-#!/usr/bin/python3
+#!/usr/bin/env python3
import subprocess, sys, argparse, time, re
from collections import OrderedDict, namedtuple
from enum import Enum
try:
if cipher is not None:
options = ["-cipher", cipher]+options
- subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port)]+options,
+ subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port), "-servername", host]+options,
stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except subprocess.CalledProcessError:
return False
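Review bot: The new `"-servername", host` arguments are added unconditionally, so when `host` is an IP literal the probe sends an SNI value that RFC 6066 does not permit in `server_name`. The page does not show whether callers can pass an address here, but if they can, a server that aborts the handshake on such a value raises `CalledProcessError`. Because stderr is discarded and that exception returns `False`, the abort would be reported as "cipher not supported", which is a false negative for the scan. I would build the SNI arguments separately and leave them empty when `ipaddress.ip_address(host)` parses, which needs `import ipaddress` at the top of the file. The enclosing function starts outside this hunk.
```python
# … unchanged: cipher option handling …
try:
    ipaddress.ip_address(host)
    sni = []  # IP literal: RFC 6066 forbids it in server_name
except ValueError:
    sni = ["-servername", host]
subprocess.check_call(["openssl", "s_client", "-"+protocol, "-connect", host+":"+str(port)]+sni+options,
    stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
```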
class CipherPropsProvider:
def __init__(self):
- self.exp = set(list_ciphers("EXP"))
- self.low = set(list_ciphers("LOW"))
self.medium = set(list_ciphers("MEDIUM"))
self.high = set(list_ciphers("HIGH"))
self.props = {}
def getProps(self, protocol, cipher):
+ # strip the sub-version-number from the protocol
+ pos = protocol.find('_')
+ if pos >= 0:
+ protocol = protocol[:pos]
# as OpenSSL about this cipher
cipherInfo = subprocess.check_output(["openssl", "ciphers", "-v", "-"+protocol, cipher]).decode('UTF-8').strip()
assert '\n' not in cipherInfo, "Cipher "+cipher+" produced unexpected output:\n"+cipherInfo
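Review bot: The added lines overwrite the `protocol` parameter with its truncated form, so any later use of `protocol` in `getProps` silently sees the base name instead of what the caller passed. The rest of the body lies outside this hunk, so check in particular whether `self.props` is keyed by protocol. A separate local keeps the two apart: `baseProtocol = protocol.partition('_')[0]`, then pass `"-"+baseProtocol` to `openssl ciphers`. The new comment says what is stripped but not why; something like `# "openssl ciphers" is queried with the base protocol flag only (sub-version suffix dropped)` would record the intent.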
kx = kxMatch.group(1)
isPfs = kx in ('DH', 'DH(512)', 'ECDH')
# determine security level
- isExp = cipher in self.exp
- isLow = cipher in self.low
isMedium = cipher in self.medium
isHigh = cipher in self.high
- assert isExp+isLow+isMedium+isHigh <= 1, "Cipher "+cipher+" is more than one from EXP, LOW, MEDIUM, HIGH"
- if isExp:
- strength = CipherStrength.exp
- elif isLow:
- strength = CipherStrength.low
- elif isMedium:
+ assert isMedium+isHigh <= 1, "Cipher "+cipher+" is more than one from EXP, LOW, MEDIUM, HIGH"
+ if isMedium:
strength = CipherStrength.medium
elif isHigh:
strength = CipherStrength.high
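Review bot: With the `isExp`/`isLow` branches removed, a cipher from the EXP or LOW classes is now handled by whatever follows `elif isHigh:`, which lies outside this hunk. If the local OpenSSL build still knows such ciphers, confirm that the fallback reports them as weak or fails loudly, since these are the suites a scanner most needs to flag. The new assert message is also stale, as it still names EXP and LOW; `assert isMedium+isHigh <= 1, "Cipher "+cipher+" is both MEDIUM and HIGH"` matches what is checked. Since `assert` is stripped under `python -O`, an explicit `raise` would keep the check in optimized runs. `CipherStrength.exp` and `CipherStrength.low` may now be unused and could be removed or documented as legacy.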