-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopenssl_functions.txt
123 lines (108 loc) · 3.58 KB
/
openssl_functions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# look at certificate as if you were human
cert ()
{
openssl x509 -text -noout -in "$1" | less -F
}
# same for csr
csr ()
{
openssl req -text -noout -verify -in "$1" | less -F
}
# read the helptext
tlsmod ()
{
local full='';
local modulus;
local filetype;
if [[ -z $1 || "$1" == "-?" || "$1" == "-h" ]]; then
cat <<HELPTEXT
${FUNCNAME[0]} prints the type and the modulus for certificates' public keys, and private keys.
Usage: ${FUNCNAME[0]} file ...
Use -f as first argument to show the full modulus instead of the md5 hash.
HELPTEXT
return;
fi
if [[ "$1" == "-f" ]]; then
full=1;
shift;
fi;
for file in "$@";
do
echo " File: $file";
if ! [[ -f "$file" && -r "$file" ]]; then
echo -e " \\e[31mE: Can't read '$file', skipping\e[0m";
continue;
fi;
case "$(head "$file" -n1)" in
-----BEGIN\ CERTIFICATE-----)
filetype="Type: certificate";
cmd='openssl x509 -noout -modulus -in'
;;
-----BEGIN*PRIVATE\ KEY-----)
filetype="Type: private key";
cmd='openssl rsa -noout -modulus -in'
;;
-----BEGIN\ CERTIFICATE\ REQUEST-----)
filetype="Type: certificate request";
cmd='openssl req -modulus -noout -in'
;;
*)
echo -e " \\e[31mE: unhandled filetype '$file'; only keys, certifcates and certificate requests are handled\e[0m";
continue
;;
esac;
echo " $filetype";
if modulus=$($cmd "$file"); then
[[ -z $full ]] && ( echo "$modulus" | openssl md5 | sed 's/(stdin)=/ Hash:/' ) || echo "$modulus";
else
echo -e " \\e[31mFailed\e[0m";
fi;
done
}
# just returns the modulus/hash, needs doc
keymod ()
{
local hash='';
local modulus;
if [[ "$1" == "-h" ]]; then
hash=1;
shift;
fi;
modulus=$(openssl rsa -noout -modulus -in "$1");
[[ -n $hash ]] && ( echo "$modulus" | openssl md5 ) || echo "$modulus"
}
# ---- shell script ----------------------
#!/usr/bin/env bash
# lists of cipher suites to test
tls12_ciphers=($(openssl ciphers -s -v | grep -e TLSv1.2 | awk '{print $1}'))
tls13_ciphers=($(openssl ciphers -s -v | grep -e TLSv1.3 | awk '{print $1}'))
# -s for secure/modern (smaller but more relevant set), -v: verbose to get the version info so we can grep on it
# then just only print the cipher again
# Target server
if [[ -z $1 ]]; then
echo -e " \e[36;1mPass a host as first argument to probe it. Using default host:\e[0m";
fi
server="${1:-fargeau.horafinita.nl}"
echo " $server"
echo " $(dig +short $server | tail -n1)"
echo ' --- Certificate ---'
echo | openssl s_client -servername $server -connect $server:443 2> /dev/null | openssl x509 -noout -issuer -dates -ext subjectAltName \
| sed 's/^/ /g'
echo ' --- Cipher support ---'
function test_ciphers() {
local version=$1
shift
local ciphers=("$@")
local arg=-cipher
if [[ "$version" == "tls1_3" ]]; then arg=-ciphersuites; fi
echo "$(echo \ \ TLS ${version:3} | sed 's/_/./')"
for cipher in "${ciphers[@]}"; do
result=$(echo | openssl s_client -connect $server:443 $arg $cipher -$version 2>&1)
if [[ $result == *"Cipher is"* && $result != *"Cipher is (NONE)"* ]]; then
echo " "$cipher
fi
done
}
test_ciphers tls1_2 "${tls12_ciphers[@]}"
test_ciphers tls1_3 "${tls13_ciphers[@]}"
# ---------------------------------------------