summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemy <relst@relst.nl>2015-10-17 17:54:36 +0200
committerRemy <relst@relst.nl>2015-10-17 17:54:36 +0200
commit8e5234177128a8c9d47fac1b1e32147372450ff0 (patch)
tree08474225138bb88535650c51be3d36e5b01b66cb
parent80b1fb7db9e3d7356f7cbb0285250c5ecc4fe09d (diff)
downloadssl-decoder-8e5234177128a8c9d47fac1b1e32147372450ff0.zip
ssl-decoder-8e5234177128a8c9d47fac1b1e32147372450ff0.tar.gz
ssl-decoder-8e5234177128a8c9d47fac1b1e32147372450ff0.tar.bz2
version 2.9
Diffstat
-rw-r--r--CHANGELOG.md8
-rw-r--r--README.md617
-rw-r--r--functions/connection.php714
-rw-r--r--functions/json.php41
-rw-r--r--functions/parse_certificate.php199
-rw-r--r--functions/textual.php1
-rw-r--r--functions/variables.php22
-rw-r--r--functions/verify_certifitcate.php5
-rw-r--r--inc/form.php6
-rw-r--r--index.php58
-rw-r--r--js/ajax.js15
-rw-r--r--json.php3
12 files changed, 1066 insertions, 623 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 662f4cc..0a94718 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,17 @@
# Changelog
+## 2.9
+
+- Add certificate hashes (MD5, SHA1, SHA256, SHA384, SHA512).
+- Add TLSA validation check.
+- Add "fast check" option which disables connection data, dns and certificate transparancy submission to speed up the result (less remote requests).
+- Add loading cog to multiple endpoint chooser.
+
## 2.8
- Add Certificate Transparency Submission
- Small formatting changes
-
## 2.7
- Add debian weak keys check.
diff --git a/README.md b/README.md
index 2c242f4..6df975e 100644
--- a/README.md
+++ b/README.md
@@ -1,14 +1,16 @@
# SSL Decoder
-Simple PHP script which decodes an SSL connection and/or certificate and displays information.
+PHP script which decodes an SSL connection and/or certificate and displays information.
* Tries to give all the information you need instead of a rating.
* Open source, so you can self host it.
* Shows the entire certificate chain.
-* Allows to paste a CRL/Cert
-* Validates the certificate, chain, CRL and OCSP (of every cert in the chain)
-* Has easy copy-pastable PEM versions of certs
-* Ciphersuite enumeration as an option.
+* Allows to paste a CRL/Cert.
+* Allows a custom port (smtps, imaps, https, 8080, 8443, etc).
+* Validates the certificate, chain, CRL and OCSP (of every cert in the chain).
+* Has easy copy-pastable PEM versions of certs.
+* DNSSEC checks
+* Ciphersuite enumeration.
* JSON API
* Fast.
@@ -33,6 +35,9 @@ Simple PHP script which decodes an SSL connection and/or certificate and display
- Warnings for bad connection settings or certificate options
- Heartbleed test
- SNI specific testing
+- Certificate Transparency submission
+- DNSSEC check
+- Certificate Hash calculation
## Requirements
@@ -70,9 +75,9 @@ If you want to use the latest OpenSSL and your distro doesn't ship with it, you
## Demo
-See [https://tls.so](https://tls.so).
+See [https://ssldecoder.org](https://ssldecoder.org).
-<a href="https://tls.so"><img src="http://i.imgur.com/R1BQlLVm.png" /></a>
+<a href="https://ssldecoder.org"><img src="http://i.imgur.com/R1BQlLVm.png" /></a>
### License
@@ -177,6 +182,9 @@ Example Response:
"validTo": "170328111358Z",
"validFrom_time_t": "1427627638",
"validTo_time_t": "1490699638",
+ "signatureTypeSN": "RSA-SHA1",
+ "signatureTypeLN": "sha1WithRSAEncryption",
+ "signatureTypeNID": "65",
"extensions": {
"basicConstraints": "CA:TRUE",
"subjectKeyIdentifier": "AF:02:B6:2F:9D:07:8E:B8:D6:05:26:9F:4E:3C:5E:F3:EE:84:2B:34",
@@ -226,53 +234,67 @@ Example Response:
}
}
},
- "validation_type": "organisation",
+ "cert_issued_in_future": "",
+ "cert_expired": "",
+ "cert_expires_in_less_than_thirty_days": "",
+ "validation_type": "organization",
"crl": {
"1": {
"crl_uri": "http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl",
"status": "ok",
- "crl_last_update": "Mar 30 00:56:21 2015 GMT\n",
- "crl_next_update": "Apr 3 00:56:21 2015 GMT\n"
+ "crl_last_update": "Oct 17 03:05:20 2015 GMT\n",
+ "crl_next_update": "Oct 21 03:05:20 2015 GMT\n"
},
"2": {
"crl_uri": "http://crl.comodoca.com/COMODORSACertificationAuthority.crl",
"status": "ok",
- "crl_last_update": "Mar 29 19:04:22 2015 GMT\n",
- "crl_next_update": "Apr 2 19:04:22 2015 GMT\n"
+ "crl_last_update": "Oct 16 22:36:24 2015 GMT\n",
+ "crl_next_update": "Oct 20 22:36:24 2015 GMT\n"
},
"3": {
"crl_uri": "http://crl.pkioverheid.nl/RootLatestCRL-G2.crl",
"status": "ok",
- "crl_last_update": "Jan 8 10:19:45 2015 GMT\n",
- "crl_next_update": "Jan 8 10:24:45 2016 GMT\n"
+ "crl_last_update": "Oct 7 08:07:08 2015 GMT\n",
+ "crl_next_update": "Oct 6 08:07:08 2016 GMT\n"
},
"4": {
"crl_uri": "http://sr.symcb.com/sr.crl",
"status": "ok",
- "crl_last_update": "Mar 30 09:01:05 2015 GMT\n",
- "crl_next_update": "Apr 6 09:01:05 2015 GMT\n"
+ "crl_last_update": "Oct 17 09:01:05 2015 GMT\n",
+ "crl_next_update": "Oct 24 09:01:05 2015 GMT\n"
},
"5": {
"crl_uri": "http://crl.tcs.terena.org/TERENASSLCA.crl",
"status": "ok",
- "crl_last_update": "Mar 29 16:28:00 2015 GMT\n",
- "crl_next_update": "Apr 2 16:28:00 2015 GMT\n"
+ "crl_last_update": "Oct 16 19:51:43 2015 GMT\n",
+ "crl_next_update": "Oct 20 19:51:43 2015 GMT\n"
}
},
- "ocsp": "No OCSP URI found in certificate",
+ "ocsp": "No issuer cert provided. Unable to send OCSP request.",
"hostname_in_san_or_cn": "n/a; ca signing certificate",
- "serial": "3",
+ "serialNumber": "3",
+ "hash": {
+ "md5": "6b6d56a47b77e7359d4f8c70b1f111ed",
+ "sha1": "cec626a06d433e62dd58ff93c2b20276db94e94b",
+ "sha256": "d4293bf8b3e4adad6d5ffecff2df35b7cf70da1ae5ded60093d018b67ed3cd5b",
+ "sha384": "e63a3a581bafe44204d64270d28ec0a778ab7ebc4f8abed6f155e3f3915bf3f757e0511988fd5af5828fd39edd6382b7",
+ "sha512": "74241f5f1d6783988125d358eb2486ff72e6ec61efb1adce77058861a6da190eb4f03edcc4b7e0814c0a8b3763a38e8133c2d2be354b8c97febc224fcf30b355"
+ },
"key": {
"type": "rsa",
"bits": "4096",
"signature_algorithm": "sha1WithRSAEncryption",
- "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIK[...]Q7pn4iA==\n-----END CERTIFICATE-----\n",
- "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIC[...]UCAwEAAQ==\n-----END PUBLIC KEY-----\n",
+ "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIKmDCCBoCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCTkwx\nFTATBgNVBAgMDFp1aWQgSG9sbGFuZDESMBAGA1UEBwwJUm90dGVyZGFtMRowGAYD\nVQQKDBFTcGFya2xpbmcgTmV0d29yazEVMBMGA1UECwwMU3BhcmtsaW5nIENBMRUw\nEwYDVQQDDAxTcGFya2xpbmcgQ0EwHhcNMTUwMzI5MTExMzU4WhcNMTcwMzI4MTEx\nMzU4WjBvMRMwEQYDVQQDDApnb29nbGUuY29tMRIwEAYDVQQIDAlSb3R0ZXJkYW0x\nCzAJBgNVBAYTAk5MMRowGAYDVQQKDBFTcGFya2xpbmcgTmV0d29yazEbMBkGA1UE\nCwwSU3BhcmtsaW5nIFdlYnNpdGVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC\nCgKCAgEAoi3dJz7UcdbIU+fM5S44tk8MM++PguUDVnC2wviFgpg6Q+INGnAofUoe\ny+CtiqNWZyey0QO9AglEX8Q0z3eTSTf29ntBgfMUwpMkkXuXDrdH78/zh83L4VkO\nr+87cRZi4clskcIE1DJrw/bN9oyRAjWdKZfpaMtLT9ab4yWNOCqy0gzxiG7NfAfv\nvqxF6Rwg9lNVJmRqwxP54qa2ayjmqVPhBgLqpRRfE2CPxxiCb8KdYhbFVaEraXKM\nRMFans+XSD6I5e0N3BTjAf2+v6Dzjyt9sQFh/EpjqZrTe2JCwg3C44hy8RdohuN+\nt0OsvAO46Xk7cP8Z/hqxSpcvNRhcjFQ6bCv74OXInVu5pSHydARSlM0FKfhAjaVl\ncu9Q/pkQ2rhFtvpKnJr+3tZiSlRpuK0MLDLMhgWopfMzXvBAzSxDC0hXODzjHA0M\noTbW4vDmAv6bn+JXzxHsaxjkbpr1x2FRbwj8ZuwIzUIZP46iRVzZ97p+6D9LK40q\nhI50eiuFQfigqXoe5BrniQtkZi293H4dKJzvoLSAbjYB0PLD6I7zkNt8QtVDLhSz\n5u7fC890VYK9DZZP1B8RAYn91SRRFBBnJDSRgvutA/RSkXkLXviCw4oDIfijTrg4\nW35ASS5LjAOwbucKY3lsbd2lbLGcyxro9Z9aeLxZEX49X3u1dhUCAwEAAaOCAykw\nggMlMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFK8Cti+dB4641gUmn048XvPu\nhCs0MB8GA1UdIwQYMBaAFKyJWGQeqG3MO7k4TliuqefL7do3MAsGA1UdDwQEAwIF\noDATBgNVHSUEDDAKBggrBgEFBQcDATCCASQGA1UdHwSCARswggEXMEmgR6BFhkNo\ndHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9u\nU2VjdXJlU2VydmVyQ0EuY3JsMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv\nbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDA0oDKgMIYuaHR0\ncDovL2NybC5wa2lvdmVyaGVpZC5ubC9Sb290TGF0ZXN0Q1JMLUcyLmNybDAgoB6g\nHIYaaHR0cDovL3NyLnN5bWNiLmNvbS9zci5jcmwwL6AtoCuGKWh0dHA6Ly9jcmwu\ndGNzLnRlcmVuYS5vcmcvVEVSRU5BU1NMQ0EuY3JsMFEGA1UdEQRKMEiCCyouZ29v\nZ2xlLm5sggpnb29nbGUuY29tggwqLmdvb2dsZS5jb22CBSouY29tggpyYXltaWku\nb3JnggwqLnJheW1paS5vcmcwggEzBggrBgEFBQcBAQSCASUwggEhME8GCCsGAQUF\nBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxp\nZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCYGCCsGAQUFBzAChhpodHRwOi8vc3Iu\nc3ltY2IuY29tL3NyLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv\nY2EuY29tMDcGCCsGAQUFBzABhitodHRwOi8vb2NzcC5kaWdpZGVudGl0eS5ldS9M\nNC9zZXJ2aWNlcy9vY3NwMB8GCCsGAQUFBzABhhNodHRwOi8vc3Iuc3ltY2QuY29t\nMCYGCCsGAQUFBzABhhpodHRwOi8vb2NzcC50Y3MudGVyZW5hLm9yZzANBgkqhkiG\n9w0BAQUFAAOCBAEAWM5iu/7PUCJyhN3nR77FxCWanLeAIWU8NJEpspjZgjH5j0Oc\n8mqYmJEzfrIg4O/9ZoqrUV1OiDW7fyf7DHW9yTwmcc/wute05TRN3dtUXmzNMk6B\nBfaBbwuXjL8ZEZcZnHKSvWxMmqG2Rx3csA68I53qluedP2b61dQiTwiBa1SH4v3G\n78ZeJi03RSoB6Fbn6l+cIfPNI877d+pzOvBs05Vj57bdb+7Ji0lzDWQNV7uuc3/R\nWVEfZv0ErBgVxlI3EautBQaGZCf1ltwyo2n8wTkVou6wFIX5K4LkWOYuSiu/cgB3\n+Ol21TGZf+oqhMCkmYp313MSbu8HUO7COpJI0B4IZ4Zm+YelKGjhDX8bx5l4TrGh\nfbsuoHpesRx3/zEnoP4VGAkuN7H5PALhF3G/RI8jKwBdLA3ANhochqsICmvu9Li2\nSJAxT87/h4azUYGvd9ZnEWl5rMSqZkFtZhw0y/PVKgw0rXuaVfvqqSuETeq6gGp1\nLYtJUq4LO4Yvg7QXxa1qCeZmTbea+QmE+Wsi0jPYQ3LkLkOpDh9nsuY3Ru7f+gIB\ndELs2TTpOKcg7eKLEpv8JGLXv0NYwc1aqKyL6jycjeGCC9riw8Xla3ZLgAx4IJyM\nJV7qRUxg4jMK+pQd5q1Z3RX5PIwPdzFkHdBnPH6k7GCOqEzQnmR8Hql9xUwi5svM\niitX4Y7FbXW1zxzaBX6SLCfE60lUhSh7ik+b9TK77Gg/uLDmdanXpFguSezGCHZ2\njL4mYLeXWV88WVXEH4tmXsCQrQsmnlcTAJpvXW7NvV8lCjqh3RbXXG7RHd2IEWfr\nZAAaT+nwNIW/x8mXJxUx9RpCKVS+Cm8Q/jDHT9X7DxdHlzzzvN+rv8yy6P/p8HGP\nY84H84qVP9uQgoAxArKRIVIO7ZjaT38V5tlidTxjyf38y0E/HV+LM2vjl3wsefQw\nU8dzNGCNvEWycVrBrZArjITkHFMq/3VUODlX4M3GTZ4XuZR+EGB0kF3uyApE/fLX\nP4qzfsTw/0p0Xn7K/f3HsYyyXbh17sR761gbQCXHJN1YE0F5U4F7DESgbhWZrLJ6\ntCG5Np/mrQ7rKIJxKqSdSKicKYgi0lSk0bq9eF0QLDvECiCiEDT33D8ju+KjPXie\nd6bddv3wUguPUOg7hYr1DLaRwZ9FtfM2UqYtEQxwuebDragUY2gO0tT2wtqNFhwl\nXnPFJhWi3Atz/cjvdlktvhhaqHJLUkmaXVsgys470rUUq+JETCUVM8dKYfC3Nir1\nPcl+ic8lyHLRserIynKLsnYlCgMb6DdbyMXWUUe2OGuUvz9OI09VjY8vAnKfM0E0\nQ3aqS6U2xoswso+ov1HkVOOlcNFpJAqQ7pn4iA==\n-----END CERTIFICATE-----\n",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoi3dJz7UcdbIU+fM5S44\ntk8MM++PguUDVnC2wviFgpg6Q+INGnAofUoey+CtiqNWZyey0QO9AglEX8Q0z3eT\nSTf29ntBgfMUwpMkkXuXDrdH78/zh83L4VkOr+87cRZi4clskcIE1DJrw/bN9oyR\nAjWdKZfpaMtLT9ab4yWNOCqy0gzxiG7NfAfvvqxF6Rwg9lNVJmRqwxP54qa2ayjm\nqVPhBgLqpRRfE2CPxxiCb8KdYhbFVaEraXKMRMFans+XSD6I5e0N3BTjAf2+v6Dz\njyt9sQFh/EpjqZrTe2JCwg3C44hy8RdohuN+t0OsvAO46Xk7cP8Z/hqxSpcvNRhc\njFQ6bCv74OXInVu5pSHydARSlM0FKfhAjaVlcu9Q/pkQ2rhFtvpKnJr+3tZiSlRp\nuK0MLDLMhgWopfMzXvBAzSxDC0hXODzjHA0MoTbW4vDmAv6bn+JXzxHsaxjkbpr1\nx2FRbwj8ZuwIzUIZP46iRVzZ97p+6D9LK40qhI50eiuFQfigqXoe5BrniQtkZi29\n3H4dKJzvoLSAbjYB0PLD6I7zkNt8QtVDLhSz5u7fC890VYK9DZZP1B8RAYn91SRR\nFBBnJDSRgvutA/RSkXkLXviCw4oDIfijTrg4W35ASS5LjAOwbucKY3lsbd2lbLGc\nyxro9Z9aeLxZEX49X3u1dhUCAwEAAQ==\n-----END PUBLIC KEY-----\n",
"spki_hash": "MQEUI8vhXsSgP7y58AWpE3xfqepYOHILKdHRewQSWkE="
- }
+ },
+ "warning": [
+ "SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better."
+ ]
}
}
- }
+ },
+ "version": "2.9"
}
@@ -280,97 +302,76 @@ Example Response:
Params:
- - `host:ip` = Hostname:IP address
+ - `host:ip` = Hostname:IP address (both required)
- `port` = port to test (443, 993, 465, 8443 etc).
- - ciphersuites = 1 to enumerate ciphersuites supported by the tested server. Takes longer. If not specified or not 1, ciphersuites will not be tested, used ciphersuite will be reported.
+ - `fastcheck` = 1 for fast check, anything else for regular check. Limited connection data enumeration, no certificate transparency submission. Only applicable when host:ip is used.
-Port is optional and defaults to 443. Ciphersuites is optional and defaults to 0.
+Port is optional and defaults to 443. Fastcheck is optional and defaults to 0.
-Example request:
+Example fast request:
- json.php?host=mijn.ing.nl&ciphersuites=1
+ json.php?host=xs4all.nl:194.109.6.93&port=443&fastcheck=1
-Example response:
+Example fast response:
{
"data": {
"connection": {
- "chain": {
- "0": {
- "name": "mijn.ing.nl",
- "issuer": "Symantec Class 3 EV SSL CA - G3"
- },
- "1": {
- "name": "Symantec Class 3 EV SSL CA - G3",
- "issuer": "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "checked_hostname": "xs4all.nl",
+ "chain": [
+ {
+ "name": "*.xs4all.nl",
+ "issuer": "GlobalSign Domain Validation CA - SHA256 - G2"
},
- "validation": {
- "status": "success"
+ {
+ "name": "GlobalSign Domain Validation CA - SHA256 - G2",
+ "issuer": "GlobalSign Root CA"
}
+ ],
+ "validation": {
+ "status": "success"
},
- "ip": "145.221.194.139",
- "hostname": "145.221.194.139",
+ "ip": "194.109.6.93",
+ "hostname": "xs4all.nl",
"port": "443",
- "protocols": {
- "tlsv1.2": "1",
- "tlsv1.1": "",
- "tlsv1.0": "1",
- "sslv3": ""
- },
- "supported_ciphersuites": [
- "AES256-SHA256",
- "AES256-SHA",
- "AES128-SHA256",
- "AES128-SHA",
- "DES-CBC3-SHA"
- ],
- "tls_fallback_scsv": "unsupported",
- "strict_transport_security": "max-age=31622400",
- "public_key_pins": "not set",
- "ocsp_stapling": "not set",
- "openssl_version": "OpenSSL 1.0.2a 19 Mar 2015\n",
- "datetime_rfc2822": "Mon, 30 Mar 2015 12:18:11 +0200\n"
+ "openssl_version": "OpenSSL 1.0.1e-fips 11 Feb 2013\n",
+ "datetime_rfc2822": "Sat, 17 Oct 2015 17:34:10 +0200\n"
},
"chain": {
"1": {
"cert_data": {
- "name": "/jurisdictionC=NL/businessCategory=Private Organization/serialNumber=33031431/C=NL/postalCode=1102 MG/ST=Noord-Holland/L=Amsterdam Zuidoost/street=Bijlmerplein 888/O=ING BANK N.V./OU=Retail/CN=mijn.ing.nl",
+ "name": "/C=NL/OU=Domain Control Validated/CN=*.xs4all.nl",
"subject": {
- "jurisdictionC": "NL",
- "businessCategory": "Private Organization",
- "serialNumber": "33031431",
"C": "NL",
- "postalCode": "1102 MG",
- "ST": "Noord-Holland",
- "L": "Amsterdam Zuidoost",
- "street": "Bijlmerplein 888",
- "O": "ING BANK N.V.",
- "OU": "Retail",
- "CN": "mijn.ing.nl"
+ "OU": "Domain Control Validated",
+ "CN": "*.xs4all.nl"
},
- "hash": "0ede29ea",
+ "hash": "1b6ff7eb",
"issuer": {
- "C": "US",
- "O": "Symantec Corporation",
- "OU": "Symantec Trust Network",
- "CN": "Symantec Class 3 EV SSL CA - G3"
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "CN": "GlobalSign Domain Validation CA - SHA256 - G2"
},
"version": "2",
- "serialNumber": "58839941462596964668433973121388685875",
- "validFrom": "140918000000Z",
- "validTo": "161029235959Z",
- "validFrom_time_t": "1410998400",
- "validTo_time_t": "1477785599",
+ "serialNumber": "1492413605911531362906337146940506873397418",
+ "validFrom": "141128145702Z",
+ "validTo": "170707133301Z",
+ "validFrom_time_t": "1417186622",
+ "validTo_time_t": "1499434381",
+ "signatureTypeSN": "RSA-SHA256",
+ "signatureTypeLN": "sha256WithRSAEncryption",
+ "signatureTypeNID": "668",
"extensions": {
- "subjectAltName": "DNS:mijn.ing.nl",
- "basicConstraints": "CA:FALSE",
"keyUsage": "Digital Signature, Key Encipherment",
+ "certificatePolicies": "Policy: 2.23.140.1.2.1\n CPS: https://www.globalsign.com/repository/\n",
+ "subjectAltName": "DNS:*.xs4all.nl, DNS:xs4all.nl",
+ "basicConstraints": "CA:FALSE",
"extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
- "certificatePolicies": "Policy: 2.16.840.1.113733.1.7.23.6\n CPS: https://d.symcb.com/cps\n User Notice:\n Explicit Text: https://d.symcb.com/rpa\n",
- "authorityKeyIdentifier": "keyid:01:59:AB:E7:DD:3A:0B:59:A6:64:63:D6:CF:20:07:57:D5:91:E7:6A\n",
- "crlDistributionPoints": "\nFull Name:\n URI:http://sr.symcb.com/sr.crl\n",
- "authorityInfoAccess": "OCSP - URI:http://sr.symcd.com\nCA Issuers - URI:http://sr.symcb.com/sr.crt\n"
+ "crlDistributionPoints": "\nFull Name:\n URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl\n",
+ "authorityInfoAccess": "CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt\nOCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2\n",
+ "subjectKeyIdentifier": "80:38:0D:6B:57:B3:D5:98:E9:10:29:8E:5E:70:5C:B0:D2:CF:9E:93",
+ "authorityKeyIdentifier": "keyid:EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F\n"
},
"purposes": {
"sslclient": {
@@ -411,68 +412,85 @@ Example response:
}
}
},
- "validation_type": "extended",
+ "cert_issued_in_future": "",
+ "cert_expired": "",
+ "cert_expires_in_less_than_thirty_days": "",
+ "validation_type": "domain",
+ "issuer_valid": "1",
"crl": {
"1": {
- "crl_uri": "http://sr.symcb.com/sr.crl",
+ "crl_uri": "http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl",
"status": "ok",
- "crl_last_update": "Mar 30 09:01:05 2015 GMT\n",
- "crl_next_update": "Apr 6 09:01:05 2015 GMT\n"
+ "crl_last_update": "Oct 16 23:00:00 2015 GMT\n",
+ "crl_next_update": "Oct 23 23:00:00 2015 GMT\n"
}
},
"ocsp": {
"1": {
"status": "good",
- "this_update": "Mar 27 09:39:42 2015 GMT",
- "next_update": "Apr 3 09:39:42 2015 GMT",
- "ocsp_uri": "http://sr.symcd.com"
+ "this_update": "Oct 17 12:11:04 2015 GMT",
+ "next_update": "Oct 18 00:11:04 2015 GMT",
+ "ocsp_uri": "http://ocsp2.globalsign.com/gsdomainvalsha2g2"
}
},
- "hostname_in_san_or_cn": "false",
- "serial": "319",
+ "hostname_checked": "xs4all.nl",
+ "hostname_in_san_or_cn": "true",
+ "serialNumber": "11:21:CF:35:4D:B8:66:6D:0C:BD:89:2D:DA:C8:AA:32:00:AA",
+ "hash": {
+ "md5": "f727346b711a0147b083a2499ef6fa6c",
+ "sha1": "4b8372cc8fe4bd48732e226d58dfb3aed1117b97",
+ "sha256": "223a6659d06e9a81390938659e9ef241579e82b820d6afd8e17d548aedea3f13",
+ "sha384": "746f62592a7204b26c584547dfff943b79efb862ab8f9fd748261e2d70838caf8c8b73ce7aa07ec85958419fd2670ccc",
+ "sha512": "790edcc263f90fd8c43d0bafc4bdb7f36f0609795bf0bb0c1e4cdc68bf3e716b389e58a914d4cbc91d277fd77dd5f2e2cea057dbee6b8fc0bc2e8cf27d2aa6e5"
+ },
+ "tlsa": {
+ "tlsa_hash": "223a6659d06e9a81390938659e9ef241579e82b820d6afd8e17d548aedea3f13",
+ "tlsa_usage": "1",
+ "tlsa_selector": "0",
+ "tlsa_matching_type": "1",
+ "error": "none"
+ },
"key": {
"type": "rsa",
- "bits": "2048",
+ "bits": "3072",
"signature_algorithm": "sha256WithRSAEncryption",
- "certificate_pem": "-----BEGIN CERTIFICATE-----\nMII[...]5rbdag==\n-----END CERTIFICATE-----\n",
- "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMII[...]DAQAB\n-----END PUBLIC KEY-----\n",
- "spki_hash": "Y4ViGKugRm0tW3lflAY9ZGTj6xga6CtiZpMwzbCZARs="
+ "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIFfDCCBGSgAwIBAgISESHPNU24Zm0MvYkt2siqMgCqMA0GCSqGSIb3DQEBCwUA\nMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD\nVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g\nRzIwHhcNMTQxMTI4MTQ1NzAyWhcNMTcwNzA3MTMzMzAxWjBGMQswCQYDVQQGEwJO\nTDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAsq\nLnhzNGFsbC5ubDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKeQ1ChO\nYwwmNtUCYtVOjBs0fYyFXxsgdvcYlCrUzwkStH5s/aOGKnH/VnR/6UJRGVHHyBYY\nAfxLLYOlnWNoe4NJBQw9BI0FOlbi7d99iVGSgmJVEYwbFspnpJ6NoIUY+yVMnV51\npPYPPHOxQX0xs6GnGpY+XE7TUueqqHuicFtgAe/7OUWo8sNgNE6JMewM5Y5JsRhh\nELTj938x6EeYybR+PZq5f5YS423ElGGn27w+8VK8/hcWQyoB8bgjRrory5GaaWg0\nKCF/9WC9vUbqhfMLzCy4YmfrHSrensKksrxP4/QbhsMTgTZ8FdNlNmi+f6ZMiD3l\n56vGuyaDLONNzCgY3wylI/561SNFtJmc7zMHp6B7Zlqug6rGPZbRfYJaGHYuYLhx\nKba1YWGOy6KBNuS4DfRDElUyuT1F7Jij1q2qcn40OBrVTDIyAnbMFAjyzRLBaFeR\nea8ykdevLPRO/Wnu6fp8d77SR4jEI2i3wFwm83sK/hqIO9ILq03+/d7T1wIDAQAB\no4IByDCCAcQwDgYDVR0PAQH/BAQDAgWgMEkGA1UdIARCMEAwPgYGZ4EMAQIBMDQw\nMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRv\ncnkvMCEGA1UdEQQaMBiCCyoueHM0YWxsLm5sggl4czRhbGwubmwwCQYDVR0TBAIw\nADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQwYDVR0fBDwwOjA4oDag\nNIYyaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbHNoYTJn\nMi5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMEcGCCsGAQUFBzAChjtodHRwOi8vc2Vj\ndXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2RvbWFpbnZhbHNoYTJnMnIxLmNy\ndDA5BggrBgEFBQcwAYYtaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzZG9t\nYWludmFsc2hhMmcyMB0GA1UdDgQWBBSAOA1rV7PVmOkQKY5ecFyw0s+ekzAfBgNV\nHSMEGDAWgBTqTnzUgC3lFYGGJoyCbcCYpM+XDzANBgkqhkiG9w0BAQsFAAOCAQEA\nFZZXPetKakrpMsZQGvr4W8ozBaZjx1HAjXDplq3q5u7fan4D7K5l++amy5GgYy4K\nETtpHm1KCXg15fysdZfzsL5TBu9IfpMNLMcMUqDZ+BBdJf3ajObYWMfA1IM45ekb\nMgaYZkX62hSuJADfAPwtIHohqAGJ8qH1WRpdakCEezgNx/reTUGpepZT3AWxDfJ9\n68P9dmIV30EUnrscJ22g8K53Pl47YYCEtBdrIw9KvX4Pi0x/ff+aN8lA+gFg9/8T\nulKeDQBOk1PHedes/HxugDxUEEqgSq7/sEoMGceywkczgvIi3vPuK1ClpwmBUjSs\nsLMOjC48NYY10+xsfcddbA==\n-----END CERTIFICATE-----\n",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAp5DUKE5jDCY21QJi1U6M\nGzR9jIVfGyB29xiUKtTPCRK0fmz9o4Yqcf9WdH/pQlEZUcfIFhgB/Estg6WdY2h7\ng0kFDD0EjQU6VuLt332JUZKCYlURjBsWymekno2ghRj7JUydXnWk9g88c7FBfTGz\noacalj5cTtNS56qoe6JwW2AB7/s5Rajyw2A0Tokx7AzljkmxGGEQtOP3fzHoR5jJ\ntH49mrl/lhLjbcSUYafbvD7xUrz+FxZDKgHxuCNGuivLkZppaDQoIX/1YL29RuqF\n8wvMLLhiZ+sdKt6ewqSyvE/j9BuGwxOBNnwV02U2aL5/pkyIPeXnq8a7JoMs403M\nKBjfDKUj/nrVI0W0mZzvMwenoHtmWq6DqsY9ltF9gloYdi5guHEptrVhYY7LooE2\n5LgN9EMSVTK5PUXsmKPWrapyfjQ4GtVMMjICdswUCPLNEsFoV5F5rzKR168s9E79\nae7p+nx3vtJHiMQjaLfAXCbzewr+Gog70gurTf793tPXAgMBAAE=\n-----END PUBLIC KEY-----\n",
+ "spki_hash": "AjyEDlnyvgr9VisPwMkyfWzhfSlGRgPNBcMzFeXIVJc="
}
},
"2": {
"cert_data": {
- "name": "/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3",
+ "name": "/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2",
"subject": {
- "C": "US",
- "O": "Symantec Corporation",
- "OU": "Symantec Trust Network",
- "CN": "Symantec Class 3 EV SSL CA - G3"
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "CN": "GlobalSign Domain Validation CA - SHA256 - G2"
},
- "hash": "a0f7ac3e",
+ "hash": "d7d634d4",
"issuer": {
- "C": "US",
- "O": "VeriSign, Inc.",
- "OU": [
- "VeriSign Trust Network",
- "(c) 2006 VeriSign, Inc. - For authorized use only"
- ],
- "CN": "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "OU": "Root CA",
+ "CN": "GlobalSign Root CA"
},
"version": "2",
- "serialNumber": "168652503989349361584430187274382793396",
- "validFrom": "131031000000Z",
- "validTo": "231030235959Z",
- "validFrom_time_t": "1383177600",
- "validTo_time_t": "1698710399",
+ "serialNumber": "4835703278459909592596000",
+ "validFrom": "140220100000Z",
+ "validTo": "240220100000Z",
+ "validFrom_time_t": "1392890400",
+ "validTo_time_t": "1708423200",
+ "signatureTypeSN": "RSA-SHA256",
+ "signatureTypeLN": "sha256WithRSAEncryption",
+ "signatureTypeNID": "668",
"extensions": {
- "authorityInfoAccess": "OCSP - URI:http://s2.symcb.com\n",
- "basicConstraints": "CA:TRUE, pathlen:0",
- "certificatePolicies": "Policy: X509v3 Any Policy\n CPS: http://www.symauth.com/cps\n User Notice:\n Explicit Text: http://www.symauth.com/rpa\n",
- "crlDistributionPoints": "\nFull Name:\n URI:http://s1.symcb.com/pca3-g5.crl\n",
"keyUsage": "Certificate Sign, CRL Sign",
- "subjectAltName": "DirName: CN = SymantecPKI-1-533",
- "subjectKeyIdentifier": "01:59:AB:E7:DD:3A:0B:59:A6:64:63:D6:CF:20:07:57:D5:91:E7:6A",
- "authorityKeyIdentifier": "keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33\n"
+ "basicConstraints": "CA:TRUE, pathlen:0",
+ "subjectKeyIdentifier": "EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F",
+ "certificatePolicies": "Policy: X509v3 Any Policy\n CPS: https://www.globalsign.com/repository/\n",
+ "crlDistributionPoints": "\nFull Name:\n URI:http://crl.globalsign.net/root.crl\n",
+ "authorityInfoAccess": "OCSP - URI:http://ocsp.globalsign.com/rootr1\n",
+ "authorityKeyIdentifier": "keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B\n"
},
"purposes": {
"sslclient": {
@@ -513,67 +531,247 @@ Example response:
}
}
},
- "validation_type": "organisation",
+ "cert_issued_in_future": "",
+ "cert_expired": "",
+ "cert_expires_in_less_than_thirty_days": "",
+ "validation_type": "organization",
"crl": {
"1": {
- "crl_uri": "http://s1.symcb.com/pca3-g5.crl",
+ "crl_uri": "http://crl.globalsign.net/root.crl",
"status": "ok",
- "crl_last_update": "Mar 18 00:00:00 2015 GMT\n",
- "crl_next_update": "Jun 30 23:59:59 2015 GMT\n"
+ "crl_last_update": "Oct 7 00:00:00 2015 GMT\n",
+ "crl_next_update": "Jan 15 00:00:00 2016 GMT\n"
+ }
+ },
+ "ocsp": "No issuer cert provided. Unable to send OCSP request.",
+ "hostname_in_san_or_cn": "n/a; ca signing certificate",
+ "serialNumber": "40:00:00:00:00:14:44:EF:03:E2:0",
+ "hash": {
+ "md5": "ecf535c505b7752b0af188a915a23786",
+ "sha1": "736a4dc679d682da321563647c60f699f0dfc268",
+ "sha256": "bfdf4cf3f143ad0db912d8ab3a7c12f617b9ea60ce8b1f4e44f74270fb21b19b",
+ "sha384": "ad0a47cb5aacce9fb4549b4d586dd552cb5201192cfad8997eaab2ef4d9d489b432cecbf3a57f70d6c725aefdc265053",
+ "sha512": "0418e33fed6724155d2a6c702f99e2e8c9b0b7fd163d9b5c7afce9f01cb151242ae7a0111dbafee1948c5e05b928106c639ac0f3663abea2abcea83b2e3c1a0d"
+ },
+ "key": {
+ "type": "rsa",
+ "bits": "2048",
+ "signature_algorithm": "sha256WithRSAEncryption",
+ "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG\nA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\nb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw\nMDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\nYWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0\naW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC\njn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG\nExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX\nqa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It\nINH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4\ntmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC\nAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A\nmKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v\nd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG\nImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE\nMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290\ncjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL\nBQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex\n4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE\nGwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj\nH6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj\ntywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6\nEjxS1QSCVS1npd+3lXzuP8MIugS+wEY=\n-----END CERTIFICATE-----\n",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqd3MDrPiMjndSSKoE2mT\nh4jhDO5xfb2Qh5ZdWfLMs9JYV1f5Ru9sJtg2Qo5+MLMvmj5Tex9utqJMRR880xWT\nHIntPPRX3sq97AaaaiqgGVJ/UdF0OQifq+vXhhMVl642w1RmDlryoHOFMeOyZBRq\n/6WijiS7vYVSFaJ57vC17j249H2AvNmQNWW4F6mts5ifoH59bvs/rXzCG1k2lto3\nMktLXTUCY47bp89i7swu1I3JvTxqkXKiIqdyLSDR+so32hiY5hYkcSVLxOV7iVIJ\nAv1ZKwRuygeB1LPa2tvjzICoVgcGfJYIN53bOLZiNJFiB3QBONhyMOLrkHEmYsBX\n8wIDAQAB\n-----END PUBLIC KEY-----\n",
+ "spki_hash": "PL1/TTDEe9Cm2lb2X0tixyQC7zaPREm/V0IHJscTCmw="
+ }
+ }
+ },
+ "certificate_transparency": []
+ },
+ "version": "2.9"
+ }
+
+Example regular request:
+
+ json.php?host=xs4all.nl:194.109.6.93&port=443
+
+Example regular response:
+
+ {
+ "data": {
+ "connection": {
+ "checked_hostname": "xs4all.nl",
+ "chain": [
+ {
+ "name": "*.xs4all.nl",
+ "issuer": "GlobalSign Domain Validation CA - SHA256 - G2"
+ },
+ {
+ "name": "GlobalSign Domain Validation CA - SHA256 - G2",
+ "issuer": "GlobalSign Root CA"
+ }
+ ],
+ "validation": {
+ "status": "success"
+ },
+ "ip": "194.109.6.93",
+ "hostname": "xs4all.nl",
+ "port": "443",
+ "heartbleed": "not_vulnerable",
+ "compression": "",
+ "protocols": {
+ "tlsv1.2": "1",
+ "tlsv1.1": "1",
+ "tlsv1.0": "1",
+ "sslv3": "",
+ "sslv2": ""
+ },
+ "used_ciphersuite": {
+ "name": "ECDHE-RSA-AES256-GCM-SHA384",
+ "bits": "256"
+ },
+ "tls_fallback_scsv": "supported",
+ "strict_transport_security": "not set",
+ "warning": [
+ "HTTP Strict Transport Security not set.",
+ "OCSP Stapling not enabled."
+ ],
+ "public_key_pins": "not set",
+ "ocsp_stapling": "not set",
+ "heartbeat": "1",
+ "openssl_version": "OpenSSL 1.0.1e-fips 11 Feb 2013\n",
+ "datetime_rfc2822": "Sat, 17 Oct 2015 17:34:58 +0200\n"
+ },
+ "chain": {
+ "1": {
+ "cert_data": {
+ "name": "/C=NL/OU=Domain Control Validated/CN=*.xs4all.nl",
+ "subject": {
+ "C": "NL",
+ "OU": "Domain Control Validated",
+ "CN": "*.xs4all.nl"
+ },
+ "hash": "1b6ff7eb",
+ "issuer": {
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "CN": "GlobalSign Domain Validation CA - SHA256 - G2"
+ },
+ "version": "2",
+ "serialNumber": "1492413605911531362906337146940506873397418",
+ "validFrom": "141128145702Z",
+ "validTo": "170707133301Z",
+ "validFrom_time_t": "1417186622",
+ "validTo_time_t": "1499434381",
+ "signatureTypeSN": "RSA-SHA256",
+ "signatureTypeLN": "sha256WithRSAEncryption",
+ "signatureTypeNID": "668",
+ "extensions": {
+ "keyUsage": "Digital Signature, Key Encipherment",
+ "certificatePolicies": "Policy: 2.23.140.1.2.1\n CPS: https://www.globalsign.com/repository/\n",
+ "subjectAltName": "DNS:*.xs4all.nl, DNS:xs4all.nl",
+ "basicConstraints": "CA:FALSE",
+ "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
+ "crlDistributionPoints": "\nFull Name:\n URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl\n",
+ "authorityInfoAccess": "CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt\nOCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2\n",
+ "subjectKeyIdentifier": "80:38:0D:6B:57:B3:D5:98:E9:10:29:8E:5E:70:5C:B0:D2:CF:9E:93",
+ "authorityKeyIdentifier": "keyid:EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F\n"
+ },
+ "purposes": {
+ "sslclient": {
+ "ca": "",
+ "general": "1"
+ },
+ "sslserver": {
+ "ca": "",
+ "general": "1"
+ },
+ "nssslserver": {
+ "ca": "",
+ "general": "1"
+ },
+ "smimesign": {
+ "ca": "",
+ "general": ""
+ },
+ "smimeencrypt": {
+ "ca": "",
+ "general": ""
+ },
+ "crlsign": {
+ "ca": "",
+ "general": ""
+ },
+ "any": {
+ "ca": "1",
+ "general": "1"
+ },
+ "ocsphelper": {
+ "ca": "",
+ "general": "1"
+ },
+ "timestampsign": {
+ "ca": "",
+ "general": ""
+ }
+ }
+ },
+ "cert_issued_in_future": "",
+ "cert_expired": "",
+ "cert_expires_in_less_than_thirty_days": "",
+ "validation_type": "domain",
+ "issuer_valid": "1",
+ "crl": {
+ "1": {
+ "crl_uri": "http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl",
+ "status": "ok",
+ "crl_last_update": "Oct 16 23:00:00 2015 GMT\n",
+ "crl_next_update": "Oct 23 23:00:00 2015 GMT\n"
}
},
"ocsp": {
"1": {
"status": "good",
- "this_update": "Mar 30 08:09:41 2015 GMT",
- "next_update": "Apr 6 08:09:41 2015 GMT",
- "ocsp_uri": "http://s2.symcb.com"
+ "this_update": "Oct 17 12:11:04 2015 GMT",
+ "next_update": "Oct 18 00:11:04 2015 GMT",
+ "ocsp_uri": "http://ocsp2.globalsign.com/gsdomainvalsha2g2"
}
},
- "hostname_in_san_or_cn": "n/a; ca signing certificate",
- "serial": "105",
+ "hostname_checked": "xs4all.nl",
+ "hostname_in_san_or_cn": "true",
+ "serialNumber": "11:21:CF:35:4D:B8:66:6D:0C:BD:89:2D:DA:C8:AA:32:00:AA",
+ "hash": {
+ "md5": "f727346b711a0147b083a2499ef6fa6c",
+ "sha1": "4b8372cc8fe4bd48732e226d58dfb3aed1117b97",
+ "sha256": "223a6659d06e9a81390938659e9ef241579e82b820d6afd8e17d548aedea3f13",
+ "sha384": "746f62592a7204b26c584547dfff943b79efb862ab8f9fd748261e2d70838caf8c8b73ce7aa07ec85958419fd2670ccc",
+ "sha512": "790edcc263f90fd8c43d0bafc4bdb7f36f0609795bf0bb0c1e4cdc68bf3e716b389e58a914d4cbc91d277fd77dd5f2e2cea057dbee6b8fc0bc2e8cf27d2aa6e5"
+ },
+ "tlsa": {
+ "tlsa_hash": "223a6659d06e9a81390938659e9ef241579e82b820d6afd8e17d548aedea3f13",
+ "tlsa_usage": "1",
+ "tlsa_selector": "0",
+ "tlsa_matching_type": "1",
+ "error": "none"
+ },
"key": {
"type": "rsa",
- "bits": "2048",
+ "bits": "3072",
"signature_algorithm": "sha256WithRSAEncryption",
- "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIF[...]tO7w+Q==\n-----END CERTIFICATE-----\n",
- "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMII[...]ww0\nDwIDAQAB\n-----END PUBLIC KEY-----\n",
- "spki_hash": "gMxWOrX4PMQesK9qFNbYBxjBfjUvlkn/vN1n+L9lE5E="
+ "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIFfDCCBGSgAwIBAgISESHPNU24Zm0MvYkt2siqMgCqMA0GCSqGSIb3DQEBCwUA\nMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD\nVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g\nRzIwHhcNMTQxMTI4MTQ1NzAyWhcNMTcwNzA3MTMzMzAxWjBGMQswCQYDVQQGEwJO\nTDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAsq\nLnhzNGFsbC5ubDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKeQ1ChO\nYwwmNtUCYtVOjBs0fYyFXxsgdvcYlCrUzwkStH5s/aOGKnH/VnR/6UJRGVHHyBYY\nAfxLLYOlnWNoe4NJBQw9BI0FOlbi7d99iVGSgmJVEYwbFspnpJ6NoIUY+yVMnV51\npPYPPHOxQX0xs6GnGpY+XE7TUueqqHuicFtgAe/7OUWo8sNgNE6JMewM5Y5JsRhh\nELTj938x6EeYybR+PZq5f5YS423ElGGn27w+8VK8/hcWQyoB8bgjRrory5GaaWg0\nKCF/9WC9vUbqhfMLzCy4YmfrHSrensKksrxP4/QbhsMTgTZ8FdNlNmi+f6ZMiD3l\n56vGuyaDLONNzCgY3wylI/561SNFtJmc7zMHp6B7Zlqug6rGPZbRfYJaGHYuYLhx\nKba1YWGOy6KBNuS4DfRDElUyuT1F7Jij1q2qcn40OBrVTDIyAnbMFAjyzRLBaFeR\nea8ykdevLPRO/Wnu6fp8d77SR4jEI2i3wFwm83sK/hqIO9ILq03+/d7T1wIDAQAB\no4IByDCCAcQwDgYDVR0PAQH/BAQDAgWgMEkGA1UdIARCMEAwPgYGZ4EMAQIBMDQw\nMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRv\ncnkvMCEGA1UdEQQaMBiCCyoueHM0YWxsLm5sggl4czRhbGwubmwwCQYDVR0TBAIw\nADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQwYDVR0fBDwwOjA4oDag\nNIYyaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbHNoYTJn\nMi5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMEcGCCsGAQUFBzAChjtodHRwOi8vc2Vj\ndXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2RvbWFpbnZhbHNoYTJnMnIxLmNy\ndDA5BggrBgEFBQcwAYYtaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzZG9t\nYWludmFsc2hhMmcyMB0GA1UdDgQWBBSAOA1rV7PVmOkQKY5ecFyw0s+ekzAfBgNV\nHSMEGDAWgBTqTnzUgC3lFYGGJoyCbcCYpM+XDzANBgkqhkiG9w0BAQsFAAOCAQEA\nFZZXPetKakrpMsZQGvr4W8ozBaZjx1HAjXDplq3q5u7fan4D7K5l++amy5GgYy4K\nETtpHm1KCXg15fysdZfzsL5TBu9IfpMNLMcMUqDZ+BBdJf3ajObYWMfA1IM45ekb\nMgaYZkX62hSuJADfAPwtIHohqAGJ8qH1WRpdakCEezgNx/reTUGpepZT3AWxDfJ9\n68P9dmIV30EUnrscJ22g8K53Pl47YYCEtBdrIw9KvX4Pi0x/ff+aN8lA+gFg9/8T\nulKeDQBOk1PHedes/HxugDxUEEqgSq7/sEoMGceywkczgvIi3vPuK1ClpwmBUjSs\nsLMOjC48NYY10+xsfcddbA==\n-----END CERTIFICATE-----\n",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAp5DUKE5jDCY21QJi1U6M\nGzR9jIVfGyB29xiUKtTPCRK0fmz9o4Yqcf9WdH/pQlEZUcfIFhgB/Estg6WdY2h7\ng0kFDD0EjQU6VuLt332JUZKCYlURjBsWymekno2ghRj7JUydXnWk9g88c7FBfTGz\noacalj5cTtNS56qoe6JwW2AB7/s5Rajyw2A0Tokx7AzljkmxGGEQtOP3fzHoR5jJ\ntH49mrl/lhLjbcSUYafbvD7xUrz+FxZDKgHxuCNGuivLkZppaDQoIX/1YL29RuqF\n8wvMLLhiZ+sdKt6ewqSyvE/j9BuGwxOBNnwV02U2aL5/pkyIPeXnq8a7JoMs403M\nKBjfDKUj/nrVI0W0mZzvMwenoHtmWq6DqsY9ltF9gloYdi5guHEptrVhYY7LooE2\n5LgN9EMSVTK5PUXsmKPWrapyfjQ4GtVMMjICdswUCPLNEsFoV5F5rzKR168s9E79\nae7p+nx3vtJHiMQjaLfAXCbzewr+Gog70gurTf793tPXAgMBAAE=\n-----END PUBLIC KEY-----\n",
+ "spki_hash": "AjyEDlnyvgr9VisPwMkyfWzhfSlGRgPNBcMzFeXIVJc="
}
},
- "3": {
+ "2": {
"cert_data": {
- "name": "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5",
+ "name": "/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2",
"subject": {
- "C": "US",
- "O": "VeriSign, Inc.",
- "OU": [
- "VeriSign Trust Network",
- "(c) 2006 VeriSign, Inc. - For authorized use only"
- ],
- "CN": "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "CN": "GlobalSign Domain Validation CA - SHA256 - G2"
},
- "hash": "b204d74a",
+ "hash": "d7d634d4",
"issuer": {
- "C": "US",
- "O": "VeriSign, Inc.",
- "OU": "Class 3 Public Primary Certification Authority"
+ "C": "BE",
+ "O": "GlobalSign nv-sa",
+ "OU": "Root CA",
+ "CN": "GlobalSign Root CA"
},
"version": "2",
- "serialNumber": "49248466687453522052688216172288342269",
- "validFrom": "061108000000Z",
- "validTo": "211107235959Z",
- "validFrom_time_t": "1162944000",
- "validTo_time_t": "1636329599",
+ "serialNumber": "4835703278459909592596000",
+ "validFrom": "140220100000Z",
+ "validTo": "240220100000Z",
+ "validFrom_time_t": "1392890400",
+ "validTo_time_t": "1708423200",
+ "signatureTypeSN": "RSA-SHA256",
+ "signatureTypeLN": "sha256WithRSAEncryption",
+ "signatureTypeNID": "668",
"extensions": {
- "basicConstraints": "CA:TRUE",
- "crlDistributionPoints": "\nFull Name:\n URI:http://crl.verisign.com/pca3.crl\n",
"keyUsage": "Certificate Sign, CRL Sign",
- "certificatePolicies": "Policy: X509v3 Any Policy\n CPS: https://www.verisign.com/cps\n",
- "subjectKeyIdentifier": "7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33",
- "1.3.6.1.5.5.7.1.12": "0_¡] [0Y0W0U\u0016\timage/gif0!0\u001f0\u0007\u0006\u0005+\u000e\u0003\u0002\u001a\u0004\u0014åÓ\u001a†¬ŽkÃπjÔH\u0018,{\u0019.0%\u0016#http://logo.verisign.com/vslogo.gif",
- "authorityInfoAccess": "OCSP - URI:http://ocsp.verisign.com\n",
- "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1"
+ "basicConstraints": "CA:TRUE, pathlen:0",
+ "subjectKeyIdentifier": "EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F",
+ "certificatePolicies": "Policy: X509v3 Any Policy\n CPS: https://www.globalsign.com/repository/\n",
+ "crlDistributionPoints": "\nFull Name:\n URI:http://crl.globalsign.net/root.crl\n",
+ "authorityInfoAccess": "OCSP - URI:http://ocsp.globalsign.com/rootr1\n",
+ "authorityKeyIdentifier": "keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B\n"
},
"purposes": {
"sslclient": {
@@ -589,11 +787,11 @@ Example response:
"general": ""
},
"smimesign": {
- "ca": "",
+ "ca": "1",
"general": ""
},
"smimeencrypt": {
- "ca": "",
+ "ca": "1",
"general": ""
},
"crlsign": {
@@ -614,27 +812,90 @@ Example response:
}
}
},
- "validation_type": "organisation",
+ "cert_issued_in_future": "",
+ "cert_expired": "",
+ "cert_expires_in_less_than_thirty_days": "",
+ "validation_type": "organization",
"crl": {
"1": {
- "crl_uri": "http://crl.verisign.com/pca3.crl",
+ "crl_uri": "http://crl.globalsign.net/root.crl",
"status": "ok",
- "crl_last_update": "Mar 18 00:00:00 2015 GMT\n",
- "crl_next_update": "Jun 30 23:59:59 2015 GMT\n"
+ "crl_last_update": "Oct 7 00:00:00 2015 GMT\n",
+ "crl_next_update": "Jan 15 00:00:00 2016 GMT\n"
}
},
- "ocsp": "No OCSP URI found in certificate",
+ "ocsp": "No issuer cert provided. Unable to send OCSP request.",
"hostname_in_san_or_cn": "n/a; ca signing certificate",
- "serial": "234",
+ "serialNumber": "40:00:00:00:00:14:44:EF:03:E2:0",
+ "hash": {
+ "md5": "ecf535c505b7752b0af188a915a23786",
+ "sha1": "736a4dc679d682da321563647c60f699f0dfc268",
+ "sha256": "bfdf4cf3f143ad0db912d8ab3a7c12f617b9ea60ce8b1f4e44f74270fb21b19b",
+ "sha384": "ad0a47cb5aacce9fb4549b4d586dd552cb5201192cfad8997eaab2ef4d9d489b432cecbf3a57f70d6c725aefdc265053",
+ "sha512": "0418e33fed6724155d2a6c702f99e2e8c9b0b7fd163d9b5c7afce9f01cb151242ae7a0111dbafee1948c5e05b928106c639ac0f3663abea2abcea83b2e3c1a0d"
+ },
"key": {
"type": "rsa",
"bits": "2048",
- "signature_algorithm": "sha1WithRSAEncryption",
- "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIE0DCCB[...]JjhJ+xr3/\n-----END CERTIFICATE-----\n",
- "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMII[...]QAB\n-----END PUBLIC KEY-----\n",
- "spki_hash": "JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="
+ "signature_algorithm": "sha256WithRSAEncryption",
+ "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG\nA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\nb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw\nMDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\nYWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0\naW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC\njn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG\nExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX\nqa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It\nINH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4\ntmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC\nAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A\nmKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v\nd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG\nImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE\nMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290\ncjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL\nBQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex\n4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE\nGwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj\nH6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj\ntywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6\nEjxS1QSCVS1npd+3lXzuP8MIugS+wEY=\n-----END CERTIFICATE-----\n",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqd3MDrPiMjndSSKoE2mT\nh4jhDO5xfb2Qh5ZdWfLMs9JYV1f5Ru9sJtg2Qo5+MLMvmj5Tex9utqJMRR880xWT\nHIntPPRX3sq97AaaaiqgGVJ/UdF0OQifq+vXhhMVl642w1RmDlryoHOFMeOyZBRq\n/6WijiS7vYVSFaJ57vC17j249H2AvNmQNWW4F6mts5ifoH59bvs/rXzCG1k2lto3\nMktLXTUCY47bp89i7swu1I3JvTxqkXKiIqdyLSDR+so32hiY5hYkcSVLxOV7iVIJ\nAv1ZKwRuygeB1LPa2tvjzICoVgcGfJYIN53bOLZiNJFiB3QBONhyMOLrkHEmYsBX\n8wIDAQAB\n-----END PUBLIC KEY-----\n",
+ "spki_hash": "PL1/TTDEe9Cm2lb2X0tixyQC7zaPREm/V0IHJscTCmw="
}
}
+ },
+ "certificate_transparency": {
+ "https://ct.ws.symantec.com": {
+ "error_message": "Root certificate is not trusted.",
+ "success": ""
+ },
+ "https://ct.googleapis.com/pilot": {
+ "sct_version": "0",
+ "id": "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ "timestamp": "1417969515094",
+ "extensions": "",
+ "signature": "BAMARzBFAiEAlhYyYtcLnWz4V5QiaVlmGFuTAxzF4zJ1k86UUBL66jQCIFobWJkRKhwJMdRK76qNGpcsvHKgTyB0vABoKkgbDi/z"
+ },
+ "https://ct.googleapis.com/aviator": {
+ "sct_version": "0",
+ "id": "aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q=",
+ "timestamp": "1417983849982",
+ "extensions": "",
+ "signature": "BAMARzBFAiBHbD9Lk3v2PSRLWnNxbOgQ6Hr6wPu8iQvhuF+uvHfdGAIhAOqIbuRYl160Vb0fKy/a4PEmS4pif5Chxm05Y2SNNiNk"
+ },
+ "https://ct.googleapis.com/rocketeer": {
+ "sct_version": "0",
+ "id": "7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=",
+ "timestamp": "1418006457229",
+ "extensions": "",
+ "signature": "BAMARjBEAiAoPi1qugNgCyhrOLQ9pM1I3JjqipZpQN5EQdMPnPQO+wIgAc/56CEaTEHZiEAqbLSy8s2bIG/izHjLhtJmFou7vPc="
+ },
+ "https://ct1.digicert-ct.com/log": {
+ "sct_version": "0",
+ "id": "VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0=",
+ "timestamp": "1443089839391",
+ "extensions": "",
+ "signature": "BAMARzBFAiEA1SP2iUkCyj6Zk3TvvLD0vjiAjMXB1sMeABzeQAYqjQcCIC57eYUFwMHDCaNuFKtJhpXSwF7+BTIJIP6oS+OuyGCC"
+ },
+ "https://ct.izenpe.com": {
+ "error_message": "could not verify certificate chain",
+ "success": ""
+ },
+ "https://ctlog.api.venafi.com": {
+ "sct_version": "0",
+ "id": "rDua7X+pZ0dXFZ5tfVdWcvnZgQCUHpve/+yhMTt1eC0=",
+ "timestamp": "1443089840283",
+ "extensions": "",
+ "signature": "BAEBAE+SeC3on+3HB5MH5ynSJF0q0xLGLy+mpMRsWClGT/1p3a4Bek3XSVuMNye6pSmg8m3gKmb0UTDbSVp37dNWfWbEdAD+aX1BsU538ZW1QVsssountJdcEO0ECUpfu6ZvvVyHRZvqo3rwQG3xcF4BZIu3XSa3g8jUgdOFloGWSpCLYmG1ngOGD7w9ch/zvobCM84Q6u6NadH1g/CQL84xAzu167nnbaPnMPF2bI2n1gEV3IdmSPu51zuMce1a1EwbSAYlTenI00zSVUpM66LgesluvRn90+XqI1oLZpqwqY21eaAQXefCd3RwFPaL77aVN+azdhvnrk9/1qQGF9iJyy4="
+ },
+ "https://log.certly.io": {
+ "sct_version": "0",
+ "id": "zbUXm3/BwEb+6jETaj+PAC5hgvr4iW/syLL1tatgSQA=",
+ "timestamp": "1443089852702",
+ "extensions": "",
+ "signature": "BAMASDBGAiEAoy6MEGaNGNB2xCuRI8+c6opl+osD9M6czjFodbLKSBUCIQCgaZws1gzcwpisy6z0lUpEFjfznkbBjCsGd4TdJJl7vg=="
+ }
}
- }
- }
+ },
+ "version": "2.9"
+ } \ No newline at end of file
diff --git a/functions/connection.php b/functions/connection.php
index 6ee5159..a30150d 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -288,7 +288,7 @@ function ssl_conn_protocols($host, $ip, $port) {
return $results;
}
-function ssl_conn_metadata($data) {
+function ssl_conn_metadata($data,$fastcheck=0) {
global $random_blurp;
global $current_folder;
$chain_length = count($data["chain"]);
@@ -351,61 +351,61 @@ function ssl_conn_metadata($data) {
echo "</td>";
echo "</tr>";
}
- // protocols
- echo "<tr>";
- echo "<td>Protocols</td>";
- echo "<td>";
- $protocols = $data["protocols"];
- foreach ($protocols as $key => $value) {
- if ( $value == true ) {
- if ( $key == "tlsv1.2") {
- echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>';
- } else if ( $key == "tlsv1.1") {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>';
- } else if ( $key == "tlsv1.0") {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>';
- } else if ( $key == "sslv3") {
- echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported) </span>';
- echo "<a href='https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/' data-toggle='tooltip' data-placement='top' title='SSLv3 is old and broken. It makes you vulerable for the POODLE attack. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
- } else if ( $key == "sslv2") {
- echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv2 (Supported) </span>';
- echo "<a href='http://www.rapid7.com/db/vulnerabilities/sslv2-and-up-enabled' data-toggle='tooltip' data-placement='top' title='SSLv2 is old and broken. It was replaced by SSLv3 in 1996. It does not support intermediate certs and has flaws in the crypto. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
- } else {
- echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>';
- }
- } else {
- if ( $key == "tlsv1.2") {
- echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span> ';
- echo "<a href='http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html' data-toggle='tooltip' data-placement='top' title='TLSv1.2 was released in 2008. It is the most recent and secure version of the protocol. It adds TLS extensions and the AES ciphersuites plus other features and fixes. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
- } else if ( $key == "tlsv1.1") {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>';
- } else if ( $key == "tlsv1.0") {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>';
- } else if ( $key == "sslv3") {
- echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>';
- } else if ( $key == "sslv2") {
- echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv2 (Not supported)</span></p>';
+ if($fastcheck == 0) {
+ // protocols
+ echo "<tr>";
+ echo "<td>Protocols</td>";
+ echo "<td>";
+ $protocols = $data["protocols"];
+ foreach ($protocols as $key => $value) {
+ if ( $value == true ) {
+ if ( $key == "tlsv1.2") {
+ echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>';
+ } else if ( $key == "tlsv1.1") {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>';
+ } else if ( $key == "tlsv1.0") {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>';
+ } else if ( $key == "sslv3") {
+ echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported) </span>';
+ echo "<a href='https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/' data-toggle='tooltip' data-placement='top' title='SSLv3 is old and broken. It makes you vulerable for the POODLE attack. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
+ } else if ( $key == "sslv2") {
+ echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv2 (Supported) </span>';
+ echo "<a href='http://www.rapid7.com/db/vulnerabilities/sslv2-and-up-enabled' data-toggle='tooltip' data-placement='top' title='SSLv2 is old and broken. It was replaced by SSLv3 in 1996. It does not support intermediate certs and has flaws in the crypto. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
+ } else {
+ echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>';
+ }
} else {
- echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>';
+ if ( $key == "tlsv1.2") {
+ echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span> ';
+ echo "<a href='http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html' data-toggle='tooltip' data-placement='top' title='TLSv1.2 was released in 2008. It is the most recent and secure version of the protocol. It adds TLS extensions and the AES ciphersuites plus other features and fixes. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
+ } else if ( $key == "tlsv1.1") {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>';
+ } else if ( $key == "tlsv1.0") {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>';
+ } else if ( $key == "sslv3") {
+ echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>';
+ } else if ( $key == "sslv2") {
+ echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv2 (Not supported)</span></p>';
+ } else {
+ echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>';
+ }
}
}
- }
- echo "</td>";
- echo "</tr>";
- echo "<tr>";
- echo "<td>SSL Compression</td>";
- echo "<td>";
- if ($data['compression'] == false) {
- echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">SSL Compression disabled</span></p>';
- } else {
- echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">SSL Compression enabled</span> ';
+ echo "</td>";
+ echo "</tr>";
+ echo "<tr>";
+ echo "<td>SSL Compression</td>";
+ echo "<td>";
+ if ($data['compression'] == false) {
+ echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">SSL Compression disabled</span></p>';
+ } else {
+ echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">SSL Compression enabled</span> ';
- echo "<a href='https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx' data-toggle='tooltip' data-placement='top' title='SSL Compression makes you vulnerable to the CRIME attack. Click the question mark for more info about it.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
- }
- echo "</td>";
- echo "</tr>";
- //ciphersuites
- if ($_GET['ciphersuites'] == 1) {
+ echo "<a href='https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx' data-toggle='tooltip' data-placement='top' title='SSL Compression makes you vulnerable to the CRIME attack. Click the question mark for more info about it.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>";
+ }
+ echo "</td>";
+ echo "</tr>";
+ //ciphersuites
echo "<tr>";
echo "<td>Ciphersuites supported by server</td>";
echo "<td>";
@@ -477,122 +477,113 @@ function ssl_conn_metadata($data) {
}
echo "</td>";
echo "</tr>";
- } else {
+ //tls fallback scsv
echo "<tr>";
- echo "<td>Ciphersuite Used</td>";
echo "<td>";
- echo htmlspecialchars($data['used_ciphersuite']['name']);
- echo " (".htmlspecialchars($data['used_ciphersuite']['bits'])." bits)";
+ echo "TLS_FALLBACK_SCSV";
+ echo "</td>";
+ echo "<td>";
+
+ if ($data["tls_fallback_scsv"] == "supported") {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported. </span>";
+ } elseif ($data["tls_fallback_scsv"] == "unsupported") {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported. </span>";
+ } else {
+ echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required. ";
+ }
+ echo "<a href='http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html' data-toggle='tooltip' data-placement='top' title='TLS_FALLBACK_SCSV provides protocol downgrade protection. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
echo "</td>";
echo "</tr>";
- }
- //tls fallback scsv
- echo "<tr>";
- echo "<td>";
- echo "TLS_FALLBACK_SCSV";
- echo "</td>";
- echo "<td>";
- if ($data["tls_fallback_scsv"] == "supported") {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported. </span>";
- } elseif ($data["tls_fallback_scsv"] == "unsupported") {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported. </span>";
- } else {
- echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required. ";
- }
- echo "<a href='http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html' data-toggle='tooltip' data-placement='top' title='TLS_FALLBACK_SCSV provides protocol downgrade protection. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
- echo "</td>";
- echo "</tr>";
+ //heartbleed
+ if ($data['heartbleed'] != 'python2error') {
+ echo "<tr>";
+ echo "<td>";
+ echo "Heartbleed";
+ echo "</td>";
+ echo "<td>";
+
+ if ($data["heartbleed"] == "not_vulnerable") {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Not vulnerable. </span>";
+ } elseif ($data["heartbleed"] == "vulnerable") {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Vulnerable. </span>";
+ }
+ echo "<a href='http://heartbleed.com/' data-toggle='tooltip' data-placement='top' title='Heartbleed is a serious vulnerability exposing server memory and thus private data to an attacker. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
+ echo "</td>";
+ echo "</tr>";
+ }
- //heartbleed
- if ($data['heartbleed'] != 'python2error') {
echo "<tr>";
echo "<td>";
- echo "Heartbleed";
+ echo "Heartbeat Extension";
echo "</td>";
echo "<td>";
- if ($data["heartbleed"] == "not_vulnerable") {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Not vulnerable. </span>";
- } elseif ($data["heartbleed"] == "vulnerable") {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Vulnerable. </span>";
+ if ($data["heartbeat"] == "1") {
+ echo "Extension enabled.";
+ } else {
+ echo "Extenstion not enabled.";
}
- echo "<a href='http://heartbleed.com/' data-toggle='tooltip' data-placement='top' title='Heartbleed is a serious vulnerability exposing server memory and thus private data to an attacker. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
echo "</td>";
echo "</tr>";
- }
- echo "<tr>";
- echo "<td>";
- echo "Heartbeat Extension";
- echo "</td>";
- echo "<td>";
-
- if ($data["heartbeat"] == "1") {
- echo "Extension enabled.";
- } else {
- echo "Extenstion not enabled.";
- }
- echo "</td>";
- echo "</tr>";
-
- // headers
- echo "<tr>";
- echo "<td>";
- echo "<a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html'>Strict Transport Security</a>";
- echo "</td>";
- echo "<td>";
- // hsts
- if ( $data["strict_transport_security"] == "not set" ) {
- echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>';
- } else {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
- echo htmlspecialchars($data["strict_transport_security"]);
- echo "</span>";
- }
- echo " <a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html' data-toggle='tooltip' data-placement='top' title='Strict Transport Security lets visitors know that your website should only be visitid via HTTPS. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
- echo "</td>";
- echo "</tr>";
- echo "<tr>";
- echo "<td>";
- echo "<a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>HTTP Public Key Pinning Extension (HPKP)</a>";
- echo "</td>";
- echo "<td>";
- //hpkp
- if ( $data["public_key_pins"] == "not set" ) {
- echo '<span>Not Set</span>';
- } else {
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
- echo htmlspecialchars($data["public_key_pins"]);
- }
- if ( $data["public_key-pins_report_only"] ) {
- echo "<b>Report Only</b>: ";
- echo htmlspecialchars($data["public_key_pins_report_only"]);
- }
+ // headers
+ echo "<tr>";
+ echo "<td>";
+ echo "<a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html'>Strict Transport Security</a>";
+ echo "</td>";
+ echo "<td>";
+ // hsts
+ if ( $data["strict_transport_security"] == "not set" ) {
+ echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>';
+ } else {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
+ echo htmlspecialchars($data["strict_transport_security"]);
+ echo "</span>";
+ }
+ echo " <a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html' data-toggle='tooltip' data-placement='top' title='Strict Transport Security lets visitors know that your website should only be visitid via HTTPS. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>";
+ echo "</td>";
+ echo "</tr>";
+ echo "<tr>";
+ echo "<td>";
+ echo "<a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>HTTP Public Key Pinning Extension (HPKP)</a>";
+ echo "</td>";
+ echo "<td>";
+ //hpkp
+ if ( $data["public_key_pins"] == "not set" ) {
+ echo '<span>Not Set</span>';
+ } else {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>";
+ echo htmlspecialchars($data["public_key_pins"]);
+ }
+ if ( $data["public_key-pins_report_only"] ) {
+ echo "<b>Report Only</b>: ";
+ echo htmlspecialchars($data["public_key_pins_report_only"]);
+ }
- echo "</td>";
- echo "</tr>";
- // ocsp stapling
- echo "<tr>";
- echo "<td>OCSP Stapling</td>";
- echo "<td>";
- if (isset($data["ocsp_stapling"]["working"])) {
- if($data["ocsp_stapling"]["working"] == 1) {
- echo "<table class='table'>";
- foreach ($data["ocsp_stapling"] as $key => $value) {
- if ($key != "working") {
- echo "<tr><td>" . htmlspecialchars(ucfirst(str_replace('_', ' ', $key))) . "</td><td>" . htmlspecialchars($value) . "</td></tr>";
- }
- }
- echo "</table>";
+ echo "</td>";
+ echo "</tr>";
+ // ocsp stapling
+ echo "<tr>";
+ echo "<td>OCSP Stapling</td>";
+ echo "<td>";
+ if (isset($data["ocsp_stapling"]["working"])) {
+ if($data["ocsp_stapling"]["working"] == 1) {
+ echo "<table class='table'>";
+ foreach ($data["ocsp_stapling"] as $key => $value) {
+ if ($key != "working") {
+ echo "<tr><td>" . htmlspecialchars(ucfirst(str_replace('_', ' ', $key))) . "</td><td>" . htmlspecialchars($value) . "</td></tr>";
+ }
+ }
+ echo "</table>";
+ } else {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>";
+ }
} else {
echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>";
}
- } else {
- echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>";
+ echo "</td>";
}
- echo "</td>";
-
// openssl version
echo "</tr>";
echo "<tr>";
@@ -614,7 +605,7 @@ function ssl_conn_metadata($data) {
-function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=null) {
+function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=null,$fastcheck=0) {
$result = array();
global $random_blurp;
global $current_folder;
@@ -689,238 +680,239 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul
}
$result["port"] = $port;
- //heartbleed
- $result['heartbleed'] = test_heartbleed($ip, $port);
- if ($result['heartbleed'] == "vulnerable") {
- $result["warning"][] = 'Vulnerable to the Heartbleed bug. Please update your OpenSSL ASAP!';
- }
+ if($fastcheck == 0) {
+ //heartbleed
+ $result['heartbleed'] = test_heartbleed($ip, $port);
+ if ($result['heartbleed'] == "vulnerable") {
+ $result["warning"][] = 'Vulnerable to the Heartbleed bug. Please update your OpenSSL ASAP!';
+ }
- // compression
- $compression = conn_compression($host, $ip, $port);
- if ($compression == false) {
- $result["compression"] = false;
- } else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ // compression
+ $compression = conn_compression($host, $ip, $port);
+ if ($compression == false) {
+ $result["compression"] = false;
} else {
- $result["compression"] = true;
- $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["compression"] = true;
+ $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.';
+ }
+
}
-
- }
- // protocols
- $result["protocols"] = array_reverse(ssl_conn_protocols($host, $ip, $port));
- foreach ($result["protocols"] as $key => $value) {
- if ( $value == true ) {
- if ( $key == "sslv2") {
- $result["warning"][] = 'SSLv2 supported. Please disable ASAP and upgrade to a newer protocol like TLSv1.2.';
- }
- if ( $key == "sslv3") {
- $result["warning"][] = 'SSLv3 supported. Please disable and upgrade to a newer protocol like TLSv1.2.';
- }
- } else {
- if ( $key == "tlsv1.2") {
- $result["warning"][] = 'TLSv1.2 unsupported. Please enable TLSv1.2.';
+ // protocols
+ $result["protocols"] = array_reverse(ssl_conn_protocols($host, $ip, $port));
+ foreach ($result["protocols"] as $key => $value) {
+ if ( $value == true ) {
+ if ( $key == "sslv2") {
+ $result["warning"][] = 'SSLv2 supported. Please disable ASAP and upgrade to a newer protocol like TLSv1.2.';
+ }
+ if ( $key == "sslv3") {
+ $result["warning"][] = 'SSLv3 supported. Please disable and upgrade to a newer protocol like TLSv1.2.';
+ }
+ } else {
+ if ( $key == "tlsv1.2") {
+ $result["warning"][] = 'TLSv1.2 unsupported. Please enable TLSv1.2.';
+ }
}
}
- }
- // ciphersuites
- if ($_GET['ciphersuites'] == 1) {
- $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- 'ECDHE-RSA-AES256-SHA384',
- 'ECDHE-ECDSA-AES256-SHA384',
- 'ECDHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES256-SHA',
- 'SRP-DSS-AES-256-CBC-SHA',
- 'SRP-RSA-AES-256-CBC-SHA',
- 'SRP-AES-256-CBC-SHA',
- 'DH-DSS-AES256-GCM-SHA384',
- 'DHE-DSS-AES256-GCM-SHA384',
- 'DH-RSA-AES256-GCM-SHA384',
- 'DHE-RSA-AES256-GCM-SHA384',
- 'DHE-RSA-AES256-SHA256',
- 'DHE-DSS-AES256-SHA256',
- 'DH-RSA-AES256-SHA256',
- 'DH-DSS-AES256-SHA256',
- 'DHE-RSA-AES256-SHA',
- 'DHE-DSS-AES256-SHA',
- 'DH-RSA-AES256-SHA',
- 'DH-DSS-AES256-SHA',
- 'DHE-RSA-CAMELLIA256-SHA',
- 'DHE-DSS-CAMELLIA256-SHA',
- 'DH-RSA-CAMELLIA256-SHA',
- 'DH-DSS-CAMELLIA256-SHA',
- 'ECDH-RSA-AES256-GCM-SHA384',
- 'ECDH-ECDSA-AES256-GCM-SHA384',
- 'ECDH-RSA-AES256-SHA384',
- 'ECDH-ECDSA-AES256-SHA384',
- 'ECDH-RSA-AES256-SHA',
- 'ECDH-ECDSA-AES256-SHA',
- 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- 'AES256-SHA',
- 'CAMELLIA256-SHA',
- 'PSK-AES256-CBC-SHA',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-SHA256',
- 'ECDHE-ECDSA-AES128-SHA256',
- 'ECDHE-RSA-AES128-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'SRP-DSS-AES-128-CBC-SHA',
- 'SRP-RSA-AES-128-CBC-SHA',
- 'SRP-AES-128-CBC-SHA',
- 'DH-DSS-AES128-GCM-SHA256',
- 'DHE-DSS-AES128-GCM-SHA256',
- 'DH-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-SHA256',
- 'DHE-DSS-AES128-SHA256',
- 'DH-RSA-AES128-SHA256',
- 'DH-DSS-AES128-SHA256',
- 'DHE-RSA-AES128-SHA',
- 'DHE-DSS-AES128-SHA',
- 'DH-RSA-AES128-SHA',
- 'DH-DSS-AES128-SHA',
- 'DHE-RSA-SEED-SHA',
- 'DHE-DSS-SEED-SHA',
- 'DH-RSA-SEED-SHA',
- 'DH-DSS-SEED-SHA',
- 'DHE-RSA-CAMELLIA128-SHA',
- 'DHE-DSS-CAMELLIA128-SHA',
- 'DH-RSA-CAMELLIA128-SHA',
- 'DH-DSS-CAMELLIA128-SHA',
- 'ECDH-RSA-AES128-GCM-SHA256',
- 'ECDH-ECDSA-AES128-GCM-SHA256',
- 'ECDH-RSA-AES128-SHA256',
- 'ECDH-ECDSA-AES128-SHA256',
- 'ECDH-RSA-AES128-SHA',
- 'ECDH-ECDSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES128-SHA256',
- 'AES128-SHA',
- 'SEED-SHA',
- 'CAMELLIA128-SHA',
- 'IDEA-CBC-SHA',
- 'PSK-AES128-CBC-SHA',
- 'ECDHE-RSA-RC4-SHA',
- 'ECDHE-ECDSA-RC4-SHA',
- 'ECDH-RSA-RC4-SHA',
- 'ECDH-ECDSA-RC4-SHA',
- 'RC4-SHA',
- 'RC4-MD5',
- 'PSK-RC4-SHA',
- 'ECDHE-RSA-DES-CBC3-SHA',
- 'ECDHE-ECDSA-DES-CBC3-SHA',
- 'SRP-DSS-3DES-EDE-CBC-SHA',
- 'SRP-RSA-3DES-EDE-CBC-SHA',
- 'SRP-3DES-EDE-CBC-SHA',
- 'EDH-RSA-DES-CBC3-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
- 'DH-RSA-DES-CBC3-SHA',
- 'DH-DSS-DES-CBC3-SHA',
- 'ECDH-RSA-DES-CBC3-SHA',
- 'ECDH-ECDSA-DES-CBC3-SHA',
- 'DES-CBC3-SHA',
- 'PSK-3DES-EDE-CBC-SHA',
- 'EDH-RSA-DES-CBC-SHA',
- 'EDH-DSS-DES-CBC-SHA',
- 'DH-RSA-DES-CBC-SHA',
- 'DH-DSS-DES-CBC-SHA',
- 'DES-CBC-SHA',
- 'EXP-EDH-RSA-DES-CBC-SHA',
- 'EXP-EDH-DSS-DES-CBC-SHA',
- 'EXP-DH-RSA-DES-CBC-SHA',
- 'EXP-DH-DSS-DES-CBC-SHA',
- 'EXP-DES-CBC-SHA',
- 'EXP-RC2-CBC-MD5',
- 'EXP-RC4-MD5',
- 'ECDHE-RSA-NULL-SHA',
- 'ECDHE-ECDSA-NULL-SHA',
- 'AECDH-NULL-SHA',
- 'ECDH-RSA-NULL-SHA',
- 'ECDH-ECDSA-NULL-SHA',
- 'NULL-SHA256',
- 'NULL-SHA',
- 'NULL-MD5');
- $tested_ciphersuites = ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites_to_test);
- $result["supported_ciphersuites"] = array();
- foreach ($tested_ciphersuites as $key => $value) {
- if ($value == true) {
- $result["supported_ciphersuites"][] = $key;
+ // ciphersuites
+ if ($_GET['ciphersuites'] == 1) {
+ $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-SHA384',
+ 'ECDHE-ECDSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA',
+ 'ECDHE-ECDSA-AES256-SHA',
+ 'SRP-DSS-AES-256-CBC-SHA',
+ 'SRP-RSA-AES-256-CBC-SHA',
+ 'SRP-AES-256-CBC-SHA',
+ 'DH-DSS-AES256-GCM-SHA384',
+ 'DHE-DSS-AES256-GCM-SHA384',
+ 'DH-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES256-SHA256',
+ 'DHE-DSS-AES256-SHA256',
+ 'DH-RSA-AES256-SHA256',
+ 'DH-DSS-AES256-SHA256',
+ 'DHE-RSA-AES256-SHA',
+ 'DHE-DSS-AES256-SHA',
+ 'DH-RSA-AES256-SHA',
+ 'DH-DSS-AES256-SHA',
+ 'DHE-RSA-CAMELLIA256-SHA',
+ 'DHE-DSS-CAMELLIA256-SHA',
+ 'DH-RSA-CAMELLIA256-SHA',
+ 'DH-DSS-CAMELLIA256-SHA',
+ 'ECDH-RSA-AES256-GCM-SHA384',
+ 'ECDH-ECDSA-AES256-GCM-SHA384',
+ 'ECDH-RSA-AES256-SHA384',
+ 'ECDH-ECDSA-AES256-SHA384',
+ 'ECDH-RSA-AES256-SHA',
+ 'ECDH-ECDSA-AES256-SHA',
+ 'AES256-GCM-SHA384',
+ 'AES256-SHA256',
+ 'AES256-SHA',
+ 'CAMELLIA256-SHA',
+ 'PSK-AES256-CBC-SHA',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'ECDHE-ECDSA-AES128-SHA256',
+ 'ECDHE-RSA-AES128-SHA',
+ 'ECDHE-ECDSA-AES128-SHA',
+ 'SRP-DSS-AES-128-CBC-SHA',
+ 'SRP-RSA-AES-128-CBC-SHA',
+ 'SRP-AES-128-CBC-SHA',
+ 'DH-DSS-AES128-GCM-SHA256',
+ 'DHE-DSS-AES128-GCM-SHA256',
+ 'DH-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES128-SHA256',
+ 'DHE-DSS-AES128-SHA256',
+ 'DH-RSA-AES128-SHA256',
+ 'DH-DSS-AES128-SHA256',
+ 'DHE-RSA-AES128-SHA',
+ 'DHE-DSS-AES128-SHA',
+ 'DH-RSA-AES128-SHA',
+ 'DH-DSS-AES128-SHA',
+ 'DHE-RSA-SEED-SHA',
+ 'DHE-DSS-SEED-SHA',
+ 'DH-RSA-SEED-SHA',
+ 'DH-DSS-SEED-SHA',
+ 'DHE-RSA-CAMELLIA128-SHA',
+ 'DHE-DSS-CAMELLIA128-SHA',
+ 'DH-RSA-CAMELLIA128-SHA',
+ 'DH-DSS-CAMELLIA128-SHA',
+ 'ECDH-RSA-AES128-GCM-SHA256',
+ 'ECDH-ECDSA-AES128-GCM-SHA256',
+ 'ECDH-RSA-AES128-SHA256',
+ 'ECDH-ECDSA-AES128-SHA256',
+ 'ECDH-RSA-AES128-SHA',
+ 'ECDH-ECDSA-AES128-SHA',
+ 'AES128-GCM-SHA256',
+ 'AES128-SHA256',
+ 'AES128-SHA',
+ 'SEED-SHA',
+ 'CAMELLIA128-SHA',
+ 'IDEA-CBC-SHA',
+ 'PSK-AES128-CBC-SHA',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'SRP-DSS-3DES-EDE-CBC-SHA',
+ 'SRP-RSA-3DES-EDE-CBC-SHA',
+ 'SRP-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'PSK-3DES-EDE-CBC-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
+ $tested_ciphersuites = ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites_to_test);
+ $result["supported_ciphersuites"] = array();
+ foreach ($tested_ciphersuites as $key => $value) {
+ if ($value == true) {
+ $result["supported_ciphersuites"][] = $key;
+ }
}
+
+ } else {
+ $result["used_ciphersuite"]["name"] = $context_meta['cipher_name'];
+ $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits'];
}
-
- } else {
- $result["used_ciphersuite"]["name"] = $context_meta['cipher_name'];
- $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits'];
- }
- // tls_fallback_scsv
- $fallback = tls_fallback_scsv($host, $ip, $port);
- if ($fallback['protocol_count'] == 1) {
- $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required.";
- } else {
- if ($fallback['tls_fallback_scsv_support'] == 1) {
- $result["tls_fallback_scsv"] = "supported";
+ // tls_fallback_scsv
+ $fallback = tls_fallback_scsv($host, $ip, $port);
+ if ($fallback['protocol_count'] == 1) {
+ $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required.";
} else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ if ($fallback['tls_fallback_scsv_support'] == 1) {
+ $result["tls_fallback_scsv"] = "supported";
} else {
- $result["tls_fallback_scsv"] = "unsupported";
- $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["tls_fallback_scsv"] = "unsupported";
+ $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.";
+ }
}
}
- }
- //hsts
- $headers = server_http_headers($host, $ip, $port);
- if ($headers["strict-transport-security"]) {
- if ( is_array($headers["strict-transport-security"])) {
- $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50);
- } else {
- $result["strict_transport_security"] = substr($headers["strict-transport-security"], 0, 50);
- }
- } else {
- $result["strict_transport_security"] = 'not set';
- $result["warning"][] = "HTTP Strict Transport Security not set.";
- }
- //hpkp
- if ( $headers["public-key-pins"] ) {
- if ( is_array($headers["public-key-pins"])) {
- $result["public_key_pins"] = substr($headers["public-key-pins"][0], 0, 255);
+ //hsts
+ $headers = server_http_headers($host, $ip, $port);
+ if ($headers["strict-transport-security"]) {
+ if ( is_array($headers["strict-transport-security"])) {
+ $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50);
+ } else {
+ $result["strict_transport_security"] = substr($headers["strict-transport-security"], 0, 50);
+ }
} else {
- $result["public_key_pins"] = substr($headers["public-key-pins"], 0, 255);
+ $result["strict_transport_security"] = 'not set';
+ $result["warning"][] = "HTTP Strict Transport Security not set.";
}
- } else {
- $result["public_key_pins"] = 'not set';
- }
- if ( $headers["public-key-pins-report-only"] ) {
- if ( is_array($headers["public-key-pins-report-only"])) {
- $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"][0], 0, 255);
+ //hpkp
+ if ( $headers["public-key-pins"] ) {
+ if ( is_array($headers["public-key-pins"])) {
+ $result["public_key_pins"] = substr($headers["public-key-pins"][0], 0, 255);
+ } else {
+ $result["public_key_pins"] = substr($headers["public-key-pins"], 0, 255);
+ }
} else {
- $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"], 0, 255);
+ $result["public_key_pins"] = 'not set';
}
- }
- // ocsp stapling
- $stapling = ocsp_stapling($host, $ip, $port);
- if($stapling["working"] == 1) {
- $result["ocsp_stapling"] = $stapling;
- } else {
- if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
- // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
- $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ if ( $headers["public-key-pins-report-only"] ) {
+ if ( is_array($headers["public-key-pins-report-only"])) {
+ $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"][0], 0, 255);
+ } else {
+ $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"], 0, 255);
+ }
+ }
+ // ocsp stapling
+ $stapling = ocsp_stapling($host, $ip, $port);
+ if($stapling["working"] == 1) {
+ $result["ocsp_stapling"] = $stapling;
} else {
- $result["ocsp_stapling"] = "not set";
- $result["warning"][] = "OCSP Stapling not enabled.";
+ if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
+ $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.';
+ } else {
+ $result["ocsp_stapling"] = "not set";
+ $result["warning"][] = "OCSP Stapling not enabled.";
+ }
}
+
+ $result["heartbeat"] = heartbeat_test($host, $port);
}
-
- $result["heartbeat"] = heartbeat_test($host, $port);
-
$result["openssl_version"] = shell_exec("openssl version");
$result["datetime_rfc2822"] = shell_exec("date --rfc-2822");
}
diff --git a/functions/json.php b/functions/json.php
index 997e892..3fae962 100644
--- a/functions/json.php
+++ b/functions/json.php
@@ -14,9 +14,10 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-function check_json($host,$ip,$port) {
+function check_json($host,$ip,$port,$fastcheck=0) {
global $timeout;
+ global $max_chain_length;
+ global $ct_urls;
$data = [];
$stream = stream_context_create (array("ssl" =>
array("capture_peer_cert" => true,
@@ -42,7 +43,7 @@ function check_json($host,$ip,$port) {
$cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"]);
$chain_data = $context["options"]["ssl"]["peer_certificate_chain"];
$chain_length = count($chain_data);
- if (isset($chain_data) && $chain_length < 10) {
+ if (isset($chain_data) && $chain_length < $max_chain_length) {
$chain_length = count($chain_data);
$chain_arr_keys = ($chain_data);
foreach(array_keys($chain_arr_keys) as $key) {
@@ -51,30 +52,24 @@ function check_json($host,$ip,$port) {
$prev = $chain_data[$key-1];
$chain_key = (string)$key+1;
if ($key == 0) {
- $data["connection"] = ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data);
- $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, $ip, true);
+ $data["connection"] = ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data, $fastcheck);
+ $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, true, $port);
} else {
- $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false);
+ $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false, $port);
}
// certificate transparency
- $ct_urls = ["https://ct.ws.symantec.com",
- "https://ct.googleapis.com/pilot",
- "https://ct.googleapis.com/aviator",
- "https://ct.googleapis.com/rocketeer",
- "https://ct1.digicert-ct.com/log",
- "https://ct.izenpe.com",
- "https://ctlog.api.venafi.com",
- "https://log.certly.io"];
$data["certificate_transparency"] = [];
- foreach ($ct_urls as $ct_url) {
- $submitToCT = submitCertToCT($data["chain"], $ct_url);
- $ct_result = json_decode($submitToCT, TRUE);
- if ($ct_result === null
- && json_last_error() !== JSON_ERROR_NONE) {
- $result_ct = array('result' => $submitToCT);
- $data["certificate_transparency"][$ct_url] = $result_ct;
- } else {
- $data["certificate_transparency"][$ct_url] = $ct_result;
+ if($fastcheck == 0) {
+ foreach ($ct_urls as $ct_url) {
+ $submitToCT = submitCertToCT($data["chain"], $ct_url);
+ $ct_result = json_decode($submitToCT, TRUE);
+ if ($ct_result === null
+ && json_last_error() !== JSON_ERROR_NONE) {
+ $result_ct = array('result' => $submitToCT);
+ $data["certificate_transparency"][$ct_url] = $result_ct;
+ } else {
+ $data["certificate_transparency"][$ct_url] = $ct_result;
+ }
}
}
}
diff --git a/functions/parse_certificate.php b/functions/parse_certificate.php
index 791aa38..d342e4b 100644
--- a/functions/parse_certificate.php
+++ b/functions/parse_certificate.php
@@ -537,6 +537,121 @@ function cert_parse($data) {
echo $data["key"]["signature_algorithm"];
echo "</td>";
echo "</tr>";
+
+ echo "<tr>";
+ echo "<td>Hashes</td>";
+ echo "<td>";
+ echo "<table class='table table-striped'>";
+ foreach ($data["hash"] as $key => $value) {
+ echo "<tr><td>";
+ echo htmlspecialchars(strtoupper($key));
+ echo "</td><td><span style='font-family:monospace;'>";
+ echo wordwrap(htmlspecialchars($value), 64, "<br>\n", TRUE);
+ echo "</span></td></tr>";
+ }
+ echo "</table>";
+ echo "</td>";
+ echo "</tr>";
+
+ if ($_GET['fastcheck'] == 0) {
+ echo "<tr>";
+ echo "<td>TLSA DNS </td>";
+ echo "<td>";
+ if($data['tlsa']['error'] == 'none' && isset($data['tlsa'])) {
+ echo "<table class='table table-striped'>";
+ foreach ($data["tlsa"] as $key => $value) {
+ switch ($key) {
+ case 'tlsa_hash':
+ echo "<tr><td>Record Data</td><td>" . htmlspecialchars($value) . "</td></tr>";
+ break;
+ case 'tlsa_usage':
+ echo "<tr><td>Usage</td><td>";
+ switch ($value) {
+ case '0':
+ echo "0: PKIX-TA: Certificate Authority Constraint";
+ break;
+ case '1':
+ echo "1: PKIX-EE: Service Certificate Constraint";
+ break;
+ case '2':
+ echo "2: DANE-TA: Trust Anchor Assertion";
+ break;
+ case '3':
+ echo "3: DANE-EE: Domain Issued Certificate";
+ break;
+ default:
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect usage parameter: ". htmlspecialchars($value) . "</span>";
+ break;
+ }
+ break;
+ case 'tlsa_selector':
+ echo "<tr><td>Selector</td><td>";
+ switch ($value) {
+ case '0':
+ echo "0: Cert: Use full certificate";
+ break;
+ case '1':
+ echo "1: SPKI: Use subject public key";
+ break;
+ default:
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect selector parameter: ". htmlspecialchars($value) . "</span>";
+ break;
+ }
+ break;
+ case 'tlsa_matching_type':
+ echo "<tr><td>Matching Type</td><td>";
+ switch ($value) {
+ case '0':
+ echo "0: Full: No Hash";
+ break;
+ case '1':
+ echo "1: SHA-256 hash";
+ break;
+ case '2':
+ echo "2: SHA-512 hash";
+ break;
+ default:
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect matching type parameter: ". htmlspecialchars($value) . "</span>";
+ break;
+ }
+ break;
+ }
+ echo "</td></tr>";
+ }
+ if ($data['tlsa']['tlsa_matching_type'] == "1" || $data['tlsa']['tlsa_matching_type'] == 2) {
+ echo "<tr><td>DNS Hash Matches Certificate Hash</td><td>";
+ if($data['tlsa']['tlsa_matching_type'] == '1') {
+ echo "SHA 256 ";
+ if ($data['tlsa']['tlsa_hash'] == $data['hash']['sha256']) {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span><span class='text-success'> - Hash match</span>";
+ } else {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Hash does not match</span>";
+ }
+ }
+ if($data['tlsa']['tlsa_matching_type'] == '2') {
+ echo "SHA 512 ";
+ if ($data['tlsa']['tlsa_hash'] == $data['hash']['sha512']) {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span><span class='text-success'> Hash match</span>";
+ } else {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Hash does not match</span>";
+ }
+ }
+ }
+ echo "</table>";
+ } else {
+ echo "<p>";
+ echo htmlspecialchars($data['tlsa']['error']);
+ if($data['tlsa']['example']) {
+ echo "Here's an example TLSA record based on this certificate's SHA-256 hash: <br><pre>";
+ echo htmlspecialchars($data['tlsa']['example']);
+ echo "</pre></p>";
+ }
+ }
+ echo "<p>Please note that the DNSSEC chain is not validated. The status of the DNSSEC signature will not show up here.<br><a href='https://wiki.mozilla.org/Security/DNSSEC-TLS-details'>More information about TLSA and DNSSEC.</a> - Simple TLSA record generator <a href='https://www.huque.com/bin/gen_tlsa'>here</a>.";
+ echo "</td>";
+ echo "</tr>";
+ }
+
if (count($data['cert_data']['extensions']) >= 1) {
echo "<tr>";
echo "<td>Extensions</td>";
@@ -699,9 +814,10 @@ function csr_parse_json($csr) {
return $result;
}
-function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $validate_hostname=false) {
+function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $validate_hostname=false, $port="443") {
global $random_blurp;
global $ev_oids;
+ global $timeout;
$result = array();
$cert_data = openssl_x509_parse($raw_cert_data);
if (isset($raw_next_cert_data)) {
@@ -836,40 +952,79 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $
// key details
$key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data));
$export_pem = "";
-
openssl_x509_export($raw_cert_data, $export_pem);
+ //hashes
+ $string = $export_pem;
+ $pattern = '/-----(.*)-----/';
+ $replacement = '';
+ $string = preg_replace($pattern, $replacement, $string);
+
+ $pattern = '/\n/';
+ $replacement = '';
+ $export_pem_preg = preg_replace($pattern, $replacement, $string);
+ $export_pem_preg = wordwrap($export_pem_preg, 77, "\n", TRUE);
+ //pre_dump("export preg: " . $export_pem_preg);
+ //pre_dump("end");
+ $result['hash']['md5'] = cert_hash('md5', $export_pem_preg);
+ $result['hash']['sha1'] = cert_hash('sha1', $export_pem_preg);
+ $result['hash']['sha256'] = cert_hash('sha256', $export_pem_preg);
+ $result['hash']['sha384'] = cert_hash('sha384', $export_pem_preg);
+ $result['hash']['sha512'] = cert_hash('sha512', $export_pem_preg);
+
+ //TLSA check
+ if (isset($cert_data['subject']['CN']) && isset($host)) {
+ if ($validate_hostname == true) {
+ $tlsa_record = shell_exec("timeout " . $timeout . " dig +short +dnssec +time=" . $timeout . " TLSA _" . escapeshellcmd($port) . "._tcp." . escapeshellcmd($host) . " 2>&1 | head -n 1");
+ if (!empty($tlsa_record)) {
+ $tlsa = explode(" ", $tlsa_record, 4);
+ $pattern = '/ /';
+ $replacement = '';
+ $result['tlsa']['tlsa_hash'] = trim(strtolower(preg_replace($pattern, $replacement, $tlsa[3])));
+ $result['tlsa']['tlsa_usage'] = $tlsa[0];
+ $result['tlsa']['tlsa_selector'] = $tlsa[1];
+ $result['tlsa']['tlsa_matching_type'] = $tlsa[2];
+ $result['tlsa']['error'] = 'none';
+ } else {
+
+ $result['tlsa']['error'] = 'No TLSA record found.';
+ $result['tlsa']['example'] = '_'. htmlspecialchars($port) . '._tcp.' . htmlspecialchars($host) . ' IN TLSA 3 0 1 ' . $result['hash']['sha256'] . ';';
+ }
+ } else {
+ $result['tlsa']['error'] = 'CA certificate, TLSA not applicable.';
+ }
+ }
if (isset($key_details['rsa'])) {
$result["key"]["type"] = "rsa";
$result["key"]["bits"] = $key_details['bits'];
if ($key_details['bits'] < 2048) {
$result['warning'][] = $key_details['bits'] . " bit RSA key is not safe. Upgrade to at least 4096 bits.";
}
- // weak debian key check
- $bin_modulus = $key_details['rsa']['n'];
- # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
- # create the blacklist:
- # https://packages.debian.org/source/squeeze/openssl-blacklist
- # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
- # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
- # sort -u unsorted_blacklist.db > debian_blacklist.db
-
- $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n");
- #pre_dump($mod_sha1sum);
- $blacklist_file = fopen('inc/debian_blacklist.db', 'r');
- $key_in_blacklist = false;
- while (($buffer = fgets($blacklist_file)) !== false) {
- if (strpos($buffer, $mod_sha1sum) !== false) {
- $key_in_blacklist = true;
- break;
- }
+
+ // weak debian key check
+ $bin_modulus = $key_details['rsa']['n'];
+ # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
+ # create the blacklist:
+ # https://packages.debian.org/source/squeeze/openssl-blacklist
+ # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
+ # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
+ # sort -u unsorted_blacklist.db > debian_blacklist.db
+
+ $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n");
+ $blacklist_file = fopen('inc/debian_blacklist.db', 'r');
+ $key_in_blacklist = false;
+ while (($buffer = fgets($blacklist_file)) !== false) {
+ if (strpos($buffer, $mod_sha1sum) !== false) {
+ $key_in_blacklist = true;
+ break;
+ }
}
fclose($blacklist_file);
if ($key_in_blacklist == true) {
$result["key"]["weak_debian_rsa_key"] = "true";
- $result['warning'][] = "Weak Debian key found. Remove this key right now and create a new one.";
+ $result['warning'][] = "Weak debian key found. Remove this key right now and create a new one.";
}
} else if (isset($key_details['dsa'])) {
- $result["key"]["type"] = "dsa";
+ $result["key"]["type"] = "dsa";
$result["key"]["bits"] = $key_details['bits'];
} else if (isset($key_details['dh'])) {
$result["key"]["type"] = "dh";
diff --git a/functions/textual.php b/functions/textual.php
index d33d184..0d05ded 100644
--- a/functions/textual.php
+++ b/functions/textual.php
@@ -54,6 +54,7 @@ function get_current_folder(){
return $folder;
}
+$current_folder = get_current_folder();
function gen_uuid() {
return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
diff --git a/functions/variables.php b/functions/variables.php
index 94b4411..9e598e8 100644
--- a/functions/variables.php
+++ b/functions/variables.php
@@ -17,10 +17,13 @@
# timeout in seconds
$timeout = 2;
+# max chain length (big chain slows down checks)
+$max_chain_length = 10;
+
# Don't change stuff down here.
date_default_timezone_set('UTC');
-$version = 2.8;
+$version = 2.9;
ini_set('default_socket_timeout', 2);
@@ -40,9 +43,6 @@ $ct_urls = ["https://ct.ws.symantec.com",
$ev_oids = array("1.3.6.1.4.1.34697.2.1", "1.3.6.1.4.1.34697.2.2", "1.3.6.1.4.1.34697.2.3", "1.3.6.1.4.1.34697.2.4", "1.2.40.0.17.1.22", "2.16.578.1.26.1.3.3", "1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.6449.1.2.1.5.1", "2.16.840.1.114412.2.1", "2.16.840.1.114412.1.3.0.2", "2.16.528.1.1001.1.1.1.12.6.1.1.1", "2.16.840.1.114028.10.1.2", "0.4.0.2042.1.4", "0.4.0.2042.1.5", "1.3.6.1.4.1.13177.10.1.3.10", "1.3.6.1.4.1.14370.1.6", "1.3.6.1.4.1.4146.1.1", "2.16.840.1.114413.1.7.23.3", "1.3.6.1.4.1.14777.6.1.1", "2.16.792.1.2.1.1.5.7.1.9", "1.3.6.1.4.1.22234.2.5.2.3.1", "1.3.6.1.4.1.782.1.2.1.8.1", "1.3.6.1.4.1.8024.0.2.100.1.2", "1.2.392.200091.100.721.1", "2.16.840.1.114414.1.7.23.3", "1.3.6.1.4.1.23223.2", "1.3.6.1.4.1.23223.1.1.1", "2.16.756.1.83.21.0", "2.16.756.1.89.1.2.1.1", "2.16.840.1.113733.1.7.48.1", "2.16.840.1.114404.1.1.2.4.1", "2.16.840.1.113733.1.7.23.6", "1.3.6.1.4.1.6334.1.100.1", "2.16.840.1.114171.500.9", "1.3.6.1.4.1.36305.2");
-
-$current_folder = get_current_folder();
-
function parse_hostname($u_hostname){
# format raymii.org:1.2.34.56 should do SNI request to that ip.
# parts[0]=host, parts[1]=ip
@@ -86,7 +86,7 @@ function parse_hostname($u_hostname){
return $result;
}
-function choose_endpoint($ips, $host, $port, $ciphersuites) {
+function choose_endpoint($ips, $host, $port, $fastcheck) {
global $version;
echo "<div id='page-content-wrapper'>\n";
echo "<div class='container-fluid'>\n";
@@ -110,13 +110,13 @@ function choose_endpoint($ips, $host, $port, $ciphersuites) {
echo "</p>\n";
echo "</div>\n";
echo "<div id='resultDiv'></div>\n";
- echo "<div class='content'>\n<section id='choose_endpoint'>\n";
+ echo "<div class='content' id='choose_endp'>\n<section id='choose_endpoint'>\n";
echo "<header>\n<h2>Multiple endpoints for " . htmlspecialchars($host) . "</h2>\n</header>\n";
echo "<p>We've found multiple results for " . htmlspecialchars($host) . ". Please choose the host you want to scan from the list below:</p>\n<br>\n";
echo "<ul>\n";
foreach ($ips as $ip) {
echo "<li>";
- echo "<a href=\"";
+ echo "<a onclick=\"showdiv('preloader'); hidediv('choose_endp');\" href=\"";
echo htmlspecialchars($current_folder);
echo "?host=";
echo htmlspecialchars($host);
@@ -130,11 +130,11 @@ function choose_endpoint($ips, $host, $port, $ciphersuites) {
}
echo "&port=";
echo htmlspecialchars($port);
- echo "&ciphersuites=";
- if ($ciphersuites == 1) {
- echo "1";
+ echo "&fastcheck=";
+ if ($fastcheck == 1) {
+ echo 1;
} else {
- echo "0";
+ echo 0;
}
echo "\">";
if ($ip['type'] == 'A') {
diff --git a/functions/verify_certifitcate.php b/functions/verify_certifitcate.php
index 86312a1..e639cff 100644
--- a/functions/verify_certifitcate.php
+++ b/functions/verify_certifitcate.php
@@ -14,6 +14,11 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
+function cert_hash($hash_alg, $raw_cert_to_hash) {
+ $cert_hash = hash($hash_alg, base64_decode($raw_cert_to_hash));
+ return $cert_hash;
+}
+
function verify_certificate_hostname($raw_cert, $host) {
$cert_data = openssl_x509_parse($raw_cert);
if ($cert_data['subject']['CN']) {
diff --git a/inc/form.php b/inc/form.php
index 725f20e..6ae632c 100644
--- a/inc/form.php
+++ b/inc/form.php
@@ -22,9 +22,9 @@
<div class="form-group">
<div class="col-md-4 col-md-offset-1">
<div class="checkbox">
- <label for="ciphersuites">
- <input type="checkbox" name="ciphersuites" id="ciphersuites" value="1" checked="checked">
- Enumerate Ciphersuites (takes longer)
+ <label for="fastcheck">
+ <input type="checkbox" name="fastcheck" id="fastcheck" value="yes">
+ Fast check (no connection details, no TLSA check, no certificate transparancy submission)
</label>
</div>
</div>
diff --git a/index.php b/index.php
index fc46689..cb04f20 100644
--- a/index.php
+++ b/index.php
@@ -18,7 +18,6 @@
error_reporting(E_ALL & ~E_NOTICE);
ob_start();
$write_cache = 0;
-
foreach (glob("functions/*.php") as $filename) {
include $filename;
}
@@ -52,10 +51,15 @@ foreach (glob("functions/*.php") as $filename) {
$port = 443;
}
if ($hostname['multiple_ip']) {
- choose_endpoint($hostname['multiple_ip'], $host, $port, $_GET['ciphersuites']);
+ choose_endpoint($hostname['multiple_ip'], $host, $port, $_GET['fastcheck']);
}
+ if($_GET['fastcheck'] == 1) {
+ $fastcheck = 1;
+ } else {
+ $fastcheck = 0;
+ }
$ip = $hostname['ip'];
- $data["data"] = check_json($host,$ip,$port);
+ $data["data"] = check_json($host,$ip,$port,$fastcheck);
if(isset($data["data"]["error"])) {
$data["error"] = $data["data"]["error"];
unset($data["data"]);
@@ -81,15 +85,21 @@ foreach (glob("functions/*.php") as $filename) {
?>
<li><a href="#conndata"><strong>0</strong>: Connection Data <?php echo $warntxt; $warntxt = ''; ?></a></li>
<?php
+ $menucount = 1;
foreach ($chain_data as $key => $value) {
if (count($value['warning']) >= 1) {
$warntxt = " <sup>(<strong>".htmlspecialchars(count($value['warning']))."</strong>)</sup>";
}
- echo "<li><a href='#cert".(string)$key."'><strong>".$key."</strong> : ". htmlspecialchars($value["cert_data"]["subject"]["CN"]) . $warntxt . "</a></li>";
+ echo "<li><a href='#cert".(string)$key."'><strong>".htmlspecialchars($key)."</strong> : ". htmlspecialchars($value["cert_data"]["subject"]["CN"]) . $warntxt . "</a></li>";
$warntxt = "";
+ $menucount += 1;
+ }
+ if ($_GET['fastcheck'] == 0) {
+ ?>
+ <li><a href="#ctsubmit"><strong><?php echo htmlspecialchars($menucount); ?></strong> : Certificate Transparency</a></li>
+ <?php
}
?>
- <li><a href="#ctsubmit">Certificate Transparency</a></li>
<li><a href="<?php echo(htmlspecialchars($current_folder)); ?>">Try another website</a></li>
<li><hr></li>
@@ -136,7 +146,6 @@ foreach (glob("functions/*.php") as $filename) {
echo "<hr>";
$write_cache = 0;
} else {
-
$hostfilename = preg_replace("([^\w\s\d\-_~,;:\[\]\(\).])", '', $host);
$hostfilename = preg_replace("([\.]{2,})", '', $host);
$hostfilename = preg_replace("([^a-z0-9])", '', $host);
@@ -155,10 +164,13 @@ foreach (glob("functions/*.php") as $filename) {
echo "<p>Receive notifications when this certificate is about to expire with my other service, <a href='https://certificatemonitor.org/'>Certificate Monitor</a>.</p>";
- // connection data
+ // connection data
echo "<div class='content'><section id='conndata'>";
echo "<header><h2>Connection Data for " . htmlspecialchars($host) . " / " . htmlspecialchars($ip) . "</h2></header>";
- ssl_conn_metadata($data["data"]["connection"]);
+ ssl_conn_metadata($data["data"]["connection"], $fastcheck);
+ if ($_GET['fastcheck'] == 1) {
+ echo "<p>Fast check selected, therefore Connection Data enumeration is limited.</p>";
+ }
echo "</section></div>";
// certificates
@@ -170,18 +182,13 @@ foreach (glob("functions/*.php") as $filename) {
}
// submit to certificate transparency
- echo "<div class='content'><section id='ctsubmit'>";
- echo "<header><h2>Certificate Transparency Submission</h2></header>";
- echo "<p><a href='http://www.certificate-transparency.org/'>Information about Certificate Transparency</a></p>";
- foreach ($ct_urls as $ct_url) {
- echo "<table class='table table-striped table-bordered'>";
- echo "<tr><td>CT Log URL</td><td>" . htmlspecialchars($ct_url) . "</td></tr>";
- $submitToCT = submitCertToCT($data["data"]["chain"], $ct_url);
- $ct_result = json_decode($submitToCT, TRUE);
- if ($ct_result === null
- && json_last_error() !== JSON_ERROR_NONE) {
- echo "<tr><td width='20%'>Result</td><td width='80%' style='font-family:monospace;'>". htmlspecialchars($submitToCT) . "</td></tr>";
- } else {
+ if ($_GET['fastcheck'] == 0) {
+ echo "<div class='content'><section id='ctsubmit'>";
+ echo "<header><h2>Certificate Transparency Submission</h2></header>";
+ echo "<p><a href='http://www.certificate-transparency.org/'>Information about Certificate Transparency</a></p>";
+ foreach ($data["data"]['certificate_transparency'] as $ct_url => $ct_result) {
+ echo "<table class='table table-striped table-bordered'>";
+ echo "<tr><td>CT Log URL</td><td>" . htmlspecialchars($ct_url) . "</td></tr>";
if (is_array($ct_result)) {
foreach ($ct_result as $key => $value) {
if (is_bool($key)) {
@@ -190,15 +197,20 @@ foreach (glob("functions/*.php") as $filename) {
if (is_bool($value)) {
$value = ($value) ? 'True' : 'False';
}
-
echo "<tr><td width='20%'>" . htmlspecialchars(ucfirst(str_replace('_', ' ', $key))) . "</td><td width='80%' style='font-family:monospace;'>" . wordwrap(htmlspecialchars($value), 65, "<br />", 1) . "</td></tr>";
-
}
+ } else {
+ echo "<tr><td>Error</td><td>No result returned</td></tr>";
}
}
echo "</table>";
+ echo "</section></div>";
+ } else {
+ echo "<div class='content'><section id='ctsubmit'>";
+ echo "<header><h2>Certificate Transparency Submission</h2></header>";
+ echo "Fast check selected, therefore Certificate Transparancy submission is disabled.";
+ echo "</section></div><p><hr></p>";
}
- echo "</section></div>";
}
} elseif (!empty($_GET['csr']) ) {
$data = csr_parse_json($_GET['csr']);
diff --git a/js/ajax.js b/js/ajax.js
index 88404ea..4d21cf3 100644
--- a/js/ajax.js
+++ b/js/ajax.js
@@ -13,6 +13,21 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
+var _targetdiv = null;
+function showdiv(id) {
+ if(_targetdiv)
+ _targetdiv.style.display = 'none';
+ _targetdiv = document.getElementById(id);
+ _targetdiv.style.display = 'block';
+}
+
+function hidediv(id) {
+ if(_targetdiv)
+ _targetdiv.style.display = 'block';
+ _targetdiv = document.getElementById(id);
+ _targetdiv.style.display = 'none';
+}
+
var request = createRequestObject();
var dataReturn='';
var ajaxTimeout='';
diff --git a/json.php b/json.php
index a915c38..e922095 100644
--- a/json.php
+++ b/json.php
@@ -20,12 +20,13 @@ if ( isset($_GET['host']) && !empty($_GET['host'])) {
if ( !is_numeric($port) ) {
$port = 443;
}
+ $fastcheck = $_GET['fastcheck'];
$write_cache = 1;
$hostfilename = preg_replace("([^\w\s\d\-_~,;:\[\]\(\).])", '', $host);
$hostfilename = preg_replace("([\.]{2,})", '', $host);
$hostfilename = preg_replace("([^a-z0-9])", '', $host);
$cache_filename = (string) "results/saved." . $hostfilename . "." . $epoch . "." . $random_bla . ".api.json";
- $data["data"] = check_json($host, $ip, $port);
+ $data["data"] = check_json($host, $ip, $port, $fastcheck);
} elseif(isset($_GET['csr']) && !empty($_GET['csr'])) {
$write_cache = 1;
$cache_filename = (string) "results/saved.csr." . $epoch . "." . $random_bla . ".api.json";
generated by cgit v1.1 at 2025-05-10 21:05:22 +0000