def process_task(self, target, command, args): MAX_THREADS = 30 sslVersionDict = {'sslv2': SSLV2, 'sslv3': SSLV3, 'tlsv1': TLSV1, 'tlsv1_1': TLSV1_1, 'tlsv1_2': TLSV1_2} try: sslVersion = sslVersionDict[command] except KeyError: raise Exception("PluginOpenSSLCipherSuites: Unknown command.") # Get the list of available cipher suites for the given ssl version sslClient = SslClient(sslVersion=sslVersion) sslClient.set_cipher_list('ALL:COMPLEMENTOFALL') cipher_list = sslClient.get_cipher_list() # Create a thread pool NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher thread_pool = ThreadPool() # Scan for every available cipher suite for cipher in cipher_list: thread_pool.add_job((self._test_ciphersuite, (target, sslVersion, cipher))) # Scan for the preferred cipher suite thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion))) # Start processing the jobs thread_pool.start(NB_THREADS) result_dicts = {'preferredCipherSuite':{}, 'acceptedCipherSuites':{}, 'rejectedCipherSuites':{}, 'errors':{}} # Store the results as they come for completed_job in thread_pool.get_result(): (job, result) = completed_job if result is not None: (result_type, ssl_cipher, keysize, msg) = result (result_dicts[result_type])[ssl_cipher] = (msg, keysize) # Store thread pool errors for failed_job in thread_pool.get_error(): (job, exception) = failed_job ssl_cipher = str(job[1][2]) error_msg = str(exception.__class__.__module__) + '.' \ + str(exception.__class__.__name__) + ' - ' + str(exception) result_dicts['errors'][ssl_cipher] = (error_msg, None) thread_pool.join() # Generate results return PluginBase.PluginResult(self._generate_text_output(result_dicts, command), self._generate_xml_output(result_dicts, command))
def test_cipher_list_for_differences(): from nassl.SslClient import SslClient from nassl import SSLV2, SSLV3, TLSV1, TLSV1_1, TLSV1_2 set2 = set(MAPPING2) set3 = set(MAPPING3) for sslVersion in (SSLV2, SSLV3, TLSV1, TLSV1_1, TLSV1_2): logging.info("Starting test for SSLV2") ssl_client = SslClient(sslVersion=sslVersion) ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL') current = set(ssl_client.get_cipher_list()) if sslVersion == SSLV2: statset = set2 else: statset = set3 logging.info("SSLv/TLSv (%d)" % sslVersion) logging.info("Only in currentVersion %s" % (current - statset)) logging.info("Only in statisticVersion %s" % (statset - current)) logging.info("In both versions %s" % (current & statset)) logging.info("-----")
def process_task(self, target, command, args): MAX_THREADS = 15 sslVersionDict = { 'sslv2': SSLV2, 'sslv3': SSLV3, 'tlsv1': TLSV1, 'tlsv1_1': TLSV1_1, 'tlsv1_2': TLSV1_2 } try: sslVersion = sslVersionDict[command] except KeyError: raise Exception("PluginOpenSSLCipherSuites: Unknown command.") # Get the list of available cipher suites for the given ssl version sslClient = SslClient(sslVersion=sslVersion) sslClient.set_cipher_list('ALL:COMPLEMENTOFALL') cipher_list = sslClient.get_cipher_list() # Create a thread pool NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher thread_pool = ThreadPool() # Scan for every available cipher suite for cipher in cipher_list: thread_pool.add_job( (self._test_ciphersuite, (target, sslVersion, cipher))) # Scan for the preferred cipher suite thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion))) # Start processing the jobs thread_pool.start(NB_THREADS) result_dicts = { 'preferredCipherSuite': {}, 'acceptedCipherSuites': {}, 'rejectedCipherSuites': {}, 'errors': {} } # Store the results as they come for completed_job in thread_pool.get_result(): (job, result) = completed_job if result is not None: (result_type, ssl_cipher, keysize, dh_infos, msg) = result (result_dicts[result_type])[ssl_cipher] = (msg, keysize, dh_infos) # Store thread pool errors for failed_job in thread_pool.get_error(): (job, exception) = failed_job ssl_cipher = str(job[1][2]) error_msg = str( exception.__class__.__name__) + ' - ' + str(exception) result_dicts['errors'][ssl_cipher] = (error_msg, None, None) thread_pool.join() # Generate results return PluginBase.PluginResult( self._generate_text_output(result_dicts, command), self._generate_xml_output(result_dicts, command))
def process_task(self, target, command, args): if 'algorithm' in self._shared_settings and self._shared_settings[ 'algorithm']: algorithm = self._shared_settings['algorithm'] else: algorithm = 'naive' logging.info("SUBSTART\t%s\t%s\t%s\t%s\t%s" % (datetime.utcnow(), self._shared_settings['targets_in'], target[0], command, algorithm)) MAX_THREADS = 15 sslVersionDict = { 'sslv2': SSLV2, 'sslv3': SSLV3, 'tlsv1': TLSV1, 'tlsv1_1': TLSV1_1, 'tlsv1_2': TLSV1_2 } result_dicts = { 'preferredCipherSuite': {}, 'acceptedCipherSuites': {}, 'rejectedCipherSuites': {}, 'errors': {} } try: sslVersion = sslVersionDict[command] except KeyError: raise Exception("PluginOpenSSLCipherSuites: Unknown command.") # Get the list of available cipher suites for the given ssl version sslClient = SslClient(sslVersion=sslVersion) sslClient.set_cipher_list('ALL:COMPLEMENTOFALL') cipher_list = sslClient.get_cipher_list() NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher # Create a thread pool thread_pool = ThreadPool() # First add the "pref" job to only execute it once # Scan for the preferred cipher suite if algorithm != 'connopt': thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion))) log_round_counter = 0 while (len(result_dicts['acceptedCipherSuites']) + len(result_dicts['rejectedCipherSuites']) + len(result_dicts['errors']) < len(cipher_list)): log_round_counter += 1 new_jobs = self._calculate_jobs(sslVersion, cipher_list, result_dicts, algorithm, target[2]) for job in new_jobs: thread_pool.add_job( (self._test_ciphersuite, (target, sslVersion, job))) # logging.debug("Adding following jobs:\n%s" % pprint.pformat(new_jobs)) # logging.debug("%s: round=%d, new_jobs=%d, algorithm=%s" % (sslVersion, # log_round_counter, # len(new_jobs), # algorithm)) # Start processing the jobs thread_pool.start(NB_THREADS) # Store the results as they come for completed_job in thread_pool.get_result(): (job, results) = completed_job for result in results: (result_type, ssl_cipher, keysize, dh_infos, msg) = result (result_dicts[result_type])[ssl_cipher] = (msg, keysize, dh_infos) # Store thread pool errors for failed_job in thread_pool.get_error(): (job, exception) = failed_job # job[1][2] is a list of cipher suites now ssl_ciphers = job[1][2] error_msg = str( exception.__class__.__name__) + ' - ' + str(exception) for ssl_cipher in ssl_ciphers: result_dicts['errors'][ssl_cipher] = (error_msg, None, None) thread_pool.join() # Reset thread pool thread_pool = ThreadPool() # logging.debug("ciphers total %d results a: %d, r: %d, e: %d after %d connections" % ( # len(cipher_list), # len(result_dicts['acceptedCipherSuites']), # len(result_dicts['rejectedCipherSuites']), # len(result_dicts['errors']), # self.log_connection_counter)) timedelta = datetime.now() - self.log_starttime logging.info("RESULT\t%s\t%s\t%s" % (target[0], command, ",".join( stats.get_pattern_for_result_dict(sslVersion, result_dicts)))) logging.info("SUBEND\t%s\t%s\t%s\t%s\t%s\t%s\t%s" % (datetime.utcnow(), self._shared_settings['targets_in'], target[0], command, algorithm, timedelta.total_seconds(), self.log_connection_counter)) increment(self.log_connection_counter) # Generate results return PluginBase.PluginResult( self._generate_text_output(result_dicts, command), self._generate_xml_output(result_dicts, command))
def process_task(self, target, command, args): MAX_THREADS = 15 sslVersionDict = {"sslv2": SSLV2, "sslv3": SSLV3, "tlsv1": TLSV1, "tlsv1_1": TLSV1_1, "tlsv1_2": TLSV1_2} try: sslVersion = sslVersionDict[command] except KeyError: raise Exception("PluginOpenSSLCipherSuites: Unknown command.") # Get the list of available cipher suites for the given ssl version sslClient = SslClient(sslVersion=sslVersion) sslClient.set_cipher_list("ALL:COMPLEMENTOFALL") cipher_list = sslClient.get_cipher_list() # Create a thread pool NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher thread_pool = ThreadPool() cipher_whitelist = [ "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256", "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", ] cipher_blacklist = ["RC4", "EXPORT", "DES", "aNULL", "eNULL", "MD5"] version_whitelist = ["TLSV1_1", "TLSV1_2"] version_blacklist = ["SSLV2", "SSLV3"] cdict = {"whitelist": cipher_whitelist, "blacklist": cipher_blacklist} verdict = {"whitelist": version_whitelist, "blacklist": version_blacklist} # Scan for every available cipher suite for cipher in cipher_list: thread_pool.add_job((self._test_ciphersuite, (target, sslVersion, cipher, cdict))) # Scan for the preferred cipher suite thread_pool.add_job((self._pref_ciphersuite, (target, sslVersion, cdict))) # Start processing the jobs thread_pool.start(NB_THREADS) result_dicts = { "preferredCipherSuite": {}, "acceptedCipherSuites": {}, "rejectedCipherSuites": {}, "errors": {}, } # Store the results as they come for completed_job in thread_pool.get_result(): (job, result) = completed_job if result is not None: (result_type, ssl_cipher, keysize, dh_infos, msg) = result (result_dicts[result_type])[ssl_cipher] = (msg, keysize, dh_infos) # Store thread pool errors for failed_job in thread_pool.get_error(): (job, exception) = failed_job ssl_cipher = str(job[1][2]) error_msg = str(exception.__class__.__name__) + " - " + str(exception) result_dicts["errors"][ssl_cipher] = (error_msg, None, None) thread_pool.join() # Generate results return PluginBase.PluginResult( self._generate_text_output(result_dicts, command, verdict), self._generate_xml_output(result_dicts, command, verdict), )