diff options
| author | Remy <relst@relst.nl> | 2015-05-24 09:35:28 +0200 |
|---|---|---|
| committer | Remy <relst@relst.nl> | 2015-05-24 09:35:28 +0200 |
| commit | 988f08b9eb952404b94817a973d1a19ff7c6524b (patch) | |
| tree | b23c940603507f240f377ba9278b49ae97dc6190 /functions | |
| parent | 5e7e74fe94062683cce82c189cd43dd18c3aff9b (diff) | |
| download | ssl-decoder-988f08b9eb952404b94817a973d1a19ff7c6524b.zip ssl-decoder-988f08b9eb952404b94817a973d1a19ff7c6524b.tar.gz ssl-decoder-988f08b9eb952404b94817a973d1a19ff7c6524b.tar.bz2 | |
Add support for specific endpoints
Diffstat (limited to 'functions')
| -rw-r--r-- | functions/connection.php | 82 | ||||
| -rw-r--r-- | functions/crl.php | 8 | ||||
| -rw-r--r-- | functions/json.php | 15 | ||||
| -rw-r--r-- | functions/ocsp.php | 11 | ||||
| -rw-r--r-- | functions/tls_fallback_scsv.php | 11 | ||||
| -rw-r--r-- | functions/variables.php | 127 |
6 files changed, 188 insertions, 66 deletions
diff --git a/functions/connection.php b/functions/connection.php index 60b111f..5cb98ab 100644 --- a/functions/connection.php +++ b/functions/connection.php @@ -27,11 +27,13 @@ function get(&$var, $default=null) { return isset($var) ? $var : $default; } -function server_http_headers($host, $port){ +function server_http_headers($host, $ip, $port){ + global $timeout; // first check if server is http. otherwise long timeout. - $ch = curl_init(("https://" . $host . ":" . $port)); - curl_setopt($ch, CURLOPT_TIMEOUT, 2); + $ch = curl_init(("https://" . $ip . ":" . $port)); + curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_NOBODY, true); + curl_setopt($ch, CURLOPT_HTTPHEADER, array("Host: $host")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FAILONERROR, true); curl_setopt($ch, CURLOPT_FRESH_CONNECT, true); @@ -49,23 +51,25 @@ function server_http_headers($host, $port){ array("verify_peer" => false, "capture_session_meta" => true, "verify_peer_name" => false, + "peer_name" => $host, "allow_self_signed" => true, "sni_enabled" => true), 'http' => array( 'method' => 'GET', 'max_redirects' => 1, - 'timeout' => 2 + 'timeout' => $timeout ) ) ); - $headers = get_headers("https://$host:$port", 1); + $headers = get_headers("https://$ip:$port", 1); if (!empty($headers)) { $headers = array_change_key_case($headers, CASE_LOWER); return $headers; } } -function ssl_conn_ciphersuites($host, $port, $ciphersuites){ +function ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites) { + global $timeout; $old_error_reporting = error_reporting(); error_reporting($old_error_reporting ^ E_WARNING); $results = array(); @@ -75,9 +79,10 @@ function ssl_conn_ciphersuites($host, $port, $ciphersuites){ array("verify_peer" => false, "verify_peer_name" => false, "allow_self_signed" => true, + "peer_name" => $host, 'ciphers' => $value, "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); + $read_stream = stream_socket_client("ssl://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream); if ( $read_stream === false ) { $results[$value] = false; } else { @@ -88,7 +93,7 @@ function ssl_conn_ciphersuites($host, $port, $ciphersuites){ return $results; } -function test_heartbleed($host, $port) { +function test_heartbleed($ip, $port) { global $current_folder; $exitstatus = 0; $output = 0; @@ -100,7 +105,7 @@ function test_heartbleed($host, $port) { # check if python2 is available exec("command -v python2 >/dev/null 2>&1", $cmdoutput, $cmdexitstatus); if ($cmdexitstatus != 1) { - exec("timeout 15 python2 " . getcwd() . "/inc/heartbleed.py " . escapeshellcmd($host) . " --json \"" . $tmpfile . "\" --threads 1 --port " . escapeshellcmd($port) . " --silent", $output, $exitstatus); + exec("timeout 15 python2 " . getcwd() . "/inc/heartbleed.py " . escapeshellcmd($ip) . " --json \"" . $tmpfile . "\" --threads 1 --port " . escapeshellcmd($port) . " --silent", $output, $exitstatus); if (file_exists($tmpfile)) { $json_data = json_decode(file_get_contents($tmpfile),true); foreach ($json_data as $key => $value) { @@ -118,10 +123,11 @@ function test_heartbleed($host, $port) { return $result; } -function test_sslv2($host, $port) { +function test_sslv2($ip, $port) { + global $timeout; $exitstatus = 0; $output = 0; - exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -ssl2 2>&1 >/dev/null', $output, $exitstatus); + exec('echo | timeout ' . $timeout . ' openssl s_client -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -ssl2 2>&1 >/dev/null', $output, $exitstatus); if ($exitstatus == 0) { $result = true; } else { @@ -130,12 +136,12 @@ function test_sslv2($host, $port) { return $result; } -## python2 inc/heartbleed.py 85.222.224.236 --json tmp --max 1 --threads 1 --port 443 - -function conn_compression($host, $port) { +function conn_compression($host, $ip, $port) { + global $timeout; $exitstatus = 0; $output = 0; - exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus); + //pre_dump('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"'); + exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -status -tlsextdebug 2>&1 | grep -qe "^Compression: NONE"', $output, $exitstatus); if ($exitstatus == 0) { $result = false; } else { @@ -144,7 +150,8 @@ function conn_compression($host, $port) { return $result; } -function ssl_conn_protocols($host, $port){ +function ssl_conn_protocols($host, $ip, $port) { + global $timeout; $old_error_reporting = error_reporting(); error_reporting($old_error_reporting ^ E_WARNING); $results = array('sslv2' => false, @@ -159,10 +166,11 @@ function ssl_conn_protocols($host, $port){ array("verify_peer" => false, "capture_session_meta" => true, "verify_peer_name" => false, + "peer_name" => $host, "allow_self_signed" => true, 'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT, "sni_enabled" => true))); - $read_stream_sslv3 = stream_socket_client("sslv3://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_sslv3); + $read_stream_sslv3 = stream_socket_client("sslv3://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream_sslv3); if ( $read_stream_sslv3 === false ) { $results['sslv3'] = false; } else { @@ -173,10 +181,11 @@ function ssl_conn_protocols($host, $port){ array("verify_peer" => false, "capture_session_meta" => true, "verify_peer_name" => false, + "peer_name" => $host, "allow_self_signed" => true, 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_0_CLIENT, "sni_enabled" => true))); - $read_stream_tlsv10 = stream_socket_client("tlsv1.0://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv10); + $read_stream_tlsv10 = stream_socket_client("tlsv1.0://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream_tlsv10); if ( $read_stream_tlsv10 === false ) { $results['tlsv1.0'] = false; } else { @@ -188,9 +197,10 @@ function ssl_conn_protocols($host, $port){ "capture_session_meta" => true, "verify_peer_name" => false, "allow_self_signed" => true, + "peer_name" => $host, 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_1_CLIENT, "sni_enabled" => true))); - $read_stream_tlsv11 = stream_socket_client("tlsv1.1://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv11); + $read_stream_tlsv11 = stream_socket_client("tlsv1.1://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream_tlsv11); if ( $read_stream_tlsv11 === false ) { $results['tlsv1.1'] = false; } else { @@ -202,9 +212,10 @@ function ssl_conn_protocols($host, $port){ "capture_session_meta" => true, "verify_peer_name" => false, "allow_self_signed" => true, + "peer_name" => $host, 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv_1_2_CLIENT, "sni_enabled" => true))); - $read_stream_tlsv12 = stream_socket_client("tlsv1.2://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream_tlsv12); + $read_stream_tlsv12 = stream_socket_client("tlsv1.2://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream_tlsv12); if ( $read_stream_tlsv12 === false ) { $results['tlsv1.2'] = false; } else { @@ -228,7 +239,7 @@ function ssl_conn_metadata($data) { } foreach ($data["warning"] as $key => $value) { echo "<div class='alert alert-danger' role='alert'>"; - echo htmlspecialchars($value); + echo $value; echo "</div>"; } } @@ -525,13 +536,18 @@ function ssl_conn_metadata($data) { -function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { +function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=null) { $result = array(); global $random_blurp; global $current_folder; $context = stream_context_get_params($read_stream); $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta']; $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0]; + + if (filter_var(preg_replace('/[^A-Za-z0-9\.\:-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) { + $result["warning"][] = "You are testing an IPv6 host. Due to <a href=\"https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest\">bugs</a> in OpenSSL's command line tools the results will be inaccurate. Known incorrect are OCSP Stapling, TLS_FALLBACK_SCSV and SSL Compression results, others may also be incorrect."; + } + $result["checked_hostname"] = $host; //chain if (isset($context_meta)) { @@ -573,20 +589,18 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { unlink('/tmp/verify_cert.' . $random_blurp . '.pem'); } // hostname ip port - if (fixed_gethostbyname($host)) { - $result["ip"] = fixed_gethostbyname($host); - $result["hostname"] = gethostbyaddr(fixed_gethostbyname($host)); - $result["port"] = $port; - } + $result["ip"] = $ip; + $result["hostname"] = gethostbyaddr($ip); + $result["port"] = $port; //heartbleed - $result['heartbleed'] = test_heartbleed($host, $port); + $result['heartbleed'] = test_heartbleed($ip, $port); if ($result['heartbleed'] == "vulnerable") { $result["warning"][] = 'Vulnerable to the Heartbleed bug. Please update your OpenSSL ASAP!'; } // compression - $compression = conn_compression($host, $port); + $compression = conn_compression($host, $ip, $port); if ($compression == false) { $result["compression"] = false; } else { @@ -595,7 +609,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { } // protocols - $result["protocols"] = array_reverse(ssl_conn_protocols($host, $port)); + $result["protocols"] = array_reverse(ssl_conn_protocols($host, $ip, $port)); foreach ($result["protocols"] as $key => $value) { if ( $value == true ) { if ( $key == "sslv2") { @@ -731,7 +745,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { 'NULL-SHA256', 'NULL-SHA', 'NULL-MD5'); - $tested_ciphersuites = ssl_conn_ciphersuites($host, $port, $ciphersuites_to_test); + $tested_ciphersuites = ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites_to_test); $result["supported_ciphersuites"] = array(); foreach ($tested_ciphersuites as $key => $value) { if ($value == true) { @@ -744,7 +758,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits']; } // tls_fallback_scsv - $fallback = tls_fallback_scsv($host, $port); + $fallback = tls_fallback_scsv($host, $ip, $port); if ($fallback['protocol_count'] == 1) { $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; } else { @@ -756,7 +770,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { } } //hsts - $headers = server_http_headers($host, $port); + $headers = server_http_headers($host, $ip, $port); if ($headers["strict-transport-security"]) { if ( is_array($headers["strict-transport-security"])) { $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50); @@ -785,7 +799,7 @@ function ssl_conn_metadata_json($host, $port, $read_stream, $chain_data=null) { } } // ocsp stapling - $stapling = ocsp_stapling($host,$port); + $stapling = ocsp_stapling($host, $ip, $port); if($stapling["working"] == 1) { $result["ocsp_stapling"] = $stapling; } else { diff --git a/functions/crl.php b/functions/crl.php index 34cc794..35e57a5 100644 --- a/functions/crl.php +++ b/functions/crl.php @@ -15,7 +15,7 @@ // along with this program. If not, see <http://www.gnu.org/licenses/>. function crl_verify($raw_cert_data, $verbose=true) { - global $random_blurp; + global $random_blurp, $timeout; $cert_data = openssl_x509_parse($raw_cert_data); $cert_serial_nm = strtoupper(bcdechex($cert_data['serialNumber'])); $crl_uris = []; @@ -35,7 +35,7 @@ function crl_verify($raw_cert_data, $verbose=true) { if (0 === strpos($uri, 'http')) { $fp = fopen ("/tmp/" . $random_blurp . "." . $key . ".crl", 'w+'); $ch = curl_init(($uri)); - curl_setopt($ch, CURLOPT_TIMEOUT, 2); + curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_FILE, $fp); curl_setopt($ch, CURLOPT_FAILONERROR, true); curl_setopt($ch, CURLOPT_FRESH_CONNECT, true); @@ -100,7 +100,7 @@ function crl_verify($raw_cert_data, $verbose=true) { function crl_verify_json($raw_cert_data) { - global $random_blurp; + global $random_blurp, $timeout; $result = []; $cert_data = openssl_x509_parse($raw_cert_data); $cert_serial_nm = strtoupper(bcdechex($cert_data['serialNumber'])); @@ -121,7 +121,7 @@ function crl_verify_json($raw_cert_data) { $result[$crl_no]["crl_uri"] = $uri; $fp = fopen ("/tmp/" . $random_blurp . "." . $key . ".crl", 'w+'); $ch = curl_init(($uri)); - curl_setopt($ch, CURLOPT_TIMEOUT, 2); + curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_FILE, $fp); curl_setopt($ch, CURLOPT_FAILONERROR, true); curl_setopt($ch, CURLOPT_FRESH_CONNECT, true); diff --git a/functions/json.php b/functions/json.php index bbd9983..0abed70 100644 --- a/functions/json.php +++ b/functions/json.php @@ -15,17 +15,24 @@ // along with this program. If not, see <http://www.gnu.org/licenses/>. -function check_json($host,$port) { +function check_json($host,$ip,$port) { + global $timeout; $data = []; $stream = stream_context_create (array("ssl" => array("capture_peer_cert" => true, "capture_peer_cert_chain" => true, "verify_peer" => false, + "peer_name" => $host, "verify_peer_name" => false, "allow_self_signed" => true, "capture_session_meta" => true, "sni_enabled" => true))); - $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); + if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 )) { + $connect_ip = "[" . $ip . "]"; + } else { + $connect_ip = $ip; + } + $read_stream = stream_socket_client("ssl://$connect_ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream); if ( $read_stream === false ) { $data["error"] = ["Failed to connect: " . htmlspecialchars($errstr)]; return $data; @@ -44,8 +51,8 @@ function check_json($host,$port) { $prev = $chain_data[$key-1]; $chain_key = (string)$key+1; if ($key == 0) { - $data["connection"] = ssl_conn_metadata_json($host, $port, $read_stream, $chain_data); - $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, true); + $data["connection"] = ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data); + $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, $ip, true); } else { $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false); } diff --git a/functions/ocsp.php b/functions/ocsp.php index ca8ada6..99b5f2d 100644 --- a/functions/ocsp.php +++ b/functions/ocsp.php @@ -14,9 +14,10 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. -function ocsp_stapling($host, $port){ +function ocsp_stapling($host, $ip, $port) { + global $timeout; $result = ""; - $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); + $output = shell_exec('echo | timeout ' . $timeout . ' openssl s_client -servername "' . escapeshellcmd($host) . '" -connect "' . escapeshellcmd($ip) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); if (strpos($output, "no response sent") !== false) { $result = array("working" => 0, "cert_status" => "No response sent"); @@ -45,7 +46,7 @@ function ocsp_stapling($host, $port){ } function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) { - global $random_blurp; + global $random_blurp, $timeout; $result = array(); $tmp_dir = '/tmp/'; $root_ca = getcwd() . '/cacert.pem'; @@ -62,9 +63,9 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) { //pre_dump('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc.' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); - $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); + $output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1'); - $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"'); + $filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"'); $output = preg_replace("/[[:blank:]]+/"," ", $output); $ocsp_status_lines = explode("\n", $output); diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php index 3cf0ea1..dc58f11 100644 --- a/functions/tls_fallback_scsv.php +++ b/functions/tls_fallback_scsv.php @@ -14,16 +14,13 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. -function tls_fallback_scsv($host,$port) { - +function tls_fallback_scsv($host, $ip, $port) { + global $timeout; $result = []; - $protocols = ssl_conn_protocols($host, $port); + $protocols = ssl_conn_protocols($host, $ip, $port); if (count(array_filter($protocols)) > 1) { $result['protocol_count'] = count(array_filter($protocols)); - $fallback_test = shell_exec("echo | timeout 2 openssl s_client -connect " . escapeshellcmd($host) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null"); - // echo "<pre>"; - // var_dump($fallback_test); - // echo "</pre>"; + $fallback_test = shell_exec("echo | timeout $timeout openssl s_client -servername \"" . escapeshellcmd($host) . "\" -connect " . escapeshellcmd($ip) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null"); if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) { $result['tls_fallback_scsv_support'] = 1; } diff --git a/functions/variables.php b/functions/variables.php index 28caaa1..7384794 100644 --- a/functions/variables.php +++ b/functions/variables.php @@ -14,10 +14,15 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. +# timeout in seconds +$timeout = 2; + +# Don't change stuff down here. date_default_timezone_set('UTC'); -ini_set('default_socket_timeout', 2); -$version = 2.4; +$version = 2.5; + +ini_set('default_socket_timeout', 2); $random_blurp = rand(1000,99999); @@ -27,24 +32,122 @@ $ev_oids = array("1.3.6.1.4.1.34697.2.1", "1.3.6.1.4.1.34697.2.2", "1.3.6.1.4.1. $current_folder = get_current_folder(); function parse_hostname($u_hostname){ - # format raymii.org:8080 should auto parse port. - # parts[0]=hostname, parts[1]=port + # format raymii.org:1.2.34.56 should do SNI request to that ip. + # parts[0]=host, parts[1]=ip $port = 0; $hostname = 0; - $parts = explode(":", $u_hostname); - if ((1 <= $parts[1]) && ($parts[1] <= 65535)) { - $parts[1] = preg_replace('/\\s+/', '', $parts[1]); - $parts[1] = preg_replace('/[^A-Za-z0-9\._-]/', '', $parts[1]); - $port = mb_strtolower($parts[1]); - } + $parts = explode(":", $u_hostname, 2); + if (idn_to_ascii($parts[0])) { $parts[0] = idn_to_ascii($parts[0]); } $parts[0] = preg_replace('/\\s+/', '', $parts[0]); - $parts[0] = preg_replace('/[^A-Za-z0-9\.-]/', '', $parts[0]); + $parts[0] = preg_replace('/[^A-Za-z0-9\.\:-]/', '', $parts[0]); $hostname = mb_strtolower($parts[0]); - $result = array('hostname' => $hostname, 'port' => $port); + + if (count($parts) > 1) { + $parts[1] = preg_replace('/\\s+/', '', $parts[1]); + $parts[1] = preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $parts[1]); + if (filter_var($parts[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) or filter_var($parts[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 )) { + $ip = mb_strtolower($parts[1]); + } else { + $ip = fixed_gethostbyname($hostname); + } + } else { + if (filter_var($hostname, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 )) { + $ip = $hostname; + } else { + $dns_a_records = dns_get_record($hostname, DNS_A); + $dns_aaaa_records = dns_get_record($hostname, DNS_AAAA); + $dns_records = array_merge($dns_a_records, $dns_aaaa_records); + if (count($dns_a_records) > 1 or count($dns_aaaa_records) > 1) { + $result = array('hostname' => $hostname, 'ip' => $ip, 'multiple_ip' => $dns_records); + return $result; + } else { + $ip = fixed_gethostbyname($hostname); + } + } + } + if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + $ip = "[" . $ip . "]"; + } + + $result = array('hostname' => $hostname, 'ip' => $ip); return $result; } +function choose_endpoint($ips, $host, $port, $ciphersuites) { + echo "<div id='page-content-wrapper'>\n"; + echo "<div class='container-fluid'>\n"; + echo "<div class='row'>\n"; + // if ajax-ed, don't show header again + if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') { + echo "<div class='col-md-10 col-md-offset-1'>\n"; + echo "<div class='page-header'>\n"; + echo "<h1><a style='color:black;' href=\""; + echo(htmlspecialchars($current_folder)); + echo "\">SSL Decoder</a></h1>\n"; + echo "</div>\n"; + } + echo "<div id='preloader'>\n"; + echo "<p>\n"; + echo "<img src=\""; + echo(htmlspecialchars($current_folder)); + echo 'img/ajax-loader.gif" />'; + echo "<br> <br>\n"; + echo "The SSL Decoder is processing your request. Please wait a few moments.<br>\n"; + echo "</p>\n"; + echo "</div>\n"; + echo "<div id='resultDiv'></div>\n"; + + echo "<div class='content'>\n<section id='choose_endpoint'>\n"; + echo "<header>\n<h2>Multiple endpoints for " . htmlspecialchars($host) . "</h2>\n</header>\n"; + echo "<p>We've found multiple results for " . htmlspecialchars($host) . ". Please choose the host you want to scan from the list below:</p>\n<br>\n"; + echo "<ul>\n"; + foreach ($ips as $ip) { + echo "<li>"; + echo "<a href=\""; + echo htmlspecialchars($current_folder); + echo "?host="; + echo htmlspecialchars($host); + echo ":"; + if ($ip['type'] == 'A') { + echo htmlspecialchars($ip['ip']); + } elseif ($ip['type'] == 'AAAA') { + echo "["; + echo htmlspecialchars($ip['ipv6']); + echo "]"; + } + echo "&port="; + echo htmlspecialchars($port); + echo "&ciphersuites="; + if ($ciphersuites == 1) { + echo "1"; + } else { + echo "0"; + } + echo "\">"; + if ($ip['type'] == 'A') { + echo htmlspecialchars($ip['ip']); + } elseif ($ip['type'] == 'AAAA') { + echo "["; + echo htmlspecialchars($ip['ipv6']); + echo "]"; + } + echo " (port: "; + echo htmlspecialchars($port); + echo ")</a>"; + echo "</li>"; + } + + echo "</ul>\n"; + echo "</section></div>\n"; + echo "</div>\n"; + echo "</div>\n"; + echo "</div>\n"; + + require_once("inc/footer.php"); + exit; +} + ?> |