yawast 0.5.1 → 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/scanner/plugins/ssl/sweet32.rb +7 -3
- data/lib/scanner/ssl.rb +1 -1
- data/lib/version.rb +1 -1
- data/lib/yawast.rb +12 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7b364a28ae5689b6ec07c5f7f9bcf3475fc11144
|
|
4
|
+
data.tar.gz: 4d49cb9633e87e6f31fcb1e77c4177b73370a772
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 56ea8e0165b2b634c24f8e4382099a0aa02fd5f57b1b4981994ea7885243d857fea28783ecdbe853701ab607169143f042c4d7cc8566de41a8c79dc05fef6264
|
|
7
|
+
data.tar.gz: 815079863ff0369a7fece526423a3e047ef814555488735f937048c6ca91a1a00e228336a70f0008fc533391daa5d407a95e39c941d2bf0a62cde2ffc2c864a6
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 0.5.2 - 2017-07-13
|
|
2
|
+
|
|
3
|
+
* [#107](https://github.com/adamcaudill/yawast/issues/107) - Current version check
|
|
4
|
+
* [#111](https://github.com/adamcaudill/yawast/issues/111) - Display cipher suite used when running the SWEET32 test
|
|
5
|
+
* [#110](https://github.com/adamcaudill/yawast/issues/110) - Bug: SWEET32 test doesn't properly force 3DES suites
|
|
6
|
+
|
|
1
7
|
## 0.5.1 - 2017-06-26
|
|
2
8
|
|
|
3
9
|
* [#106](https://github.com/adamcaudill/yawast/issues/106) - Bug: SWEET32: Incorrect Request Count
|
|
@@ -26,6 +26,7 @@ module Yawast
|
|
|
26
26
|
|
|
27
27
|
#force 3DES - this is to ensure that 3DES specific limits are caught
|
|
28
28
|
req.ciphers = ['3DES']
|
|
29
|
+
cipher = nil
|
|
29
30
|
|
|
30
31
|
#attempt to find a version that supports 3DES
|
|
31
32
|
versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
|
|
@@ -43,6 +44,8 @@ module Yawast
|
|
|
43
44
|
else
|
|
44
45
|
head = http.request_get(uri.path, headers)
|
|
45
46
|
end
|
|
47
|
+
|
|
48
|
+
cipher = http.instance_variable_get(:@socket).io.cipher[0]
|
|
46
49
|
rescue
|
|
47
50
|
#check if we are using HEAD or GET. If we've already switched to GET, no need to do this again.
|
|
48
51
|
if use_head
|
|
@@ -59,13 +62,12 @@ module Yawast
|
|
|
59
62
|
if k.downcase == 'server'
|
|
60
63
|
if v == 'cloudflare-nginx'
|
|
61
64
|
puts 'Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928'
|
|
62
|
-
return
|
|
63
65
|
end
|
|
64
66
|
end
|
|
65
67
|
end
|
|
66
68
|
end
|
|
67
69
|
|
|
68
|
-
print "Using #{version}"
|
|
70
|
+
print "Using #{version} (#{cipher})"
|
|
69
71
|
break
|
|
70
72
|
rescue
|
|
71
73
|
#we don't care
|
|
@@ -78,6 +80,8 @@ module Yawast
|
|
|
78
80
|
req.use_ssl = uri.scheme == 'https'
|
|
79
81
|
req.keep_alive_timeout = 600
|
|
80
82
|
|
|
83
|
+
req.ciphers = [*cipher]
|
|
84
|
+
|
|
81
85
|
req.start do |http|
|
|
82
86
|
#cache the number of hits
|
|
83
87
|
10000.times do |i|
|
|
@@ -102,7 +106,7 @@ module Yawast
|
|
|
102
106
|
rescue => e
|
|
103
107
|
puts
|
|
104
108
|
|
|
105
|
-
if e.message.include?
|
|
109
|
+
if e.message.include?('alert handshake failure') || e.message.include?('no cipher match')
|
|
106
110
|
Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
|
|
107
111
|
else
|
|
108
112
|
Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
|
data/lib/scanner/ssl.rb
CHANGED
|
@@ -92,7 +92,7 @@ module Yawast
|
|
|
92
92
|
def self.get_cert_chain_info(cert_chain, cert)
|
|
93
93
|
if cert_chain.count == 1
|
|
94
94
|
#HACK: This is an ugly way to guess if it's a missing intermediate, or self-signed
|
|
95
|
-
#
|
|
95
|
+
#It looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
|
|
96
96
|
|
|
97
97
|
if cert.issuer == cert.subject
|
|
98
98
|
Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"
|
data/lib/version.rb
CHANGED
data/lib/yawast.rb
CHANGED
|
@@ -12,6 +12,7 @@ require 'uri'
|
|
|
12
12
|
require 'resolv'
|
|
13
13
|
require 'net/http'
|
|
14
14
|
require 'socket'
|
|
15
|
+
require 'colorize'
|
|
15
16
|
|
|
16
17
|
require File.dirname(__FILE__) + '/string_ext'
|
|
17
18
|
require File.dirname(__FILE__) + '/uri_ext'
|
|
@@ -38,6 +39,17 @@ module Yawast
|
|
|
38
39
|
puts ' Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>'
|
|
39
40
|
puts ' Support & Documentation: https://github.com/adamcaudill/yawast'
|
|
40
41
|
puts " Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}; #{OpenSSL::OPENSSL_VERSION} (#{RUBY_PLATFORM})"
|
|
42
|
+
|
|
43
|
+
begin
|
|
44
|
+
version = JSON.parse(Net::HTTP.get(URI('https://rubygems.org/api/v1/versions/yawast/latest.json')))['version']
|
|
45
|
+
|
|
46
|
+
if version != VERSION
|
|
47
|
+
puts " Latest Version: YAWAST v#{version} is the officially supported version, please update.".blue
|
|
48
|
+
end
|
|
49
|
+
rescue
|
|
50
|
+
#we don't care, this is a best effort check
|
|
51
|
+
end
|
|
52
|
+
|
|
41
53
|
puts ''
|
|
42
54
|
end
|
|
43
55
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yawast
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Adam Caudill
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-07-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ssllabs
|