author | Remy <relst@relst.nl> | 2015-02-26 14:09:00 +0100 |
---|---|---|
committer | Remy <relst@relst.nl> | 2015-02-26 14:09:00 +0100 |
commit | b1f95ff20011624f9e6ea835a13c0f79ae73c97a (patch) | |
tree | b39a1ac9679ad9ef1edde3368cf296ca1ed86dc4 | |
parent | 6dcbad8cdac0eb43cb5fee1b24e679f1f1752ac4 (diff) | |
download | ssl-decoder-b1f95ff20011624f9e6ea835a13c0f79ae73c97a.zip ssl-decoder-b1f95ff20011624f9e6ea835a13c0f79ae73c97a.tar.gz ssl-decoder-b1f95ff20011624f9e6ea835a13c0f79ae73c97a.tar.bz2 |
add chain validation and make cipher suites red
-rw-r--r-- | CHANGELOG.md | 5 | ||||
-rw-r--r-- | functions/connection.php | 120 | ||||
-rw-r--r-- | index.php | 2 | ||||
-rw-r--r-- | js/ajax.js | 2 |
4 files changed, 109 insertions, 20 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b94b11..ec18f65 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## 1.8
+
+- Add certificate chain validation.
+- Make some chiphersuites red.
+
 ## 1.7
 - Split code up in seperate files
diff --git a/functions/connection.php b/functions/connection.php
index 7fcae27..949bd1a 100644
--- a/functions/connection.php
+++ b/functions/connection.php
@@ -142,6 +142,8 @@ function ssl_conn_ciphersuites($host, $port, $ciphersuites){
 function ssl_conn_metadata($host, $port, $chain=null) {
+ global $random_blurp;
+ global $current_folder;
 $stream = stream_context_create (array("ssl" => array("verify_peer" => false, "capture_session_meta" => true, 
@@ -171,22 +173,52 @@ if ( $read_stream === false ) {
 <td>Chain sent by Server (in server order)</td>
 <td style="font-family: monospace;">
 <?php
- foreach ($chain as $key => $cert) {
- if ( $key == 10) {
- echo "<span class='text-danger'>Error: Certificate chain to large.</span><br>";
- continue;
- }
- if ( $key > 10) {
- continue;
- }
- if (openssl_x509_parse($cert)['issuer']['CN'] && openssl_x509_parse($cert)['subject']['CN']) {
- echo "Name...........: <i>";
- echo htmlspecialchars(openssl_x509_parse($cert)['subject']['CN']);
- echo " </i><br>Issued by......:<i> ";
- echo htmlspecialchars(openssl_x509_parse($cert)['issuer']['CN']);
- echo "</i><br>";
+ $chain_length = count($chain);
+ $certificate_chain = array();
+ if ($chain_length <= 10) {
+ for ($i = 0; $i < $chain_length; $i++) {
+ if (openssl_x509_parse($chain[$i])['issuer']['CN'] && openssl_x509_parse($chain[$i])['subject']['CN']) {
+ echo "Name...........: <i>";
+ echo htmlspecialchars(openssl_x509_parse($chain[$i])['subject']['CN']);
+ echo " </i><br>Issued by......:<i> ";
+ echo htmlspecialchars(openssl_x509_parse($chain[$i])['issuer']['CN']);
+ echo "</i><br>";
+
+ $export_pem = "";
+ openssl_x509_export($chain[$i], $export_pem);
+ array_push($certificate_chain, $export_pem);
+
+ if (openssl_x509_parse($chain[$i])['issuer']['CN'] == openssl_x509_parse($chain[$i + 1])['subject']['CN']){
+ continue;
+ } else {
+ if ($i != $chain_length - 1) {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.</span><br><br>";
+ }
+ }
+ }
 }
+ echo "<br>";
+ } else {
+ echo "<span class='text-danger'>Error: Certificate chain to large.</span><br>";
 }
+
+ file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND);
+
+ $verify_output = 0;
+ $verify_exit_code = 0;
+ $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code);
+
+ if ($verify_exit_code != 1) {
+ echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Validating certificate chain failed:</span><br>";
+ echo "<pre>";
+ echo str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output));
+ echo "</pre>";
+ } else {
+ echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Sucessfully validated certificate chain.</span><br>";
+ }
+
+ unlink('/tmp/verify_cert.' . $random_blurp . '.pem');
+
 ?>
 </td>
 </tr>
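Review bot: The `openssl verify` output echoed inside `<pre>` is not HTML-escaped, yet on failure openssl prints the subject name of the certificate it was checking — data the remote server supplied — so a crafted certificate can inject markup into the result page; the CN lines above are escaped, this one should be too: `echo htmlspecialchars(str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output)));`. The chain is also written with `FILE_APPEND` to a predictable name under `/tmp`, so any file or symlink already at that path (left by a failed `unlink`, or placed by another local user) is appended to and then verified as if it were the server's chain; `tempnam(sys_get_temp_dir(), 'verify_cert.')` without `FILE_APPEND` avoids both issues, and quoting each argument with `escapeshellarg()` instead of running `escapeshellcmd()` over the whole string keeps a `getcwd()` containing spaces from splitting into several arguments. The lookahead `openssl_x509_parse($chain[$i + 1])` runs for the last certificate as well and reads an undefined offset; the `continue`/`else` pair reduces to `if ($i + 1 < $chain_length && openssl_x509_parse($chain[$i])['issuer']['CN'] != openssl_x509_parse($chain[$i + 1])['subject']['CN']) {` around the mismatch message. As far as I can tell `openssl verify` reads only the first certificate of a file argument and expects intermediates via `-untrusted`, so after `array_reverse` this validates the last certificate the server sent rather than the leaf through its chain — worth confirming against the OpenSSL version in use.
```php
// … unchanged: per-certificate output loop that fills $certificate_chain …
$verify_file = tempnam(sys_get_temp_dir(), 'verify_cert.'); // unique name, created 0600, no FILE_APPEND
file_put_contents($verify_file, implode("\n", array_reverse($certificate_chain)) . PHP_EOL);

$verify_output = array();
$verify_exit_code = 0;
exec('openssl verify -verbose -purpose any -CAfile ' . escapeshellarg(getcwd() . '/cacert.pem')
     . ' ' . escapeshellarg($verify_file) . ' | grep -v OK', $verify_output, $verify_exit_code);

if ($verify_exit_code != 1) {
    echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Error: Validating certificate chain failed:</span><br>";
    echo "<pre>";
    // openssl prints the subject of the failing certificate, which came from the remote server: escape it
    echo htmlspecialchars(str_replace($verify_file . ': ', '', implode("\n", $verify_output)));
    echo "</pre>";
} else {
    // … unchanged: success message …
}

unlink($verify_file);
```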
@@ -369,14 +401,66 @@ if ( $read_stream === false ) {
 'NULL-SHA256',
 'NULL-SHA',
 'NULL-MD5');
+
+ $bad_ciphersuites = array('ECDHE-RSA-DES-CBC3-SHA',
+ 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC3-SHA',
+ 'EDH-DSS-DES-CBC3-SHA',
+ 'DH-RSA-DES-CBC3-SHA',
+ 'DH-DSS-DES-CBC3-SHA',
+ 'ECDH-RSA-DES-CBC3-SHA',
+ 'ECDH-ECDSA-DES-CBC3-SHA',
+ 'DES-CBC3-SHA',
+ 'EDH-RSA-DES-CBC-SHA',
+ 'EDH-DSS-DES-CBC-SHA',
+ 'DH-RSA-DES-CBC-SHA',
+ 'DH-DSS-DES-CBC-SHA',
+ 'DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-EDH-RSA-DES-CBC-SHA',
+ 'EXP-EDH-DSS-DES-CBC-SHA',
+ 'EXP-DH-RSA-DES-CBC-SHA',
+ 'EXP-DH-DSS-DES-CBC-SHA',
+ 'EXP-DES-CBC-SHA',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'RC4-MD5',
+ 'EXP-RC2-CBC-MD5',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-RC4-SHA',
+ 'ECDHE-ECDSA-RC4-SHA',
+ 'ECDH-RSA-RC4-SHA',
+ 'ECDH-ECDSA-RC4-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'PSK-RC4-SHA',
+ 'EXP-RC4-MD5',
+ 'ECDHE-RSA-NULL-SHA',
+ 'ECDHE-ECDSA-NULL-SHA',
+ 'AECDH-NULL-SHA',
+ 'RC4-SHA',
+ 'RC4-MD5',
+ 'ECDH-RSA-NULL-SHA',
+ 'ECDH-ECDSA-NULL-SHA',
+ 'NULL-SHA256',
+ 'NULL-SHA',
+ 'NULL-MD5');
 $supported_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test);
-
+
 foreach ($supported_ciphersuites as $key => $value) {
 if($value == true){
- echo "";
- echo "<span class='text-success glyphicon glyphicon-ok'></span> - ";
+ if (in_array($key, $bad_ciphersuites)) {
+ echo "";
+ echo "<span class='text-danger glyphicon glyphicon-remove'> ";
+ } else {
+ echo "<span class='glyphicon glyphicon-minus'> ";
+ }
 echo htmlspecialchars($key);
- echo "<br>";
+ echo "</span><br>";
 } else {
 echo "<!-- ";
 echo "<span class='glyphicon glyphicon-remove'></span> - ";
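Review bot: `$bad_ciphersuites` repeats several entries — `RC4-MD5` and `EXP-RC4-MD5` three times, `RC4-SHA` and `EXP-RC2-CBC-MD5` twice, and the five `EXP-*DES-CBC-SHA` names as a whole block twice — which only lengthens the `in_array()` scan inside the `foreach` and makes the list harder to audit. The membership test should pass the strict flag, `in_array($key, $bad_ciphersuites, true)`, or the list can be flipped once into keys and checked with `isset()`. A substring test on the suite name (`EXP-`, `RC4`, `DES-CBC`, `NULL`, `MD5`) would cover the same set without duplicates and would also flag a suite later added to `$ciphersuites_to_test` but forgotten here, which today is rendered with the neutral minus glyph as if acceptable. The `echo "";` kept in the danger branch emits nothing and can be dropped.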
@@ -89,7 +89,7 @@ foreach (glob("functions/*.php") as $filename) {
 <div class="form-group">
 <div class="col-md-4">
 <label class="col-md-2 col-md-offset-1 control-label" for="s"></label>
- <button id="s" name="s" class="btn btn-primary" onsubmit="showElementbyID(true, 'preloader'); showElementbyID(false, 'sslform'); makeRequest('/ssl/?host=' + this.form.host.value + '&port=' + this.form.port.value + '&csr=' + this.form.csr.value + '&s=', 'showContent');return false" onclick="showElementbyID(true, 'preloader'); showElementbyID(false, 'sslform'); makeRequest('/ssl/?host=' + this.form.host.value + '&port=' + this.form.port.value + '&csr=' + this.form.csr.value + '&ciphersuites=' + this.form.ciphersuites.value + '&s=', 'showContent');return false">Submit</button>
+ <button id="s" name="s" class="btn btn-primary" onsubmit="showElementbyID(true, 'preloader'); showElementbyID(false, 'sslform'); makeRequest('/ssl/?port=' + this.form.port.value + '&csr=' + this.form.csr.value + '&s=&host=' + this.form.host.value,, 'showContent');return false" onclick="showElementbyID(true, 'preloader'); showElementbyID(false, 'sslform'); makeRequest('/ssl/?port=' + this.form.port.value + '&csr=' + this.form.csr.value + '&ciphersuites=' + this.form.ciphersuites.value + '&s=&host=' + this.form.host.value, 'showContent');return false">Submit</button>
 </div>
 </div>
@@ -41,7 +41,7 @@ function makeRequest (url, fun)
 try{
 request.send(null);
- window.history.pushState('wut', 'SSL Decoder for ' + document.getElementById('host').value, '/ssl/?host=' + document.getElementById('host').value + '&port=' + document.getElementById('port').value + '&csr=' + document.getElementById('csr').value + '&s=');
+ window.history.pushState('wut', 'SSL Decoder for ' + document.getElementById('host').value, '/ssl/?port=' + document.getElementById('port').value + '&csr=' + document.getElementById('csr').value + '&s=&host=' + document.getElementById('host').value);
 } catch(err){
 alert('Error occured: '+err);
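Review bot: The new `onsubmit` handler on the Submit button contains a doubled comma, `this.form.host.value,, 'showContent')`, which is a JavaScript syntax error; the `onclick` handler on the same element is well-formed, so the fix is to drop the extra comma and, if both handlers are meant to build the same URL, add the `'&ciphersuites=' + this.form.ciphersuites.value` segment that only `onclick` has. Since `submit` is dispatched on the form rather than on a button, the `onsubmit` attribute is most likely never invoked and could be removed instead. The field values are concatenated into the query string without `encodeURIComponent()`, so a host containing `&`, `#` or `+` truncates or alters the request; the `pushState` URL in the js/ajax.js hunk below has the same gap.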