cipherTest.sh

1. #!/usr/bin/env bash
2.  
3. control_c() {
4. [ -t 1 ] && echo "\r\e[K"
5. exit 1
6. }
7.  
8. trap control_c SIGINT
9.  
10. if [ "z$1" = "z" -o "z$2" = "z" ]
11. then
12. echo "Usage: $0 <hostname> <port>" >&2
13. echo " Behavior is undefined if hostname is invalid or not listening on the port." >&2
14. echo " Credits: Patrick Bogen <pbogen@twitter.com>" >&2
15. exit 2
16. fi
17.  
18. HOST=$1
19. if echo $HOST | grep -qE '^([0-9]+\.){3}[0-9]+$'
20. then
21. IP=$1
22. else
23. IP=`host $HOST | awk '/^[[:alnum:].-]+ has address/ { print $4 }'`
24. fi
25. PORT=$2
26.  
27. declare -a CIPHERS
28. declare -a PROTOS
29. declare -a MACS
30. declare -a KX
31. declare -a v2_ciphers
32.  
33. request='HEAD / HTTP/1.1\r\nHost: '"$HOST"'\r\nConnection: close\r\n\r\n'
34.  
35. CIPHERS=(`gnutls-cli -l | grep Ciphers: | cut -d' ' -f2- | tr -d ','`)
36. PROTOS=(`gnutls-cli -l | grep Protocols: | cut -d' ' -f2- | tr -d ',' | sed 's/VERS-//'`)
37. MACS=(`gnutls-cli -l | grep MACs: | cut -d' ' -f2- | tr -d ','`)
38. KX=(`gnutls-cli -l | grep "^Key exchange algorithms" | cut -d' ' -f 4- | tr -d ','`)
39. if openssl ciphers -ssl2 > /dev/null 2>&1
40. then
41. v2_ciphers=(`openssl ciphers -ssl2 | tr ':' ' '`)
42. else
43. echo "$0: your version of openssl does not appear to support sslv2" >&2
44. echo "$0: SSLv2 testing disabled!"
45. fi
46.  
47. result=""
48. for i in ${PROTOS[@]}; do [ -z "$result" ] && result="+VERS-$i" || result="$result:+VERS-$i"; done
49. all_protos=$result
50.  
51. result=""
52. for i in ${CIPHERS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
53. all_ciphers=$result
54.  
55. result=""
56. for i in ${MACS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
57. all_macs=$result
58.  
59. result=""
60. for i in ${KX[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
61. all_kx=$result
62.  
63. cur=0
64. total=$(( ${#CIPHERS[@]} + ${#PROTOS[@]} + ${#MACS[@]} + ${#KX[@]} ))
65.  
66. # Test each protocol promiscuously and remove any that will never work
67. result=""
68. for tgt in ${PROTOS[@]}
69. do
70. cur=$(( $cur + 1 ))
71. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
72. if echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$tgt:$all_kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
73. then
74. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
75. fi
76. done
77. PROTOS=( $result )
78. result=""
79. for i in ${PROTOS[@]}; do [ -z "$result" ] && result="+VERS-$i" || result="$result:+VERS-$i"; done
80. all_protos=$result
81.  
82. # Test each cipher promiscuously and remove any that will never work
83. result=""
84. for cipher in ${CIPHERS[@]}
85. do
86. cur=$(( $cur + 1 ))
87. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
88. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:$all_kx:$all_macs:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
89. then
90. [ -z "$result" ] && result="$cipher" || result="$result $cipher"
91. fi
92. done
93. CIPHERS=( $result )
94. result=""
95. for i in ${CIPHERS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
96. all_ciphers=$result
97.  
98. # Test each MAC promiscuously and remove any that will never work
99. result=""
100. for tgt in ${MACS[@]}
101. do
102. cur=$(( $cur + 1 ))
103. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
104. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:$all_kx:+$tgt:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
105. then
106. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
107. fi
108. done
109. MACS=( $result )
110. result=""
111. for i in ${MACS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
112. all_macs=$result
113.  
114. # Test each KX promiscuously and remove any that will never work
115. result=""
116. for tgt in ${KX[@]}
117. do
118. cur=$(( $cur + 1 ))
119. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
120. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:+$tgt:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
121. then
122. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
123. fi
124. done
125. KX=( $result )
126. result=""
127. for i in ${KX[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
128. all_kx=$result
129.  
130. total=$(( ${#PROTOS[@]} * ${#KX[@]} * ${#CIPHERS[@]} * ${#MACS[@]} + ${#v2_ciphers[@]} ))
131. i=0
132.  
133. [ -t 1 ] && echo -en '\r\e[K'
134. printf '%-7s %-17s %-10s %-11s\n' "Proto" "Cipher" "MAC" "KeX"
135. echo "------------------------------------------------"
136. for v2_cipher in ${v2_ciphers[@]}
137. do
138. i=$(( $i + 1 ))
139. OK=0
140. _mac=`openssl ciphers -v -ssl2 | grep ^$v2_cipher | grep -Eo 'Mac=[^ ]+' | cut -d'=' -f2`
141. _kx=`openssl ciphers -v -ssl2 | grep ^$v2_cipher | grep -Eo 'Kx=[^( ]+' | cut -d'=' -f2`
142. [ -t 1 ] && printf '\r\e[K%-7s %-17s %-10s %-11s (%d / %d)' "SSL2.0" $v2_cipher $_mac $_kx $i $total
143. echo -ne $request | openssl s_client -quiet -connect $HOST:$PORT -ssl2 -cipher $v2_cipher 2>&1 | grep -q 'ssl handshake failure\|write:errno=104' || OK=1
144. if [ $OK -eq 1 ]
145. then
146. [ -t 1 ] && echo -en '\r\e[K'
147. printf '%-7s %-17s %-10s %-11s\n' "SSL2.0" $v2_cipher $_mac $_kx
148. # openssl ciphers -v -ssl2 | grep ^$i || echo "No match for $i"
149. fi
150. done
151.  
152. for proto in ${PROTOS[@]}
153. do
154. [ -t 1 ] && printf '\r\e[K%-7s %-17s %-10s %-11s (%d / %d)' $proto "" "" "" $i $total
155. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:$all_kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
156. [ $? -eq 0 ] || { i=$(( $i + ${#KX[@]} * ${#CIPHERS[@]} * ${#MACS[@]} )); continue; }
157.  
158. for kx in ${KX[@]}
159. do
160. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto "" "" $kx $i $total
161. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
162. [ $? -eq 0 ] || { i=$(( $i + ${#CIPHERS[@]} * ${#MACS[@]} )); continue; }
163. for cipher in ${CIPHERS[@]}
164. do
165. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto $cipher "" $kx $i $total
166. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:$all_macs:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
167. [ $? -eq 0 ] || { i=$(( $i + ${#MACS[@]} )); continue; }
168. for mac in ${MACS[@]}
169. do
170. i=$(( $i + 1 ))
171. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto $cipher $mac $kx $i $total
172. # printf "%-7s %-17s %-10s %-11s " $proto $cipher $mac $kx
173. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:+$mac:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
174. if [ $? -eq 0 ]
175. then
176. [ -t 1 ] && echo -en "\r\e[K"
177. printf "%-7s %-17s %-10s %-11s\n" $proto $cipher $mac $kx
178. fi
179. done
180. done
181. done
182. done
183.  
184. [ -t 1 ] && printf "\r%80s\r" ""