yawast 0.6.0.beta3 → 0.6.0.beta4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (21) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +3 -12
  3. data/CHANGELOG.md +2 -0
  4. data/README.md +25 -524
  5. data/bin/yawast +0 -11
  6. data/lib/scanner/plugins/ssl/ssl_labs/analyze.rb +34 -0
  7. data/lib/scanner/plugins/ssl/ssl_labs/info.rb +33 -0
  8. data/lib/scanner/ssl_labs.rb +185 -163
  9. data/lib/shared/http.rb +5 -5
  10. data/lib/version.rb +1 -1
  11. data/test/data/ssl_labs_analyze_data.json +6458 -0
  12. data/test/data/ssl_labs_analyze_start.json +11 -0
  13. data/test/data/ssl_labs_info.json +10 -0
  14. data/test/test_internalssl.rb +2 -2
  15. data/test/test_shared_http.rb +1 -1
  16. data/test/test_ssl_labs_analyze.rb +48 -0
  17. data/test/test_ssl_labs_info.rb +20 -0
  18. data/yawast.gemspec +0 -1
  19. metadata +14 -18
  20. data/lib/commands/cert.rb +0 -10
  21. data/lib/scanner/cert.rb +0 -99
data/lib/scanner/ssl_labs.rb CHANGED
@@ -1,7 +1,7 @@
1
- require 'ssllabs'
2
1
  require 'date'
3
2
  require 'openssl'
4
3
  require 'digest/sha1'
4
+ require 'json'
5
5
 
6
6
  module Yawast
7
7
  module Scanner
@@ -11,25 +11,24 @@ module Yawast
11
11
  puts 'Beginning SSL Labs scan (this could take a minute or two)'
12
12
 
13
13
  begin
14
- api = Ssllabs::Api.new
14
+ endpoint = Yawast::Commands::Utils.extract_uri(['https://api.ssllabs.com'])
15
15
 
16
- info = api.info
16
+ info_body = Yawast::Scanner::Plugins::SSL::SSLLabs::Info.call_info endpoint
17
17
 
18
- info.messages.each do |msg|
18
+ Yawast::Scanner::Plugins::SSL::SSLLabs::Info.extract_msg(info_body).each do |msg|
19
19
  puts "[SSL Labs] #{msg}"
20
20
  end
21
21
 
22
- api.analyse(host: uri.host, publish: 'off', startNew: 'on', all: 'done', ignoreMismatch: 'on')
22
+ Yawast::Scanner::Plugins::SSL::SSLLabs::Analyze.scan endpoint, uri.host, true
23
23
 
24
24
  status = ''
25
- host = nil
26
25
  until status == 'READY' || status == 'ERROR' || status == 'DNS'
27
26
  # poll for updates every 5 seconds
28
27
  # don't want to poll faster, to avoid excess load / errors
29
28
  sleep(5)
30
29
 
31
- host = api.analyse(host: uri.host, publish: 'off', all: 'done', ignoreMismatch: 'on')
32
- status = host.status
30
+ data_body = Yawast::Scanner::Plugins::SSL::SSLLabs::Analyze.scan endpoint, uri.host, false
31
+ status = Yawast::Scanner::Plugins::SSL::SSLLabs::Analyze.extract_status data_body
33
32
 
34
33
  print '.'
35
34
  end
@@ -38,20 +37,29 @@ module Yawast
38
37
  puts "\tSSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=#{uri.host}&hideResults=on"
39
38
  puts
40
39
 
41
- host.endpoints.each do |ep|
42
- Yawast::Utilities.puts_info "IP: #{ep.ip_address} - Grade: #{ep.grade}"
40
+ process_results uri, JSON.parse(data_body), tdes_session_count
41
+ rescue => e
42
+ puts
43
+ Yawast::Utilities.puts_error "SSL Labs Error: #{e.message}"
44
+ end
45
+ end
46
+
47
+ def self.process_results(uri, body, tdes_session_count)
48
+ begin
49
+ body['endpoints'].each do |ep|
50
+ Yawast::Utilities.puts_info "IP: #{ep['ipAddress']} - Grade: #{ep['grade']}"
43
51
  puts
44
52
 
45
53
  begin
46
- if ep.status_message == 'Ready'
47
- get_cert_info(ep)
48
- get_config_info(ep)
49
- get_proto_info(ep)
54
+ if ep['statusMessage'] == 'Ready'
55
+ get_cert_info ep, body
56
+ get_config_info ep
57
+ get_proto_info ep
50
58
  else
51
- Yawast::Utilities.puts_error "Error getting information for IP: #{ep.ip_address}: #{ep.status_message}"
59
+ Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{ep['statusMessage']}"
52
60
  end
53
61
  rescue => e
54
- Yawast::Utilities.puts_error "Error getting information for IP: #{ep.ip_address}: #{e.message}"
62
+ Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{e.message}"
55
63
  end
56
64
 
57
65
  Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count(uri) if tdes_session_count
@@ -64,77 +72,77 @@ module Yawast
64
72
  end
65
73
  end
66
74
 
67
- def self.get_cert_info (ep)
75
+ def self.get_cert_info (ep, body)
68
76
  # get the ChainCert info for the server cert - needed for extra details
69
77
  cert = nil
70
78
  ossl_cert = nil
71
- ep.details.chain.certs.each do |c|
72
- if c.subject == ep.details.cert.subject
79
+ body['certs'].each do |c|
80
+ if c['id'] == ep['details']['certChains'][0]['certIds'][0]
73
81
  cert = c
74
- ossl_cert = OpenSSL::X509::Certificate.new cert.raw
82
+ ossl_cert = OpenSSL::X509::Certificate.new cert['raw']
75
83
  end
76
84
  end
77
85
 
78
86
  puts "\tCertificate Information:"
79
- unless ep.details.cert.valid?
87
+ unless cert['issues'] == 0
80
88
  Yawast::Utilities.puts_vuln "\t\tCertificate Has Issues - Not Valid"
81
89
 
82
- if ep.details.cert.issues & 1 != 0
90
+ if cert['issues'] & 1 != 0
83
91
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: no chain of trust"
84
92
  end
85
93
 
86
- if ep.details.cert.issues & (1<<1) != 0
94
+ if cert['issues'] & (1<<1) != 0
87
95
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: certificate not yet valid"
88
96
  end
89
97
 
90
- if ep.details.cert.issues & (1<<2) != 0
98
+ if cert['issues'] & (1<<2) != 0
91
99
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: certificate expired"
92
100
  end
93
101
 
94
- if ep.details.cert.issues & (1<<3) != 0
102
+ if cert['issues'] & (1<<3) != 0
95
103
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: hostname mismatch"
96
104
  end
97
105
 
98
- if ep.details.cert.issues & (1<<4) != 0
106
+ if cert['issues'] & (1<<4) != 0
99
107
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: revoked"
100
108
  end
101
109
 
102
- if ep.details.cert.issues & (1<<5) != 0
110
+ if cert['issues'] & (1<<5) != 0
103
111
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: bad common name"
104
112
  end
105
113
 
106
- if ep.details.cert.issues & (1<<6) != 0
114
+ if cert['issues'] & (1<<6) != 0
107
115
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: self-signed"
108
116
  end
109
117
 
110
- if ep.details.cert.issues & (1<<7) != 0
118
+ if cert['issues'] & (1<<7) != 0
111
119
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: blacklisted"
112
120
  end
113
121
 
114
- if ep.details.cert.issues & (1<<8) != 0
122
+ if cert['issues'] & (1<<8) != 0
115
123
  Yawast::Utilities.puts_vuln "\t\tCertificate Issue: insecure signature"
116
124
  end
117
125
  end
118
126
 
119
- Yawast::Utilities.puts_info "\t\tSubject: #{ep.details.cert.subject}"
120
- Yawast::Utilities.puts_info "\t\tCommon Names: #{ep.details.cert.common_names}"
127
+ Yawast::Utilities.puts_info "\t\tSubject: #{cert['subject']}"
128
+ Yawast::Utilities.puts_info "\t\tCommon Names: #{cert['commonNames'].join(' ')}"
121
129
 
122
130
  Yawast::Utilities.puts_info "\t\tAlternative names:"
123
- ep.details.cert.alt_names.each do |name|
131
+ cert['altNames'].each do |name|
124
132
  Yawast::Utilities.puts_info "\t\t\t#{name}"
125
133
  end
126
134
 
127
135
  # here we divide the time by 1000 to strip the fractions of a second off.
128
- Yawast::Utilities.puts_info "\t\tNot Before: #{Time.at(ep.details.cert.not_before / 1000).utc.to_datetime}"
129
- Yawast::Utilities.puts_info "\t\tNot After: #{Time.at(ep.details.cert.not_after / 1000).utc.to_datetime}"
136
+ Yawast::Utilities.puts_info "\t\tNot Before: #{Time.at(cert['notBefore'] / 1000).utc.to_datetime}"
137
+ Yawast::Utilities.puts_info "\t\tNot After: #{Time.at(cert['notAfter'] / 1000).utc.to_datetime}"
130
138
 
131
- if cert.key_alg == 'EC'
132
- Yawast::Utilities.puts_info "\t\tKey: #{cert.key_alg} #{cert.key_size} (RSA equivalent: #{cert.key_strength})"
139
+ if cert['keyAlg'] == 'EC'
140
+ Yawast::Utilities.puts_info "\t\tKey: #{cert['keyAlg']} #{cert['keySize']} (RSA equivalent: #{cert['keyStrength']})"
133
141
  else
134
- if cert.key_size < 2048
135
- Yawast::Utilities.puts_vuln "\t\tKey: #{cert.key_alg} #{cert.key_size}"
142
+ if cert['keySize'] < 2048
143
+ Yawast::Utilities.puts_vuln "\t\tKey: #{cert['keyAlg']} #{cert['keySize']}"
136
144
  else
137
- Yawast::Utilities.puts_info "\t\tKey: #{cert.key_alg} #{cert.key_size}"
145
+ Yawast::Utilities.puts_info "\t\tKey: #{cert['keyAlg']} #{cert['keySize']}"
138
146
  end
139
147
  end
140
148
 
@@ -144,61 +152,52 @@ module Yawast
144
152
 
145
153
  Yawast::Utilities.puts_info "\t\tSerial: #{ossl_cert.serial}"
146
154
 
147
- Yawast::Utilities.puts_info "\t\tIssuer: #{ep.details.cert.issuer_label}"
155
+ Yawast::Utilities.puts_info "\t\tIssuer: #{cert['issuerSubject']}"
148
156
 
149
- if ep.details.cert.sig_alg.include?('SHA1') || ep.details.cert.sig_alg.include?('MD5')
150
- Yawast::Utilities.puts_vuln "\t\tSignature algorithm: #{ep.details.cert.sig_alg}"
157
+ if cert['sigAlg'].include?('SHA1') || cert['sigAlg'].include?('MD5')
158
+ Yawast::Utilities.puts_vuln "\t\tSignature algorithm: #{cert['sigAlg']}"
151
159
  else
152
- Yawast::Utilities.puts_info "\t\tSignature algorithm: #{ep.details.cert.sig_alg}"
160
+ Yawast::Utilities.puts_info "\t\tSignature algorithm: #{cert['sigAlg']}"
153
161
  end
154
162
 
155
163
  #todo - figure out what the options for this value are
156
- if ep.details.cert.validation_type == 'E'
164
+ if cert['validationType'] == 'E'
157
165
  Yawast::Utilities.puts_info "\t\tExtended Validation: Yes"
158
- elsif ep.details.cert.validation_type == 'D'
166
+ elsif cert['validationType'] == 'D'
159
167
  Yawast::Utilities.puts_info "\t\tExtended Validation: No (Domain Control)"
160
168
  else
161
169
  Yawast::Utilities.puts_info "\t\tExtended Validation: No"
162
170
  end
163
171
 
164
- if ep.details.cert.sct?
172
+ if cert['sct']
165
173
  # check the first bit, SCT in cert
166
- if ep.details.has_sct & 1 != 0
174
+ if ep['details']['hasSct'] & 1 != 0
167
175
  Yawast::Utilities.puts_info "\t\tCertificate Transparency: SCT in certificate"
168
176
  end
169
177
 
170
178
  # check second bit, SCT in stapled OSCP response
171
- if ep.details.has_sct & (1<<1) != 0
179
+ if ep['details']['hasSct'] & (1<<1) != 0
172
180
  Yawast::Utilities.puts_info "\t\tCertificate Transparency: SCT in the stapled OCSP response"
173
181
  end
174
182
 
175
183
  # check third bit, SCT in the TLS extension
176
- if ep.details.has_sct & (1<<2) != 0
184
+ if ep['details']['hasSct'] & (1<<2) != 0
177
185
  Yawast::Utilities.puts_info "\t\tCertificate Transparency: SCT in the TLS extension (ServerHello)"
178
186
  end
179
187
  else
180
188
  Yawast::Utilities.puts_info "\t\tCertificate Transparency: No"
181
189
  end
182
190
 
183
- case ep.details.cert.must_staple
184
- when 0
185
- Yawast::Utilities.puts_info "\t\tOCSP Must Staple: No"
186
- when 1
187
- Yawast::Utilities.puts_warn "\t\tOCSP Must Staple: Supported, but OCSP response is not stapled"
188
- when 2
189
- Yawast::Utilities.puts_info "\t\tOCSP Must Staple: OCSP response is stapled"
190
- else
191
- Yawast::Utilities.puts_error "\t\tOCSP Must Staple: Unknown Response #{ep.details.cert.must_staple}"
192
- end
191
+ Yawast::Utilities.puts_info "\t\tOCSP Must Staple: #{cert['mustStaple']}"
193
192
 
194
- if ep.details.cert.revocation_info & 1 != 0
193
+ if cert['revocationInfo'] & 1 != 0
195
194
  Yawast::Utilities.puts_info "\t\tRevocation information: CRL information available"
196
195
  end
197
- if ep.details.cert.revocation_info & (1<<1) != 0
196
+ if cert['revocationInfo'] & (1<<1) != 0
198
197
  Yawast::Utilities.puts_info "\t\tRevocation information: OCSP information available"
199
198
  end
200
199
 
201
- case ep.details.cert.revocation_status
200
+ case cert['revocationStatus']
202
201
  when 0
203
202
  Yawast::Utilities.puts_info "\t\tRevocation status: not checked"
204
203
  when 1
@@ -212,7 +211,7 @@ module Yawast
212
211
  when 5
213
212
  Yawast::Utilities.puts_error "\t\tRevocation status: SSL Labs internal error"
214
213
  else
215
- Yawast::Utilities.puts_error "\t\tRevocation status: Unknown response #{ep.details.cert.revocation_status}"
214
+ Yawast::Utilities.puts_error "\t\tRevocation status: Unknown response #{cert['revocationStatus']}"
216
215
  end
217
216
 
218
217
  Yawast::Utilities.puts_info "\t\tExtensions:"
@@ -223,6 +222,27 @@ module Yawast
223
222
  puts "\t\t\thttps://censys.io/certificates?q=#{hash}"
224
223
  puts "\t\t\thttps://crt.sh/?q=#{hash}"
225
224
 
225
+ puts
226
+ Yawast::Utilities.puts_info "\t\tCertificate Chains:"
227
+ ep['details']['certChains'].each do |chain|
228
+ path_count = 0
229
+
230
+ chain['trustPaths'].each do |path|
231
+ path_count += 1
232
+ puts "\t\t Path #{path_count}:"
233
+
234
+ path['certIds'].each do |path_cert|
235
+ body['certs'].each do |c|
236
+ if c['id'] == path_cert
237
+ Yawast::Utilities.puts_info "\t\t\t#{c['subject']}"
238
+ Yawast::Utilities.puts_info "\t\t\t Signature: #{c['sigAlg']} Key: #{c['keyAlg']}-#{c['keySize']}"
239
+ Yawast::Utilities.puts_info "\t\t\t https://crt.sh/?q=#{c['sha1Hash']}"
240
+ end
241
+ end
242
+ end
243
+ end
244
+ end
245
+
226
246
  puts
227
247
  end
228
248
 
@@ -230,93 +250,81 @@ module Yawast
230
250
  puts "\tConfiguration Information:"
231
251
 
232
252
  puts "\t\tProtocol Support:"
233
- ep.details.protocols.each do |proto|
234
- if proto.name == 'SSL'
235
- Yawast::Utilities.puts_vuln "\t\t\t#{proto.name} #{proto.version}"
253
+ protos = Hash.new
254
+ ep['details']['protocols'].each do |proto|
255
+ if proto['name'] == 'SSL'
256
+ Yawast::Utilities.puts_vuln "\t\t\t#{proto['name']} #{proto['version']}"
236
257
  else
237
- Yawast::Utilities.puts_info "\t\t\t#{proto.name} #{proto.version}"
258
+ Yawast::Utilities.puts_info "\t\t\t#{proto['name']} #{proto['version']}"
238
259
  end
260
+
261
+ protos[proto['id']] = "#{proto['name']} #{proto['version']}"
262
+ end
263
+ puts
264
+
265
+ puts "\t\tNamed Group Support:"
266
+ ep['details']['namedGroups']['list'].each do |group|
267
+ Yawast::Utilities.puts_info "\t\t\t#{group['name']} #{group['bits']}"
239
268
  end
240
269
  puts
241
270
 
242
271
  puts "\t\tCipher Suite Support:"
243
- if ep.details.suites.list != nil
244
- ep.details.suites.list.each do |suite|
245
- ke = nil
246
- if suite.ecdh_bits != nil || suite.dh_strength != nil
247
- if suite.name.include? 'ECDHE'
248
- ke = "ECDHE-#{suite.ecdh_bits}-bits"
249
- elsif suite.name.include? 'ECDH'
250
- ke = "ECDH-#{suite.ecdh_bits}"
251
- elsif suite.name.include? 'DHE'
252
- ke = "DHE-#{suite.dh_strength}-bits"
253
- elsif suite.name.include? 'DH'
254
- ke = "DH-#{suite.dh_strength}-bits"
272
+ if ep['details']['suites'] != nil
273
+ ep['details']['suites'].each do |proto_suites|
274
+ Yawast::Utilities.puts_info "\t\t\t#{protos[proto_suites['protocol']]}"
275
+
276
+ proto_suites['list'].each do |suite|
277
+ ke = get_key_exchange suite
278
+
279
+ strength = suite['cipherStrength']
280
+ if suite['name'].include? '3DES'
281
+ # in this case, the effective strength is only 112 bits,
282
+ # which is what we want to report. So override SSL Labs
283
+ strength = 112
255
284
  end
256
- end
257
285
 
258
- strength = suite.cipher_strength
259
- if suite.name.include? '3DES'
260
- # in this case, the effective strength is only 112 bits,
261
- # which is what we want to report. So override SSL Labs
262
- strength = 112
263
- end
264
-
265
- if ke != nil
266
- suite_info = "#{suite.name.ljust(50)} - #{strength}-bits - #{ke}"
267
- else
268
- suite_info = "#{suite.name.ljust(50)} - #{strength}-bits"
269
- end
286
+ if ke != nil
287
+ suite_info = "#{suite['name'].ljust(50)} - #{strength}-bits - #{ke}"
288
+ else
289
+ suite_info = "#{suite['name'].ljust(50)} - #{strength}-bits"
290
+ end
270
291
 
271
- if cipher_suite_secure? suite
272
- if strength >= 128
273
- Yawast::Utilities.puts_info "\t\t\t#{suite_info}"
292
+ if cipher_suite_secure? suite
293
+ if strength >= 128
294
+ Yawast::Utilities.puts_info "\t\t\t #{suite_info}"
295
+ else
296
+ Yawast::Utilities.puts_warn "\t\t\t #{suite_info}"
297
+ end
274
298
  else
275
- Yawast::Utilities.puts_warn "\t\t\t#{suite_info}"
299
+ Yawast::Utilities.puts_vuln "\t\t\t #{suite_info}"
276
300
  end
277
- else
278
- Yawast::Utilities.puts_vuln "\t\t\t#{suite_info}"
279
301
  end
280
302
  end
281
303
  else
282
- Yawast::Utilities.puts_error "\t\t\tInformation Not Available"
304
+ Yawast::Utilities.puts_error "\t\t\t Information Not Available"
283
305
  end
284
306
 
285
307
  puts
286
308
 
287
309
  puts "\t\tHandshake Simulation:"
288
- if ep.details.sims.results != nil
289
- ep.details.sims.results.each do |sim|
290
- name = "#{sim.client.name} #{sim.client.version}"
291
- if sim.client.platform != nil
292
- name += " / #{sim.client.platform}"
310
+ if ep['details']['sims']['results'] != nil
311
+ ep['details']['sims']['results'].each do |sim|
312
+ name = "#{sim['client']['name']} #{sim['client']['version']}"
313
+ if sim['client']['platform'] != nil
314
+ name += " / #{sim['client']['platform']}"
293
315
  end
294
316
  name = name.ljust(28)
295
317
 
296
- if sim.success?
297
- protocol = nil
298
- ep.details.protocols.each do |proto|
299
- if sim.protocol_id == proto.id
300
- protocol = "#{proto.name} #{proto.version}"
301
- end
302
- end
318
+ if sim['errorCode'] == 0
319
+ protocol = protos[sim['protocolId']]
303
320
 
304
- suite_name = nil
305
- secure = true
306
- ep.details.suites.list.each do |suite|
307
- if sim.suite_id == suite.id
308
- suite_name = suite.name
309
- secure = cipher_suite_secure? suite
310
- end
311
- end
321
+ ke = get_key_exchange sim
312
322
 
313
- if secure
314
- Yawast::Utilities.puts_info "\t\t\t#{name} - #{protocol} - #{suite_name}"
315
- else
316
- Yawast::Utilities.puts_vuln "\t\t\t#{name} - #{protocol} - #{suite_name}"
317
- end
323
+ suite_name = "#{sim['suiteName']} - #{ke}"
324
+
325
+ Yawast::Utilities.puts_info "\t\t\t#{name} - #{protocol} - #{suite_name}"
318
326
  else
319
- Yawast::Utilities.puts_error "\t\t\t#{name} - Simulation Failed"
327
+ Yawast::Utilities.puts_warn"\t\t\t#{name} - Simulation Failed"
320
328
  end
321
329
  end
322
330
  else
@@ -329,10 +337,10 @@ module Yawast
329
337
  def self.get_proto_info(ep)
330
338
  puts "\t\tProtocol & Vulnerability Information:"
331
339
 
332
- if ep.details.drown_vulnerable?
340
+ if ep['details']['drownVulnerable']
333
341
  Yawast::Utilities.puts_vuln "\t\t\tDROWN: Vulnerable"
334
342
 
335
- ep.details.drown_hosts.each do |dh|
343
+ ep['details']['drownHosts'].each do |dh|
336
344
  Yawast::Utilities.puts_vuln "\t\t\t\t#{dh['ip']}:#{dh['port']} - #{dh['status']}"
337
345
  puts "\t\t\t\thttps://test.drownattack.com/?site=#{dh['ip']}"
338
346
  end
@@ -340,26 +348,26 @@ module Yawast
340
348
  Yawast::Utilities.puts_info "\t\t\tDROWN: No"
341
349
  end
342
350
 
343
- if ep.details.reneg_support & 1 != 0
351
+ if ep['details']['renegSupport'] & 1 != 0
344
352
  Yawast::Utilities.puts_vuln "\t\t\tSecure Renegotiation: insecure client-initiated renegotiation supported"
345
353
  end
346
- if ep.details.reneg_support & (1<<1) != 0
354
+ if ep['details']['renegSupport'] & (1<<1) != 0
347
355
  Yawast::Utilities.puts_info "\t\t\tSecure Renegotiation: secure renegotiation supported"
348
356
  end
349
- if ep.details.reneg_support & (1<<2) != 0
357
+ if ep['details']['renegSupport'] & (1<<2) != 0
350
358
  Yawast::Utilities.puts_info "\t\t\tSecure Renegotiation: secure client-initiated renegotiation supported"
351
359
  end
352
- if ep.details.reneg_support & (1<<3) != 0
360
+ if ep['details']['renegSupport'] & (1<<3) != 0
353
361
  Yawast::Utilities.puts_info "\t\t\tSecure Renegotiation: server requires secure renegotiation support"
354
362
  end
355
363
 
356
- if ep.details.poodle?
364
+ if ep['details']['poodle']
357
365
  Yawast::Utilities.puts_vuln "\t\t\tPOODLE (SSL): Vulnerable"
358
366
  else
359
367
  Yawast::Utilities.puts_info "\t\t\tPOODLE (SSL): No"
360
368
  end
361
369
 
362
- case ep.details.poodle_tls
370
+ case ep['details']['poodleTls']
363
371
  when -3
364
372
  Yawast::Utilities.puts_info "\t\t\tPOODLE (TLS): Inconclusive (Timeout)"
365
373
  when -2
@@ -373,28 +381,28 @@ module Yawast
373
381
  when 2
374
382
  Yawast::Utilities.puts_vuln "\t\t\tPOODLE (TLS): Vulnerable"
375
383
  else
376
- Yawast::Utilities.puts_error "\t\t\tPOODLE (TLS): Unknown Response #{ep.details.poodle_tls}"
384
+ Yawast::Utilities.puts_error "\t\t\tPOODLE (TLS): Unknown Response #{ep['details'].poodle_tls}"
377
385
  end
378
386
 
379
- if ep.details.fallback_scsv?
387
+ if ep['details']['fallbackScsv']
380
388
  Yawast::Utilities.puts_info "\t\t\tDowngrade Prevention: Yes"
381
389
  else
382
390
  Yawast::Utilities.puts_warn "\t\t\tDowngrade Prevention: No"
383
391
  end
384
392
 
385
- if ep.details.compression_methods & 1 != 0
393
+ if ep['details']['compressionMethods'] & 1 != 0
386
394
  Yawast::Utilities.puts_warn "\t\t\tCompression: DEFLATE"
387
395
  else
388
396
  Yawast::Utilities.puts_info "\t\t\tCompression: No"
389
397
  end
390
398
 
391
- if ep.details.heartbleed?
399
+ if ep['details']['heartbleed']
392
400
  Yawast::Utilities.puts_vuln "\t\t\tHeartbleed: Vulnerable"
393
401
  else
394
402
  Yawast::Utilities.puts_info "\t\t\tHeartbleed: No"
395
403
  end
396
404
 
397
- case ep.details.open_ssl_ccs
405
+ case ep['details']['openSslCcs']
398
406
  when -1
399
407
  Yawast::Utilities.puts_error "\t\t\tOpenSSL CCS (CVE-2014-0224): Test Failed"
400
408
  when 0
@@ -406,10 +414,10 @@ module Yawast
406
414
  when 3
407
415
  Yawast::Utilities.puts_vuln "\t\t\tOpenSSL CCS (CVE-2014-0224): Vulnerable"
408
416
  else
409
- Yawast::Utilities.puts_error "\t\t\tOpenSSL CCS (CVE-2014-0224): Unknown Response #{ep.details.open_ssl_ccs}"
417
+ Yawast::Utilities.puts_error "\t\t\tOpenSSL CCS (CVE-2014-0224): Unknown Response #{ep['details'].open_ssl_ccs}"
410
418
  end
411
419
 
412
- case ep.details.open_ssl_lucky_minus20
420
+ case ep['details']['openSSLLuckyMinus20']
413
421
  when -1
414
422
  Yawast::Utilities.puts_error "\t\t\tOpenSSL Padding Oracle (CVE-2016-2107): Test Failed"
415
423
  when 0
@@ -419,38 +427,38 @@ module Yawast
419
427
  when 2
420
428
  Yawast::Utilities.puts_vuln "\t\t\tOpenSSL Padding Oracle (CVE-2016-2107): Vulnerable"
421
429
  else
422
- Yawast::Utilities.puts_error "\t\t\tOpenSSL Padding Oracle (CVE-2016-2107): Unknown Response #{ep.details.open_ssl_lucky_minus20}"
430
+ Yawast::Utilities.puts_error "\t\t\tOpenSSL Padding Oracle (CVE-2016-2107): Unknown Response #{ep['details']['openSSLLuckyMinus20']}"
423
431
  end
424
432
 
425
- if ep.details.forward_secrecy & (1<<2) != 0
433
+ if ep['details']['forwardSecrecy'] & (1<<2) != 0
426
434
  Yawast::Utilities.puts_info "\t\t\tForward Secrecy: Yes (all simulated clients)"
427
- elsif ep.details.forward_secrecy & (1<<1) != 0
435
+ elsif ep['details']['forwardSecrecy'] & (1<<1) != 0
428
436
  Yawast::Utilities.puts_info "\t\t\tForward Secrecy: Yes (modern clients)"
429
- elsif ep.details.forward_secrecy & 1 != 0
437
+ elsif ep['details']['forwardSecrecy'] & 1 != 0
430
438
  Yawast::Utilities.puts_warn "\t\t\tForward Secrecy: Yes (limited support)"
431
439
  else
432
440
  Yawast::Utilities.puts_vuln "\t\t\tForward Secrecy: No"
433
441
  end
434
442
 
435
- if ep.details.ocsp_stapling?
443
+ if ep['details']['ocspStapling']
436
444
  Yawast::Utilities.puts_info "\t\t\tOCSP Stapling: Yes"
437
445
  else
438
446
  Yawast::Utilities.puts_warn "\t\t\tOCSP Stapling: No"
439
447
  end
440
448
 
441
- if ep.details.freak?
449
+ if ep['details']['freak']
442
450
  Yawast::Utilities.puts_vuln "\t\t\tFREAK: Vulnerable"
443
451
  else
444
452
  Yawast::Utilities.puts_info "\t\t\tFREAK: No"
445
453
  end
446
454
 
447
- if ep.details.logjam?
455
+ if ep['details']['logjam']
448
456
  Yawast::Utilities.puts_vuln "\t\t\tLogjam: Vulnerable"
449
457
  else
450
458
  Yawast::Utilities.puts_info "\t\t\tLogjam: No"
451
459
  end
452
460
 
453
- case ep.details.dh_uses_known_primes
461
+ case ep['details']['dhUsesKnownPrimes']
454
462
  when 0
455
463
  Yawast::Utilities.puts_info "\t\t\tUses common DH primes: No"
456
464
  when 1
@@ -458,39 +466,39 @@ module Yawast
458
466
  when 2
459
467
  Yawast::Utilities.puts_vuln "\t\t\tUses common DH primes: Yes (weak)"
460
468
  else
461
- unless ep.details.dh_uses_known_primes == nil
462
- Yawast::Utilities.puts_error "\t\t\tUses common DH primes: Unknown Response #{ep.details.dh_uses_known_primes}"
469
+ unless ep['details']['dhUsesKnownPrimes'] == nil
470
+ Yawast::Utilities.puts_error "\t\t\tUses common DH primes: Unknown Response #{ep['details']['dhUsesKnownPrimes']}"
463
471
  end
464
472
  end
465
473
 
466
- if ep.details.dh_ys_reuse?
474
+ if ep['details']['dhYsReuse']
467
475
  Yawast::Utilities.puts_vuln "\t\t\tDH public server param (Ys) reuse: Yes"
468
476
  else
469
477
  Yawast::Utilities.puts_info "\t\t\tDH public server param (Ys) reuse: No"
470
478
  end
471
479
 
472
- if ep.details.protocol_intolerance > 0
473
- if ep.details.protocol_intolerance & 1 != 0
480
+ if ep['details']['protocolIntolerance'] > 0
481
+ if ep['details']['protocolIntolerance'] & 1 != 0
474
482
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 1.0"
475
483
  end
476
484
 
477
- if ep.details.protocol_intolerance & (1<<1) != 0
485
+ if ep['details']['protocolIntolerance'] & (1<<1) != 0
478
486
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 1.1"
479
487
  end
480
488
 
481
- if ep.details.protocol_intolerance & (1<<2) != 0
489
+ if ep['details']['protocolIntolerance'] & (1<<2) != 0
482
490
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 1.2"
483
491
  end
484
492
 
485
- if ep.details.protocol_intolerance & (1<<3) != 0
493
+ if ep['details']['protocolIntolerance'] & (1<<3) != 0
486
494
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 1.3"
487
495
  end
488
496
 
489
- if ep.details.protocol_intolerance & (1<<4) != 0
497
+ if ep['details']['protocolIntolerance'] & (1<<4) != 0
490
498
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 1.152"
491
499
  end
492
500
 
493
- if ep.details.protocol_intolerance & (1<<5) != 0
501
+ if ep['details']['protocolIntolerance'] & (1<<5) != 0
494
502
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 2.152"
495
503
  end
496
504
  else
@@ -501,22 +509,36 @@ module Yawast
501
509
  end
502
510
 
503
511
  def self.cipher_suite_secure?(suite)
504
- secure = suite.secure?
512
+ secure = true
513
+
505
514
  # check for weak DH
506
- if suite.dh_strength != nil && suite.dh_strength < 2048
515
+ if suite['kxStrength'] != nil && suite['kxStrength'] < 2048
507
516
  secure = false
508
517
  end
509
518
  # check for RC4
510
- if suite.name.include? 'RC4'
519
+ if suite['name'].include? 'RC4'
511
520
  secure = false
512
521
  end
513
522
  # check for weak suites
514
- if suite.cipher_strength < 112
523
+ if suite['cipherStrength'] < 112
515
524
  secure = false
516
525
  end
517
526
 
518
527
  secure
519
528
  end
529
+
530
+ def self.get_key_exchange(suite)
531
+ ke = nil
532
+ if suite['kxType'] != nil
533
+ if suite['namedGroupBits'] != nil
534
+ ke = "#{suite['kxType']}-#{suite['namedGroupBits']} / #{suite['namedGroupName']} (#{suite['kxStrength']} equivalent)"
535
+ else
536
+ ke = "#{suite['kxType']}-#{suite['kxStrength']}"
537
+ end
538
+ end
539
+
540
+ return ke
541
+ end
520
542
  end
521
543
  end
522
544
  end