mozilla / cipherscan

A very simple way to find out which SSL ciphersuites are supported by a target.
Mozilla Public License 2.0

proxy not work #163

Open iromise opened 6 years ago

iromise commented 6 years ago

Just as the title shows: when I add a proxy, the result won't show. I am sure that the HTTP proxy is OK.

tomato42 commented 6 years ago

You can't use cipherscan through a proxy; it needs to be able to connect to the server under scan directly.

iromise commented 6 years ago

So what does this mean when using the command ./cipherscan?

EXAMPLES:
./cipherscan -starttls xmpp jabber.ccc.de:5222
./cipherscan -servername youtube.com youtube.com:443
./cipherscan -proxy myproxy.example.com:8080 youtube.com:443

tomato42 commented 6 years ago

Because it's from the time the script was a simple wrapper around openssl.

tomato42 commented 6 years ago

Hmm, but that shouldn't actually make the results completely absent, just incomplete...

What happens when you connect to the server using ./openssl s_client -connect server_under_test:443 -proxy (...)? (Run it in the cipherscan directory.)

iromise commented 6 years ago

It works when I use openssl with the proxy:

➜  cipherscan git:(master) ✗ openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---

tomato42 commented 6 years ago

The ./ in the command is important: it will run the openssl from the local directory, not the system one, like using openssl does.

The cipherscan script defaults to the local one; it will use the system one only if you specify it using the OPENSSLBIN=$(which openssl) environment variable or the -o option.

iromise commented 6 years ago

Sorry for missing the ./. When I use

➜  cipherscan git:(master) ✗ sudo ./openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
[sudo] password for iromise: 
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
HTTP CONNECT failed

then I copied the openssl.cnf to the dir /usr/local/ssl/ (which did not exist when I used this command), and then I did it again, but it seems it does not work..

➜  cipherscan git:(master) ✗ sudo ./openssl s_client -proxy 127.0.0.1:8118 -connect google.com:443
CONNECTED(00000003)
HTTP CONNECT failed
140414114629312:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available

And at last, when I use the -o option, it works:

➜  cipherscan git:(master) ✗ ./cipherscan -o $(which openssl) -proxy 127.0.0.1:8118 google.com:443
...............
Target: google.com:443

prio  ciphersuite                    protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn                   pfs
1     ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
2     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
3     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2                256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None
4     ECDHE-ECDSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  256          sha256WithRSAEncryption  True     100800       False        grpc-exp,h2,http/1.1  X25519,253bits  None

I think it's better to say this in the help doc.
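
One way to separate "the proxy refuses the tunnel" from "this openssl build cannot do -proxy" is to perform the HTTP CONNECT step on its own. The following is an added example, not cipherscan's or OpenSSL's own code: a Python probe that sends the same CONNECT request s_client -proxy sends and reports the proxy's status line, plus a constructed in-process stand-in proxy so it runs offline. The stand-in's "443 only" policy and the hypothetical 8118 port usage are assumptions for the demonstration; point http_connect at the real proxy (127.0.0.1:8118 in the thread) to test the actual setup.

```python
import socket, threading

def http_connect(proxy_host, proxy_port, target, timeout=5.0):
    """Send CONNECT for target (host:port) to the proxy; return (status, reason, sock).
    On 200 the socket is the tunnel (ready for ssl wrapping); otherwise it is closed."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf:           # read the proxy's response headers
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    parts = buf.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        sock.close()
        return 0, "malformed or empty response", None   # proxy closed or is not an HTTP proxy
    code, reason = int(parts[1]), (parts[2] if len(parts) > 2 else "")
    if code != 200:                          # e.g. 403/407: the proxy refused the tunnel
        sock.close()
        return code, reason, None
    return code, reason, sock

def start_fake_proxy(allowed_ports=(443,)):
    """Constructed stand-in for a CONNECT proxy (offline testing only): answers 200
    for targets on an allowed port, 403 otherwise. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = b""
                while b"\r\n\r\n" not in data:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                first = data.split(b"\r\n", 1)[0].split()
                port = first[1].rsplit(b":", 1)[-1] if len(first) > 1 else b""
                ok = bool(first) and first[0] == b"CONNECT" and port.isdigit() and int(port) in allowed_ports
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" if ok
                             else b"HTTP/1.1 403 Forbidden\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

If the probe returns 200 against the real proxy but ./openssl still prints "HTTP CONNECT failed", the problem lies in that openssl build rather than in the proxy.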

tomato42 commented 6 years ago

Any suggestion for the doc text?

iromise commented 6 years ago

As the default openssl won't work,

➜  cipherscan git:(master) ✗ ./openssl version
OpenSSL 1.0.2-chacha (1.0.2i-dev)

the following doc

-proxy proxyhost:port Connect to the scan target via specified proxy
                    (req. OpenSSL 1.1.0 or bundled OpenSSL)

could be

-proxy proxyhost:port Connect to the scan target via specified proxy
                    (req. OpenSSL 1.1.0, e.g. use -o option to set a proper version openssl)

tomato42 commented 6 years ago

Hmm, and do you have some settings in the openssl.cnf that relate to the proxy? (Like username/password.)

I'm assuming that the one you copied into the /usr/local/ssl/ was the system one? (i.e. one from /etc)

iromise commented 6 years ago

No, I do nothing about the openssl.cnf. It was the default one.

tomato42 commented 6 years ago

Maybe the openssl unnecessarily requires the config file to be present for the proxy to work? I'd call that a bug...

iromise commented 6 years ago

Maybe...