Beispiel #1
0
    def get_all_cipher_suites(cls,
                              tls_version: TlsVersionEnum) -> Set[CipherSuite]:
        """Get the list of cipher suites supported by OpenSSL for the given SSL/TLS version.
        """
        if tls_version in [
                TlsVersionEnum.SSL_2_0,
                TlsVersionEnum.SSL_3_0,
                TlsVersionEnum.TLS_1_0,
                TlsVersionEnum.TLS_1_1,
        ]:
            openssl_cipher_strings = cls._get_all_cipher_suites_with_legacy_openssl(
                tls_version)

        elif tls_version == TlsVersionEnum.TLS_1_2:
            # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
            cipher_suites_from_legacy_openssl = cls._get_all_cipher_suites_with_legacy_openssl(
                tls_version)

            ssl_client_modern = SslClient(
                ssl_version=OpenSslVersionEnum(tls_version.value))
            ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
            ssl_client_modern.set_ciphersuites(
                "")  # Disable TLS 1.3 cipher suites
            cipher_suites_from_modern_openssl = set(
                ssl_client_modern.get_cipher_list())

            # Combine the two sets of cipher suites
            openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(
                cipher_suites_from_modern_openssl)

        elif tls_version == TlsVersionEnum.TLS_1_3:
            ssl_client_modern = SslClient(
                ssl_version=OpenSslVersionEnum(tls_version.value))
            ssl_client_modern.set_cipher_list(
                "")  # Disable NON-TLS-1.3 cipher suites
            ssl_client_modern.set_ciphersuites(
                "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
                "TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
            )  # Enable all TLS 1.3 cipher suites
            openssl_cipher_strings = set(ssl_client_modern.get_cipher_list())

        else:
            raise ValueError("Should never happen")

        return {
            CipherSuite.from_openssl(cipher_str, tls_version)
            for cipher_str in openssl_cipher_strings
        }
    def process_task(self, server_connectivity_info, plugin_command, options_dict=None):
        if options_dict and "verbose" in options_dict.keys():
            verbose_mode = options_dict["verbose"]
        else:
            verbose_mode = False
        test_protocols = {"SSLv3", "TLSv1"}
        thread_pool = ThreadPool()
        ciphers_list = []
        support_protocol_list = []
        for proto in test_protocols:
            if self.test_protocol_support(PROTOCOL_VERSION[proto], server_connectivity_info):
                ssl_client = SslClient(ssl_version=PROTOCOL_VERSION[proto])
                ssl_client.set_cipher_list(proto)
                ciphers_list = ssl_client.get_cipher_list()
                for cipher in ciphers_list:
                    thread_pool.add_job(
                        (self._test_ciphersuite, (server_connectivity_info, PROTOCOL_VERSION[proto], cipher))
                    )
                support_protocol_list.append(proto)
        thread_pool.start(nb_threads=min(len(ciphers_list), self.MAX_THREADS))

        accept_ciphers = []
        reject_ciphers = []
        if verbose_mode:
            print "  VERBOSE MODE PRINT"
            print "  ------------------"

        for completed_job in thread_pool.get_result():
            (job, cipher_result) = completed_job
            if isinstance(cipher_result, AcceptCipher):
                accept_ciphers.append(cipher_result)
            elif isinstance(cipher_result, RejectCipher):
                reject_ciphers.append(cipher_result)
            else:
                raise ValueError("Unexpected result")
            if verbose_mode:
                cipher_result.print_cipher()

        if verbose_mode:
            print "  ----------------------"
            print "  END VERBOSE MODE PRINT"
            print "  ----------------------"

        for error_job in thread_pool.get_error():
            (_, exception) = error_job
            raise exception

        thread_pool.join()

        support_vulnerable_ciphers_set = self.get_vulnerable_ciphers(accept_ciphers)
        is_vulnerable = True if len(support_vulnerable_ciphers_set) > 0 else False

        return BEASTVulnerabilityTesterResult(
            server_connectivity_info,
            plugin_command,
            options_dict,
            support_vulnerable_ciphers_set,
            is_vulnerable,
            support_protocol_list,
        )
Beispiel #3
0
def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]:
    tls_version_to_cipher_suites: Dict[TlsVersionEnum, Set[CipherSuite]] = {}

    for tls_version in [
        TlsVersionEnum.SSL_2_0,
        TlsVersionEnum.SSL_3_0,
        TlsVersionEnum.TLS_1_0,
        TlsVersionEnum.TLS_1_1,
    ]:
        openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version)
        tls_version_to_cipher_suites[tls_version] = set()
        for cipher_suite_openssl_name in openssl_cipher_strings:
            cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name]
            tls_version_to_cipher_suites[tls_version].add(
                CipherSuite(
                    name=cipher_suite_rfc_name,
                    openssl_name=cipher_suite_openssl_name,
                    is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
                    key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
                )
            )

    # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
    cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2)

    ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value))
    ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
    cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list())

    # Combine the two sets of cipher suites
    openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl)
    tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set()
    for cipher_suite_openssl_name in openssl_cipher_strings:
        # Ignore TLS 1.3 cipher suites
        if cipher_suite_openssl_name in _TLS_1_3_CIPHER_SUITES:
            continue

        cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[TlsVersionEnum.TLS_1_2][cipher_suite_openssl_name]
        tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2].add(
            CipherSuite(
                name=cipher_suite_rfc_name,
                openssl_name=cipher_suite_openssl_name,
                is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
                key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
            )
        )

    # TLS 1.3 - the list is just hardcoded
    tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_3] = {
        CipherSuite(
            # For TLS 1.3 OpenSSL started using the official names
            name=cipher_suite_name,
            openssl_name=cipher_suite_name,
            is_anonymous=False,
            key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_name],
        )
        for cipher_suite_name in _TLS_1_3_CIPHER_SUITES
    }

    return tls_version_to_cipher_suites
Beispiel #4
0
 def get_cipher_list(self, ssl_protocol):
     """Returns list of cipher suites available for protocol version, saves in parameter ssl_protocol.
 
         Args:
         ssl_protocol (str):.
     """
     ssl_client = SslClient(ssl_version=PROTOCOL_VERSION[ssl_protocol])
     ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
     return ssl_client.get_cipher_list()
 def get_cipher_list(self, ssl_protocol):
     """Returns list of cipher suites available for protocol version, saves in parameter ssl_protocol.
 
         Args:
         ssl_protocol (str):.
     """
     ssl_client = SslClient(ssl_version=PROTOCOL_VERSION[ssl_protocol])
     ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
     return ssl_client.get_cipher_list()
    def process_task(self,
                     server_connectivity_info,
                     plugin_command,
                     options_dict=None):
        ssl_version = self.SSL_VERSIONS_MAPPING[plugin_command]

        # Get the list of available cipher suites for the given ssl version
        ssl_client = SslClient(ssl_version=ssl_version)
        ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
        cipher_list = ssl_client.get_cipher_list()

        # Scan for every available cipher suite
        thread_pool = ThreadPool()
        for cipher in cipher_list:
            thread_pool.add_job(
                (self._test_cipher_suite, (server_connectivity_info,
                                           ssl_version, cipher)))

        # Start processing the jobs; One thread per cipher
        thread_pool.start(nb_threads=min(len(cipher_list), self.MAX_THREADS))

        accepted_cipher_list = []
        rejected_cipher_list = []
        errored_cipher_list = []

        # Store the results as they come
        for completed_job in thread_pool.get_result():
            (job, cipher_result) = completed_job
            if isinstance(cipher_result, AcceptedCipherSuite):
                accepted_cipher_list.append(cipher_result)
            elif isinstance(cipher_result, RejectedCipherSuite):
                rejected_cipher_list.append(cipher_result)
            elif isinstance(cipher_result, ErroredCipherSuite):
                errored_cipher_list.append(cipher_result)
            else:
                raise ValueError('Unexpected result')

        # Store thread pool errors; only something completely unexpected would trigger an error
        for failed_job in thread_pool.get_error():
            (_, exception) = failed_job
            raise exception

        thread_pool.join()

        # Test for the cipher suite preference
        preferred_cipher = self._get_preferred_cipher_suite(
            server_connectivity_info, ssl_version, accepted_cipher_list)

        # Generate the results
        plugin_result = OpenSSLCipherSuitesResult(server_connectivity_info,
                                                  plugin_command, options_dict,
                                                  preferred_cipher,
                                                  accepted_cipher_list,
                                                  rejected_cipher_list,
                                                  errored_cipher_list)
        return plugin_result
Beispiel #7
0
    def process_task(self, server_connectivity_info, plugin_command, options_dict=None):
        ssl_version = self.SSL_VERSIONS_MAPPING[plugin_command]

        # Get the list of available cipher suites for the given ssl version
        ssl_client = SslClient(ssl_version=ssl_version)
        ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
        cipher_list = ssl_client.get_cipher_list()

        # Scan for every available cipher suite
        thread_pool = ThreadPool()
        for cipher in cipher_list:
            thread_pool.add_job((self._test_cipher_suite, (server_connectivity_info, ssl_version, cipher)))

        # Start processing the jobs; One thread per cipher
        thread_pool.start(nb_threads=min(len(cipher_list), self.MAX_THREADS))

        accepted_cipher_list = []
        rejected_cipher_list = []
        errored_cipher_list = []

        # Store the results as they come
        for completed_job in thread_pool.get_result():
            (job, cipher_result) = completed_job
            if isinstance(cipher_result, AcceptedCipherSuite):
                accepted_cipher_list.append(cipher_result)
            elif isinstance(cipher_result, RejectedCipherSuite):
                rejected_cipher_list.append(cipher_result)
            elif isinstance(cipher_result, ErroredCipherSuite):
                errored_cipher_list.append(cipher_result)
            else:
                raise ValueError('Unexpected result')

        # Store thread pool errors; only something completely unexpected would trigger an error
        for failed_job in thread_pool.get_error():
            (_, exception) = failed_job
            raise exception

        thread_pool.join()

        # Test for the cipher suite preference
        preferred_cipher = self._get_preferred_cipher_suite(server_connectivity_info, ssl_version, accepted_cipher_list)

        # Generate the results
        plugin_result = OpenSSLCipherSuitesResult(server_connectivity_info, plugin_command, options_dict,
                                                  preferred_cipher, accepted_cipher_list, rejected_cipher_list,
                                                  errored_cipher_list)
        return plugin_result
Beispiel #8
0
    def test_set_ciphersuites(self):
        # Given an SslClient for TLS 1.3
        ssl_client = SslClient(
            ssl_version=OpenSslVersionEnum.TLSV1_3,
            ssl_verify=OpenSslVerifyEnum.NONE,
            ignore_client_authentication_requests=True,
        )

        # With the default list of cipher disabled
        ssl_client.set_cipher_list("")

        # When setting a specific TLS 1.3 cipher suite as the list of supported ciphers
        ssl_client.set_ciphersuites("TLS_CHACHA20_POLY1305_SHA256")

        # That one cipher suite is the only one enabled
        ciphers = ssl_client.get_cipher_list()
        assert ["TLS_CHACHA20_POLY1305_SHA256"] == ciphers
Beispiel #9
0
    def test_set_ciphersuites(self):
        # Given an SslClient for TLS 1.3
        ssl_client = SslClient(
            ssl_version=OpenSslVersionEnum.TLSV1_3,
            ssl_verify=OpenSslVerifyEnum.NONE,
            ignore_client_authentication_requests=True,
        )

        # With the default list of cipher disabled
        ssl_client.set_cipher_list('')

        # When setting a specific TLS 1.3 cipher suite as the list of supported ciphers
        ssl_client.set_ciphersuites('TLS_CHACHA20_POLY1305_SHA256')

        # That one cipher suite is the only one enabled
        ciphers = ssl_client.get_cipher_list()
        assert ['TLS_CHACHA20_POLY1305_SHA256'] == ciphers
 def get_ssl3_cipher_list(self):
     """Returns list of cipher suites available for protocol SSL 3.0
     """
     ssl_client = SslClient(ssl_version=SSLV3)
     ssl_client.set_cipher_list('SSLv3')
     return ssl_client.get_cipher_list()
    def process_task(self,
                     server_connectivity_info,
                     plugin_command,
                     options_dict=None):
        if options_dict and 'verbose' in options_dict.keys():
            verbose_mode = options_dict['verbose']
        else:
            verbose_mode = False
        test_protocols = {'SSLv3', 'TLSv1'}
        thread_pool = ThreadPool()
        ciphers_list = []
        support_protocol_list = []
        for proto in test_protocols:
            if self.test_protocol_support(PROTOCOL_VERSION[proto],
                                          server_connectivity_info):
                ssl_client = SslClient(ssl_version=PROTOCOL_VERSION[proto])
                ssl_client.set_cipher_list(proto)
                ciphers_list = ssl_client.get_cipher_list()
                for cipher in ciphers_list:
                    thread_pool.add_job((self._test_ciphersuite,
                                         (server_connectivity_info,
                                          PROTOCOL_VERSION[proto], cipher)))
                support_protocol_list.append(proto)
        thread_pool.start(nb_threads=min(len(ciphers_list), self.MAX_THREADS))

        accept_ciphers = []
        reject_ciphers = []
        if verbose_mode:
            print '  VERBOSE MODE PRINT'
            print '  ------------------'

        for completed_job in thread_pool.get_result():
            (job, cipher_result) = completed_job
            if isinstance(cipher_result, AcceptCipher):
                accept_ciphers.append(cipher_result)
            elif isinstance(cipher_result, RejectCipher):
                reject_ciphers.append(cipher_result)
            else:
                raise ValueError("Unexpected result")
            if verbose_mode:
                cipher_result.print_cipher()

        if verbose_mode:
            print '  ----------------------'
            print '  END VERBOSE MODE PRINT'
            print '  ----------------------'

        for error_job in thread_pool.get_error():
            (_, exception) = error_job
            raise exception

        thread_pool.join()

        support_vulnerable_ciphers_set = self.get_vulnerable_ciphers(
            accept_ciphers)
        is_vulnerable = True \
            if len(support_vulnerable_ciphers_set) > 0 \
            else False

        return BEASTVulnerabilityTesterResult(server_connectivity_info,
                                              plugin_command, options_dict,
                                              support_vulnerable_ciphers_set,
                                              is_vulnerable,
                                              support_protocol_list)
 def get_ssl3_cipher_list(self):
     """Returns list of cipher suites available for protocol SSL 3.0
     """
     ssl_client = SslClient(ssl_version=SSLV3)
     ssl_client.set_cipher_list('SSLv3')
     return ssl_client.get_cipher_list()
Beispiel #13
0
def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]:
    tls_version_to_cipher_suites: Dict[TlsVersionEnum, Set[CipherSuite]] = {}

    for tls_version in [
        TlsVersionEnum.SSL_2_0,
        TlsVersionEnum.SSL_3_0,
        TlsVersionEnum.TLS_1_0,
        TlsVersionEnum.TLS_1_1,
    ]:
        openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version)
        tls_version_to_cipher_suites[tls_version] = set()
        for cipher_suite_openssl_name in openssl_cipher_strings:
            cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name]
            tls_version_to_cipher_suites[tls_version].add(
                CipherSuite(
                    name=cipher_suite_rfc_name,
                    openssl_name=cipher_suite_openssl_name,
                    is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
                    key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
                )
            )

        # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
        cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2)

        ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value))
        ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
        ssl_client_modern.set_ciphersuites("")  # Disable TLS 1.3 cipher suites
        cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list())

        # Combine the two sets of cipher suites
        openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl)
        tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set()
        for cipher_suite_openssl_name in openssl_cipher_strings:
            cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[TlsVersionEnum.TLS_1_2][cipher_suite_openssl_name]
            tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2].add(
                CipherSuite(
                    name=cipher_suite_rfc_name,
                    openssl_name=cipher_suite_openssl_name,
                    is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
                    key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
                )
            )

        # TLS 1.3
        ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_3.value))
        ssl_client_modern.set_cipher_list("")  # Disable NON-TLS-1.3 cipher suites
        ssl_client_modern.set_ciphersuites(
            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
            "TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
        )  # Enable all TLS 1.3 cipher suites
        openssl_cipher_strings = set(ssl_client_modern.get_cipher_list())

        tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_3] = {
            CipherSuite(
                # For TLS 1.3 OpenSSL started using the official names
                name=cipher_suite_openssl_name,
                openssl_name=cipher_suite_openssl_name,
                is_anonymous=False,
                key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_openssl_name],
            )
            for cipher_suite_openssl_name in openssl_cipher_strings
        }

    return tls_version_to_cipher_suites