...
 
......@@ -85,17 +85,6 @@ required to compile OpenSSL from source on OS X. Once you have, just run:
### OpenSSL issues
#### OpenSSL 1.1.0 and later
OpenSSL 1.1.0 introduced a number of significant changes, including the removal
of old and insecure features such as SSLv2. While this is a very good thing for
the SSL ecosystem as a whole, it is a problem for sslscan, which relies on
these legacy features being available in order to detect them on client system.
In order to work around this, sslscan builds against [Peter Mosmans'](https://github.com/PeterMosmans/openssl)
fork of OpenSSL, which backports the Chacha20 and Poly1305 ciphers to OpenSSL
1.0.2, while keeping the dangerous legacy features (such as SSLv2 and EXPORT
ciphers) enabled.
#### Statically linking a custom OpenSSL build
It is possible to ignore the OpenSSL system installation and ship your own
......@@ -67,6 +67,9 @@ TLSv1.2 ecdsa_secp521r1_sha512
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
ECC Curve Name: prime256v1
ECC Key Strength: 128
Subject: itspeanutbutterjellytime.com
Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere
Not valid before: Dec 22 19:01:56 2019 GMT
......@@ -39,6 +39,9 @@ TLSv1.2 ecdsa_sha1
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
ECC Curve Name: prime256v1
ECC Key Strength: 128
Subject: itspeanutbutterjellytime.com
Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere
Not valid before: Dec 22 19:01:56 2019 GMT
......@@ -95,6 +95,7 @@
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/pkcs12.h>
......@@ -2030,14 +2031,28 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho
}
break;
case EVP_PKEY_EC:
if (EVP_PKEY_get1_EC_KEY(publicKey))
{
// TODO - display key strength
printf_xml(" <pk error=\"false\" type=\"EC\" />\n");
/* EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6); */
}
else
{
EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(publicKey);
if (ec_key != NULL)
{
// We divide by two to get the symmetric key strength equivalent; this
// ensures consistency with the Server Key Exchange Group section.
int keyBits = EVP_PKEY_bits(publicKey) / 2;
const char *ec_group_name = OBJ_nid2sn(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)));
char *color = "";
if (keyBits < 112)
color = COL_RED;
else if (keyBits < 128)
color = COL_YELLOW;
printf("ECC Curve Name: %s\n", ec_group_name);
printf("ECC Key Strength: %s%d%s\n\n", color, keyBits, RESET);
printf_xml(" <pk error=\"false\" type=\"EC\" curve_name=\"%s\" bits=\"%d\" />\n", ec_group_name, keyBits);
EC_KEY_free(ec_key); ec_key = NULL;
}
else
printf(" EC Public Key: NULL\n");
}
break;
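Review bot: `ec_group_name`, set on the `OBJ_nid2sn(EC_GROUP_get_curve_name(...))` line, is passed to `%s` in both the text `printf` and the `printf_xml` call without a NULL check; OBJ_nid2sn() returns NULL for a NID it does not know, which makes those calls undefined behavior (a crash on some libcs), while a certificate with explicit curve parameters yields NID_undef and is printed as `UNDEF`. A one-line guard after the lookup, `if (ec_group_name == NULL) ec_group_name = "unknown";`, closes the NULL case. Separately, the XML attribute `bits="%d"` carries the halved `keyBits`, so a P-256 key is reported as `bits="128"`; if the RSA branch (outside this hunk) puts the modulus size in `bits`, XML consumers will read the two branches inconsistently, and the raw `EVP_PKEY_bits(publicKey)` belongs in `bits` with the halved value under a separate attribute such as `strength`. checkCertificate starts and ends outside this hunk.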