diff options
| author | Remy <relst@relst.nl> | 2015-03-28 08:59:04 +0100 |
|---|---|---|
| committer | Remy <relst@relst.nl> | 2015-03-28 08:59:04 +0100 |
| commit | faa7f20fcc89bb1a1b77f2aaa78b88cda794b1b5 (patch) | |
| tree | 820b2a5da07726ec176961d4b83b89d5bd6821fb | |
| parent | b782322a10c5ca52e21bb2017dc8af7067220952 (diff) | |
| download | ssl-decoder-faa7f20fcc89bb1a1b77f2aaa78b88cda794b1b5.zip ssl-decoder-faa7f20fcc89bb1a1b77f2aaa78b88cda794b1b5.tar.gz ssl-decoder-faa7f20fcc89bb1a1b77f2aaa78b88cda794b1b5.tar.bz2 | |
add tls_fallback_scsv check
| -rw-r--r-- | CHANGELOG.md | 5 | ||||
| -rw-r--r-- | README.md | 17 | ||||
| -rw-r--r-- | functions/connection.php | 27 | ||||
| -rw-r--r-- | functions/crl.php | 2 | ||||
| -rw-r--r-- | functions/ocsp.php | 2 | ||||
| -rw-r--r-- | functions/tls_fallback_scsv.php | 36 | ||||
| -rw-r--r-- | index.php | 6 |
7 files changed, 83 insertions, 12 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index d75a867..bc8c22c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## 2.0 + +- Add TLS_FALLBACK_SCSV check +- Lower some timeouts from 5 to 2. + ## 1.9 - Add navigation menu @@ -1,8 +1,6 @@ # SSL Decoder -Simple PHP script which decodes an SSL connection or certificate and displays information. - -### Features +Simple PHP script which decodes an SSL connection and/or certificate and displays information. * Tries to give all the information you need instead of a rating. * Open source, so you can self host it. @@ -37,11 +35,20 @@ Simple PHP script which decodes an SSL connection or certificate and displays in - OpenSSL - PHP must allow shell_exec and remote fopen. +### Installation + +Unpack and go! + + cd /var/www + git clone https://github.com/RaymiiOrg/ssl-decoder.git + +Browse to https://your-server/ssl-decoder. + ### Demo -See [https://z1s.org/ssl/](https://z1s.org/ssl/). +See [https://tls.so](https://tls.so). -<a href="https://z1s.org/ssl/"><img src="http://i.imgur.com/R1BQlLVm.png" /></a> +<a href="https://tls.so"><img src="http://i.imgur.com/R1BQlLVm.png" /></a> ### License diff --git a/functions/connection.php b/functions/connection.php index 4280798..c9705ac 100644 --- a/functions/connection.php +++ b/functions/connection.php @@ -288,7 +288,6 @@ if ( $read_stream === false ) { 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES256-SHA384', - 'TLS_FALLBACK_SCSV', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'SRP-DSS-AES-256-CBC-SHA', @@ -493,7 +492,31 @@ if ( $read_stream === false ) { </td> </tr> <?php - } + } + ?> + <tr> + <td> + <a href="http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html">TLS_FALLBACK_SCSV</a> + </td> + <td> + <?php + $fallback = tls_fallback_scsv($host, $port); + // echo "<pre>"; + // var_dump($fallback); + // echo "</pre>"; + if ($fallback['protocol_count'] == 1) { + echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; + } else { + if ($fallback['tls_fallback_scsv_support'] == 1) { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>"; + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>"; + } + } + ?> + </td> + </tr> + <?php $headers = server_http_headers($host, $port); ?> <tr> diff --git a/functions/crl.php b/functions/crl.php index af934da..3491a95 100644 --- a/functions/crl.php +++ b/functions/crl.php @@ -35,7 +35,7 @@ function crl_verify($raw_cert_data, $verbose=true) { if (0 === strpos($uri, 'http')) { $fp = fopen ("/tmp/" . $random_blurp . "." . $key . ".crl", 'w+'); $ch = curl_init(($uri)); - curl_setopt($ch, CURLOPT_TIMEOUT, 5); + curl_setopt($ch, CURLOPT_TIMEOUT, 2); curl_setopt($ch, CURLOPT_FILE, $fp); curl_setopt($ch, CURLOPT_FAILONERROR, true); curl_setopt($ch, CURLOPT_FRESH_CONNECT, true); diff --git a/functions/ocsp.php b/functions/ocsp.php index 37aec86..299a1fd 100644 --- a/functions/ocsp.php +++ b/functions/ocsp.php @@ -16,7 +16,7 @@ function ocsp_stapling($host, $port){ $result = ""; - $output = shell_exec('echo | timeout 5 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); + $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); if (strpos($output, "no response sent") !== false) { $result = array("working" => 0, "cert_status" => "No response sent"); diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php new file mode 100644 index 0000000..3cf0ea1 --- /dev/null +++ b/functions/tls_fallback_scsv.php @@ -0,0 +1,36 @@ +<?php +// Copyright (C) 2015 Remy van Elst + +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. + +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +function tls_fallback_scsv($host,$port) { + + $result = []; + $protocols = ssl_conn_protocols($host, $port); + if (count(array_filter($protocols)) > 1) { + $result['protocol_count'] = count(array_filter($protocols)); + $fallback_test = shell_exec("echo | timeout 2 openssl s_client -connect " . escapeshellcmd($host) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null"); + // echo "<pre>"; + // var_dump($fallback_test); + // echo "</pre>"; + if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) { + $result['tls_fallback_scsv_support'] = 1; + } + } else { + $result['protocol_count'] = 1; + } + return $result; +} + +?>
\ No newline at end of file @@ -62,7 +62,7 @@ foreach (glob("functions/*.php") as $filename) { "verify_peer_name" => false, "allow_self_signed" => true, "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $stream); + $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); if ( $read_stream !== false ) { $context = stream_context_get_params($read_stream); $chain_data = $context["options"]["ssl"]["peer_certificate_chain"]; @@ -204,7 +204,7 @@ foreach (glob("functions/*.php") as $filename) { "verify_peer_name" => false, "allow_self_signed" => true, "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 5, + $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); if ( $read_stream === false ) { @@ -314,7 +314,7 @@ foreach (glob("functions/*.php") as $filename) { ?> <div class="footer"> <div class="col-md-6 col-md-offset-1 container"> - <p class="text-muted">By <a href="https://raymii.org/s/software/OpenSSL_Decoder.html">Remy van Elst</a>. License: GNU AGPLv3. <a href="https://github.com/RaymiiOrg/ssl-decoder">Source code</a>. <strong><a href="https://cipherli.st/">Strong SSL Ciphers & Config settings @ Cipherli.st</a></strong>. Version: 1.9</p> + <p class="text-muted">By <a href="https://raymii.org/s/software/OpenSSL_Decoder.html">Remy van Elst</a>. License: GNU AGPLv3. <a href="https://github.com/RaymiiOrg/ssl-decoder">Source code</a>. <strong><a href="https://cipherli.st/">Strong SSL Ciphers & Config settings @ Cipherli.st</a></strong>. Version: 2.0</p> </div> </div> </div> |