aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Some fixes

v1
Nicolas Vinot 6 years ago
parent
0559ed0597
commit
340c4a445d
22 changed files with 838 additions and 113 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +39
    -20
      Makefile
  2. +3
    -1
      bin/check_https_alexa
  3. +17
    -0
      bin/check_smtp
  4. +7
    -0
      lib/cryptcheck.rb
  5. +71
    -0
      lib/cryptcheck/tls.rb
  6. +3
    -63
      lib/cryptcheck/tls/https.rb
  7. +1
    -3
      lib/cryptcheck/tls/https/server.rb
  8. +13
    -10
      lib/cryptcheck/tls/server.rb
  9. +9
    -0
      lib/cryptcheck/tls/smtp.rb
  10. +8
    -0
      lib/cryptcheck/tls/smtp/grade.rb
  11. +35
    -0
      lib/cryptcheck/tls/smtp/server.rb
  12. +1
    -1
      lib/cryptcheck/tls/xmpp.rb
  13. +0
    -2
      lib/cryptcheck/tls/xmpp/server.rb
  14. +69
    -0
      output/ca.yml
  15. +5
    -4
      output/https.erb
  16. +89
    -6
      output/index.yml
  17. +35
    -0
      output/press.yml
  18. +25
    -0
      output/securedrop.yml
  19. +192
    -0
      output/smtp.erb
  20. +205
    -0
      output/smtp.yml
  21. +7
    -3
      output/xmpp.erb
  22. +4
    -0
      output/xmpp.yml

+ 39
- 20
Makefile View File

@@ -1,38 +1,57 @@
PWD = $(shell pwd)
export CPATH = $(PWD)/openssl/include
export LIBRARY_PATH = $(PWD)/openssl
OPENSSL_VERSION = OpenSSL_1_0_1j
RUBY_VERSION = 2.1.5
RUBY_OPENSSL_EXT_DIR = ruby-$(RUBY_VERSION)/ext/openssl
OPENSSL_VERSION = 1.0.1m
OPENSSL_DIR = openssl-$(OPENSSL_VERSION)
RUBY_MAJOR_VERSION = 2.2
RUBY_VERSION = $(RUBY_MAJOR_VERSION).2
RUBY_DIR = ruby-$(RUBY_VERSION)
RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
export LIBRARY_PATH = $(PWD)/lib
export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include

all: lib/libssl.so.1.0.0 lib/libcrypto.so.1.0.0 lib/openssl.so
.SECONDARY:

all: libs ext

clean:
rm -rf ruby-$(RUBY_VERSION) openssl
rm -rf $(RUBY_DIR) $(OPENSSL_DIR)

mr-proper: clean
rm -rf lib/libcrypto.so* lib/libssl.so* lib/openssl.so

$(OPENSSL_DIR)/:
wget https://www.openssl.org/source/$(OPENSSL_DIR).tar.gz
tar xf $(OPENSSL_DIR).tar.gz
rm -rf $(OPENSSL_DIR).tar.gz

openssl:
git clone https://github.com/openssl/openssl -b $(OPENSSL_VERSION)
$(OPENSSL_DIR)/Makefile: $(OPENSSL_DIR)/
cd $(OPENSSL_DIR); ./config shared

openssl/Makefile: openssl
cd openssl; ./config shared
$(OPENSSL_DIR)/libssl.so.1.0.0 $(OPENSSL_DIR)/libcrypto.so.1.0.0: $(OPENSSL_DIR)/Makefile
$(MAKE) -C $(OPENSSL_DIR) depend build_libs

openssl/libssl.so: openssl/Makefile
cd openssl; $(MAKE) depend all
lib/%.so.1.0.0: $(OPENSSL_DIR)/%.so.1.0.0
cp $< $@

lib/%.so: lib/%.so.1.0.0
ln -s $(notdir $<) $@

lib/%.so.1.0.0: openssl/%.so
cp $^ $@
libs: lib/libssl.so lib/libcrypto.so

ruby-$(RUBY_VERSION):
wget http://cache.ruby-lang.org/pub/ruby/2.1/ruby-$(RUBY_VERSION).tar.gz
tar xf ruby-$(RUBY_VERSION).tar.gz
rm -f ruby-$(RUBY_VERSION).tar.gz
$(RUBY_DIR):
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_DIR).tar.gz
tar xf $(RUBY_DIR).tar.gz
rm -f $(RUBY_DIR).tar.gz

$(RUBY_OPENSSL_EXT_DIR)/Makefile: ruby-$(RUBY_VERSION)
$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs $(RUBY_DIR)
cd $(RUBY_OPENSSL_EXT_DIR); ruby extconf.rb
patch $@ patch

$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/Makefile
cd $(RUBY_OPENSSL_EXT_DIR); $(MAKE); $(MAKE) install
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
$(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)

lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
cp $< $@

ext: lib/openssl.so

+ 3
- 1
bin/check_https_alexa View File

@@ -3,6 +3,8 @@ $:.unshift 'lib'
require 'logging'
require 'cryptcheck'

GROUP_NAME = 'Top 100 Alexa'

::Logging.logger.root.appenders = ::Logging.appenders.stdout
::Logging.logger.root.level = :error

@@ -10,7 +12,7 @@ hosts = []
::File.open('top-1m.csv', 'r') do |file|
i = 0
while line = file.gets
hosts << ['Top 100 Alexa', line.strip.split(',')[1]]
hosts << [GROUP_NAME, line.strip.split(',')[1]]
i += 1
break if i == 100
end


+ 17
- 0
bin/check_smtp View File

@@ -0,0 +1,17 @@
#!/usr/bin/env ruby
$:.unshift 'lib'
require 'logging'
require 'cryptcheck'

name = ARGV[0]
unless name
::CryptCheck::Tls::Smtp.analyze_from_file 'output/smtp.yml', 'output/smtp.html'
else
::Logging.logger.root.appenders = ::Logging.appenders.stdout
::Logging.logger.root.level = :warn

server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
p grade = ::CryptCheck::Tls::Smtp::Grade.new(server)
end



+ 7
- 0
lib/cryptcheck.rb View File

@@ -1,4 +1,5 @@
module CryptCheck
autoload :Tls, 'cryptcheck/tls'
module Tls
autoload :Server, 'cryptcheck/tls/server'
autoload :TcpServer, 'cryptcheck/tls/server'
@@ -18,5 +19,11 @@ module CryptCheck
autoload :Server, 'cryptcheck/tls/xmpp/server'
autoload :Grade, 'cryptcheck/tls/xmpp/grade'
end

autoload :Smtp, 'cryptcheck/tls/smtp'
module Smtp
autoload :Server, 'cryptcheck/tls/smtp/server'
autoload :Grade, 'cryptcheck/tls/smtp/grade'
end
end
end

+ 71
- 0
lib/cryptcheck/tls.rb View File

@@ -0,0 +1,71 @@
require 'erb'
require 'logging'
require 'parallel'

module CryptCheck
module Tls
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Tls]

def self.grade(hostname, port, server_class:, grade_class:)
timeout MAX_ANALYSIS_DURATION do
grade_class.new server_class.new hostname, port
end
rescue ::Exception => e
@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
end

def self.analyze(hosts, template, output, groups = nil, port:, server_class:, grade_class:)
results = {}
semaphore = ::Mutex.new
::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
result = grade host.strip, port, server_class: server_class, grade_class: grade_class
semaphore.synchronize do
if results.include? description
results[description] << result
else
results[description] = [result]
end
end
end

results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups

results.each do |d, _|
results[d].sort! do |a, b|
cmp = score(a) <=> score(b)
if cmp == 0
cmp = b.score <=> a.score
if cmp == 0
cmp = a.server.hostname <=> b.server.hostname
end
end
cmp
end
end

::File.write output, ::ERB.new(::File.read(template)).result(binding)
end

def self.analyze_from_file(file, template, output, port:, server_class:, grade_class:)
config = ::YAML.load_file file
hosts = []
groups = []
config.each do |c|
d, hs = c['description'], c['hostnames']
groups << d
hs.each { |host| hosts << [d, host] }
end
self.analyze hosts, template, output, groups, port: port, server_class: server_class, grade_class: grade_class
end

private
SCORES = %w(A+ A A- B C D E F T M X)

def self.score(a)
SCORES.index a.grade
end
end
end

+ 3
- 63
lib/cryptcheck/tls/https.rb View File

@@ -1,72 +1,12 @@
require 'erb'
require 'logging'
require 'parallel'

module CryptCheck
module Tls
module Https
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Https]

def self.grade(hostname, port=443)
timeout MAX_ANALYSIS_DURATION do
Grade.new Server.new hostname, port
end
rescue ::Exception => e
@@log.error { "Error during #{hostname}:#{port} analysis : #{e}" }
TlsNotSupportedGrade.new TlsNotSupportedServer.new hostname, port
end

def self.analyze(hosts, output, groups = nil)
results = {}
semaphore = ::Mutex.new
::Parallel.each hosts, progress: 'Analysing', in_threads: PARALLEL_ANALYSIS, finish: lambda { |item, _, _| puts item[1] } do |description, host|
result = grade host.strip
semaphore.synchronize do
if results.include? description
results[description] << result
else
results[description] = [result]
end
end
end

results = ::Hash[groups.collect { |g| [g, results[g]] }] if groups

results.each do |d, _|
results[d].sort! do |a, b|
cmp = score(a) <=> score(b)
if cmp == 0
cmp = b.score <=> a.score
if cmp == 0
cmp = a.server.hostname <=> b.server.hostname
end
end
cmp
end
end

::File.write output, ::ERB.new(::File.read('output/https.erb')).result(binding)
def self.analyze(hosts, output)
Tls.analyze hosts, 'output/https.erb', output, nil, port: 443, server_class: Server, grade_class: Grade
end

def self.analyze_from_file(file, output)
config = ::YAML.load_file file
hosts = []
groups = []
config.each do |c|
d, hs = c['description'], c['hostnames']
groups << d
hs.each { |host| hosts << [d, host] }
end
self.analyze hosts, output, groups
end

private
SCORES = %w(A+ A A- B C D E F T M X)

def self.score(a)
SCORES.index a.grade
Tls.analyze_from_file file, 'output/https.erb', output, port: 443, server_class: Server, grade_class: Grade
end
end
end


+ 1
- 3
lib/cryptcheck/tls/https/server.rb View File

@@ -1,5 +1,3 @@
require 'socket'
require 'openssl'
require 'httparty'

module CryptCheck
@@ -17,7 +15,7 @@ module CryptCheck
port = @port == 443 ? '' : ":#{@port}"

response = nil
@methods.each do |method|
EXISTING_METHODS.each do |method|
begin
next unless SUPPORTED_METHODS.include? method
@log.debug { "Check HSTS with #{method}" }


+ 13
- 10
lib/cryptcheck/tls/server.rb View File

@@ -38,6 +38,7 @@ module CryptCheck
@port = port
@log.error { "Begin analysis" }
extract_cert
#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
fetch_prefered_ciphers
check_supported_cipher
@log.error { "End analysis" }
@@ -191,8 +192,8 @@ module CryptCheck
@log.debug { "Waiting for SSL write to #{@hostname}:#{@port}" }
raise TLSTimeout unless IO.select nil, [socket], nil, SSL_TIMEOUT
retry
rescue ::OpenSSL::SSL::SSLError => e
raise TLSException, e
rescue => e
raise TLSException, e
ensure
ssl_socket.close
end
@@ -283,14 +284,14 @@ module CryptCheck
def verify_trust(chain, cert)
store = ::OpenSSL::X509::Store.new
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
%w(mozilla cacert).each do |directory|
store.set_default_paths

%w(cacert).each do |directory|
::Dir.glob(::File.join '/usr/share/ca-certificates', directory, '*').each do |file|
::File.open file, 'r' do |file|
cert = ::OpenSSL::X509::Certificate.new file.read
begin
store.add_cert cert
rescue ::OpenSSL::X509::StoreError
end
cert = ::OpenSSL::X509::Certificate.new ::File.read file
begin
store.add_cert cert
rescue ::OpenSSL::X509::StoreError
end
end
end
@@ -300,7 +301,9 @@ module CryptCheck
rescue ::OpenSSL::X509::StoreError
end
end
store.verify cert
trusted = store.verify cert
p store.error_string unless trusted
trusted
end
end



+ 9
- 0
lib/cryptcheck/tls/smtp.rb View File

@@ -0,0 +1,9 @@
module CryptCheck
module Tls
module Smtp
def self.analyze_from_file(file, output)
Tls.analyze_from_file file, 'output/smtp.erb', output, port: 25, server_class: Server, grade_class: Grade
end
end
end
end

+ 8
- 0
lib/cryptcheck/tls/smtp/grade.rb View File

@@ -0,0 +1,8 @@
module CryptCheck
module Tls
module Smtp
class Grade < Tls::Grade
end
end
end
end

+ 35
- 0
lib/cryptcheck/tls/smtp/server.rb View File

@@ -0,0 +1,35 @@
require 'resolv'

module CryptCheck
module Tls
module Smtp
class Server < Tls::TcpServer
RESOLVER = Resolv::DNS.new

attr_reader :domain

def initialize(domain, port=25)
@domain = domain
srv = RESOLVER.getresources(domain, Resolv::DNS::Resource::IN::MX).sort_by(&:preference).first
if srv
hostname = srv.exchange.to_s
else # DNS is not correctly set, guess config…
hostname = domain
end
super hostname, port
end

def ssl_connect(socket, context, method, &block)
socket.recv 1024
socket.write "EHLO #{Socket.gethostbyname(Socket.gethostname).first}\r\n"
features = socket.recv(1024).split "\r\n"
starttls = features.find { |f| /250[- ]STARTTLS/ =~ f }
raise TLSNotAvailableException unless starttls
socket.write "STARTTLS\r\n"
socket.recv 1024
super
end
end
end
end
end

+ 1
- 1
lib/cryptcheck/tls/xmpp.rb View File

@@ -7,7 +7,7 @@ module CryptCheck
module Xmpp
MAX_ANALYSIS_DURATION = 600
PARALLEL_ANALYSIS = 10
@@log = ::Logging.logger[Https]
@@log = ::Logging.logger[Xmpp]

def self.grade(hostname, type=:s2s)
timeout MAX_ANALYSIS_DURATION do


+ 0
- 2
lib/cryptcheck/tls/xmpp/server.rb View File

@@ -1,5 +1,3 @@
require 'socket'
require 'openssl'
require 'nokogiri'
require 'resolv'



+ 69
- 0
output/ca.yml View File

@@ -0,0 +1,69 @@
- description: Autorités de certification
hostnames:
- www.cacert.org
- acedicom.edicomgroup.com
- grca.nat.gov.tw
- pki.atos.net
- www.bundesdruckerei.de
- www.cybertrust.ne.jp
- www.logius.nl
- www.procert.net.ve
- www.s-trust.de
- webappsecurity.trendmicro.com
- www1.cnnic.cn
- www.actalis.it
- www.aoc.cat
- www.a-trust.at
- www.buypass.no
- www.camerfirma.com
- www.certicamara.com
- www.certigna.fr
- www.certinomis.com
- www.certsign.ro
- www.certum.pl
- www.cfca.com.cn
- www.cht.com.tw
- www.comodo.com
- www.comsign.co.il
- www.digicert.com
- www.disig.eu
- www.emc.com
- www.entrust.net
- www.e-szigno.hu
- www.etugra.com.tr
- www.firmaprofesional.com
- www.geotrust.com
- www.globalsign.com
- www.godaddy.com
- www.gpki.go.jp
- www.harica.gr
- www.hongkongpost.gov.hk
- www.identrust.com
- www.izenpe.com
- www.kamusm.gov.tr
- www.netlock.hu
- www.networksolutions.com
- www.opentrust.com
- www.pki.gva.es
- www.quovadisglobal.com
- www.secomtrust.net
- www.sgtrustservices.com
- www.sk.ee
- www.ssi.gouv.fr
- www.startssl.com
- www.swissdigicert.ch
- www.swisssign.com
- www.symantec.com
- www.teliasonera.com
- www.thawte.com
- www.trustcenter.de
- www.trustis.com
- www.trustwave.com
- www.t-systems.com
- www.turktrust.com.tr
- www.twca.com.tw
- www.verizon.com
- www.visa.com
- www.wellsfargo.com
- www.wisekey.com
- www.wosign.com

+ 5
- 4
output/https.erb View File

@@ -4,7 +4,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Status SSL/TLS banque &amp; commerce en ligne</title>
<title>SSL/TLS &mdash; HTTP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
@@ -77,9 +77,7 @@
%>
<tr>
<th id="<%= s.hostname %>">
<a href="https://www.ssllabs.com/ssltest/analyze.html?d=<%= s.hostname %>" target="_blank">
<%= s.hostname %>
</a>
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<td class="critical" colspan="16">
@@ -189,6 +187,9 @@
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>


+ 89
- 6
output/index.yml View File

@@ -7,7 +7,7 @@
- rss.decornulier.eu
- fralef.me
- jeekajoo.eu
- status.jbfavre.org
- jbfavre.org
- rosset.net
- owc.h.arysthaar.pw
- crifo.org
@@ -16,6 +16,12 @@
- komic.eu
- apericraft.ovh
- nicolas.legland.fr
- clauzel.eu
- vinilox.eu
- keuse.fr
- regar42.fr
- tcit.fr
- aplu.fr
- description: Associations
hostnames:
- april.org
@@ -30,11 +36,49 @@
- lea-linux.org
- framasoft.org
- gnu.org
- www.fdn.fr
- description: Framasoft
hostnames:
- framabag.org
- framabin.org
- framabag.org
- framadate.org
- framanews.org
- framasphere.org
- framacalc.org
- framakey.org
- framapic.org
- framindmap.org
- framacolibri.org
- framabee.org
- tontonroger.org
- trouvons.org
- frama.link
- huit.re
- lite.framapad.org
- lite2.framapad.org
- lite3.framapad.org
- lite4.framapad.org
- lite5.framapad.org
- lite6.framapad.org
- quotidien.framapad.org
- hebdo.framapad.org
- mensuel.framapad.org
- bimensuel.framapad.org
- semestriel.framapad.org
- annuel.framapad.org
- git.framasoft.org
- participer.framasoft.org
- contact.framasoft.org
- stats.framasoft.org
- status.framasoft.org
- soutenir.framasoft.org
- description: Banques en ligne
hostnames:
- www.labanquepostale.fr
- voscomptesenligne.labanquepostale.fr
- www.labanquepostale-cartesprepayees.fr
- www.secure.bnpparibas.net
- mabanque.bnpparibas
- www.axabanque.fr
- www.fortuneo.fr
- www.ca-paris.fr
@@ -51,7 +95,6 @@
- www.creditmutuel.fr
- www.caisse-epargne.fr
- paiement.systempay.fr
- cnce.wlp-acs.com
- www.cmb.fr
- www.ca-paris.fr
- www.ca-cotesdarmor.fr
@@ -70,6 +113,14 @@
- www.gmf.fr
- www.hsbc.fr
- www.monabanq.com
- www.ca-atlantique-vendee.fr
- description: 3D « Secure »
hostnames:
- ssl.paiement.cic-banques.fr
- cnce.wlp-acs.com
- ingdf.wlp-acs.com
- ca-sp.wlp-acs.com
- www.e-i.com
- description: Assurances
hostnames:
- www.actassur.com
@@ -135,6 +186,7 @@
- www.csf.fr
- client.gemoneybank.fr
- www.oney.fr
- www.cofidis.fr
- description: Webmails
hostnames:
- webmail.mailden.fr
@@ -167,6 +219,7 @@
- mon.rsi.fr
- jedeclare.com
- net-entreprises.fr
- www.i-cad.fr
- description: Sites de commerce en ligne
hostnames:
- signin.ebay.fr
@@ -182,10 +235,11 @@
- secure.fnac.com
- www.laredoute.fr
- online.carrefour.fr
- www.paymill.com
# - www.paymill.com
- paymium.com
- www.materiel.net
- www.topachat.com
- auth.topachat.com
- customer.rueducommerce.fr
- description: « Cloud » / Gestionnaires de mot de passe
hostnames:
- lastpass.com
@@ -198,10 +252,39 @@
- spideroak.com
- hubic.com
- box.com
- description: FAI
hostnames:
- www.bouyguestelecom.fr
- www.sfr.fr
- www.orange.com
- www.nordnet.com
- www.free.fr
- www.fdn.fr
- www.connexion-verte.fr
- www.budget-telecom.com
- www.quantic-telecom.net
- www.nerim.fr
- offres.numericable.fr
- portail.dartybox.com
- www.ovh.com
- www.coriolis.com
- www.prixtel.com
- www.virginmobile.fr
- www.wibox.fr
- www.wimifi.net
- www.viveole.fr
- www.societehautdebit.fr
- www.skydsl.eu
- www.ozone.net
- www.nomotech.com
- www.bollore.com
- www.ifw.fr
- www.wizeo.com
- www.infosat-telecom.fr
- description: Divers
hostnames:
- www.mailden.net
- www.sharypic.com
- google.fr
- duckduckgo.com
- octopuce.fr
- sharypic.com

+ 35
- 0
output/press.yml View File

@@ -0,0 +1,35 @@
- description: Journaux & Presse en ligne
hostnames:
- charliehebdo.fr
- tempsreel.nouvelobs.com
- www.20minutes.fr
- www.challenges.fr
- www.courrierinternational.com
- www.directmatin.fr
- www.francesoir.fr
- www.humanite.presse.fr
- www.la-croix.com
- www.latribune.fr
- www.lecanardenchaine.fr
- www.lefigaro.fr
- www.lejdd.fr
- www.lemonde.fr
- www.leparisien.fr
- www.lepoint.fr
- www.lequipe.fr
- www.lesechos.fr
- www.lexpress.fr
- www.liberation.fr
- www.lopinion.fr
- www.marianne.net
- www.mediapart.fr
- www.metronews.fr
- www.minute-hebdo.fr
- www.monde-diplomatique.fr
- www.monde-libertaire.fr
- www.parismatch.com
- www.telerama.fr
- www.vsd.fr
- www.slate.fr
- reader.fr
- www.arretsurimages.net

+ 25
- 0
output/securedrop.yml View File

@@ -0,0 +1,25 @@
- description: SecureDrop instances
hostnames:
- securedrop.propublica.org
- ssl.washingtonpost.com
- nrkbeta.no
- exposefacts.org
- firstlook.org
- www.safesource.org.nz
- safesource.forbes.com
- pressfreedomfoundation.org
- projects.newyorker.com
- securedrop.theguardian.com
- securedrop.pogo.org
- bayleaks.com
- securedrop.radio24syv.dk
- tcfmailvault.info
- www.balkanleaks.eu
- description: GlobalLeaks instances
hostnames:
- secure.publeaks.nl
- secure.wildleaks.org
- www.extremeleaks.org
- description: Misc
hostnames:
- secure.frenchleaks.fr

+ 192
- 0
output/smtp.erb View File

@@ -0,0 +1,192 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>SSL/TLS &mdash; SMTP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
margin-top: 10px;
}

td {
text-align: center;
}

.critical {
background-color: #000;
color: #fff;
}

tr:hover > td.critical, td:hover.critical {
background-color: #333 !important;
}
</style>
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="col-md-12">
<table class="table table-bordered table-hover table-condensed">
<tbody>
<%
first = true
results.each do |r|
unless first
%>
<tr>
<th colspan="15">&nbsp;</th>
</tr>
<%
end
first = false
%>
<tr>
<th colspan="14" id="<%= r[0] %>"><%= r[0] %></th>
</tr>
<tr>
<th rowspan="2">Site</th>
<td rowspan="2">Grade</td>
<td colspan="2">Certificate</td>
<td colspan="4">Protocols</td>
<td colspan="5">Ciphers</td>
<td>Best practices</td>
</tr>
<tr>
<td>Key size (bits)</td>
<td class="warning">SHA1 sig</td>

<td class="critical">SSL v2</td>
<td class="critical">SSL v3</td>
<td class="success">TLS 1.2</td>
<td class="info">TLS</td>

<td>Strength (bits)</td>
<td class="critical">MD5</td>
<td class="warning">SHA1</td>
<td class="critical">DES/RC4</td>
<td class="danger">3DES</td>

<td class="info">PFS</td>
</tr>
<% r[1].each do |n|
s = n.server
%>
<tr>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<th id="<%= s.hostname %>">
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<td class="critical" colspan="16">
No SSL/TLS
</td>
<%
else
rank_color = case n.grade
when 'A+' then :info
when 'A', 'A-' then :success
when 'B', 'C' then :warning
when 'T', 'M' then :critical
else :danger
end
%>
<th id="<%= s.domain %>"><%= s.domain %></th>
<td class="<%= rank_color %>">
<%= n.grade %>
</td>

<td class="<%= s.key_size < 2048 ? :danger : s.key_size < 4096 ? :warning : :success %>">
<% type, size = s.key %>
<%= "#{size} (#{type.to_s.upcase})" %>
<span class="sr-only">(<%= s.key_size < 2048 ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sha1_sig? ? :warning : :success %>">
<%= s.sha1_sig? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sha1_sig? ? '☹' : '☺' %>)</span>
</td>

<td class="<%= s.sslv2? ? :critical : :success %>">
<%= s.sslv2? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sslv2? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sslv3? ? :critical : :success %>">
<%= s.sslv3? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sslv3? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.tlsv1_2? ? :success : :danger %>">
<%= s.tlsv1_2? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.tlsv1_2? ? '☺' : '☹' %>)</span>
</td>
<td class="<%= s.tls? ? (s.tls_only? ? :info : :success) : :danger %>">
<%= s.tls? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.tls? ? '☺' : '☹' %>)</span>
</td>

<% cipher_size = s.cipher_size[:worst] %>
<td class="<%= cipher_size < 112 ? :danger : cipher_size < 128 ? :warning : :success %>">
<%= cipher_size %>
<span class="sr-only">(<%= cipher_size < 128 ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.md5? ? :critical : :success %>">
<%= s.md5? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.md5? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.sha1? ? :warning : :success %>">
<%= s.sha1? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.sha1? ? '☹' : '☺' %>)</span>
</td>
<td class="<%= (s.rc4? or s.des?) ? :critical : :success %>">
<%= (s.rc4? or s.des?) ? '✓' : '✗' %>
<span class="sr-only">(<%= (s.rc4? or s.des?) ? '☹' : '☺' %>)</span>
</td>
<td class="<%= s.des3? ? :danger : :success %>">
<%= s.des3? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.des3? ? '☹' : '☺' %>)</span>
</td>

<td class="<%= s.pfs? ? (s.pfs_only? ? :info : :success) : :danger %>">
<%= s.pfs? ? '✓' : '✗' %>
<span class="sr-only">(<%= s.pfs? ? '☺' : '☹' %>)</span>
</td>
<% end %>
</tr>
<% end %>
<tr>
<th rowspan="2">Site</th>
<td rowspan="2">Grade</td>

<td>Key size (bits)</td>
<td class="warning">SHA1 sig</td>

<td class="critical">SSL v2</td>
<td class="critical">SSL v3</td>
<td class="success">TLS 1.2</td>
<td class="info">TLS</td>

<td>Strength (bits)</td>
<td class="critical">MD5</td>
<td class="warning">SHA1</td>
<td class="critical">DES/RC4</td>
<td class="danger">3DES</td>

<td class="info">PFS</td>
</tr>
<tr>
<td colspan="2">Certificate</td>
<td colspan="4">Protocols</td>
<td colspan="5">Ciphers</td>
<td>Best practices</td>
</tr>
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>
</body>
</html>

+ 205
- 0
output/smtp.yml View File

@@ -0,0 +1,205 @@
- description: Serveurs personnels
hostnames:
- imirhil.fr
- libwalk.so
- keltia.net
- demouliere.eu
- decornulier.eu
- fralef.me
- jeekajoo.eu
- jbfavre.org
- rosset.net
- arysthaar.pw
- crifo.org
- matlink.fr
- pfag.me
- komic.eu
- apericraft.ovh
- legland.fr
- description: Associations
hostnames:
- april.org
- laquadrature.net
- fsf.org
- ubuntu-paris.org
- parinux.org
- aful.org
- rmll.info
- ubuntu-fr.org
- linuxfr.org
- lea-linux.org
- framasoft.org
- gnu.org
- description: Banques en ligne
hostnames:
- labanquepostale.fr
- labanquepostale-cartesprepayees.fr
- bnpparibas.net
- axabanque.fr
- fortuneo.fr
- ca-paris.fr
- credit-cooperatif.coop
- coopanet.com
- cic.fr
- societegenerale.fr
- groupama.fr
- banquepopulaire.fr
- ca-des-savoie.fr
- lcl.fr
- boursorama.com
- bpe.fr
- creditmutuel.fr
- caisse-epargne.fr
- systempay.fr
- wlp-acs.com
- cmb.fr
- ca-paris.fr
- ca-cotesdarmor.fr
- ingdirect.fr
- banque-accord.fr
- banque-casino.fr
- bforbank.com
- hellobank.fr
- carrefour-banque.fr
- agf.fr
- banque-casino.fr
- palatine.fr
- bpi-online.net
- barclays.fr
- credit-du-nord.fr
- gmf.fr
- hsbc.fr
- monabanq.com
- description: Assurances
hostnames:
- actassur.com
- gie-afer.fr
- ag2rlamondiale.fr
- consultations.agipi.com
- agpm.fr
- alptis.org
- altaprofits.com
- amv.fr
- apicil.com
- april.fr
- fapes-diffusion.fr
- assu2000.fr
- assurone.com
- avip.fr
- avivadirect.fr
- canisante.com
- carac.fr
- cegema.com
- chienchatsante.com
- direct-assurance.fr
- euro-assurance.com
- eca-assurances.com
- fma.fr
- gaipare.com
- gapassurance.com
- generali.fr
- hedios.com
- ingdirect.fr
- conservateur.fr
- linxea.com
- maaf.fr
- macif.fr
- macsf.fr
- maif.fr
- matmut.fr
- mgel.fr
- mma.fr
- nationalesuisse.ch
- nexx.fr
- sainteauprevoyance.com
- santevet.com
- selfepargne.fr
- sicavonline.fr
- smabtp.fr
- cybermutuelle.com
- sollyazar.com
- swisslife.fr
- description: Organismes de crédit
hostnames:
- cetelem.fr
- cofinoga.fr
- sofinco.fr
- pret-dunion.fr
- franfinance.fr
- 123credit.com
- disponis.fr
- complicio.fr
- creditfoncier.fr
- credit.fr
- credit-immobilier-de-france.fr
- csf.fr
- gemoneybank.fr
- oney.fr
- description: Webmails
hostnames:
- mailden.fr
- free.fr
- numericable.fr
- orange-business.com
- orange.fr
- gandi.net
- sfr.fr
- online.net
- amen.fr
- ovh.com
- aliceadsl.fr
- laposte.net
- openmailbox.org
- description: Administration
hostnames:
- ameli.fr
- moncompte.mobi
- service-public.fr
- impots.gouv.fr
- pole-emploi.fr
- caf.fr
- justice.gouv.fr
- interieur.gouv.fr
- cnil.fr
- quechoisir.org
- rsi.fr
- jedeclare.com
- net-entreprises.fr
- description: Sites de commerce en ligne
hostnames:
- ebay.fr
- ldlc.com
- grosbill.com
- darty.com
- boulanger.fr
- capitainetrain.com
- voyages-sncf.com
- pixmania.fr
- cdiscount.com
- ikea.com
- fnac.com
- laredoute.fr
- carrefour.fr
- paymill.com
- paymium.com
- materiel.net
- topachat.com
- description: « Cloud » / Gestionnaires de mot de passe
hostnames:
- lastpass.com
- dashlane.com
- passpack.com
- clipperz.is
- mitro.co
- icloud.com
- dropbox.com
- spideroak.com
- hubic.com
- box.com
- description: Divers
hostnames:
- mailden.net
- sharypic.com
- google.fr
- duckduckgo.com
- octopuce.fr

+ 7
- 3
output/xmpp.erb View File

@@ -4,7 +4,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>XMPP</title>
<title>SSL/TLS &mdash; XMPP</title>
<link rel="stylesheet" href="bootstrap.min.css">
<style>
body {
@@ -91,8 +91,10 @@
s = n.server
%>
<tr>
<th id="<%= s.hostname %>">
<a href="#<%= s.hostname %>"><%= s.hostname %></a>
</th>
<% if s.is_a? Tls::TlsNotSupportedServer %>
<th id="<%= s.hostname %>"><%= s.hostname %></th>
<td class="critical" colspan="16">
No SSL/TLS
</td>
@@ -104,7 +106,6 @@
when 'T', 'M' then :critical
else :danger
end %>
<th id="<%= s.domain %>"><%= s.domain %></th>
<td class="<%= rank_color %>">
<%= n.grade %>
</td>
@@ -171,6 +172,9 @@
<% end %>
</tbody>
</table>
<div class="pull-right">
Generated on <%= Time.now.strftime '%FT%T%:z' %>
</div>
</div>
</div>
</div>


+ 4
- 0
output/xmpp.yml View File

@@ -15,3 +15,7 @@
- citronna.de
- matlink.fr
- verry.org
- keuse.fr
- cappuccino.uk.to
- corzntin.fr
- fralef.me

Write Preview
Loading…
Cancel
Save