示例#1
0
    def process_task(self, target, command, args):

        ctSSL_initialize()
        try:
            (can_reneg, is_secure) = self._test_renegotiation(target)
        finally:
            ctSSL_cleanup()

        # Text output
        reneg_txt = 'Honored' if can_reneg else 'Rejected'
        secure_txt = 'Supported' if is_secure else 'Not supported'
        cmd_title = 'Session Renegotiation'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]

        RENEG_FORMAT = '      {0:<35} {1}'
        txt_result.append(
            RENEG_FORMAT.format('Client-initiated Renegotiations:', reneg_txt))
        txt_result.append(
            RENEG_FORMAT.format('Secure Renegotiation: ', secure_txt))

        # XML output
        xml_reneg_attr = {
            'canBeClientInitiated': str(can_reneg),
            'isSecure': str(is_secure)
        }
        xml_reneg = Element('sessionRenegotiation', attrib=xml_reneg_attr)

        xml_result = Element(command, title=cmd_title)
        xml_result.append(xml_reneg)

        return PluginBase.PluginResult(txt_result, xml_result)
    def process_task(self, target, command, args):

        ctSSL_initialize()
        try:
            (can_reneg, is_secure) = self._test_renegotiation(target)
        finally:
            ctSSL_cleanup()
        
        # Text output
        reneg_txt = 'Honored' if can_reneg else 'Rejected'
        secure_txt = 'Supported' if is_secure else 'Not supported'
        cmd_title = 'Session Renegotiation'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        
        RENEG_FORMAT = '      {0:<35} {1}'
        txt_result.append(RENEG_FORMAT.format('Client-initiated Renegotiations:', reneg_txt))
        txt_result.append(RENEG_FORMAT.format('Secure Renegotiation: ', secure_txt))
        
        # XML output
        xml_reneg_attr = {'canBeClientInitiated' : str(can_reneg),
                          'isSecure' : str(is_secure)}
        xml_reneg = Element('sessionRenegotiation', attrib = xml_reneg_attr)
        
        xml_result = Element(command, title = cmd_title)
        xml_result.append(xml_reneg)
        
        return PluginBase.PluginResult(txt_result, xml_result)
    def process_task(self, target, command, args):
        output_format = '        {0:<25} {1}'

        ctSSL_initialize(zlib=True)

        ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
        ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
                                          hello_workaround=True)

        try: # Perform the SSL handshake
            ssl_connect.connect()
            compression_status = ssl_connect._ssl.get_current_compression()
        finally:
            ssl_connect.close()
            
        ctSSL_cleanup()

        # Text output
        if compression_status:
            comp_txt = 'Enabled ' +  compression_status
            comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
        else:
            comp_txt = 'Disabled'
            comp_xml = {'isSupported':'False'}
            
        cmd_title = 'Compression'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        txt_result.append(output_format.format("Compression Support:", comp_txt))

        # XML output
        xml_el = Element('compression', comp_xml)
        xml_result = Element(command, title = cmd_title)
        xml_result.append(xml_el)

        return PluginBase.PluginResult(txt_result, xml_result)
示例#4
0
    def process_task(self, target, command, args):
        output_format = '        {0:<25} {1}'

        ctSSL_initialize(zlib=True)

        ssl_ctx = SSL_CTX.SSL_CTX('tlsv1') # sslv23 hello will fail for specific servers such as post.craigslist.org
        ssl_connect = SSLyzeSSLConnection(self._shared_settings, target,ssl_ctx,
                                          hello_workaround=True)

        try: # Perform the SSL handshake
            ssl_connect.connect()
            compression_status = ssl_connect._ssl.get_current_compression()
        finally:
            ssl_connect.close()
            
        ctSSL_cleanup()

        # Text output
        if compression_status:
            comp_txt = 'Enabled ' +  compression_status
            comp_xml = {'isSupported':'True','type':compression_status.strip('()')}
        else:
            comp_txt = 'Disabled'
            comp_xml = {'isSupported':'False'}
            
        cmd_title = 'Compression'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        txt_result.append(output_format.format("Compression Support:", comp_txt))

        # XML output
        xml_el = Element('compression', comp_xml)
        xml_result = Element(command, title = cmd_title)
        xml_result.append(xml_el)

        return PluginBase.PluginResult(txt_result, xml_result)
    def process_task(self, target, command, args):

        MAX_THREADS = 30
        
        if command in ['sslv2', 'sslv3', 'tlsv1', 'tlsv1_1', 'tlsv1_2']:
            ssl_version = command
        else:
            raise Exception("PluginOpenSSLCipherSuites: Unknown command.")

        # Get the list of available cipher suites for the given ssl version
        ctSSL_initialize(multithreading=True)
        ctx = SSL_CTX.SSL_CTX(ssl_version)
        ctx.set_cipher_list('ALL:NULL:@STRENGTH')
        ssl = SSL.SSL(ctx)
        cipher_list = ssl.get_cipher_list()

        # Create a thread pool
        NB_THREADS = min(len(cipher_list), MAX_THREADS) # One thread per cipher
        thread_pool = ThreadPool()

        # Scan for every available cipher suite
        for cipher in cipher_list:
            thread_pool.add_job((self._test_ciphersuite,
                                 (target, ssl_version, cipher)))

        # Scan for the preferred cipher suite
        thread_pool.add_job((self._pref_ciphersuite,
                             (target, ssl_version)))

        # Start processing the jobs
        thread_pool.start(NB_THREADS)

        result_dicts = {'preferredCipherSuite':{}, 'acceptedCipherSuites':{},
                        'rejectedCipherSuites':{}, 'errors':{}}
        
        # Store the results as they come
        for completed_job in thread_pool.get_result():
            (job, result) = completed_job
            if result is not None:
                (result_type, ssl_cipher, keysize, msg) = result
                (result_dicts[result_type])[ssl_cipher] = (msg, keysize)
                    
        # Store thread pool errors
        for failed_job in thread_pool.get_error():
            (job, exception) = failed_job
            ssl_cipher = str(job[1][2])
            error_msg = str(exception.__class__.__module__) + '.' \
                        + str(exception.__class__.__name__) + ' - ' + str(exception)
            result_dicts['errors'][ssl_cipher] = (error_msg, None)        
            
        thread_pool.join()
        ctSSL_cleanup()
        
        # Generate results
        return PluginBase.PluginResult(self._generate_txt_result(result_dicts, command),
                                       self._generate_xml_result(result_dicts, command))
    def process_task(self, target, command, args):

        ctSSL_initialize(multithreading=True)
        try:
            if command == 'resum':
                result = self._command_resum(target)
            elif command == 'resum_rate':
                result = self._command_resum_rate(target)
            else:
                raise Exception("PluginSessionResumption: Unknown command.")
        finally:
            ctSSL_cleanup()
            
        return result
    def process_task(self, target, command, args):

        ctSSL_initialize(multithreading=True)
        try:
            if command == 'resum':
                result = self._command_resum(target)
            elif command == 'resum_rate':
                result = self._command_resum_rate(target)
            else:
                raise Exception("PluginSessionResumption: Unknown command.")
        finally:
            ctSSL_cleanup()
            
        return result
示例#8
0
    def process_task(self, target, command, arg):

        ctSSL_initialize()
        cert_trusted = False

        try: # First verify the server's certificate
            cert = self._get_cert(target, verify_cert=True)
            cert_trusted = True

        except errors.SSLErrorSSL as e:
            # Recover the server's certificate without verifying it
            if 'certificate verify failed' in str(e.args):
                cert = self._get_cert(target, verify_cert=False)
            else:
                ctSSL_cleanup()
                raise
            
        result_dict = {'basic':     self._get_basic, 
                       'detail':     self._get_detail, 
                       'full':      self._get_full}

        (cert_txt, cert_xml) = result_dict[arg](cert)
        
        # Text output
        cmd_title = 'Certificate'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        trust_txt = 'Certificate is Trusted' if cert_trusted \
                                             else 'Certificate is NOT Trusted'

        txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
        txt_result.extend(cert_txt)

        # XML output
        xml_result = Element(self.__class__.__name__, command = command, 
                             argument = arg, title = cmd_title)
        trust_xml_attr = {'trusted-by-mozilla' : str(cert_trusted)}
        trust_xml = Element('certificate', attrib = trust_xml_attr)
        for elem_xml in cert_xml:
            trust_xml.append(elem_xml)
        xml_result.append(trust_xml)
        
        ctSSL_cleanup()
        return PluginBase.PluginResult(txt_result, xml_result)
示例#9
0
    def process_task(self, target, command, arg):

        ctSSL_initialize()
        try: # Get the certificate
             (cert, verify_result) = self._get_cert(target)
        except:
            ctSSL_cleanup()
            raise
        
        # Figure out if/why the verification failed
        untrusted_reason = None
        is_cert_trusted = True
        if verify_result != 0:
            is_cert_trusted = False
            untrusted_reason = X509_V_CODES.X509_V_CODES[verify_result]
         
        # Results formatting
        cert_parsed = X509CertificateHelper(cert)
        cert_dict = cert_parsed.parse_certificate()
        
        # Text output
        if arg == 'basic':
            cert_txt = self._get_basic_text(cert, cert_dict)
        elif arg == 'full':
            cert_txt = [cert.as_text()]
        else:
            raise Exception("PluginCertInfo: Unknown command.")
            
        fingerprint = cert.get_fingerprint()
        cmd_title = 'Certificate'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        trust_txt = 'Certificate is Trusted' if is_cert_trusted \
                                             else 'Certificate is NOT Trusted'

        is_ev = self._is_ev_certificate(cert_dict)
        if is_ev:
            trust_txt = trust_txt + ' - Extended Validation'
            
        if untrusted_reason:
            trust_txt = trust_txt + ': ' + untrusted_reason

        txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
        
        is_host_valid = self._is_hostname_valid(cert_dict, target)
        host_txt = 'OK - ' + is_host_valid + ' Matches' if is_host_valid \
                                         else 'MISMATCH'
        
        txt_result.append(self.FIELD_FORMAT.format("Hostname Validation:", host_txt))
        txt_result.append(self.FIELD_FORMAT.format('SHA1 Fingerprint:', fingerprint))
        txt_result.append('')
        txt_result.extend(cert_txt)

        # XML output: always return the full certificate
        host_xml = True if is_host_valid \
                        else False
            
        xml_result = Element(command, argument = arg, title = cmd_title)
        trust_xml_attr = {'isTrustedByMozillaCAStore' : str(is_cert_trusted),
                          'sha1Fingerprint' : fingerprint,
                          'isExtendedValidation' : str(is_ev),
                          'hasMatchingHostname' : str(host_xml)}
        if untrusted_reason:
            trust_xml_attr['reasonWhyNotTrusted'] = untrusted_reason
            
        trust_xml = Element('certificate', attrib = trust_xml_attr)
        for elem_xml in cert_parsed.parse_certificate_to_xml():
            trust_xml.append(elem_xml)
        xml_result.append(trust_xml)
        
        ctSSL_cleanup()
        return PluginBase.PluginResult(txt_result, xml_result)
示例#10
0
    def process_task(self, target, command, args):

        MAX_THREADS = 30

        if command in ['sslv2', 'sslv3', 'tlsv1', 'tlsv1_1', 'tlsv1_2']:
            ssl_version = command
        else:
            raise Exception("PluginOpenSSLCipherSuites: Unknown command.")

        # Get the list of available cipher suites for the given ssl version
        ctSSL_initialize(multithreading=True)
        ctx = SSL_CTX.SSL_CTX(ssl_version)
        ctx.set_cipher_list('ALL:NULL:@STRENGTH')
        ssl = SSL.SSL(ctx)
        cipher_list = ssl.get_cipher_list()

        # Create a thread pool
        NB_THREADS = min(len(cipher_list),
                         MAX_THREADS)  # One thread per cipher
        thread_pool = ThreadPool()

        # Scan for every available cipher suite
        for cipher in cipher_list:
            thread_pool.add_job(
                (self._test_ciphersuite, (target, ssl_version, cipher)))

        # Scan for the preferred cipher suite
        thread_pool.add_job((self._pref_ciphersuite, (target, ssl_version)))

        # Start processing the jobs
        thread_pool.start(NB_THREADS)

        result_dicts = {
            'preferredCipherSuite': {},
            'acceptedCipherSuites': {},
            'rejectedCipherSuites': {},
            'errors': {}
        }

        # Store the results as they come
        for completed_job in thread_pool.get_result():
            (job, result) = completed_job
            if result is not None:
                (result_type, ssl_cipher, keysize, msg) = result
                (result_dicts[result_type])[ssl_cipher] = (msg, keysize)

        # Store thread pool errors
        for failed_job in thread_pool.get_error():
            (job, exception) = failed_job
            ssl_cipher = str(job[1][2])
            error_msg = str(exception.__class__.__module__) + '.' \
                        + str(exception.__class__.__name__) + ' - ' + str(exception)
            result_dicts['errors'][ssl_cipher] = (error_msg, None)

        thread_pool.join()
        ctSSL_cleanup()

        # Generate results
        return PluginBase.PluginResult(
            self._generate_txt_result(result_dicts, command),
            self._generate_xml_result(result_dicts, command))
示例#11
0
    def process_task(self, target, command, arg):

        ctSSL_initialize()
        try: # Get the certificate
            (cert, verify_result) = self._get_cert(target)
        except:
            ctSSL_cleanup()
            raise
        
        # Figure out if/why the verification failed
        untrusted_reason = None
        is_cert_trusted = True
        if verify_result != 0:
            is_cert_trusted = False
            untrusted_reason = X509_V_CODES.X509_V_CODES[verify_result]
         
        # Results formatting
        cert_parsed = X509CertificateHelper(cert)
        cert_dict = cert_parsed.parse_certificate()
        
        # Text output
        if arg == 'basic':
            cert_txt = self._get_basic_text(cert, cert_dict)
        elif arg == 'full':
            cert_txt = [cert.as_text()]
        else:
            raise Exception("PluginCertInfo: Unknown command.")
            
        fingerprint = cert.get_fingerprint()
        cmd_title = 'Certificate'
        txt_result = [self.PLUGIN_TITLE_FORMAT.format(cmd_title)]
        trust_txt = 'Certificate is Trusted' if is_cert_trusted \
                                             else 'Certificate is NOT Trusted'

        is_ev = self._is_ev_certificate(cert_dict)
        if is_ev:
            trust_txt = trust_txt + ' - Extended Validation'
            
        if untrusted_reason:
            trust_txt = trust_txt + ': ' + untrusted_reason

        txt_result.append(self.FIELD_FORMAT.format("Validation w/ Mozilla's CA Store:", trust_txt))
        
        is_host_valid = self._is_hostname_valid(cert_dict, target)
        host_txt = 'OK - ' + is_host_valid + ' Matches' if is_host_valid \
                                         else 'MISMATCH'
        
        txt_result.append(self.FIELD_FORMAT.format("Hostname Validation:", host_txt))
        txt_result.append(self.FIELD_FORMAT.format('SHA1 Fingerprint:', fingerprint))
        txt_result.append('')
        txt_result.extend(cert_txt)

        # XML output: always return the full certificate
        host_xml = True if is_host_valid \
                        else False
            
        xml_result = Element(command, argument = arg, title = cmd_title)
        trust_xml_attr = {'isTrustedByMozillaCAStore' : str(is_cert_trusted),
                          'sha1Fingerprint' : fingerprint,
                          'isExtendedValidation' : str(is_ev),
                          'hasMatchingHostname' : str(host_xml)}
        if untrusted_reason:
            trust_xml_attr['reasonWhyNotTrusted'] = untrusted_reason
            
        trust_xml = Element('certificate', attrib = trust_xml_attr)
        for elem_xml in cert_parsed.parse_certificate_to_xml():
            trust_xml.append(elem_xml)
        xml_result.append(trust_xml)
        
        ctSSL_cleanup()
        return PluginBase.PluginResult(txt_result, xml_result)