yawast 0.5.1 → 0.5.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/scanner/plugins/ssl/sweet32.rb +7 -3
- data/lib/scanner/ssl.rb +1 -1
- data/lib/version.rb +1 -1
- data/lib/yawast.rb +12 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7b364a28ae5689b6ec07c5f7f9bcf3475fc11144
|
|
4
|
+
data.tar.gz: 4d49cb9633e87e6f31fcb1e77c4177b73370a772
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 56ea8e0165b2b634c24f8e4382099a0aa02fd5f57b1b4981994ea7885243d857fea28783ecdbe853701ab607169143f042c4d7cc8566de41a8c79dc05fef6264
|
|
7
|
+
data.tar.gz: 815079863ff0369a7fece526423a3e047ef814555488735f937048c6ca91a1a00e228336a70f0008fc533391daa5d407a95e39c941d2bf0a62cde2ffc2c864a6
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 0.5.2 - 2017-07-13
|
|
2
|
+
|
|
3
|
+
* [#107](https://github.com/adamcaudill/yawast/issues/107) - Current version check
|
|
4
|
+
* [#111](https://github.com/adamcaudill/yawast/issues/111) - Display cipher suite used when running the SWEET32 test
|
|
5
|
+
* [#110](https://github.com/adamcaudill/yawast/issues/110) - Bug: SWEET32 test doesn't properly force 3DES suites
|
|
6
|
+
|
|
1
7
|
## 0.5.1 - 2017-06-26
|
|
2
8
|
|
|
3
9
|
* [#106](https://github.com/adamcaudill/yawast/issues/106) - Bug: SWEET32: Incorrect Request Count
|
|
@@ -26,6 +26,7 @@ module Yawast
|
|
|
26
26
|
|
|
27
27
|
#force 3DES - this is to ensure that 3DES specific limits are caught
|
|
28
28
|
req.ciphers = ['3DES']
|
|
29
|
+
cipher = nil
|
|
29
30
|
|
|
30
31
|
#attempt to find a version that supports 3DES
|
|
31
32
|
versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
|
|
@@ -43,6 +44,8 @@ module Yawast
|
|
|
43
44
|
else
|
|
44
45
|
head = http.request_get(uri.path, headers)
|
|
45
46
|
end
|
|
47
|
+
|
|
48
|
+
cipher = http.instance_variable_get(:@socket).io.cipher[0]
|
|
46
49
|
rescue
|
|
47
50
|
#check if we are using HEAD or GET. If we've already switched to GET, no need to do this again.
|
|
48
51
|
if use_head
|
|
@@ -59,13 +62,12 @@ module Yawast
|
|
|
59
62
|
if k.downcase == 'server'
|
|
60
63
|
if v == 'cloudflare-nginx'
|
|
61
64
|
puts 'Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928'
|
|
62
|
-
return
|
|
63
65
|
end
|
|
64
66
|
end
|
|
65
67
|
end
|
|
66
68
|
end
|
|
67
69
|
|
|
68
|
-
print "Using #{version}"
|
|
70
|
+
print "Using #{version} (#{cipher})"
|
|
69
71
|
break
|
|
70
72
|
rescue
|
|
71
73
|
#we don't care
|
|
@@ -78,6 +80,8 @@ module Yawast
|
|
|
78
80
|
req.use_ssl = uri.scheme == 'https'
|
|
79
81
|
req.keep_alive_timeout = 600
|
|
80
82
|
|
|
83
|
+
req.ciphers = [*cipher]
|
|
84
|
+
|
|
81
85
|
req.start do |http|
|
|
82
86
|
#cache the number of hits
|
|
83
87
|
10000.times do |i|
|
|
@@ -102,7 +106,7 @@ module Yawast
|
|
|
102
106
|
rescue => e
|
|
103
107
|
puts
|
|
104
108
|
|
|
105
|
-
if e.message.include?
|
|
109
|
+
if e.message.include?('alert handshake failure') || e.message.include?('no cipher match')
|
|
106
110
|
Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
|
|
107
111
|
else
|
|
108
112
|
Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
|
data/lib/scanner/ssl.rb
CHANGED
|
@@ -92,7 +92,7 @@ module Yawast
|
|
|
92
92
|
def self.get_cert_chain_info(cert_chain, cert)
|
|
93
93
|
if cert_chain.count == 1
|
|
94
94
|
#HACK: This is an ugly way to guess if it's a missing intermediate, or self-signed
|
|
95
|
-
#
|
|
95
|
+
#It looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
|
|
96
96
|
|
|
97
97
|
if cert.issuer == cert.subject
|
|
98
98
|
Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"
|
data/lib/version.rb
CHANGED
data/lib/yawast.rb
CHANGED
|
@@ -12,6 +12,7 @@ require 'uri'
|
|
|
12
12
|
require 'resolv'
|
|
13
13
|
require 'net/http'
|
|
14
14
|
require 'socket'
|
|
15
|
+
require 'colorize'
|
|
15
16
|
|
|
16
17
|
require File.dirname(__FILE__) + '/string_ext'
|
|
17
18
|
require File.dirname(__FILE__) + '/uri_ext'
|
|
@@ -38,6 +39,17 @@ module Yawast
|
|
|
38
39
|
puts ' Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>'
|
|
39
40
|
puts ' Support & Documentation: https://github.com/adamcaudill/yawast'
|
|
40
41
|
puts " Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}; #{OpenSSL::OPENSSL_VERSION} (#{RUBY_PLATFORM})"
|
|
42
|
+
|
|
43
|
+
begin
|
|
44
|
+
version = JSON.parse(Net::HTTP.get(URI('https://rubygems.org/api/v1/versions/yawast/latest.json')))['version']
|
|
45
|
+
|
|
46
|
+
if version != VERSION
|
|
47
|
+
puts " Latest Version: YAWAST v#{version} is the officially supported version, please update.".blue
|
|
48
|
+
end
|
|
49
|
+
rescue
|
|
50
|
+
#we don't care, this is a best effort check
|
|
51
|
+
end
|
|
52
|
+
|
|
41
53
|
puts ''
|
|
42
54
|
end
|
|
43
55
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yawast
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Adam Caudill
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-07-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ssllabs
|