yawast 0.5.1 → 0.5.2

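--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 539f306ec70cc938d88b44ec0707c6ec1ca0aca7
-data.tar.gz: 803509a1c451f01a0ccc9ee5f02fb27b98026468
+metadata.gz: 7b364a28ae5689b6ec07c5f7f9bcf3475fc11144
+data.tar.gz: 4d49cb9633e87e6f31fcb1e77c4177b73370a772
 SHA512:
-metadata.gz: ceb2b182c49fb52f54a9b2d968d6cffa83ddcdc9f81cb295217cdb1fb1bc3c28a9b895017e71df16095f7fe4e9e054a96995714e526d01842c2a5914da62124a
-data.tar.gz: 2461d0a00e1e58b7f1ba9a245778464265d162fb388c2acb965bb1e3d9c99e96f032f7c4843231cf082b155ab9eb335c14e24fa4b5f7d68d677dbe6c0fd9032d
+metadata.gz: 56ea8e0165b2b634c24f8e4382099a0aa02fd5f57b1b4981994ea7885243d857fea28783ecdbe853701ab607169143f042c4d7cc8566de41a8c79dc05fef6264
+data.tar.gz: 815079863ff0369a7fece526423a3e047ef814555488735f937048c6ca91a1a00e228336a70f0008fc533391daa5d407a95e39c941d2bf0a62cde2ffc2c864a6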
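--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.5.2 - 2017-07-13
+
+* [#107](https://github.com/adamcaudill/yawast/issues/107) - Current version check
+* [#111](https://github.com/adamcaudill/yawast/issues/111) - Display cipher suite used when running the SWEET32 test
+* [#110](https://github.com/adamcaudill/yawast/issues/110) - Bug: SWEET32 test doesn't properly force 3DES suites
+
 ## 0.5.1 - 2017-06-26
 
 * [#106](https://github.com/adamcaudill/yawast/issues/106) - Bug: SWEET32: Incorrect Request Count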
@@ -26,6 +26,7 @@ module Yawast
26
26
 
27
27
  #force 3DES - this is to ensure that 3DES specific limits are caught
28
28
  req.ciphers = ['3DES']
29
+ cipher = nil
29
30
 
30
31
  #attempt to find a version that supports 3DES
31
32
  versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
@@ -43,6 +44,8 @@ module Yawast
43
44
  else
44
45
  head = http.request_get(uri.path, headers)
45
46
  end
47
+
48
+ cipher = http.instance_variable_get(:@socket).io.cipher[0]
46
49
  rescue
47
50
  #check if we are using HEAD or GET. If we've already switched to GET, no need to do this again.
48
51
  if use_head
@@ -59,13 +62,12 @@ module Yawast
59
62
  if k.downcase == 'server'
60
63
  if v == 'cloudflare-nginx'
61
64
  puts 'Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928'
62
- return
63
65
  end
64
66
  end
65
67
  end
66
68
  end
67
69
 
68
- print "Using #{version}"
70
+ print "Using #{version} (#{cipher})"
69
71
  break
70
72
  rescue
71
73
  #we don't care
@@ -78,6 +80,8 @@ module Yawast
78
80
  req.use_ssl = uri.scheme == 'https'
79
81
  req.keep_alive_timeout = 600
80
82
 
83
+ req.ciphers = [*cipher]
84
+
81
85
  req.start do |http|
82
86
  #cache the number of hits
83
87
  10000.times do |i|
@@ -102,7 +106,7 @@ module Yawast
102
106
  rescue => e
103
107
  puts
104
108
 
105
- if e.message.include? 'alert handshake failure'
109
+ if e.message.include?('alert handshake failure') || e.message.include?('no cipher match')
106
110
  Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
107
111
  else
108
112
  Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
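Review bot: `cipher` can still be nil when the second connection is opened: the probe `cipher = http.instance_variable_get(:@socket).io.cipher[0]` sits inside the block whose bare `rescue` swallows any failure (it reaches into an undocumented Net::HTTP internal, so it is fragile across Ruby versions, and it is skipped entirely when the HEAD/GET request itself raised), and `req.ciphers = [*cipher]` then installs an empty cipher list. That connection will most likely fail with the very "no cipher match" string this commit adds to the handler above, so a tooling failure is reported as "Server does not support 3DES cipher suites" — a false finding rather than an error. Keep the original list as the fallback, `req.ciphers = cipher ? [cipher] : ['3DES']`, and add a comment on the probe such as `# relies on Net::HTTP's private @socket ivar; nil if unavailable`. The `print "Using #{version} (#{cipher})"` line also prints an empty pair of parentheses in that case. The enclosing method begins before the first hunk and this file's header is not shown on the page.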
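--- a/data/lib/scanner/ssl.rb
+++ b/data/lib/scanner/ssl.rb
@@ -92,7 +92,7 @@ module Yawast
 def self.get_cert_chain_info(cert_chain, cert)
 if cert_chain.count == 1
 #HACK: This is an ugly way to guess if it's a missing intermediate, or self-signed
-#tIt looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
+#It looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
 
 if cert.issuer == cert.subject
 Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"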
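--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -1,3 +1,3 @@
 module Yawast
-VERSION = '0.5.1'
+VERSION = '0.5.2'
 end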
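--- a/data/lib/yawast.rb
+++ b/data/lib/yawast.rb
@@ -12,6 +12,7 @@ require 'uri'
 require 'resolv'
 require 'net/http'
 require 'socket'
+require 'colorize'
 
 require File.dirname(__FILE__) + '/string_ext'
 require File.dirname(__FILE__) + '/uri_ext'
@@ -38,6 +39,17 @@ module Yawast
 puts ' Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>'
 puts ' Support & Documentation: https://github.com/adamcaudill/yawast'
 puts " Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}; #{OpenSSL::OPENSSL_VERSION} (#{RUBY_PLATFORM})"
+
+begin
+version = JSON.parse(Net::HTTP.get(URI('https://rubygems.org/api/v1/versions/yawast/latest.json')))['version']
+
+if version != VERSION
+puts " Latest Version: YAWAST v#{version} is the officially supported version, please update.".blue
+end
+rescue
+#we don't care, this is a best effort check
+end
+
 puts ''
 end
 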
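Review bot: The new update check blocks every startup on a network round trip to rubygems.org with Net::HTTP's default timeouts (60 s each for connect and read, if memory serves), so a filtered or slow egress path stalls the banner for up to a couple of minutes before the bare `rescue` gives up, and there is no way to opt out. Replace the one-shot `Net::HTTP.get` with a client carrying short explicit timeouts, e.g. `Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: 3, read_timeout: 3) { |h| h.get(uri.request_uri).body }`. The `version` string is remote-supplied and interpolated straight into terminal output; checking `Gem::Version.correct?(version)` before printing bounds it to a version literal and also allows `Gem::Version.new(version) > Gem::Version.new(VERSION)` instead of `!=`, which currently nags anyone running a locally newer build. `JSON` is used here but no `require 'json'` appears in the require hunk above; it may be loaded elsewhere, worth confirming.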
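--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-version: 0.5.1
+version: 0.5.2
 platform: ruby
 authors:
 - Adam Caudill
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-26 00:00:00.000000000 Z
+date: 2017-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ssllabs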