- subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port)]+options,
+ subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port), "-servername", host]+options,
stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except subprocess.CalledProcessError:
return False
stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except subprocess.CalledProcessError:
return False
- def __getProps(self, cipher):
+ def getProps(self, protocol, cipher):
+ # strip the sub-version-number from the protocol
+ pos = protocol.find('_')
+ if pos >= 0:
+ protocol = protocol[:pos]
- cipherInfo = subprocess.check_output(["openssl", "ciphers", "-v", cipher]).decode('UTF-8').strip()
- assert '\n' not in cipherInfo
+ cipherInfo = subprocess.check_output(["openssl", "ciphers", "-v", "-"+protocol, cipher]).decode('UTF-8').strip()
+ assert '\n' not in cipherInfo, "Cipher "+cipher+" produced unexpected output:\n"+cipherInfo
cipherInfoFields = cipherInfo.split()
# get # of bits
encMatch = re.match(r'^Enc=([0-9A-Za-z]+)\(([0-9]+)\)$', cipherInfoFields[4])
cipherInfoFields = cipherInfo.split()
# get # of bits
encMatch = re.match(r'^Enc=([0-9A-Za-z]+)\(([0-9]+)\)$', cipherInfoFields[4])
isLow = cipher in self.low
isMedium = cipher in self.medium
isHigh = cipher in self.high
isLow = cipher in self.low
isMedium = cipher in self.medium
isHigh = cipher in self.high
- assert isExp+isLow+isMedium+isHigh <= 1, "Cipher is more than one from EXP, LOW, MEDIUM, HIGH"
+ assert isExp+isLow+isMedium+isHigh <= 1, "Cipher "+cipher+" is more than one from EXP, LOW, MEDIUM, HIGH"
strength = CipherStrength.unknown
# done!
return CipherProps(bits=bits, strength=strength, isPfs=isPfs)
strength = CipherStrength.unknown
# done!
return CipherProps(bits=bits, strength=strength, isPfs=isPfs)
-
- def getProps(self, cipher):
- if cipher in self.props:
- return self.props[cipher]
- props = self.__getProps(cipher)
- self.props[cipher] = props
- return props
# main program
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Check TLS ciphers supported by a host')
parser.add_argument("--starttls", dest="starttls",
# main program
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Check TLS ciphers supported by a host')
parser.add_argument("--starttls", dest="starttls",
parser.add_argument("--wait-time", "-t", dest="wait_time", default="10",
help="Time (in ms) to wait between two connections to the server. Default is 10ms.")
parser.add_argument("host", metavar='HOST[:PORT]',
parser.add_argument("--wait-time", "-t", dest="wait_time", default="10",
help="Time (in ms) to wait between two connections to the server. Default is 10ms.")
parser.add_argument("host", metavar='HOST[:PORT]',
fsText = ConsoleFormat.color("FS", ConsoleFormat.GREEN) if cipherProps.isPfs else ConsoleFormat.color("no FS", ConsoleFormat.RED)
bitColor = ConsoleFormat.GREEN if cipherProps.bits >= 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
print(" {0} ({1}, {2}, {3})".format(cipher.ljust(STATE_WIDTH), cipherProps.strength.colorName(), ConsoleFormat.color(str(cipherProps.bits)+" bits", bitColor), fsText))
fsText = ConsoleFormat.color("FS", ConsoleFormat.GREEN) if cipherProps.isPfs else ConsoleFormat.color("no FS", ConsoleFormat.RED)
bitColor = ConsoleFormat.GREEN if cipherProps.bits >= 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
print(" {0} ({1}, {2}, {3})".format(cipher.ljust(STATE_WIDTH), cipherProps.strength.colorName(), ConsoleFormat.color(str(cipherProps.bits)+" bits", bitColor), fsText))