Browse Source

Improving output

new-scoring
aeris 2 years ago
parent
commit
d92523e4f2
3 changed files with 68 additions and 29 deletions
  1. 8
    3
      lib/cryptcheck/tls/cipher.rb
  2. 3
    3
      lib/cryptcheck/tls/https/server.rb
  3. 57
    23
      lib/cryptcheck/tls/server.rb

+ 8
- 3
lib/cryptcheck/tls/cipher.rb View File

@@ -141,9 +141,14 @@ module CryptCheck
141 141
 				@status = Status[@states.reject { |_, v| v.empty? }.keys]
142 142
 			end
143 143
 
144
-			def to_s
145
-				states = @states.collect { |k, vs| vs.collect { |v| v.to_s.colorize k }}.flatten.join ' '
146
-				"#{@method} #{@name.colorize @status} [#{states}]"
144
+			def to_s(type = :long)
145
+				case type
146
+					when :long
147
+						states = @states.collect { |k, vs| vs.collect { |v| v.to_s.colorize k }}.flatten.join ' '
148
+						"#{@method} #{@name.colorize @status} [#{states}]"
149
+					when :short
150
+						@name.colorize @status
151
+				end
147 152
 			end
148 153
 
149 154
 			PRIORITY = { good: 1, none: 2, warning: 3, error: 4, critical: 5 }

+ 3
- 3
lib/cryptcheck/tls/https/server.rb View File

@@ -20,14 +20,14 @@ module CryptCheck
20 20
 														   follow_redirects: false,
21 21
 														   verify:           false,
22 22
 														   timeout:          SSL_TIMEOUT,
23
-														   ssl_version:      self.supported_protocols.first,
24
-														   ciphers:          'ALL:COMPLEMENTOFALL'
23
+														   ssl_version:      @supported_methods.first.name,
24
+														   ciphers:          Cipher::ALL
25 25
 												   }
26 26
 						if header = response.headers['strict-transport-security']
27 27
 							name, value = header.split '='
28 28
 							if name == 'max-age'
29 29
 								@hsts = value.to_i
30
-								Logger.info { "HSTS : #{@hsts.to_s.colorize hsts_long? ? :good : nil}" }
30
+								Logger.info { 'HSTS : ' + @hsts.to_s.colorize(hsts_long? ? :good : nil) }
31 31
 								return
32 32
 							end
33 33
 						end

+ 57
- 23
lib/cryptcheck/tls/server.rb View File

@@ -43,38 +43,40 @@ module CryptCheck
43 43
 				fetch_ecdsa_certs
44 44
 				fetch_supported_curves
45 45
 
46
+				fetch_ciphers_preferences
47
+
46 48
 				# verify_certs
47 49
 
48 50
 				check_fallback_scsv
49
-
50
-				exit
51 51
 			end
52 52
 
53 53
 			def supported_method?(method)
54 54
 				ssl_client method
55
-				Logger.info { "Supported method : #{method}" }
55
+				Logger.info { "Method #{method} : supported" }
56 56
 				true
57 57
 			rescue TLSException
58
-				Logger.debug { "Method not supported : #{method}" }
58
+				Logger.debug { "Method #{method} : not supported" }
59 59
 				false
60 60
 			end
61 61
 
62 62
 			def fetch_supported_methods
63 63
 				Logger.info { '' }
64
+				Logger.info { 'Supported methods' }
64 65
 				@supported_methods = Method.select { |m| supported_method? m }
65 66
 			end
66 67
 
67 68
 			def supported_cipher?(method, cipher)
68 69
 				connection = ssl_client method, cipher
69
-				Logger.info { "Supported cipher #{cipher}" }
70
+				Logger.info { "Cipher #{cipher} : supported" }
70 71
 				connection
71 72
 			rescue TLSException
72
-				Logger.debug { "Not supported cipher #{cipher}" }
73
+				Logger.debug { "Cipher #{cipher} : not supported" }
73 74
 				nil
74 75
 			end
75 76
 
76 77
 			def fetch_supported_ciphers
77 78
 				Logger.info { '' }
79
+				Logger.info { 'Supported ciphers' }
78 80
 				@supported_ciphers = @supported_methods.collect do |method|
79 81
 					ciphers = Cipher[method].collect do |cipher|
80 82
 						connection = supported_cipher? method, cipher
@@ -108,6 +110,7 @@ module CryptCheck
108 110
 
109 111
 			def fetch_supported_curves
110 112
 				Logger.info { '' }
113
+				Logger.info { 'Supported elliptic curves' }
111 114
 
112 115
 				ecdsa_curve = @ecdsa_certs.keys.first
113 116
 				if ecdsa_curve
@@ -128,9 +131,9 @@ module CryptCheck
128 131
 								curve      = dh.curve
129 132
 								supported  = curve != ecdsa_curve
130 133
 								if supported
131
-									Logger.info { "Supported ECC curve #{curve}" }
134
+									Logger.info { "ECC curve #{curve} : supported" }
132 135
 								else
133
-									Logger.debug { "Not supported ECC curve #{curve}" }
136
+									Logger.debug { "ECC curve #{curve} : not supported" }
134 137
 								end
135 138
 								supported
136 139
 							rescue TLSException
@@ -148,9 +151,9 @@ module CryptCheck
148 151
 						@supported_curves = Curve.select do |curve|
149 152
 							begin
150 153
 								ssl_client method, ecdh, curves: curve
151
-								Logger.info { "Supported ECC curve #{curve}" }
154
+								Logger.info { "ECC curve #{curve} : supported" }
152 155
 							rescue TLSException
153
-								Logger.debug { "Not supported ECC curve #{curve}" }
156
+								Logger.debug { "ECC curve #{curve} : not supported" }
154 157
 								false
155 158
 							end
156 159
 						end
@@ -159,7 +162,39 @@ module CryptCheck
159 162
 				end
160 163
 			end
161 164
 
165
+			def fetch_ciphers_preferences
166
+				Logger.info { '' }
167
+				Logger.info { 'Server preferences' }
168
+
169
+				@preferences = @supported_ciphers.collect do |method, ciphers|
170
+					ciphers = ciphers.keys
171
+					if ciphers.size < 2
172
+						Logger.info { "Preference not applicable for #{method}" }
173
+					else
174
+						a, b, _ = ciphers
175
+						ab      = ssl_client(method, [a, b]).cipher.first
176
+						ba      = ssl_client(method, [b, a]).cipher.first
177
+						if ab != ba
178
+							Logger.info { 'Server use client preference for '.colorize(:warning) + method.to_s }
179
+							:client
180
+						else
181
+							sort        = -> (a, b) do
182
+								connection = ssl_client method, [a, b]
183
+								cipher     = connection.cipher.first
184
+								cipher == a.name ? -1 : 1
185
+							end
186
+							preferences = ciphers.sort &sort
187
+							Logger.info { "Cipher preference for #{method} is #{preferences.collect { |c| c.to_s :short }.join ':'}" }
188
+							preferences
189
+						end
190
+					end
191
+					[method, preferences]
192
+				end.to_h
193
+			end
194
+
162 195
 			def check_fallback_scsv
196
+				Logger.info { '' }
197
+
163 198
 				@fallback_scsv = false
164 199
 				if @supported_methods.size > 1
165 200
 					# We will try to connect to the not better supported method
@@ -174,16 +209,15 @@ module CryptCheck
174 209
 					@fallback_scsv = nil
175 210
 				end
176 211
 
177
-				Logger.info { '' }
178 212
 				text, color = case @fallback_scsv
179 213
 								  when true
180
-									  ['Supported', :good]
214
+									  ['supported', :good]
181 215
 								  when false
182
-									  ['Not supported', :error]
216
+									  ['not supported', :error]
183 217
 								  when nil
184
-									  ['Not applicable', :unknown]
218
+									  ['not applicable', :unknown]
185 219
 							  end
186
-				Logger.info { "Fallback SCSV : #{text.colorize color}" }
220
+				Logger.info { 'Fallback SCSV : ' + text.colorize(color) }
187 221
 			end
188 222
 
189 223
 			Method.each do |method|
@@ -297,16 +331,16 @@ module CryptCheck
297 331
 					retry
298 332
 				rescue ::OpenSSL::SSL::SSLError => e
299 333
 					case e.message
300
-						when /state=SSLv3 read server hello A$/
301
-							raise TLSNotAvailableException, e
302
-						when /state=SSLv3 read server hello A: wrong version number$/
303
-							raise MethodNotAvailable, e
304
-						when /state=SSLv3 read server hello A: tlsv1 alert protocol version$/
334
+						when /state=SSLv3 read server hello A$/,
335
+								/state=SSLv3 read server hello A: wrong version number$/,
336
+								/state=SSLv3 read server hello A: tlsv1 alert protocol version$/
305 337
 							raise MethodNotAvailable, e
306
-						when /state=error: no ciphers available$/,
307
-								/state=SSLv3 read server hello A: sslv3 alert handshake failure$/
338
+						when /state=SSLv2 read server hello A: peer error no cipher/,
339
+								/state=error: no ciphers available$/,
340
+								/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
341
+								/state=error: missing export tmp dh key/
308 342
 							raise CipherNotAvailable, e
309
-						when /state=SSLv3 read server hello A: tlsv3 alert inappropriate fallback$/
343
+						when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
310 344
 							raise InappropriateFallback, e
311 345
 					end
312 346
 					raise

Loading…
Cancel
Save