TLS scan the SUT multiple times with different cipiher suites and ver…
…sion
raja-ashok committed Jul 22, 2023
1 parent 0f70331 commit edd4812
Showing 2 changed files with 265 additions and 6 deletions.
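--- a/config/nist-sp-800-52.json
+++ b/config/nist-sp-800-52.json
@@ -0,0 +1,112 @@
+{
+"tls_versions": [
+{
+"version": "1.3",
+"recommended": "high"
+},
+{
+"version": "1.2",
+"recommended": "medium"
+},
+{
+"version": "1.1",
+"recommended": "not"
+},
+{
+"version": "1.0",
+"recommended": "not"
+},
+{
+"version": "3.0",
+"recommended": "not"
+}
+],
+"cipher_suites": [
+{
+"cipher_suite": "TLS_AES_256_GCM_SHA384",
+"versions": [
+{
+"version": "TLSv1.3",
+"recommended": "high"
+}
+]
+},
+{
+"cipher_suite": "TLS_AES_128_GCM_SHA256",
+"versions": [
+{
+"version": "TLSv1.3",
+"recommended": "high"
+}
+]
+},
+{
+"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+"versions": [
+{
+"version": "TLSv1.2",
+"recommended": "low"
+},
+{
+"version": "TLSv1.1",
+"recommended": "not"
+},
+{
+"version": "TLSv1.0",
+"recommended": "not"
+}
+]
+},
+{
+"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+"versions": [
+{
+"version": "TLSv1.2",
+"recommended": "low"
+},
+{
+"version": "TLSv1.1",
+"recommended": "not"
+},
+{
+"version": "TLSv1.0",
+"recommended": "not"
+}
+]
+},
+{
+"cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
+"versions": [
+{
+"version": "TLSv1.2",
+"recommended": "not"
+},
+{
+"version": "TLSv1.1",
+"recommended": "not"
+},
+{
+"version": "TLSv1.0",
+"recommended": "not"
+}
+]
+},
+{
+"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
+"versions": [
+{
+"version": "TLSv1.2",
+"recommended": "not"
+},
+{
+"version": "TLSv1.1",
+"recommended": "not"
+},
+{
+"version": "TLSv1.0",
+"recommended": "not"
+}
+]
+}
+]
+}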
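Review bot: The `cipher_suites` table lists only CBC-SHA suites for TLS 1.2, so a scan driven by this profile never probes the TLS 1.2 AEAD suites (the ECDHE AES-GCM family, for instance) that SP 800-52 Rev. 2 prefers over CBC; a server that offers only those at TLS 1.2 would show no supported TLS 1.2 suite in the report. Adding them here also needs matching entries in the `tls12_ossl_cs` map in src/tlsscan, which holds only the four CBC names. The `tls_versions` array spells versions as `"1.3"` and `"3.0"` while `cipher_suites[].versions` uses `"TLSv1.3"`, and `"3.0"` presumably stands for SSL 3.0; one spelling in both tables (with `"SSLv3"` for the last entry) would avoid a mismatch once both are read. Since JSON cannot carry comments, a short README entry naming the SP 800-52 revision the `recommended` grades were taken from would let a reviewer check them.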
159 changes: 153 additions & 6 deletions src/tlsscan
@@ -1,5 +1,8 @@
#!/bin/bash

NIST_SP_800_52="config/nist-sp-800-52.json"
JSON_REPORT="data/tls_conn_report.json"

chk_cmd()
{
if ! command -v $1 &>/dev/null; then
@@ -50,6 +53,72 @@ parse_cmdargs()
[[ -f $summcsv ]] && rm -f $summcsv
}

tls_json_report_beginner()
{
echo -en "[\n" > $JSON_REPORT
}

tls_conn_beginner()
{
echo -en "\t{\n" >> $JSON_REPORT
cat << EOF >> $JSON_REPORT
"Name": "$TLS_Name",
"Address": "$TLS_Address",
"Status": "$TLS_Status",
"Max_Protocol_Version": "$TLS_Max_Protocol_Version",
"Total_Supported_Cipher_Suites": "$TLS_Conn_Success_Count",
"Ciphersuites": [
EOF
}

TLS_CONN_REPORT=""
TLS_Conn_Success_Count=0
TLS_Max_Protocol_Version=""

tls_conn_status_append()
{
TLS_CONN_REPORT=$TLS_CONN_REPORT"$1"
}

tls_conn_status()
{
if [ $TLS_Conn_Status == "Succeeded" ]; then
TLS_Conn_Success_Count=$((TLS_Conn_Success_Count+1))
[[ $TLS_Max_Protocol_Version == "" ]] && TLS_Max_Protocol_Version=$TLS_Protocol_version
fi
if [ $1 -ne 1 ]; then
tls_conn_status_append ",\n"
fi
tls_conn_status_append "\t\t\t{\n"
tls_conn_status_append "\t\t\t\t\"Ciphersuite\": \"$TLS_Ciphersuite\",\n"
tls_conn_status_append "\t\t\t\t\"Version\": \"$TLS_Protocol_version\",\n"
tls_conn_status_append "\t\t\t\t\"ConnectionStatus\": \"$TLS_Conn_Status\"\n"
tls_conn_status_append "\t\t\t}" >> $JSON_REPORT
}

tls_conn_status_write_to_file()
{
if [ $TLS_Conn_Success_Count -gt 0 ]; then
TLS_Status="TLS"
fi
tls_conn_beginner
echo -en $TLS_CONN_REPORT >> $JSON_REPORT
TLS_Max_Protocol_Version=""
TLS_CONN_REPORT=""
TLS_Conn_Success_Count=0
}

tls_conn_trailer()
{
echo -en "\n\t\t]\n" >> $JSON_REPORT
echo -en "\t}\n" >> $JSON_REPORT
}

tls_json_report_trailer()
{
echo "]" >> $JSON_REPORT
}

jsonreport()
{
[[ "$jsonout" == "" ]] && return
@@ -90,11 +159,59 @@ csvreport()
EOF
}

reset_tls_conn_result()
{
TLS_Protocol_version="-"
TLS_Ciphersuite="-"
TLS_Hash_used="-"
TLS_Signature_type="-"
TLS_Verification="-"
TLS_Conn_Status="-"
}

tls_conn_failure()
{
TLS_Status="CONNFAIL"
TLS_Protocol_version=$1
TLS_Ciphersuite=$2
}

declare -A ossl_tls_ver_opt=(
["TLSv1.3"]="-tls1_3"
["TLSv1.2"]="-tls1_2"
["TLSv1.1"]="-tls1_1"
["TLSv1.0"]="-tls1_0"
)

# For TLS 1.2 and older versions, OpenSSL maintains a ciphersuite name
# different from the name specified in RFC
declare -A tls12_ossl_cs=(
["TLS_RSA_WITH_AES_256_CBC_SHA"]="AES256-SHA"
["TLS_RSA_WITH_AES_128_CBC_SHA"]="AES128-SHA"
["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]="ECDHE-RSA-AES256-SHA"
["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]="ECDHE-RSA-AES128-SHA"
)

opensslscan()
{
tmp=/tmp/tls.out
rm -f $tmp 2>/dev/null
timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$TLS_Address" -brief < /dev/null 2>$tmp
ver_opt=${ossl_tls_ver_opt[$1]}
if [ -z $ver_opt ]; then
echo "Invalid TLS version $1"
fi
if [ $ver_opt == "-tls1_3" ]; then
ciphersuite=$2
s_client_opt="-ciphersuites $ciphersuite $ver_opt "
else
ciphersuite=${tls12_ossl_cs[$2]}
if [ -z $ciphersuite ]; then
echo "Unknown ciphersuite $ciphersuite"
fi
s_client_opt="-cipher $ciphersuite $ver_opt "
fi
reset_tls_conn_result
timeout 2s openssl s_client -connect $TLS_Address -CApath /etc/ssl/certs/ $s_client_opt -brief < /dev/null 2>$tmp
# echo "ret=$ret"
# cat $tmp
conn_estd=0
@@ -105,10 +222,20 @@ opensslscan()
key=${line/:*/}
val=${line/*: /}
key=${key// /_}
if [ "$val" == "$ciphersuite" ]; then
val=$2
fi
printf -v "TLS_$key" '%s' "$val"
TLS_Status="TLS"
done < $tmp
[[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error"
if [ $conn_estd -ne 1 ]; then
TLS_Conn_Status="Failed"
tls_conn_failure $1 $2
else
TLS_Conn_Status="Succeeded"
[[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error"
fi
tls_conn_status $3
}

unsetvars()
@@ -119,28 +246,48 @@ unsetvars()
unset $varlist
}

scantls()
dotlsconnect()
{
TLS_Status="PLAIN_TEXT"
nc -w 1 -z ${TLS_Address/:/ }
case "$?" in
0) opensslscan ;;
0) opensslscan $1 $2 $3 ;;
*) TLS_Status="CONNFAIL" ;;
esac

jsonreport
csvreport
}

scantls()
{
cs_count=`jq '.cipher_suites | length' $NIST_SP_800_52`
count=0
tls_json_report_beginner
for((i=0; i<$cs_count; i++)); do
cipher_suite=`jq .cipher_suites[$i].cipher_suite $NIST_SP_800_52 -r`
supported_ver_count=`jq '.cipher_suites['$i'].versions | length' $NIST_SP_800_52`
for((j=0; j<$supported_ver_count; j++)); do
tls_version=`jq .cipher_suites[$i].versions[$j].version $NIST_SP_800_52 -r`
#echo "TLS Connect with $tls_version and $cipher_suite"
count=$((count+1))
dotlsconnect $tls_version $cipher_suite $count
done
done
tls_conn_status_write_to_file
tls_conn_trailer
tls_json_report_trailer
}

getsummary()
{
status_arr=(
status_arr=(
"certificate has expired"
"self-signed certificate"
"insecure port"
"connection failure"
)
regex_arr=(
regex_arr=(
"certificate has expired"
"self-signed certificate"
"PLAIN_TEXT"
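Review bot: The `ossl_tls_ver_opt` map passes `-tls1_0` for TLSv1.0, but `openssl s_client` spells that option `-tls1`, so every TLS 1.0 probe will most likely stop on an option error and be recorded as "Failed" even when the server accepts TLS 1.0; the entry should read `["TLSv1.0"]="-tls1"`. In `opensslscan` the two lookup checks only `echo` and fall through, so an unmapped version or suite still runs `s_client` with an empty option and is reported as a refused connection; add `return 1` after each message, quote the tests (`[ -z "$ver_opt" ]`), and print `$2` instead of the empty `$ciphersuite` in the "Unknown ciphersuite" message. As far as the visible lines show, `conn_estd` is the only signal used, so a local failure (bad option, or a protocol disabled in the local OpenSSL build or by its security level) cannot be told apart from a server-side rejection, and the report will under-state legacy protocol support. A comment on `tls_conn_status` stating that "Failed" covers both cases, or a separate status for client-side errors, would keep the compliance result honest.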
