, td:hover.critical {
background-color: #333 !important;
}
</style>
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="col-md-12">
<table class="table table-bordered table-hover table-condensed">
<tbody>
<%
first = true
results.each do |r|
unless first
%>
<tr>
<th colspan="15">&nbsp;</th>
</tr>
<%
end
first = false
%>
<tr>
<th colspan="14" id="<%= r[0] %>"><%= r[0] %></th>
</tr>
<tr>
<th rowspan="2">Site</th>
<td rowspan="2">Grade</td>
<td colspan="2">Certificate</td>
<td colspan="4">Protocols</td>
<td colspan="5">Ciphers</td>
<td>Best practices</td>
</tr>
<tr>
<td>Key size (bits)</td>
<td class="warning">SHA1 sig</td>
<td class="critical">SSL v2</td>
<td class="critical">SSL v3</td>
<td class="success">TLS 1.2</td>
<td class="info">TLS</td>
<td>Strength (bits)</td>
<td class="critical">MD5</td>
<td class="warning">SHA1</td>
<td class="critical">DES/RC4</td>
<td class="danger">3DES</td>
<td class="info">PFS</td>
</tr>
<% r[1].each do |n|
s = n.server
%>
<tr>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<th id="<%= s.hostname %>">
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<td class="critical" colspan="16">
No SSL/TLS
</td>
<%
else
rank_color = case n.grade
when 'A+' then :info
when 'A', 'A-' then :success
when 'B', 'C' then :warning
when 'T', 'M' then :critical
else :danger
end
%>
<th id="<%= s.domain %>"><%= s.domain %></th>
<td class="<%= rank_color %>">
<%= n.grade %>
</td>
<td class="<%= s.key_size < 2048 ? :danger : s.key_size < 4096 ? :warning : :success %>">
<% type, size = s.key %>
<%= "#{size} (#{type.to_s.upcase})" %>
<span class="sr-only">(<%= s.key_size < 2048 ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sha1_sig? ? :warning : :success %>">
<%= s.sha1_sig? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sha1_sig? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sslv2? ? :critical : :success %>">
<%= s.sslv2? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sslv2? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sslv3? ? :critical : :success %>">
<%= s.sslv3? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sslv3? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.tlsv1_2? ? :success : :danger %>">
<%= s.tlsv1_2? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.tlsv1_2? ? '☺' : '☹' %>)</span>
</td>
<td class="<%= s.tls? ? (s.tls_only? ? :info : :success) : :danger %>">
<%= s.tls? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.tls? ? '☺' : '☹' %>)</span>
</td>
<% cipher_size = s.cipher_size[:worst] %>
<td class="<%= cipher_size < 112 ? :danger : cipher_size < 128 ? :warning : :success %>">
<%= cipher_size %>
<span class="sr-only">(<%= cipher_size < 128 ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.md5? ? :critical : :success %>">
<%= s.md5? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.md5? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sha1? ? :warning : :success %>">
<%= s.sha1? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sha1? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= (s.rc4? or s.des?) ? :critical : :success %>">
<%= (s.rc4? or s.des?) ? '✓' : '✗' %>
<span class="sr-only">(<%= (s.rc4? or s.des?) ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.des3? ? :danger : :success %>">
<%= s.des3? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.des3? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.pfs? ? (s.pfs_only? ? :info : :success) : :danger %>">
<%= s.pfs? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.pfs? ? '☺' : '☹' %>)</span>
</td>
<% end %>
</tr>
<% end %>
<tr>
<th rowspan="2">Site</th>
<td rowspan="2">Grade</td>
<td>Key size (bits)</td>
<td class="warning">SHA1 sig</td>
<td class="critical">SSL v2</td>
<td class="critical">SSL v3</td>
<td class="success">TLS 1.2</td>
<td class="info">TLS</td>
<td>Strength (bits)</td>
<td class="critical">MD5</td>
<td class="warning">SHA1</td>
<td class="critical">DES/RC4</td>
<td class="danger">3DES</td>
<td class="info">PFS</td>
</tr>
<tr>
<td colspan="2">Certificate</td>
<td colspan="4">Protocols</td>
<td colspan="5">Ciphers</td>
<td>Best practices</td>
</tr>
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>
</body>
</html>

205
output/smtp.yml 100644
View File

@ -0,0 +1,205 @@
- description: Serveurs personnels
hostnames:
- imirhil.fr
- libwalk.so
- keltia.net
- demouliere.eu
- decornulier.eu
- fralef.me
- jeekajoo.eu
- jbfavre.org
- rosset.net
- arysthaar.pw
- crifo.org
- matlink.fr
- pfag.me
- komic.eu
- apericraft.ovh
- legland.fr
- description: Associations
hostnames:
- april.org
- laquadrature.net
- fsf.org
- ubuntu-paris.org
- parinux.org
- aful.org
- rmll.info
- ubuntu-fr.org
- linuxfr.org
- lea-linux.org
- framasoft.org
- gnu.org
- description: Banques en ligne
hostnames:
- labanquepostale.fr
- labanquepostale-cartesprepayees.fr
- bnpparibas.net
- axabanque.fr
- fortuneo.fr
- ca-paris.fr
- credit-cooperatif.coop
- coopanet.com
- cic.fr
- societegenerale.fr
- groupama.fr
- banquepopulaire.fr
- ca-des-savoie.fr
- lcl.fr
- boursorama.com
- bpe.fr
- creditmutuel.fr
- caisse-epargne.fr
- systempay.fr
- wlp-acs.com
- cmb.fr
- ca-paris.fr
- ca-cotesdarmor.fr
- ingdirect.fr
- banque-accord.fr
- banque-casino.fr
- bforbank.com
- hellobank.fr
- carrefour-banque.fr
- agf.fr
- banque-casino.fr
- palatine.fr
- bpi-online.net
- barclays.fr
- credit-du-nord.fr
- gmf.fr
- hsbc.fr
- monabanq.com
- description: Assurances
hostnames:
- actassur.com
- gie-afer.fr
- ag2rlamondiale.fr
- consultations.agipi.com
- agpm.fr
- alptis.org
- altaprofits.com
- amv.fr
- apicil.com
- april.fr
- fapes-diffusion.fr
- assu2000.fr
- assurone.com
- avip.fr
- avivadirect.fr
- canisante.com
- carac.fr
- cegema.com
- chienchatsante.com
- direct-assurance.fr
- euro-assurance.com
- eca-assurances.com
- fma.fr
- gaipare.com
- gapassurance.com
- generali.fr
- hedios.com
- ingdirect.fr
- conservateur.fr
- linxea.com
- maaf.fr
- macif.fr
- macsf.fr
- maif.fr
- matmut.fr
- mgel.fr
- mma.fr
- nationalesuisse.ch
- nexx.fr
- sainteauprevoyance.com
- santevet.com
- selfepargne.fr
- sicavonline.fr
- smabtp.fr
- cybermutuelle.com
- sollyazar.com
- swisslife.fr
- description: Organismes de crédit
hostnames:
- cetelem.fr
- cofinoga.fr
- sofinco.fr
- pret-dunion.fr
- franfinance.fr
- 123credit.com
- disponis.fr
- complicio.fr
- creditfoncier.fr
- credit.fr
- credit-immobilier-de-france.fr
- csf.fr
- gemoneybank.fr
- oney.fr
- description: Webmails
hostnames:
- mailden.fr
- free.fr
- numericable.fr
- orange-business.com
- orange.fr
- gandi.net
- sfr.fr
- online.net
- amen.fr
- ovh.com
- aliceadsl.fr
- laposte.net
- openmailbox.org
- description: Administration
hostnames:
- ameli.fr
- moncompte.mobi
- service-public.fr
- impots.gouv.fr
- pole-emploi.fr
- caf.fr
- justice.gouv.fr
- interieur.gouv.fr
- cnil.fr
- quechoisir.org
- rsi.fr
- jedeclare.com
- net-entreprises.fr
- description: Sites de commerce en ligne
hostnames:
- ebay.fr
- ldlc.com
- grosbill.com
- darty.com
- boulanger.fr
- capitainetrain.com
- voyages-sncf.com
- pixmania.fr
- cdiscount.com
- ikea.com
- fnac.com
- laredoute.fr
- carrefour.fr
- paymill.com
- paymium.com
- materiel.net
- topachat.com
- description: « Cloud » / Gestionnaires de mot de passe
hostnames:
- lastpass.com
- dashlane.com
- passpack.com
- clipperz.is
- mitro.co
- icloud.com
- dropbox.com
- spideroak.com
- hubic.com
- box.com
- description: Divers
hostnames:
- mailden.net
- sharypic.com
- google.fr
- duckduckgo.com
- octopuce.fr

10
output/xmpp.erb
View File

@ -4,7 +4,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>XMPP</title>
<title>SSL/TLS &mdash; XMPP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
@ -91,8 +91,10 @@
s = n.server
%>
<tr>
<th id="<%= s.hostname %>">
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<th id="<%= s.hostname %>"><%= s.hostname %></th>
<td class="critical" colspan="16">
No SSL/TLS
</td>
@ -104,7 +106,6 @@
when 'T', 'M' then :critical
else :danger
end %>
<th id="<%= s.domain %>"><%= s.domain %></th>
<td class="<%= rank_color %>">
<%= n.grade %>
</td>
@ -171,6 +172,9 @@
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>

4
output/xmpp.yml
View File

@ -15,3 +15,7 @@
- citronna.de
- matlink.fr
- verry.org
- keuse.fr
- cappuccino.uk.to
- corzntin.fr
- fralef.me