def _get_cert(self, target):
"""
Connects to the target server and returns the server's certificate
"""
verify_result = None
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_ctx.load_verify_locations(MOZILLA_CA_STORE)
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE) # We'll use get_verify_result()
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
cert = ssl_connect._ssl.get_peer_certificate()
verify_result = ssl_connect._ssl.get_verify_result()
except ClientCertificateError: # The server asked for a client cert
# We can get the server cert anyway
cert = ssl_connect._ssl.get_peer_certificate()
verify_result = ssl_connect._ssl.get_verify_result()
finally:
ssl_connect.close()
return (cert, verify_result)
def process_task(self, target, command, args):
output_format = ' {0:<25} {1}'
ctSSL_initialize(zlib=True)
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
compression_status = ssl_connect._ssl.get_current_compression()
finally:
ssl_connect.close()
ctSSL_cleanup()
# Text output
if compression_status:
comp_txt = 'Enabled ' + compression_status
comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
else:
comp_txt = 'Disabled'
comp_xml = {'isSupported':'False'}
cmd_title = 'Compression'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
txt_result.append(output_format.format("Compression Support:", comp_txt))
# XML output
xml_el = Element('compression', comp_xml)
xml_result = Element(command, title = cmd_title)
xml_result.append(xml_el)
return PluginBase.PluginResult(txt_result, xml_result)
def _pref_ciphersuite(self, target, ssl_version):
"""
Initiates a SSL handshake with the server, using the SSL version and cipher
suite specified.
"""
ssl_ctx = SSL_CTX.SSL_CTX(ssl_version)
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE)
# ssl_connect can be an HTTPS connection or an SMTP STARTTLS connection
ssl_connect = SSLyzeSSLConnection(self._shared_settings,
target,
ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
ssl_cipher = ssl_connect._ssl.get_current_cipher()
if 'ADH' in ssl_cipher or 'AECDH' in ssl_cipher:
keysize = 'Anon' # Anonymous, let s not care about the key size
else:
keysize = str(
ssl_connect._ssl.get_current_cipher_bits()) + ' bits'
status_msg = ssl_connect.post_handshake_check()
return ('preferredCipherSuite', ssl_cipher, keysize, status_msg)
except:
return None
finally:
ssl_connect.close()
return
def _test_renegotiation(self, target):
"""
Checks whether the server honors session renegotiation requests and
whether it supports secure renegotiation.
"""
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE)
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try:
ssl_connect.connect()
is_secure = ssl_connect._ssl.get_secure_renegotiation_support()
try: # Let's try to renegotiate
ssl_connect._ssl.renegotiate()
can_reneg = True
# Errors caused by a server rejecting the renegotiation
except errors.ctSSLUnexpectedEOF as e:
can_reneg = False
except socket.error as e:
if 'connection was forcibly closed' in str(e.args):
can_reneg = False
elif 'reset by peer' in str(e.args):
can_reneg = False
else:
raise
#except socket.timeout as e:
# result_reneg = 'Rejected (timeout)'
except errors.SSLError as e:
if 'handshake failure' in str(e.args):
can_reneg = False
elif 'no renegotiation' in str(e.args):
can_reneg = False
else:
raise
finally:
ssl_connect.close()
return (can_reneg, is_secure)
def _pref_ciphersuite(self, target, ssl_version):
"""
Initiates a SSL handshake with the server, using the SSL version and cipher
suite specified.
"""
ssl_ctx = SSL_CTX.SSL_CTX(ssl_version)
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE)
# ssl_connect can be an HTTPS connection or an SMTP STARTTLS connection
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
ssl_cipher = ssl_connect._ssl.get_current_cipher()
if 'ADH' in ssl_cipher or 'AECDH' in ssl_cipher:
keysize = 'Anon' # Anonymous, let s not care about the key size
else:
keysize = str(ssl_connect._ssl.get_current_cipher_bits())+' bits'
status_msg = ssl_connect.post_handshake_check()
return ('preferredCipherSuite', ssl_cipher, keysize, status_msg)
except:
return None
finally:
ssl_connect.close()
return
def process_task(self, target, command, args):
output_format = ' {0:<25} {1}'
ctSSL_initialize(zlib=True)
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
compression_status = ssl_connect._ssl.get_current_compression()
finally:
ssl_connect.close()
ctSSL_cleanup()
# Text output
if compression_status:
comp_txt = 'Enabled ' + compression_status
comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
else:
comp_txt = 'Disabled'
comp_xml = {'isSupported':'False'}
cmd_title = 'Compression'
txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
txt_result.append(output_format.format("Compression Support:", comp_txt))
# XML output
xml_el = Element('compression', comp_xml)
xml_result = Element(command, title = cmd_title)
xml_result.append(xml_el)
return PluginBase.PluginResult(txt_result, xml_result)
def _get_cert(self, target):
"""
Connects to the target server and returns the server's certificate
"""
verify_result = None
ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_ctx.load_verify_locations(MOZILLA_CA_STORE)
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE) # We'll use get_verify_result()
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
try: # Perform the SSL handshake
ssl_connect.connect()
cert = ssl_connect._ssl.get_peer_certificate()
verify_result = ssl_connect._ssl.get_verify_result()
except ClientCertificateError: # The server asked for a client cert
# We can get the server cert anyway
cert = ssl_connect._ssl.get_peer_certificate()
verify_result = ssl_connect._ssl.get_verify_result()
finally:
ssl_connect.close()
return (cert, verify_result)
def _test_renegotiation(self, target):
"""
Checks whether the server honors session renegotiation requests and
whether it supports secure renegotiation.
"""
ssl_ctx = SSL_CTX.SSL_CTX(
'tlsv1'
) # sslv23 hello will fail for specific servers such as post.craigslist.org
ssl_ctx.set_verify(constants.SSL_VERIFY_NONE)
ssl_connect = SSLyzeSSLConnection(self._shared_settings,
target,
ssl_ctx,
hello_workaround=True)
try:
ssl_connect.connect()
is_secure = ssl_connect._ssl.get_secure_renegotiation_support()
try: # Let's try to renegotiate
ssl_connect._ssl.renegotiate()
can_reneg = True
# Errors caused by a server rejecting the renegotiation
except errors.ctSSLUnexpectedEOF as e:
can_reneg = False
except socket.error as e:
if 'connection was forcibly closed' in str(e.args):
can_reneg = False
elif 'reset by peer' in str(e.args):
can_reneg = False
else:
raise
#except socket.timeout as e:
# result_reneg = 'Rejected (timeout)'
except errors.SSLError as e:
if 'handshake failure' in str(e.args):
can_reneg = False
elif 'no renegotiation' in str(e.args):
can_reneg = False
else:
raise
finally:
ssl_connect.close()
return (can_reneg, is_secure)
def _resume_ssl_session(self, target, ssl_ctx, ssl_session = None):
"""
Connect to the server and returns the session object that was assigned
for that connection.
If ssl_session is given, tries to resume that session.
"""
ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
hello_workaround=True)
if ssl_session:
ssl_connect._ssl.set_session(ssl_session)
try: # Perform the SSL handshake
ssl_connect.connect()
session = ssl_connect._ssl.get_session() # Get session data
finally:
ssl_connect.close()
return session
