diff options
Diffstat (limited to 'functions')
| -rw-r--r-- | functions/connection.php | 714 | ||||
| -rw-r--r-- | functions/json.php | 41 | ||||
| -rw-r--r-- | functions/parse_certificate.php | 199 | ||||
| -rw-r--r-- | functions/textual.php | 1 | ||||
| -rw-r--r-- | functions/variables.php | 22 | ||||
| -rw-r--r-- | functions/verify_certifitcate.php | 5 |
6 files changed, 565 insertions, 417 deletions
diff --git a/functions/connection.php b/functions/connection.php index 6ee5159..a30150d 100644 --- a/functions/connection.php +++ b/functions/connection.php @@ -288,7 +288,7 @@ function ssl_conn_protocols($host, $ip, $port) { return $results; } -function ssl_conn_metadata($data) { +function ssl_conn_metadata($data,$fastcheck=0) { global $random_blurp; global $current_folder; $chain_length = count($data["chain"]); @@ -351,61 +351,61 @@ function ssl_conn_metadata($data) { echo "</td>"; echo "</tr>"; } - // protocols - echo "<tr>"; - echo "<td>Protocols</td>"; - echo "<td>"; - $protocols = $data["protocols"]; - foreach ($protocols as $key => $value) { - if ( $value == true ) { - if ( $key == "tlsv1.2") { - echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>'; - } else if ( $key == "tlsv1.1") { - echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>'; - } else if ( $key == "tlsv1.0") { - echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>'; - } else if ( $key == "sslv3") { - echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported) </span>'; - echo "<a href='https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/' data-toggle='tooltip' data-placement='top' title='SSLv3 is old and broken. It makes you vulerable for the POODLE attack. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; - } else if ( $key == "sslv2") { - echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv2 (Supported) </span>'; - echo "<a href='http://www.rapid7.com/db/vulnerabilities/sslv2-and-up-enabled' data-toggle='tooltip' data-placement='top' title='SSLv2 is old and broken. It was replaced by SSLv3 in 1996. It does not support intermediate certs and has flaws in the crypto. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; - } else { - echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>'; - } - } else { - if ( $key == "tlsv1.2") { - echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span> '; - echo "<a href='http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html' data-toggle='tooltip' data-placement='top' title='TLSv1.2 was released in 2008. It is the most recent and secure version of the protocol. It adds TLS extensions and the AES ciphersuites plus other features and fixes. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; - } else if ( $key == "tlsv1.1") { - echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>'; - } else if ( $key == "tlsv1.0") { - echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>'; - } else if ( $key == "sslv3") { - echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>'; - } else if ( $key == "sslv2") { - echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv2 (Not supported)</span></p>'; + if($fastcheck == 0) { + // protocols + echo "<tr>"; + echo "<td>Protocols</td>"; + echo "<td>"; + $protocols = $data["protocols"]; + foreach ($protocols as $key => $value) { + if ( $value == true ) { + if ( $key == "tlsv1.2") { + echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">TLSv1.2 (Supported)</span></p>'; + } else if ( $key == "tlsv1.1") { + echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.1 (Supported)</p>'; + } else if ( $key == "tlsv1.0") { + echo '<p><span class="glyphicon glyphicon-ok"></span> - TLSv1.0 (Supported)</p>'; + } else if ( $key == "sslv3") { + echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv3 (Supported) </span>'; + echo "<a href='https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/' data-toggle='tooltip' data-placement='top' title='SSLv3 is old and broken. It makes you vulerable for the POODLE attack. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; + } else if ( $key == "sslv2") { + echo '<p><span class="text-danger glyphicon glyphicon-ok"></span> - <span class="text-danger">SSLv2 (Supported) </span>'; + echo "<a href='http://www.rapid7.com/db/vulnerabilities/sslv2-and-up-enabled' data-toggle='tooltip' data-placement='top' title='SSLv2 is old and broken. It was replaced by SSLv3 in 1996. It does not support intermediate certs and has flaws in the crypto. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; + } else { + echo '<p><span class="glyphicon glyphicon-ok"></span> - <span>'.$key.' (Supported)</span></p>'; + } } else { - echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>'; + if ( $key == "tlsv1.2") { + echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">TLSv1.2 (Not supported)</span> '; + echo "<a href='http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html' data-toggle='tooltip' data-placement='top' title='TLSv1.2 was released in 2008. It is the most recent and secure version of the protocol. It adds TLS extensions and the AES ciphersuites plus other features and fixes. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; + } else if ( $key == "tlsv1.1") { + echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.1 (Not supported)</p>'; + } else if ( $key == "tlsv1.0") { + echo '<p><span class="glyphicon glyphicon-remove"></span> - TLSv1.0 (Not supported)</p>'; + } else if ( $key == "sslv3") { + echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv3 (Not supported)</span></p>'; + } else if ( $key == "sslv2") { + echo '<p><span class="text-success glyphicon glyphicon-remove"></span> - <span class="text-success">SSLv2 (Not supported)</span></p>'; + } else { + echo '<p><span class="glyphicon glyphicon-remove"></span> - <span>'.$key.'(Not supported)</span></p>'; + } } } - } - echo "</td>"; - echo "</tr>"; - echo "<tr>"; - echo "<td>SSL Compression</td>"; - echo "<td>"; - if ($data['compression'] == false) { - echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">SSL Compression disabled</span></p>'; - } else { - echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">SSL Compression enabled</span> '; + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>SSL Compression</td>"; + echo "<td>"; + if ($data['compression'] == false) { + echo '<p><span class="text-success glyphicon glyphicon-ok"></span> - <span class="text-success">SSL Compression disabled</span></p>'; + } else { + echo '<p><span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">SSL Compression enabled</span> '; - echo "<a href='https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx' data-toggle='tooltip' data-placement='top' title='SSL Compression makes you vulnerable to the CRIME attack. Click the question mark for more info about it.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; - } - echo "</td>"; - echo "</tr>"; - //ciphersuites - if ($_GET['ciphersuites'] == 1) { + echo "<a href='https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx' data-toggle='tooltip' data-placement='top' title='SSL Compression makes you vulnerable to the CRIME attack. Click the question mark for more info about it.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a></p>"; + } + echo "</td>"; + echo "</tr>"; + //ciphersuites echo "<tr>"; echo "<td>Ciphersuites supported by server</td>"; echo "<td>"; @@ -477,122 +477,113 @@ function ssl_conn_metadata($data) { } echo "</td>"; echo "</tr>"; - } else { + //tls fallback scsv echo "<tr>"; - echo "<td>Ciphersuite Used</td>"; echo "<td>"; - echo htmlspecialchars($data['used_ciphersuite']['name']); - echo " (".htmlspecialchars($data['used_ciphersuite']['bits'])." bits)"; + echo "TLS_FALLBACK_SCSV"; + echo "</td>"; + echo "<td>"; + + if ($data["tls_fallback_scsv"] == "supported") { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported. </span>"; + } elseif ($data["tls_fallback_scsv"] == "unsupported") { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported. </span>"; + } else { + echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required. "; + } + echo "<a href='http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html' data-toggle='tooltip' data-placement='top' title='TLS_FALLBACK_SCSV provides protocol downgrade protection. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; echo "</td>"; echo "</tr>"; - } - //tls fallback scsv - echo "<tr>"; - echo "<td>"; - echo "TLS_FALLBACK_SCSV"; - echo "</td>"; - echo "<td>"; - if ($data["tls_fallback_scsv"] == "supported") { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported. </span>"; - } elseif ($data["tls_fallback_scsv"] == "unsupported") { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported. </span>"; - } else { - echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required. "; - } - echo "<a href='http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html' data-toggle='tooltip' data-placement='top' title='TLS_FALLBACK_SCSV provides protocol downgrade protection. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; - echo "</td>"; - echo "</tr>"; + //heartbleed + if ($data['heartbleed'] != 'python2error') { + echo "<tr>"; + echo "<td>"; + echo "Heartbleed"; + echo "</td>"; + echo "<td>"; + + if ($data["heartbleed"] == "not_vulnerable") { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Not vulnerable. </span>"; + } elseif ($data["heartbleed"] == "vulnerable") { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Vulnerable. </span>"; + } + echo "<a href='http://heartbleed.com/' data-toggle='tooltip' data-placement='top' title='Heartbleed is a serious vulnerability exposing server memory and thus private data to an attacker. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; + echo "</td>"; + echo "</tr>"; + } - //heartbleed - if ($data['heartbleed'] != 'python2error') { echo "<tr>"; echo "<td>"; - echo "Heartbleed"; + echo "Heartbeat Extension"; echo "</td>"; echo "<td>"; - if ($data["heartbleed"] == "not_vulnerable") { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>Not vulnerable. </span>"; - } elseif ($data["heartbleed"] == "vulnerable") { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>Vulnerable. </span>"; + if ($data["heartbeat"] == "1") { + echo "Extension enabled."; + } else { + echo "Extenstion not enabled."; } - echo "<a href='http://heartbleed.com/' data-toggle='tooltip' data-placement='top' title='Heartbleed is a serious vulnerability exposing server memory and thus private data to an attacker. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; echo "</td>"; echo "</tr>"; - } - echo "<tr>"; - echo "<td>"; - echo "Heartbeat Extension"; - echo "</td>"; - echo "<td>"; - - if ($data["heartbeat"] == "1") { - echo "Extension enabled."; - } else { - echo "Extenstion not enabled."; - } - echo "</td>"; - echo "</tr>"; - - // headers - echo "<tr>"; - echo "<td>"; - echo "<a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html'>Strict Transport Security</a>"; - echo "</td>"; - echo "<td>"; - // hsts - if ( $data["strict_transport_security"] == "not set" ) { - echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>'; - } else { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; - echo htmlspecialchars($data["strict_transport_security"]); - echo "</span>"; - } - echo " <a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html' data-toggle='tooltip' data-placement='top' title='Strict Transport Security lets visitors know that your website should only be visitid via HTTPS. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; - echo "</td>"; - echo "</tr>"; - echo "<tr>"; - echo "<td>"; - echo "<a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>HTTP Public Key Pinning Extension (HPKP)</a>"; - echo "</td>"; - echo "<td>"; - //hpkp - if ( $data["public_key_pins"] == "not set" ) { - echo '<span>Not Set</span>'; - } else { - echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; - echo htmlspecialchars($data["public_key_pins"]); - } - if ( $data["public_key-pins_report_only"] ) { - echo "<b>Report Only</b>: "; - echo htmlspecialchars($data["public_key_pins_report_only"]); - } + // headers + echo "<tr>"; + echo "<td>"; + echo "<a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html'>Strict Transport Security</a>"; + echo "</td>"; + echo "<td>"; + // hsts + if ( $data["strict_transport_security"] == "not set" ) { + echo '<span class="text-danger glyphicon glyphicon-remove"></span> - <span class="text-danger">Not Set</span>'; + } else { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; + echo htmlspecialchars($data["strict_transport_security"]); + echo "</span>"; + } + echo " <a href='https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html' data-toggle='tooltip' data-placement='top' title='Strict Transport Security lets visitors know that your website should only be visitid via HTTPS. Click the question mark for more info.'><span class='glyphicon glyphicon-question-sign' aria-hidden='true'></span></a>"; + echo "</td>"; + echo "</tr>"; + echo "<tr>"; + echo "<td>"; + echo "<a href='https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html'>HTTP Public Key Pinning Extension (HPKP)</a>"; + echo "</td>"; + echo "<td>"; + //hpkp + if ( $data["public_key_pins"] == "not set" ) { + echo '<span>Not Set</span>'; + } else { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>"; + echo htmlspecialchars($data["public_key_pins"]); + } + if ( $data["public_key-pins_report_only"] ) { + echo "<b>Report Only</b>: "; + echo htmlspecialchars($data["public_key_pins_report_only"]); + } - echo "</td>"; - echo "</tr>"; - // ocsp stapling - echo "<tr>"; - echo "<td>OCSP Stapling</td>"; - echo "<td>"; - if (isset($data["ocsp_stapling"]["working"])) { - if($data["ocsp_stapling"]["working"] == 1) { - echo "<table class='table'>"; - foreach ($data["ocsp_stapling"] as $key => $value) { - if ($key != "working") { - echo "<tr><td>" . htmlspecialchars(ucfirst(str_replace('_', ' ', $key))) . "</td><td>" . htmlspecialchars($value) . "</td></tr>"; - } - } - echo "</table>"; + echo "</td>"; + echo "</tr>"; + // ocsp stapling + echo "<tr>"; + echo "<td>OCSP Stapling</td>"; + echo "<td>"; + if (isset($data["ocsp_stapling"]["working"])) { + if($data["ocsp_stapling"]["working"] == 1) { + echo "<table class='table'>"; + foreach ($data["ocsp_stapling"] as $key => $value) { + if ($key != "working") { + echo "<tr><td>" . htmlspecialchars(ucfirst(str_replace('_', ' ', $key))) . "</td><td>" . htmlspecialchars($value) . "</td></tr>"; + } + } + echo "</table>"; + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>"; + } } else { echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>"; } - } else { - echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>No OCSP stapling response received.</span>"; + echo "</td>"; } - echo "</td>"; - // openssl version echo "</tr>"; echo "<tr>"; @@ -614,7 +605,7 @@ function ssl_conn_metadata($data) { -function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=null) { +function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=null,$fastcheck=0) { $result = array(); global $random_blurp; global $current_folder; @@ -689,238 +680,239 @@ function ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data=nul } $result["port"] = $port; - //heartbleed - $result['heartbleed'] = test_heartbleed($ip, $port); - if ($result['heartbleed'] == "vulnerable") { - $result["warning"][] = 'Vulnerable to the Heartbleed bug. Please update your OpenSSL ASAP!'; - } + if($fastcheck == 0) { + //heartbleed + $result['heartbleed'] = test_heartbleed($ip, $port); + if ($result['heartbleed'] == "vulnerable") { + $result["warning"][] = 'Vulnerable to the Heartbleed bug. Please update your OpenSSL ASAP!'; + } - // compression - $compression = conn_compression($host, $ip, $port); - if ($compression == false) { - $result["compression"] = false; - } else { - if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { - // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) - $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + // compression + $compression = conn_compression($host, $ip, $port); + if ($compression == false) { + $result["compression"] = false; } else { - $result["compression"] = true; - $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.'; + if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) + $result["warning"][] = 'SSL compression not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + } else { + $result["compression"] = true; + $result["warning"][] = 'SSL compression enabled. Please disable to prevent attacks like CRIME.'; + } + } - - } - // protocols - $result["protocols"] = array_reverse(ssl_conn_protocols($host, $ip, $port)); - foreach ($result["protocols"] as $key => $value) { - if ( $value == true ) { - if ( $key == "sslv2") { - $result["warning"][] = 'SSLv2 supported. Please disable ASAP and upgrade to a newer protocol like TLSv1.2.'; - } - if ( $key == "sslv3") { - $result["warning"][] = 'SSLv3 supported. Please disable and upgrade to a newer protocol like TLSv1.2.'; - } - } else { - if ( $key == "tlsv1.2") { - $result["warning"][] = 'TLSv1.2 unsupported. Please enable TLSv1.2.'; + // protocols + $result["protocols"] = array_reverse(ssl_conn_protocols($host, $ip, $port)); + foreach ($result["protocols"] as $key => $value) { + if ( $value == true ) { + if ( $key == "sslv2") { + $result["warning"][] = 'SSLv2 supported. Please disable ASAP and upgrade to a newer protocol like TLSv1.2.'; + } + if ( $key == "sslv3") { + $result["warning"][] = 'SSLv3 supported. Please disable and upgrade to a newer protocol like TLSv1.2.'; + } + } else { + if ( $key == "tlsv1.2") { + $result["warning"][] = 'TLSv1.2 unsupported. Please enable TLSv1.2.'; + } } } - } - // ciphersuites - if ($_GET['ciphersuites'] == 1) { - $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES256-SHA384', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'SRP-DSS-AES-256-CBC-SHA', - 'SRP-RSA-AES-256-CBC-SHA', - 'SRP-AES-256-CBC-SHA', - 'DH-DSS-AES256-GCM-SHA384', - 'DHE-DSS-AES256-GCM-SHA384', - 'DH-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES256-SHA256', - 'DHE-DSS-AES256-SHA256', - 'DH-RSA-AES256-SHA256', - 'DH-DSS-AES256-SHA256', - 'DHE-RSA-AES256-SHA', - 'DHE-DSS-AES256-SHA', - 'DH-RSA-AES256-SHA', - 'DH-DSS-AES256-SHA', - 'DHE-RSA-CAMELLIA256-SHA', - 'DHE-DSS-CAMELLIA256-SHA', - 'DH-RSA-CAMELLIA256-SHA', - 'DH-DSS-CAMELLIA256-SHA', - 'ECDH-RSA-AES256-GCM-SHA384', - 'ECDH-ECDSA-AES256-GCM-SHA384', - 'ECDH-RSA-AES256-SHA384', - 'ECDH-ECDSA-AES256-SHA384', - 'ECDH-RSA-AES256-SHA', - 'ECDH-ECDSA-AES256-SHA', - 'AES256-GCM-SHA384', - 'AES256-SHA256', - 'AES256-SHA', - 'CAMELLIA256-SHA', - 'PSK-AES256-CBC-SHA', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-ECDSA-AES128-SHA', - 'SRP-DSS-AES-128-CBC-SHA', - 'SRP-RSA-AES-128-CBC-SHA', - 'SRP-AES-128-CBC-SHA', - 'DH-DSS-AES128-GCM-SHA256', - 'DHE-DSS-AES128-GCM-SHA256', - 'DH-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES128-SHA256', - 'DHE-DSS-AES128-SHA256', - 'DH-RSA-AES128-SHA256', - 'DH-DSS-AES128-SHA256', - 'DHE-RSA-AES128-SHA', - 'DHE-DSS-AES128-SHA', - 'DH-RSA-AES128-SHA', - 'DH-DSS-AES128-SHA', - 'DHE-RSA-SEED-SHA', - 'DHE-DSS-SEED-SHA', - 'DH-RSA-SEED-SHA', - 'DH-DSS-SEED-SHA', - 'DHE-RSA-CAMELLIA128-SHA', - 'DHE-DSS-CAMELLIA128-SHA', - 'DH-RSA-CAMELLIA128-SHA', - 'DH-DSS-CAMELLIA128-SHA', - 'ECDH-RSA-AES128-GCM-SHA256', - 'ECDH-ECDSA-AES128-GCM-SHA256', - 'ECDH-RSA-AES128-SHA256', - 'ECDH-ECDSA-AES128-SHA256', - 'ECDH-RSA-AES128-SHA', - 'ECDH-ECDSA-AES128-SHA', - 'AES128-GCM-SHA256', - 'AES128-SHA256', - 'AES128-SHA', - 'SEED-SHA', - 'CAMELLIA128-SHA', - 'IDEA-CBC-SHA', - 'PSK-AES128-CBC-SHA', - 'ECDHE-RSA-RC4-SHA', - 'ECDHE-ECDSA-RC4-SHA', - 'ECDH-RSA-RC4-SHA', - 'ECDH-ECDSA-RC4-SHA', - 'RC4-SHA', - 'RC4-MD5', - 'PSK-RC4-SHA', - 'ECDHE-RSA-DES-CBC3-SHA', - 'ECDHE-ECDSA-DES-CBC3-SHA', - 'SRP-DSS-3DES-EDE-CBC-SHA', - 'SRP-RSA-3DES-EDE-CBC-SHA', - 'SRP-3DES-EDE-CBC-SHA', - 'EDH-RSA-DES-CBC3-SHA', - 'EDH-DSS-DES-CBC3-SHA', - 'DH-RSA-DES-CBC3-SHA', - 'DH-DSS-DES-CBC3-SHA', - 'ECDH-RSA-DES-CBC3-SHA', - 'ECDH-ECDSA-DES-CBC3-SHA', - 'DES-CBC3-SHA', - 'PSK-3DES-EDE-CBC-SHA', - 'EDH-RSA-DES-CBC-SHA', - 'EDH-DSS-DES-CBC-SHA', - 'DH-RSA-DES-CBC-SHA', - 'DH-DSS-DES-CBC-SHA', - 'DES-CBC-SHA', - 'EXP-EDH-RSA-DES-CBC-SHA', - 'EXP-EDH-DSS-DES-CBC-SHA', - 'EXP-DH-RSA-DES-CBC-SHA', - 'EXP-DH-DSS-DES-CBC-SHA', - 'EXP-DES-CBC-SHA', - 'EXP-RC2-CBC-MD5', - 'EXP-RC4-MD5', - 'ECDHE-RSA-NULL-SHA', - 'ECDHE-ECDSA-NULL-SHA', - 'AECDH-NULL-SHA', - 'ECDH-RSA-NULL-SHA', - 'ECDH-ECDSA-NULL-SHA', - 'NULL-SHA256', - 'NULL-SHA', - 'NULL-MD5'); - $tested_ciphersuites = ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites_to_test); - $result["supported_ciphersuites"] = array(); - foreach ($tested_ciphersuites as $key => $value) { - if ($value == true) { - $result["supported_ciphersuites"][] = $key; + // ciphersuites + if ($_GET['ciphersuites'] == 1) { + $ciphersuites_to_test = array('ECDHE-RSA-AES256-GCM-SHA384', + 'ECDHE-ECDSA-AES256-GCM-SHA384', + 'ECDHE-RSA-AES256-SHA384', + 'ECDHE-ECDSA-AES256-SHA384', + 'ECDHE-RSA-AES256-SHA', + 'ECDHE-ECDSA-AES256-SHA', + 'SRP-DSS-AES-256-CBC-SHA', + 'SRP-RSA-AES-256-CBC-SHA', + 'SRP-AES-256-CBC-SHA', + 'DH-DSS-AES256-GCM-SHA384', + 'DHE-DSS-AES256-GCM-SHA384', + 'DH-RSA-AES256-GCM-SHA384', + 'DHE-RSA-AES256-GCM-SHA384', + 'DHE-RSA-AES256-SHA256', + 'DHE-DSS-AES256-SHA256', + 'DH-RSA-AES256-SHA256', + 'DH-DSS-AES256-SHA256', + 'DHE-RSA-AES256-SHA', + 'DHE-DSS-AES256-SHA', + 'DH-RSA-AES256-SHA', + 'DH-DSS-AES256-SHA', + 'DHE-RSA-CAMELLIA256-SHA', + 'DHE-DSS-CAMELLIA256-SHA', + 'DH-RSA-CAMELLIA256-SHA', + 'DH-DSS-CAMELLIA256-SHA', + 'ECDH-RSA-AES256-GCM-SHA384', + 'ECDH-ECDSA-AES256-GCM-SHA384', + 'ECDH-RSA-AES256-SHA384', + 'ECDH-ECDSA-AES256-SHA384', + 'ECDH-RSA-AES256-SHA', + 'ECDH-ECDSA-AES256-SHA', + 'AES256-GCM-SHA384', + 'AES256-SHA256', + 'AES256-SHA', + 'CAMELLIA256-SHA', + 'PSK-AES256-CBC-SHA', + 'ECDHE-RSA-AES128-GCM-SHA256', + 'ECDHE-ECDSA-AES128-GCM-SHA256', + 'ECDHE-RSA-AES128-SHA256', + 'ECDHE-ECDSA-AES128-SHA256', + 'ECDHE-RSA-AES128-SHA', + 'ECDHE-ECDSA-AES128-SHA', + 'SRP-DSS-AES-128-CBC-SHA', + 'SRP-RSA-AES-128-CBC-SHA', + 'SRP-AES-128-CBC-SHA', + 'DH-DSS-AES128-GCM-SHA256', + 'DHE-DSS-AES128-GCM-SHA256', + 'DH-RSA-AES128-GCM-SHA256', + 'DHE-RSA-AES128-GCM-SHA256', + 'DHE-RSA-AES128-SHA256', + 'DHE-DSS-AES128-SHA256', + 'DH-RSA-AES128-SHA256', + 'DH-DSS-AES128-SHA256', + 'DHE-RSA-AES128-SHA', + 'DHE-DSS-AES128-SHA', + 'DH-RSA-AES128-SHA', + 'DH-DSS-AES128-SHA', + 'DHE-RSA-SEED-SHA', + 'DHE-DSS-SEED-SHA', + 'DH-RSA-SEED-SHA', + 'DH-DSS-SEED-SHA', + 'DHE-RSA-CAMELLIA128-SHA', + 'DHE-DSS-CAMELLIA128-SHA', + 'DH-RSA-CAMELLIA128-SHA', + 'DH-DSS-CAMELLIA128-SHA', + 'ECDH-RSA-AES128-GCM-SHA256', + 'ECDH-ECDSA-AES128-GCM-SHA256', + 'ECDH-RSA-AES128-SHA256', + 'ECDH-ECDSA-AES128-SHA256', + 'ECDH-RSA-AES128-SHA', + 'ECDH-ECDSA-AES128-SHA', + 'AES128-GCM-SHA256', + 'AES128-SHA256', + 'AES128-SHA', + 'SEED-SHA', + 'CAMELLIA128-SHA', + 'IDEA-CBC-SHA', + 'PSK-AES128-CBC-SHA', + 'ECDHE-RSA-RC4-SHA', + 'ECDHE-ECDSA-RC4-SHA', + 'ECDH-RSA-RC4-SHA', + 'ECDH-ECDSA-RC4-SHA', + 'RC4-SHA', + 'RC4-MD5', + 'PSK-RC4-SHA', + 'ECDHE-RSA-DES-CBC3-SHA', + 'ECDHE-ECDSA-DES-CBC3-SHA', + 'SRP-DSS-3DES-EDE-CBC-SHA', + 'SRP-RSA-3DES-EDE-CBC-SHA', + 'SRP-3DES-EDE-CBC-SHA', + 'EDH-RSA-DES-CBC3-SHA', + 'EDH-DSS-DES-CBC3-SHA', + 'DH-RSA-DES-CBC3-SHA', + 'DH-DSS-DES-CBC3-SHA', + 'ECDH-RSA-DES-CBC3-SHA', + 'ECDH-ECDSA-DES-CBC3-SHA', + 'DES-CBC3-SHA', + 'PSK-3DES-EDE-CBC-SHA', + 'EDH-RSA-DES-CBC-SHA', + 'EDH-DSS-DES-CBC-SHA', + 'DH-RSA-DES-CBC-SHA', + 'DH-DSS-DES-CBC-SHA', + 'DES-CBC-SHA', + 'EXP-EDH-RSA-DES-CBC-SHA', + 'EXP-EDH-DSS-DES-CBC-SHA', + 'EXP-DH-RSA-DES-CBC-SHA', + 'EXP-DH-DSS-DES-CBC-SHA', + 'EXP-DES-CBC-SHA', + 'EXP-RC2-CBC-MD5', + 'EXP-RC4-MD5', + 'ECDHE-RSA-NULL-SHA', + 'ECDHE-ECDSA-NULL-SHA', + 'AECDH-NULL-SHA', + 'ECDH-RSA-NULL-SHA', + 'ECDH-ECDSA-NULL-SHA', + 'NULL-SHA256', + 'NULL-SHA', + 'NULL-MD5'); + $tested_ciphersuites = ssl_conn_ciphersuites($host, $ip, $port, $ciphersuites_to_test); + $result["supported_ciphersuites"] = array(); + foreach ($tested_ciphersuites as $key => $value) { + if ($value == true) { + $result["supported_ciphersuites"][] = $key; + } } + + } else { + $result["used_ciphersuite"]["name"] = $context_meta['cipher_name']; + $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits']; } - - } else { - $result["used_ciphersuite"]["name"] = $context_meta['cipher_name']; - $result["used_ciphersuite"]["bits"] = $context_meta['cipher_bits']; - } - // tls_fallback_scsv - $fallback = tls_fallback_scsv($host, $ip, $port); - if ($fallback['protocol_count'] == 1) { - $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; - } else { - if ($fallback['tls_fallback_scsv_support'] == 1) { - $result["tls_fallback_scsv"] = "supported"; + // tls_fallback_scsv + $fallback = tls_fallback_scsv($host, $ip, $port); + if ($fallback['protocol_count'] == 1) { + $result["tls_fallback_scsv"] = "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; } else { - if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { - // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) - $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + if ($fallback['tls_fallback_scsv_support'] == 1) { + $result["tls_fallback_scsv"] = "supported"; } else { - $result["tls_fallback_scsv"] = "unsupported"; - $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection."; + if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) + $result["warning"][] = 'TLS_FALLBACK_SCSV not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + } else { + $result["tls_fallback_scsv"] = "unsupported"; + $result["warning"][] = "TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection."; + } } } - } - //hsts - $headers = server_http_headers($host, $ip, $port); - if ($headers["strict-transport-security"]) { - if ( is_array($headers["strict-transport-security"])) { - $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50); - } else { - $result["strict_transport_security"] = substr($headers["strict-transport-security"], 0, 50); - } - } else { - $result["strict_transport_security"] = 'not set'; - $result["warning"][] = "HTTP Strict Transport Security not set."; - } - //hpkp - if ( $headers["public-key-pins"] ) { - if ( is_array($headers["public-key-pins"])) { - $result["public_key_pins"] = substr($headers["public-key-pins"][0], 0, 255); + //hsts + $headers = server_http_headers($host, $ip, $port); + if ($headers["strict-transport-security"]) { + if ( is_array($headers["strict-transport-security"])) { + $result["strict_sransport-security"] = substr($headers["strict-transport-security"][0], 0, 50); + } else { + $result["strict_transport_security"] = substr($headers["strict-transport-security"], 0, 50); + } } else { - $result["public_key_pins"] = substr($headers["public-key-pins"], 0, 255); + $result["strict_transport_security"] = 'not set'; + $result["warning"][] = "HTTP Strict Transport Security not set."; } - } else { - $result["public_key_pins"] = 'not set'; - } - if ( $headers["public-key-pins-report-only"] ) { - if ( is_array($headers["public-key-pins-report-only"])) { - $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"][0], 0, 255); + //hpkp + if ( $headers["public-key-pins"] ) { + if ( is_array($headers["public-key-pins"])) { + $result["public_key_pins"] = substr($headers["public-key-pins"][0], 0, 255); + } else { + $result["public_key_pins"] = substr($headers["public-key-pins"], 0, 255); + } } else { - $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"], 0, 255); + $result["public_key_pins"] = 'not set'; } - } - // ocsp stapling - $stapling = ocsp_stapling($host, $ip, $port); - if($stapling["working"] == 1) { - $result["ocsp_stapling"] = $stapling; - } else { - if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { - // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) - $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + if ( $headers["public-key-pins-report-only"] ) { + if ( is_array($headers["public-key-pins-report-only"])) { + $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"][0], 0, 255); + } else { + $result["public_key_pins_report_only"] = substr($headers["public-key-pins-report-only"], 0, 255); + } + } + // ocsp stapling + $stapling = ocsp_stapling($host, $ip, $port); + if($stapling["working"] == 1) { + $result["ocsp_stapling"] = $stapling; } else { - $result["ocsp_stapling"] = "not set"; - $result["warning"][] = "OCSP Stapling not enabled."; + if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { + // ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest) + $result["warning"][] = 'OCSP Stapling not tested because of <a href="https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest">bugs</a> in the OpenSSL tools and IPv6.'; + } else { + $result["ocsp_stapling"] = "not set"; + $result["warning"][] = "OCSP Stapling not enabled."; + } } + + $result["heartbeat"] = heartbeat_test($host, $port); } - - $result["heartbeat"] = heartbeat_test($host, $port); - $result["openssl_version"] = shell_exec("openssl version"); $result["datetime_rfc2822"] = shell_exec("date --rfc-2822"); } diff --git a/functions/json.php b/functions/json.php index 997e892..3fae962 100644 --- a/functions/json.php +++ b/functions/json.php @@ -14,9 +14,10 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. - -function check_json($host,$ip,$port) { +function check_json($host,$ip,$port,$fastcheck=0) { global $timeout; + global $max_chain_length; + global $ct_urls; $data = []; $stream = stream_context_create (array("ssl" => array("capture_peer_cert" => true, @@ -42,7 +43,7 @@ function check_json($host,$ip,$port) { $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"]); $chain_data = $context["options"]["ssl"]["peer_certificate_chain"]; $chain_length = count($chain_data); - if (isset($chain_data) && $chain_length < 10) { + if (isset($chain_data) && $chain_length < $max_chain_length) { $chain_length = count($chain_data); $chain_arr_keys = ($chain_data); foreach(array_keys($chain_arr_keys) as $key) { @@ -51,30 +52,24 @@ function check_json($host,$ip,$port) { $prev = $chain_data[$key-1]; $chain_key = (string)$key+1; if ($key == 0) { - $data["connection"] = ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data); - $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, $ip, true); + $data["connection"] = ssl_conn_metadata_json($host, $ip, $port, $read_stream, $chain_data, $fastcheck); + $data["chain"][$chain_key] = cert_parse_json($curr, $next, $host, true, $port); } else { - $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false); + $data["chain"][$chain_key] = cert_parse_json($curr, $next, null, false, $port); } // certificate transparency - $ct_urls = ["https://ct.ws.symantec.com", - "https://ct.googleapis.com/pilot", - "https://ct.googleapis.com/aviator", - "https://ct.googleapis.com/rocketeer", - "https://ct1.digicert-ct.com/log", - "https://ct.izenpe.com", - "https://ctlog.api.venafi.com", - "https://log.certly.io"]; $data["certificate_transparency"] = []; - foreach ($ct_urls as $ct_url) { - $submitToCT = submitCertToCT($data["chain"], $ct_url); - $ct_result = json_decode($submitToCT, TRUE); - if ($ct_result === null - && json_last_error() !== JSON_ERROR_NONE) { - $result_ct = array('result' => $submitToCT); - $data["certificate_transparency"][$ct_url] = $result_ct; - } else { - $data["certificate_transparency"][$ct_url] = $ct_result; + if($fastcheck == 0) { + foreach ($ct_urls as $ct_url) { + $submitToCT = submitCertToCT($data["chain"], $ct_url); + $ct_result = json_decode($submitToCT, TRUE); + if ($ct_result === null + && json_last_error() !== JSON_ERROR_NONE) { + $result_ct = array('result' => $submitToCT); + $data["certificate_transparency"][$ct_url] = $result_ct; + } else { + $data["certificate_transparency"][$ct_url] = $ct_result; + } } } } diff --git a/functions/parse_certificate.php b/functions/parse_certificate.php index 791aa38..d342e4b 100644 --- a/functions/parse_certificate.php +++ b/functions/parse_certificate.php @@ -537,6 +537,121 @@ function cert_parse($data) { echo $data["key"]["signature_algorithm"]; echo "</td>"; echo "</tr>"; + + echo "<tr>"; + echo "<td>Hashes</td>"; + echo "<td>"; + echo "<table class='table table-striped'>"; + foreach ($data["hash"] as $key => $value) { + echo "<tr><td>"; + echo htmlspecialchars(strtoupper($key)); + echo "</td><td><span style='font-family:monospace;'>"; + echo wordwrap(htmlspecialchars($value), 64, "<br>\n", TRUE); + echo "</span></td></tr>"; + } + echo "</table>"; + echo "</td>"; + echo "</tr>"; + + if ($_GET['fastcheck'] == 0) { + echo "<tr>"; + echo "<td>TLSA DNS </td>"; + echo "<td>"; + if($data['tlsa']['error'] == 'none' && isset($data['tlsa'])) { + echo "<table class='table table-striped'>"; + foreach ($data["tlsa"] as $key => $value) { + switch ($key) { + case 'tlsa_hash': + echo "<tr><td>Record Data</td><td>" . htmlspecialchars($value) . "</td></tr>"; + break; + case 'tlsa_usage': + echo "<tr><td>Usage</td><td>"; + switch ($value) { + case '0': + echo "0: PKIX-TA: Certificate Authority Constraint"; + break; + case '1': + echo "1: PKIX-EE: Service Certificate Constraint"; + break; + case '2': + echo "2: DANE-TA: Trust Anchor Assertion"; + break; + case '3': + echo "3: DANE-EE: Domain Issued Certificate"; + break; + default: + echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect usage parameter: ". htmlspecialchars($value) . "</span>"; + break; + } + break; + case 'tlsa_selector': + echo "<tr><td>Selector</td><td>"; + switch ($value) { + case '0': + echo "0: Cert: Use full certificate"; + break; + case '1': + echo "1: SPKI: Use subject public key"; + break; + default: + echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect selector parameter: ". htmlspecialchars($value) . "</span>"; + break; + } + break; + case 'tlsa_matching_type': + echo "<tr><td>Matching Type</td><td>"; + switch ($value) { + case '0': + echo "0: Full: No Hash"; + break; + case '1': + echo "1: SHA-256 hash"; + break; + case '2': + echo "2: SHA-512 hash"; + break; + default: + echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Incorrect matching type parameter: ". htmlspecialchars($value) . "</span>"; + break; + } + break; + } + echo "</td></tr>"; + } + if ($data['tlsa']['tlsa_matching_type'] == "1" || $data['tlsa']['tlsa_matching_type'] == 2) { + echo "<tr><td>DNS Hash Matches Certificate Hash</td><td>"; + if($data['tlsa']['tlsa_matching_type'] == '1') { + echo "SHA 256 "; + if ($data['tlsa']['tlsa_hash'] == $data['hash']['sha256']) { + echo "<span class='text-success glyphicon glyphicon-ok'></span><span class='text-success'> - Hash match</span>"; + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Hash does not match</span>"; + } + } + if($data['tlsa']['tlsa_matching_type'] == '2') { + echo "SHA 512 "; + if ($data['tlsa']['tlsa_hash'] == $data['hash']['sha512']) { + echo "<span class='text-success glyphicon glyphicon-ok'></span><span class='text-success'> Hash match</span>"; + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span><span class='text-danger'> - Hash does not match</span>"; + } + } + } + echo "</table>"; + } else { + echo "<p>"; + echo htmlspecialchars($data['tlsa']['error']); + if($data['tlsa']['example']) { + echo "Here's an example TLSA record based on this certificate's SHA-256 hash: <br><pre>"; + echo htmlspecialchars($data['tlsa']['example']); + echo "</pre></p>"; + } + } + echo "<p>Please note that the DNSSEC chain is not validated. The status of the DNSSEC signature will not show up here.<br><a href='https://wiki.mozilla.org/Security/DNSSEC-TLS-details'>More information about TLSA and DNSSEC.</a> - Simple TLSA record generator <a href='https://www.huque.com/bin/gen_tlsa'>here</a>."; + echo "</td>"; + echo "</tr>"; + } + if (count($data['cert_data']['extensions']) >= 1) { echo "<tr>"; echo "<td>Extensions</td>"; @@ -699,9 +814,10 @@ function csr_parse_json($csr) { return $result; } -function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $validate_hostname=false) { +function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $validate_hostname=false, $port="443") { global $random_blurp; global $ev_oids; + global $timeout; $result = array(); $cert_data = openssl_x509_parse($raw_cert_data); if (isset($raw_next_cert_data)) { @@ -836,40 +952,79 @@ function cert_parse_json($raw_cert_data, $raw_next_cert_data=null, $host=null, $ // key details $key_details = openssl_pkey_get_details(openssl_pkey_get_public($raw_cert_data)); $export_pem = ""; - openssl_x509_export($raw_cert_data, $export_pem); + //hashes + $string = $export_pem; + $pattern = '/-----(.*)-----/'; + $replacement = ''; + $string = preg_replace($pattern, $replacement, $string); + + $pattern = '/\n/'; + $replacement = ''; + $export_pem_preg = preg_replace($pattern, $replacement, $string); + $export_pem_preg = wordwrap($export_pem_preg, 77, "\n", TRUE); + //pre_dump("export preg: " . $export_pem_preg); + //pre_dump("end"); + $result['hash']['md5'] = cert_hash('md5', $export_pem_preg); + $result['hash']['sha1'] = cert_hash('sha1', $export_pem_preg); + $result['hash']['sha256'] = cert_hash('sha256', $export_pem_preg); + $result['hash']['sha384'] = cert_hash('sha384', $export_pem_preg); + $result['hash']['sha512'] = cert_hash('sha512', $export_pem_preg); + + //TLSA check + if (isset($cert_data['subject']['CN']) && isset($host)) { + if ($validate_hostname == true) { + $tlsa_record = shell_exec("timeout " . $timeout . " dig +short +dnssec +time=" . $timeout . " TLSA _" . escapeshellcmd($port) . "._tcp." . escapeshellcmd($host) . " 2>&1 | head -n 1"); + if (!empty($tlsa_record)) { + $tlsa = explode(" ", $tlsa_record, 4); + $pattern = '/ /'; + $replacement = ''; + $result['tlsa']['tlsa_hash'] = trim(strtolower(preg_replace($pattern, $replacement, $tlsa[3]))); + $result['tlsa']['tlsa_usage'] = $tlsa[0]; + $result['tlsa']['tlsa_selector'] = $tlsa[1]; + $result['tlsa']['tlsa_matching_type'] = $tlsa[2]; + $result['tlsa']['error'] = 'none'; + } else { + + $result['tlsa']['error'] = 'No TLSA record found.'; + $result['tlsa']['example'] = '_'. htmlspecialchars($port) . '._tcp.' . htmlspecialchars($host) . ' IN TLSA 3 0 1 ' . $result['hash']['sha256'] . ';'; + } + } else { + $result['tlsa']['error'] = 'CA certificate, TLSA not applicable.'; + } + } if (isset($key_details['rsa'])) { $result["key"]["type"] = "rsa"; $result["key"]["bits"] = $key_details['bits']; if ($key_details['bits'] < 2048) { $result['warning'][] = $key_details['bits'] . " bit RSA key is not safe. Upgrade to at least 4096 bits."; } - // weak debian key check - $bin_modulus = $key_details['rsa']['n']; - # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline. - # create the blacklist: - # https://packages.debian.org/source/squeeze/openssl-blacklist - # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/ - # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \; - # sort -u unsorted_blacklist.db > debian_blacklist.db - - $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n"); - #pre_dump($mod_sha1sum); - $blacklist_file = fopen('inc/debian_blacklist.db', 'r'); - $key_in_blacklist = false; - while (($buffer = fgets($blacklist_file)) !== false) { - if (strpos($buffer, $mod_sha1sum) !== false) { - $key_in_blacklist = true; - break; - } + + // weak debian key check + $bin_modulus = $key_details['rsa']['n']; + # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline. + # create the blacklist: + # https://packages.debian.org/source/squeeze/openssl-blacklist + # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/ + # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \; + # sort -u unsorted_blacklist.db > debian_blacklist.db + + $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n"); + $blacklist_file = fopen('inc/debian_blacklist.db', 'r'); + $key_in_blacklist = false; + while (($buffer = fgets($blacklist_file)) !== false) { + if (strpos($buffer, $mod_sha1sum) !== false) { + $key_in_blacklist = true; + break; + } } fclose($blacklist_file); if ($key_in_blacklist == true) { $result["key"]["weak_debian_rsa_key"] = "true"; - $result['warning'][] = "Weak Debian key found. Remove this key right now and create a new one."; + $result['warning'][] = "Weak debian key found. Remove this key right now and create a new one."; } } else if (isset($key_details['dsa'])) { - $result["key"]["type"] = "dsa"; + $result["key"]["type"] = "dsa"; $result["key"]["bits"] = $key_details['bits']; } else if (isset($key_details['dh'])) { $result["key"]["type"] = "dh"; diff --git a/functions/textual.php b/functions/textual.php index d33d184..0d05ded 100644 --- a/functions/textual.php +++ b/functions/textual.php @@ -54,6 +54,7 @@ function get_current_folder(){ return $folder; } +$current_folder = get_current_folder(); function gen_uuid() { return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x', diff --git a/functions/variables.php b/functions/variables.php index 94b4411..9e598e8 100644 --- a/functions/variables.php +++ b/functions/variables.php @@ -17,10 +17,13 @@ # timeout in seconds $timeout = 2; +# max chain length (big chain slows down checks) +$max_chain_length = 10; + # Don't change stuff down here. date_default_timezone_set('UTC'); -$version = 2.8; +$version = 2.9; ini_set('default_socket_timeout', 2); @@ -40,9 +43,6 @@ $ct_urls = ["https://ct.ws.symantec.com", $ev_oids = array("1.3.6.1.4.1.34697.2.1", "1.3.6.1.4.1.34697.2.2", "1.3.6.1.4.1.34697.2.3", "1.3.6.1.4.1.34697.2.4", "1.2.40.0.17.1.22", "2.16.578.1.26.1.3.3", "1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.6449.1.2.1.5.1", "2.16.840.1.114412.2.1", "2.16.840.1.114412.1.3.0.2", "2.16.528.1.1001.1.1.1.12.6.1.1.1", "2.16.840.1.114028.10.1.2", "0.4.0.2042.1.4", "0.4.0.2042.1.5", "1.3.6.1.4.1.13177.10.1.3.10", "1.3.6.1.4.1.14370.1.6", "1.3.6.1.4.1.4146.1.1", "2.16.840.1.114413.1.7.23.3", "1.3.6.1.4.1.14777.6.1.1", "2.16.792.1.2.1.1.5.7.1.9", "1.3.6.1.4.1.22234.2.5.2.3.1", "1.3.6.1.4.1.782.1.2.1.8.1", "1.3.6.1.4.1.8024.0.2.100.1.2", "1.2.392.200091.100.721.1", "2.16.840.1.114414.1.7.23.3", "1.3.6.1.4.1.23223.2", "1.3.6.1.4.1.23223.1.1.1", "2.16.756.1.83.21.0", "2.16.756.1.89.1.2.1.1", "2.16.840.1.113733.1.7.48.1", "2.16.840.1.114404.1.1.2.4.1", "2.16.840.1.113733.1.7.23.6", "1.3.6.1.4.1.6334.1.100.1", "2.16.840.1.114171.500.9", "1.3.6.1.4.1.36305.2"); - -$current_folder = get_current_folder(); - function parse_hostname($u_hostname){ # format raymii.org:1.2.34.56 should do SNI request to that ip. # parts[0]=host, parts[1]=ip @@ -86,7 +86,7 @@ function parse_hostname($u_hostname){ return $result; } -function choose_endpoint($ips, $host, $port, $ciphersuites) { +function choose_endpoint($ips, $host, $port, $fastcheck) { global $version; echo "<div id='page-content-wrapper'>\n"; echo "<div class='container-fluid'>\n"; @@ -110,13 +110,13 @@ function choose_endpoint($ips, $host, $port, $ciphersuites) { echo "</p>\n"; echo "</div>\n"; echo "<div id='resultDiv'></div>\n"; - echo "<div class='content'>\n<section id='choose_endpoint'>\n"; + echo "<div class='content' id='choose_endp'>\n<section id='choose_endpoint'>\n"; echo "<header>\n<h2>Multiple endpoints for " . htmlspecialchars($host) . "</h2>\n</header>\n"; echo "<p>We've found multiple results for " . htmlspecialchars($host) . ". Please choose the host you want to scan from the list below:</p>\n<br>\n"; echo "<ul>\n"; foreach ($ips as $ip) { echo "<li>"; - echo "<a href=\""; + echo "<a onclick=\"showdiv('preloader'); hidediv('choose_endp');\" href=\""; echo htmlspecialchars($current_folder); echo "?host="; echo htmlspecialchars($host); @@ -130,11 +130,11 @@ function choose_endpoint($ips, $host, $port, $ciphersuites) { } echo "&port="; echo htmlspecialchars($port); - echo "&ciphersuites="; - if ($ciphersuites == 1) { - echo "1"; + echo "&fastcheck="; + if ($fastcheck == 1) { + echo 1; } else { - echo "0"; + echo 0; } echo "\">"; if ($ip['type'] == 'A') { diff --git a/functions/verify_certifitcate.php b/functions/verify_certifitcate.php index 86312a1..e639cff 100644 --- a/functions/verify_certifitcate.php +++ b/functions/verify_certifitcate.php @@ -14,6 +14,11 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. +function cert_hash($hash_alg, $raw_cert_to_hash) { + $cert_hash = hash($hash_alg, base64_decode($raw_cert_to_hash)); + return $cert_hash; +} + function verify_certificate_hostname($raw_cert, $host) { $cert_data = openssl_x509_parse($raw_cert); if ($cert_data['subject']['CN']) { |