Aeris 3 years ago
source
commit 51216b0f0f
1 changed file with 111 additions and 0 deletions

README.md (+111, -0)

@@ -0,0 +1,111 @@
+# Introduction
+CryptCheck is a Ruby toolbox that help anybody to check for cryptography security
+level and best practices compliance.
+
+CryptCheck is released under
+[AGPLv3+](https://www.gnu.org/licenses/agpl-3.0.en.html) license.
+
+# Preliminary warning
+**/!\ This tool use custom weak builds of OpenSSL library and OpenSSL Ruby extension /!\**.
+
+Those builds are cryptographically weaken to be able to test for (very) weak and
+today totally deprecated ciphers.
+
+Don’t deploy it on production machine to avoid any security troubles, or use VM
+to isolate them !
+
+# Setup
+## Ruby
+You need a fully operationnal Ruby stack.
+Because of the warning above, don’t use your system Ruby.
+
+I recommend to use [RBEnv](https://github.com/sstephenson/rbenv) and it
+[Ruby-build](https://github.com/sstephenson/ruby-build) plugin to build a new
+ruby environment instead of your system one.
+
+Currently supported Ruby stack is v2.2.2.
+
+## OpenSSL library and Ruby extension
+To be able to test for (very) weak ciphers and to have access to DH parameters,
+CryptCheck need custom build of OpenSSL library and patched build of OpenSSL Ruby
+extension.
+
+
+Once you have cloned CryptCheck repository, just run `make` inside to
+build the needed libraries.
+
+If `make` fails with the following error :
+```
+make: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'.  Stop.
+```
+just run again `make` (if you understand this problem, contact me !).
+
+The built libraries (*libcrypto.so*, *libssl.so* and *openssl.so*) are located
+under the *lib* directory.<br/>
+CryptCheck use *LD_LIBRARY_PATH* and Ruby load path hack to inject those weaken
+libraries instead of the system ones.
+
+## Ruby dependencies
+CryptCheck relies on few Ruby libraries, managed with [Bundler](http://bundler.io/).
+
+To fetch and install them, just run `bundle install`.
+
+# Usage
+Simply run the corresponding runner of what you want to test :
+
+ * HTTPS : ```bin/check_https example.org```
+ * XMPP : ```bin/check_xmpp example.org```
+ * SMTP : ```bin/check_smtp example.org```
+
+If you want more information of what is going on under the hood, run the command
+with debug enabled, like ```bin/check_https example.org debug```
+
+## Understanding results
+Rank goes from "A+" (perfect) to "F" (very weak).<br/>
+"M" means your certificate and your hostname mismatch.<br/>
+"T" means your certificate is not issued by a valid root certificate authority.
+
+Only a perfect setup gets a perfect score and a "A" rank :).<br/>
+"A" score is based on [RFC 7525](https://tools.ietf.org/html/rfc7525) recommandations.
+
+ * Protocol
+   * SSL (v2 and v3) are totally [deprecated](https://tools.ietf.org/html/rfc7568)
+     now, because of very serious known vulnerabilities
+     ([Poodle](https://www.openssl.org/~bodo/ssl-poodle.pdf)…).
+     Using one of them cap your rank to "F".
+   * TLSv1 and TLSv1.1 suffer of the
+     [Poodle TLS](https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls)
+     vulnerability.
+   * TLSv1.2 is the only remaining protocol with no known vulnerabilities, so if
+     you don’t support it, your rank is cap to "B".
+ * Key size
+   * If you use certificate key less than 2048 bits, your rank is cap to "B".
+ * Ciphers
+   * Very weak ciphers, including MD5 hash, anonymous DH parameters, NULL ciphers 
+     (yes, it exits…), export ciphers ([Freak](https://freakattack.com/)) or weak 
+     ciphers (RC4, DES…) cap your rank to "F".
+   * 3DES is considered weak and must be avoided, using it cap your score to "C".
+
+ * Score
+   * Protocol score is based on the **weakest** protocol you support :<br/>
+     SSLv2 = 0, SSLv3 = 20, TLSv1 = 60, TLSv1.1 = 80, TLSv1.2 = 100.
+   * Key score is based on your certificate key size :<br/>
+     <512 = 10, <1024 = 20, <2048 = 50, <4096 = 90, ≥4096 = 100.
+   * Cipher score is based on the **weakest** cipher you support :<br/>
+     0 = 0, <112 = 10, <128 = 50, <256 = 90, ≥256 = 100.
+   * Overall score is based on the other scores :<br/>
+     overall = 0.3 * protocol + 0.3 * key + 0.4 * cipher
+
+ * Best practices
+   * PFS : you gain this flag when you support **only**
+     [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)
+     ciphers (DHE or ECDHE)
+   * HSTS : you gain this flag when you protect yourself with
+     [HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797).
+   * Long HSTS : you gain this flag when you support HSTS with a duration of at
+     least 6 monthes.
+
+ * Rank
+   * Rank is based on your overall score and above caps :<br/>
+     <20 = F, <35 = E, <50 = D, <65 = C, <80 = B, ≥80 = A.
+   * If you get an "A" and you have all the best practices above, you get "A+".
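Review bot: the "just run again `make`" advice under "OpenSSL library and Ruby extension" documents a symptom rather than a fix: `make: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'` on a first run that succeeds on a second run points at a prerequisite-ordering problem in the Makefile (the `libs` target depends on an artifact whose producing rule is not yet available on the first pass), so the dependency chain should be corrected and this paragraph dropped. The "Preliminary warning" and the *LD_LIBRARY_PATH* / Ruby load-path paragraph should also state the scope of the override, i.e. that the weakened *libcrypto.so* / *libssl.so* / *openssl.so* are only injected into the runner's own process and that the system OpenSSL is untouched, and give users a way to confirm it (for example inspecting which libssl the running `bin/check_https` has loaded), since this is the guarantee the warning relies on. Spelling and grammar to fix in the same hunk: "help anybody" -> "helps anybody", "This tool use" -> "This tool uses", "weaken" -> "weakened" (twice), "operationnal" -> "operational", "recommandations" -> "recommendations", "it exits" -> "it exists", "monthes" -> "months", "cap your rank" -> "caps your rank" and "is cap to" -> "is capped at".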
