Browse Source
Better curve detection, detecting new corner case when server preference enforced
new-scoring
3 changed files with 25 additions and 8 deletions
+ 1
- 0
lib/cryptcheck.rb
View File
| @@ -95,6 +95,7 @@ module CryptCheck | |||
| else | |||
| server.new *a, **kargs | |||
| end | |||
| exit | |||
| if grade | |||
| g = grade.new s | |||
| Logger.info { '' } | |||
+ 13
- 2
lib/cryptcheck/tls/curve.rb
View File
| @@ -7,14 +7,14 @@ module CryptCheck | |||
| @name = name | |||
| end | |||
| # SUPPORTED = %w(sect163k1 sect163r1 sect163r2 sect193r1 | |||
| # SUPPORTED = %i(sect163k1 sect163r1 sect163r2 sect193r1 | |||
| # sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 | |||
| # sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 | |||
| # secp160r2 secp192k1 secp192r1 secp224k1 secp224r1 secp256k1 | |||
| # secp256r1 secp384r1 secp521r1 | |||
| # prime256v1 | |||
| # brainpoolP256r1 brainpoolP384r1 brainpoolP512r1) | |||
| SUPPORTED = %w(secp256k1 sect283k1 sect283r1 secp384r1 | |||
| SUPPORTED = %i(secp256k1 sect283k1 sect283r1 secp384r1 | |||
| sect409k1 sect409r1 secp521r1 sect571k1 sect571r1 | |||
| prime192v1 prime256v1 | |||
| brainpoolP256r1 brainpoolP384r1 brainpoolP512r1).collect { |c| self.new c }.freeze | |||
| @@ -28,6 +28,17 @@ module CryptCheck | |||
| def to_s | |||
| @name | |||
| end | |||
| def ==(other) | |||
| case other | |||
| when String | |||
| @name == other.to_sym | |||
| when Symbol | |||
| @name == other | |||
| else | |||
| @name == other.name | |||
| end | |||
| end | |||
| end | |||
| end | |||
| end | |||
+ 11
- 6
lib/cryptcheck/tls/server.rb
View File
| @@ -28,7 +28,7 @@ module CryptCheck | |||
| class ConnectionError < ::StandardError | |||
| end | |||
| attr_reader :certs, :keys, :dh | |||
| attr_reader :certs, :keys, :dh, :supported_curves | |||
| def initialize(hostname, family, ip, port) | |||
| @hostname, @family, @ip, @port = hostname, family, ip, port | |||
| @@ -168,15 +168,20 @@ module CryptCheck | |||
| begin | |||
| connection = ssl_client method, ecdsa, curves: [curve, ecdsa_curve] | |||
| # Not too fast !!! | |||
| # Handshake will **always** succeed, because ECDSA curve is always supported | |||
| # So, need to test for the real curve | |||
| # Handshake will **always** succeed, because ECDSA | |||
| # curve is always supported. | |||
| # So, we need to test for the real curve! | |||
| # Treaky case : if server preference is enforced, | |||
| # ECDSA curve can be prefered over ECDHE one and so | |||
| # really supported curve can be detected as not supported :( | |||
| dh = connection.tmp_key | |||
| negociated_curve = dh.curve | |||
| supported = negociated_curve != ecdsa_curve | |||
| supported = ecdsa_curve != negociated_curve | |||
| if supported | |||
| Logger.info { " ECC curve #{curve}" } | |||
| Logger.info { " ECC curve #{curve.name}" } | |||
| else | |||
| Logger.debug { " ECC curve #{curve} : not supported" } | |||
| Logger.debug { " ECC curve #{curve.name} : not supported" } | |||
| end | |||
| supported | |||
| rescue TLSException | |||
Loading…