diff options
Diffstat (limited to 'functions')
| -rw-r--r-- | functions/connection.php | 27 | ||||
| -rw-r--r-- | functions/crl.php | 2 | ||||
| -rw-r--r-- | functions/ocsp.php | 2 | ||||
| -rw-r--r-- | functions/tls_fallback_scsv.php | 36 |
4 files changed, 63 insertions, 4 deletions
diff --git a/functions/connection.php b/functions/connection.php index 4280798..c9705ac 100644 --- a/functions/connection.php +++ b/functions/connection.php @@ -288,7 +288,6 @@ if ( $read_stream === false ) { 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES256-SHA384', - 'TLS_FALLBACK_SCSV', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'SRP-DSS-AES-256-CBC-SHA', @@ -493,7 +492,31 @@ if ( $read_stream === false ) { </td> </tr> <?php - } + } + ?> + <tr> + <td> + <a href="http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html">TLS_FALLBACK_SCSV</a> + </td> + <td> + <?php + $fallback = tls_fallback_scsv($host, $port); + // echo "<pre>"; + // var_dump($fallback); + // echo "</pre>"; + if ($fallback['protocol_count'] == 1) { + echo "Only 1 protocol enabled, fallback not possible, TLS_FALLBACK_SCSV not required."; + } else { + if ($fallback['tls_fallback_scsv_support'] == 1) { + echo "<span class='text-success glyphicon glyphicon-ok'></span> - <span class='text-success'>TLS_FALLBACK_SCSV supported.</span>"; + } else { + echo "<span class='text-danger glyphicon glyphicon-remove'></span> - <span class='text-danger'>TLS_FALLBACK_SCSV not supported.</span>"; + } + } + ?> + </td> + </tr> + <?php $headers = server_http_headers($host, $port); ?> <tr> diff --git a/functions/crl.php b/functions/crl.php index af934da..3491a95 100644 --- a/functions/crl.php +++ b/functions/crl.php @@ -35,7 +35,7 @@ function crl_verify($raw_cert_data, $verbose=true) { if (0 === strpos($uri, 'http')) { $fp = fopen ("/tmp/" . $random_blurp . "." . $key . ".crl", 'w+'); $ch = curl_init(($uri)); - curl_setopt($ch, CURLOPT_TIMEOUT, 5); + curl_setopt($ch, CURLOPT_TIMEOUT, 2); curl_setopt($ch, CURLOPT_FILE, $fp); curl_setopt($ch, CURLOPT_FAILONERROR, true); curl_setopt($ch, CURLOPT_FRESH_CONNECT, true); diff --git a/functions/ocsp.php b/functions/ocsp.php index 37aec86..299a1fd 100644 --- a/functions/ocsp.php +++ b/functions/ocsp.php @@ -16,7 +16,7 @@ function ocsp_stapling($host, $port){ $result = ""; - $output = shell_exec('echo | timeout 5 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); + $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"'); if (strpos($output, "no response sent") !== false) { $result = array("working" => 0, "cert_status" => "No response sent"); diff --git a/functions/tls_fallback_scsv.php b/functions/tls_fallback_scsv.php new file mode 100644 index 0000000..3cf0ea1 --- /dev/null +++ b/functions/tls_fallback_scsv.php @@ -0,0 +1,36 @@ +<?php +// Copyright (C) 2015 Remy van Elst + +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. + +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +function tls_fallback_scsv($host,$port) { + + $result = []; + $protocols = ssl_conn_protocols($host, $port); + if (count(array_filter($protocols)) > 1) { + $result['protocol_count'] = count(array_filter($protocols)); + $fallback_test = shell_exec("echo | timeout 2 openssl s_client -connect " . escapeshellcmd($host) . ":" . escapeshellcmd($port) . " -fallback_scsv -no_tls1_2 2>&1 >/dev/null"); + // echo "<pre>"; + // var_dump($fallback_test); + // echo "</pre>"; + if ( stripos($fallback_test, "alert inappropriate fallback") !== false ) { + $result['tls_fallback_scsv_support'] = 1; + } + } else { + $result['protocol_count'] = 1; + } + return $result; +} + +?>
\ No newline at end of file |