def process_task(self, target, command, args):
ctSSL_initialize()
try:
(can_reneg, is_secure) = self._test_renegotiation(target)
finally:
ctSSL_cleanup()
# Text output
reneg_txt = 'Honored' if can_reneg else 'Rejected'
secure_txt = 'Supported' if is_secure else 'Not supported'
cmd_title = 'Session Renegotiation'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
RENEG_FORMAT = ' {0:<35} {1}'
txt_result.append(
RENEG_FORMAT.format('Client-initiated Renegotiations:', reneg_txt))
txt_result.append(
RENEG_FORMAT.format('Secure Renegotiation: ', secure_txt))
# XML output
xml_reneg_attr = {
'canBeClientInitiated': str(can_reneg),
'isSecure': str(is_secure)
}
xml_reneg = Element('sessionRenegotiation', attrib=xml_reneg_attr)
xml_result = Element(command, title=cmd_title)
xml_result.append(xml_reneg)
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, args):
ctSSL_initialize()
try:
(can_reneg, is_secure) = self._test_renegotiation(target)
finally:
ctSSL_cleanup()
# Text output
reneg_txt = 'Honored' if can_reneg else 'Rejected'
secure_txt = 'Supported' if is_secure else 'Not supported'
cmd_title = 'Session Renegotiation'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
RENEG_FORMAT = ' {0:<35} {1}'
txt_result.append(RENEG_FORMAT.format('Client-initiated Renegotiations:', reneg_txt))
txt_result.append(RENEG_FORMAT.format('Secure Renegotiation: ', secure_txt))
# XML output
xml_reneg_attr = {'canBeClientInitiated' : str(can_reneg),
'isSecure' : str(is_secure)}
xml_reneg = Element('sessionRenegotiation', attrib = xml_reneg_attr)
xml_result = Element(command, title = cmd_title)
xml_result.append(xml_reneg)
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, args):
output_format = ' {0:<25} {1}'
ctSSL_initialize(zlib=True)
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
compression_status = ssl_connect._ssl.get_current_compression()
finally:
ssl_connect.close()
ctSSL_cleanup()
# Text output
if compression_status:
comp_txt = 'Enabled ' + compression_status
comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
else:
comp_txt = 'Disabled'
comp_xml = {'isSupported':'False'}
cmd_title = 'Compression'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
txt_result.append(output_format.format("Compression Support:", comp_txt))
# XML output
xml_el = Element('compression', comp_xml)
xml_result = Element(command, title = cmd_title)
xml_result.append(xml_el)
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, args):
output_format = ' {0:<25} {1}'
ctSSL_initialize(zlib=True)
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
compression_status = ssl_connect._ssl.get_current_compression()
finally:
ssl_connect.close()
ctSSL_cleanup()
# Text output
if compression_status:
comp_txt = 'Enabled ' + compression_status
comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
else:
comp_txt = 'Disabled'
comp_xml = {'isSupported':'False'}
cmd_title = 'Compression'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
txt_result.append(output_format.format("Compression Support:", comp_txt))
# XML output
xml_el = Element('compression', comp_xml)
xml_result = Element(command, title = cmd_title)
xml_result.append(xml_el)
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, args):
MAX_THREADS = 30
if command in ['sslv2', 'sslv3', 'tlsv1', 'tlsv1_1', 'tlsv1_2']:
ssl_version = command
else:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
ctSSL_initialize(multithreading=True)
ctx = SSL_CTX.SSL_CTX(ssl_version)
ctx.set_cipher_list('ALL:NULL:@STRENGTH')
ssl = SSL.SSL(ctx)
cipher_list = ssl.get_cipher_list()
# Create a thread pool
NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher
thread_pool = ThreadPool()
# Scan for every available cipher suite
for cipher in cipher_list:
thread_pool.add_job((self._test_ciphersuite,
(target, ssl_version, cipher)))
# Scan for the preferred cipher suite
thread_pool.add_job((self._pref_ciphersuite,
(target, ssl_version)))
# Start processing the jobs
thread_pool.start(NB_THREADS)
result_dicts = {'preferredCipherSuite':{}, 'acceptedCipherSuites':{},
'rejectedCipherSuites':{}, 'errors':{}}
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, result) = completed_job
if result is not None:
(result_type, ssl_cipher, keysize, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
ssl_cipher = str(job[1][2])
error_msg = str(exception.__class__.__module__) + '.' \
+ str(exception.__class__.__name__) + ' - ' + str(exception)
result_dicts['errors'][ssl_cipher] = (error_msg, None)
thread_pool.join()
ctSSL_cleanup()
# Generate results
return PluginBase.PluginResult(self._generate_txt_result(result_dicts, command),
self._generate_xml_result(result_dicts, command))
def process_task(self, target, command, args):
ctSSL_initialize(multithreading=True)
try:
if command == 'resum':
result = self._command_resum(target)
elif command == 'resum_rate':
result = self._command_resum_rate(target)
else:
raise Exception("PluginSessionResumption: Unknown command.")
finally:
ctSSL_cleanup()
return result
def process_task(self, target, command, args):
ctSSL_initialize(multithreading=True)
try:
if command == 'resum':
result = self._command_resum(target)
elif command == 'resum_rate':
result = self._command_resum_rate(target)
else:
raise Exception("PluginSessionResumption: Unknown command.")
finally:
ctSSL_cleanup()
return result
def process_task(self, target, command, arg):
ctSSL_initialize()
cert_trusted = False
try: # First verify the server's certificate
cert = self._get_cert(target, verify_cert=True)
cert_trusted = True
except errors.SSLErrorSSL as e:
# Recover the server's certificate without verifying it
if 'certificate verify failed' in str(e.args):
cert = self._get_cert(target, verify_cert=False)
else:
ctSSL_cleanup()
raise
result_dict = {'basic': self._get_basic,
'detail': self._get_detail,
'full': self._get_full}
(cert_txt, cert_xml) = result_dict[arg](cert)
# Text output
cmd_title = 'Certificate'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
trust_txt = 'Certificate is Trusted' if cert_trusted \
else 'Certificate is NOT Trusted'
txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
txt_result.extend(cert_txt)
# XML output
xml_result = Element(self.__class__.__name__, command = command,
argument = arg, title = cmd_title)
trust_xml_attr = {'trusted-by-mozilla' : str(cert_trusted)}
trust_xml = Element('certificate', attrib = trust_xml_attr)
for elem_xml in cert_xml:
trust_xml.append(elem_xml)
xml_result.append(trust_xml)
ctSSL_cleanup()
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, arg):
ctSSL_initialize()
try: # Get the certificate
(cert, verify_result) = self._get_cert(target)
except:
ctSSL_cleanup()
raise
# Figure out if/why the verification failed
untrusted_reason = None
is_cert_trusted = True
if verify_result != 0:
is_cert_trusted = False
untrusted_reason = X509_V_CODES.X509_V_CODES[verify_result]
# Results formatting
cert_parsed = X509CertificateHelper(cert)
cert_dict = cert_parsed.parse_certificate()
# Text output
if arg == 'basic':
cert_txt = self._get_basic_text(cert, cert_dict)
elif arg == 'full':
cert_txt = [cert.as_text()]
else:
raise Exception("PluginCertInfo: Unknown command.")
fingerprint = cert.get_fingerprint()
cmd_title = 'Certificate'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
trust_txt = 'Certificate is Trusted' if is_cert_trusted \
else 'Certificate is NOT Trusted'
is_ev = self._is_ev_certificate(cert_dict)
if is_ev:
trust_txt = trust_txt + ' - Extended Validation'
if untrusted_reason:
trust_txt = trust_txt + ': ' + untrusted_reason
txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
is_host_valid = self._is_hostname_valid(cert_dict, target)
host_txt = 'OK - ' + is_host_valid + ' Matches' if is_host_valid \
else 'MISMATCH'
txt_result.append(self.FIELD_FORMAT.format("Hostname Validation:", host_txt))
txt_result.append(self.FIELD_FORMAT.format('SHA1 Fingerprint:', fingerprint))
txt_result.append('')
txt_result.extend(cert_txt)
# XML output: always return the full certificate
host_xml = True if is_host_valid \
else False
xml_result = Element(command, argument = arg, title = cmd_title)
trust_xml_attr = {'isTrustedByMozillaCAStore' : str(is_cert_trusted),
'sha1Fingerprint' : fingerprint,
'isExtendedValidation' : str(is_ev),
'hasMatchingHostname' : str(host_xml)}
if untrusted_reason:
trust_xml_attr['reasonWhyNotTrusted'] = untrusted_reason
trust_xml = Element('certificate', attrib = trust_xml_attr)
for elem_xml in cert_parsed.parse_certificate_to_xml():
trust_xml.append(elem_xml)
xml_result.append(trust_xml)
ctSSL_cleanup()
return PluginBase.PluginResult(txt_result, xml_result)
def process_task(self, target, command, args):
MAX_THREADS = 30
if command in ['sslv2', 'sslv3', 'tlsv1', 'tlsv1_1', 'tlsv1_2']:
ssl_version = command
else:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
ctSSL_initialize(multithreading=True)
ctx = SSL_CTX.SSL_CTX(ssl_version)
ctx.set_cipher_list('ALL:NULL:@STRENGTH')
ssl = SSL.SSL(ctx)
cipher_list = ssl.get_cipher_list()
# Create a thread pool
NB_THREADS = min(len(cipher_list),
MAX_THREADS) # One thread per cipher
thread_pool = ThreadPool()
# Scan for every available cipher suite
for cipher in cipher_list:
thread_pool.add_job(
(self._test_ciphersuite, (target, ssl_version, cipher)))
# Scan for the preferred cipher suite
thread_pool.add_job((self._pref_ciphersuite, (target, ssl_version)))
# Start processing the jobs
thread_pool.start(NB_THREADS)
result_dicts = {
'preferredCipherSuite': {},
'acceptedCipherSuites': {},
'rejectedCipherSuites': {},
'errors': {}
}
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, result) = completed_job
if result is not None:
(result_type, ssl_cipher, keysize, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
ssl_cipher = str(job[1][2])
error_msg = str(exception.__class__.__module__) + '.' \
+ str(exception.__class__.__name__) + ' - ' + str(exception)
result_dicts['errors'][ssl_cipher] = (error_msg, None)
thread_pool.join()
ctSSL_cleanup()
# Generate results
return PluginBase.PluginResult(
self._generate_txt_result(result_dicts, command),
self._generate_xml_result(result_dicts, command))
def process_task(self, target, command, arg):
ctSSL_initialize()
try: # Get the certificate
(cert, verify_result) = self._get_cert(target)
except:
ctSSL_cleanup()
raise
# Figure out if/why the verification failed
untrusted_reason = None
is_cert_trusted = True
if verify_result != 0:
is_cert_trusted = False
untrusted_reason = X509_V_CODES.X509_V_CODES[verify_result]
# Results formatting
cert_parsed = X509CertificateHelper(cert)
cert_dict = cert_parsed.parse_certificate()
# Text output
if arg == 'basic':
cert_txt = self._get_basic_text(cert, cert_dict)
elif arg == 'full':
cert_txt = [cert.as_text()]
else:
raise Exception("PluginCertInfo: Unknown command.")
fingerprint = cert.get_fingerprint()
cmd_title = 'Certificate'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
trust_txt = 'Certificate is Trusted' if is_cert_trusted \
else 'Certificate is NOT Trusted'
is_ev = self._is_ev_certificate(cert_dict)
if is_ev:
trust_txt = trust_txt + ' - Extended Validation'
if untrusted_reason:
trust_txt = trust_txt + ': ' + untrusted_reason
txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
is_host_valid = self._is_hostname_valid(cert_dict, target)
host_txt = 'OK - ' + is_host_valid + ' Matches' if is_host_valid \
else 'MISMATCH'
txt_result.append(self.FIELD_FORMAT.format("Hostname Validation:", host_txt))
txt_result.append(self.FIELD_FORMAT.format('SHA1 Fingerprint:', fingerprint))
txt_result.append('')
txt_result.extend(cert_txt)
# XML output: always return the full certificate
host_xml = True if is_host_valid \
else False
xml_result = Element(command, argument = arg, title = cmd_title)
trust_xml_attr = {'isTrustedByMozillaCAStore' : str(is_cert_trusted),
'sha1Fingerprint' : fingerprint,
'isExtendedValidation' : str(is_ev),
'hasMatchingHostname' : str(host_xml)}
if untrusted_reason:
trust_xml_attr['reasonWhyNotTrusted'] = untrusted_reason
trust_xml = Element('certificate', attrib = trust_xml_attr)
for elem_xml in cert_parsed.parse_certificate_to_xml():
trust_xml.append(elem_xml)
xml_result.append(trust_xml)
ctSSL_cleanup()
return PluginBase.PluginResult(txt_result, xml_result)
