def process_task(self, target, command, args):
MAX_THREADS = 30
sslVersionDict = {'sslv2': SSLV2,
'sslv3': SSLV3,
'tlsv1': TLSV1,
'tlsv1_1': TLSV1_1,
'tlsv1_2': TLSV1_2}
try:
sslVersion = sslVersionDict[command]
except KeyError:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
sslClient = SslClient(sslVersion=sslVersion)
sslClient.set_cipher_list('ALL:COMPLEMENTOFALL')
cipher_list = sslClient.get_cipher_list()
# Create a thread pool
NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher
thread_pool = ThreadPool()
# Scan for every available cipher suite
for cipher in cipher_list:
thread_pool.add_job((self._test_ciphersuite,
(target, sslVersion, cipher)))
# Scan for the preferred cipher suite
thread_pool.add_job((self._pref_ciphersuite,
(target, sslVersion)))
# Start processing the jobs
thread_pool.start(NB_THREADS)
result_dicts = {'preferredCipherSuite':{}, 'acceptedCipherSuites':{},
'rejectedCipherSuites':{}, 'errors':{}}
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, result) = completed_job
if result is not None:
(result_type, ssl_cipher, keysize, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
ssl_cipher = str(job[1][2])
error_msg = str(exception.__class__.__module__) + '.' \
+ str(exception.__class__.__name__) + ' - ' + str(exception)
result_dicts['errors'][ssl_cipher] = (error_msg, None)
thread_pool.join()
# Generate results
return PluginBase.PluginResult(self._generate_text_output(result_dicts, command),
self._generate_xml_output(result_dicts, command))
def test_cipher_list_for_differences():
from nassl.SslClient import SslClient
from nassl import SSLV2, SSLV3, TLSV1, TLSV1_1, TLSV1_2
set2 = set(MAPPING2)
set3 = set(MAPPING3)
for sslVersion in (SSLV2, SSLV3, TLSV1, TLSV1_1, TLSV1_2):
logging.info("Starting test for SSLV2")
ssl_client = SslClient(sslVersion=sslVersion)
ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
current = set(ssl_client.get_cipher_list())
if sslVersion == SSLV2:
statset = set2
else:
statset = set3
logging.info("SSLv/TLSv (%d)" % sslVersion)
logging.info("Only in currentVersion %s" % (current - statset))
logging.info("Only in statisticVersion %s" % (statset - current))
logging.info("In both versions %s" % (current & statset))
logging.info("-----")
def process_task(self, target, command, args):
MAX_THREADS = 15
sslVersionDict = {
'sslv2': SSLV2,
'sslv3': SSLV3,
'tlsv1': TLSV1,
'tlsv1_1': TLSV1_1,
'tlsv1_2': TLSV1_2
}
try:
sslVersion = sslVersionDict[command]
except KeyError:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
sslClient = SslClient(sslVersion=sslVersion)
sslClient.set_cipher_list('ALL:COMPLEMENTOFALL')
cipher_list = sslClient.get_cipher_list()
# Create a thread pool
NB_THREADS = min(len(cipher_list),
MAX_THREADS) # One thread per cipher
thread_pool = ThreadPool()
# Scan for every available cipher suite
for cipher in cipher_list:
thread_pool.add_job(
(self._test_ciphersuite, (target, sslVersion, cipher)))
# Scan for the preferred cipher suite
thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion)))
# Start processing the jobs
thread_pool.start(NB_THREADS)
result_dicts = {
'preferredCipherSuite': {},
'acceptedCipherSuites': {},
'rejectedCipherSuites': {},
'errors': {}
}
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, result) = completed_job
if result is not None:
(result_type, ssl_cipher, keysize, dh_infos, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize,
dh_infos)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
ssl_cipher = str(job[1][2])
error_msg = str(
exception.__class__.__name__) + ' - ' + str(exception)
result_dicts['errors'][ssl_cipher] = (error_msg, None, None)
thread_pool.join()
# Generate results
return PluginBase.PluginResult(
self._generate_text_output(result_dicts, command),
self._generate_xml_output(result_dicts, command))
def process_task(self, target, command, args):
if 'algorithm' in self._shared_settings and self._shared_settings[
'algorithm']:
algorithm = self._shared_settings['algorithm']
else:
algorithm = 'naive'
logging.info("SUBSTART\t%s\t%s\t%s\t%s\t%s" %
(datetime.utcnow(), self._shared_settings['targets_in'],
target[0], command, algorithm))
MAX_THREADS = 15
sslVersionDict = {
'sslv2': SSLV2,
'sslv3': SSLV3,
'tlsv1': TLSV1,
'tlsv1_1': TLSV1_1,
'tlsv1_2': TLSV1_2
}
result_dicts = {
'preferredCipherSuite': {},
'acceptedCipherSuites': {},
'rejectedCipherSuites': {},
'errors': {}
}
try:
sslVersion = sslVersionDict[command]
except KeyError:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
sslClient = SslClient(sslVersion=sslVersion)
sslClient.set_cipher_list('ALL:COMPLEMENTOFALL')
cipher_list = sslClient.get_cipher_list()
NB_THREADS = min(len(cipher_list),
MAX_THREADS) # One thread per cipher
# Create a thread pool
thread_pool = ThreadPool()
# First add the "pref" job to only execute it once
# Scan for the preferred cipher suite
if algorithm != 'connopt':
thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion)))
log_round_counter = 0
while (len(result_dicts['acceptedCipherSuites']) +
len(result_dicts['rejectedCipherSuites']) +
len(result_dicts['errors']) < len(cipher_list)):
log_round_counter += 1
new_jobs = self._calculate_jobs(sslVersion, cipher_list,
result_dicts, algorithm, target[2])
for job in new_jobs:
thread_pool.add_job(
(self._test_ciphersuite, (target, sslVersion, job)))
# logging.debug("Adding following jobs:\n%s" % pprint.pformat(new_jobs))
# logging.debug("%s: round=%d, new_jobs=%d, algorithm=%s" % (sslVersion,
# log_round_counter,
# len(new_jobs),
# algorithm))
# Start processing the jobs
thread_pool.start(NB_THREADS)
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, results) = completed_job
for result in results:
(result_type, ssl_cipher, keysize, dh_infos, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize,
dh_infos)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
# job[1][2] is a list of cipher suites now
ssl_ciphers = job[1][2]
error_msg = str(
exception.__class__.__name__) + ' - ' + str(exception)
for ssl_cipher in ssl_ciphers:
result_dicts['errors'][ssl_cipher] = (error_msg, None,
None)
thread_pool.join()
# Reset thread pool
thread_pool = ThreadPool()
# logging.debug("ciphers total %d results a: %d, r: %d, e: %d after %d connections" % (
# len(cipher_list),
# len(result_dicts['acceptedCipherSuites']),
# len(result_dicts['rejectedCipherSuites']),
# len(result_dicts['errors']),
# self.log_connection_counter))
timedelta = datetime.now() - self.log_starttime
logging.info("RESULT\t%s\t%s\t%s" % (target[0], command, ",".join(
stats.get_pattern_for_result_dict(sslVersion, result_dicts))))
logging.info("SUBEND\t%s\t%s\t%s\t%s\t%s\t%s\t%s" %
(datetime.utcnow(), self._shared_settings['targets_in'],
target[0], command, algorithm, timedelta.total_seconds(),
self.log_connection_counter))
increment(self.log_connection_counter)
# Generate results
return PluginBase.PluginResult(
self._generate_text_output(result_dicts, command),
self._generate_xml_output(result_dicts, command))
def process_task(self, target, command, args):
MAX_THREADS = 15
sslVersionDict = {"sslv2": SSLV2, "sslv3": SSLV3, "tlsv1": TLSV1, "tlsv1_1": TLSV1_1, "tlsv1_2": TLSV1_2}
try:
sslVersion = sslVersionDict[command]
except KeyError:
raise Exception("PluginOpenSSLCipherSuites: Unknown command.")
# Get the list of available cipher suites for the given ssl version
sslClient = SslClient(sslVersion=sslVersion)
sslClient.set_cipher_list("ALL:COMPLEMENTOFALL")
cipher_list = sslClient.get_cipher_list()
# Create a thread pool
NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher
thread_pool = ThreadPool()
cipher_whitelist = [
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-DSS-AES128-GCM-SHA256",
"kEDH+AESGCM",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA",
"ECDHE-ECDSA-AES256-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA",
"DHE-DSS-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"DHE-DSS-AES256-SHA",
"DHE-RSA-AES256-SHA",
]
cipher_blacklist = ["RC4", "EXPORT", "DES", "aNULL", "eNULL", "MD5"]
version_whitelist = ["TLSV1_1", "TLSV1_2"]
version_blacklist = ["SSLV2", "SSLV3"]
cdict = {"whitelist": cipher_whitelist, "blacklist": cipher_blacklist}
verdict = {"whitelist": version_whitelist, "blacklist": version_blacklist}
# Scan for every available cipher suite
for cipher in cipher_list:
thread_pool.add_job((self._test_ciphersuite, (target, sslVersion, cipher, cdict)))
# Scan for the preferred cipher suite
thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion, cdict)))
# Start processing the jobs
thread_pool.start(NB_THREADS)
result_dicts = {
"preferredCipherSuite": {},
"acceptedCipherSuites": {},
"rejectedCipherSuites": {},
"errors": {},
}
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, result) = completed_job
if result is not None:
(result_type, ssl_cipher, keysize, dh_infos, msg) = result
(result_dicts[result_type])[ssl_cipher] = (msg, keysize, dh_infos)
# Store thread pool errors
for failed_job in thread_pool.get_error():
(job, exception) = failed_job
ssl_cipher = str(job[1][2])
error_msg = str(exception.__class__.__name__) + " - " + str(exception)
result_dicts["errors"][ssl_cipher] = (error_msg, None, None)
thread_pool.join()
# Generate results
return PluginBase.PluginResult(
self._generate_text_output(result_dicts, command, verdict),
self._generate_xml_output(result_dicts, command, verdict),
)
