Class: SSLScan::Scanner

Inherits:

Object

• Object
• SSLScan::Scanner

Defined in:

lib/ssl_scan/scanner.rb

Instance Attribute Summary

• #context ⇒ Object

  Returns the value of attribute context.

• #host ⇒ Object

  Returns the value of attribute host.

• #peer_supported_versions ⇒ Object readonly

  Returns the value of attribute peer_supported_versions.

• #port ⇒ Object

  Returns the value of attribute port.

• #results ⇒ Object readonly

  Returns the value of attribute results.

• #sslv2 ⇒ Object readonly

  Returns the value of attribute sslv2.

• #supported_versions ⇒ Object readonly

  Returns the value of attribute supported_versions.

• #timeout ⇒ Object

  Returns the value of attribute timeout.

Instance Method Summary

• #get_cert(ssl_version, cipher) ⇒ OpenSSL::X509::Certificate, Nil

  Retrieve the X509 Cert from the target service,.

• #get_first_valid_cert ⇒ Object
• #get_preferred_ciphers ⇒ Object
• #initialize(host, port = 443, context = {}, timeout = 5) ⇒ Scanner constructor

  Initializes the scanner object.

• #scan(&block) ⇒ Result

  Initiate the Scan against the target.

• #scan_ssl_version(ssl_version, &block) ⇒ Object
• #test_cipher(ssl_version, cipher) ⇒ Symbol

  Tests the specified SSL Version and Cipher against the configured target.

• #test_ssl ⇒ Object
• #test_tls ⇒ Object
• #valid? ⇒ Boolean

  Checks whether the scanner option has a valid configuration.

Constructor Details

#initialize(host, port = 443, context = {}, timeout = 5) ⇒ Scanner

Initializes the scanner object

Parameters:

• host (String) —

  IP address or hostname to scan

• port (Fixnum) (defaults to: 443) —

  Port number to scan, default: 443

• timeout (Fixnum) (defaults to: 5) —

  Timeout for connections, in seconds. default: 5

Raises:

• (StandardError) —

  Raised when the configuration is invalid

# File 'lib/ssl_scan/scanner.rb', line 20

def initialize(host,port = 443,context = {},timeout=5)
  @host       = host
  @port       = port
  @timeout    = timeout
  @context    = context
  if check_opensslv2 == true
    @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
    @sslv2 = true
  else
    @supported_versions = [:SSLv3, :TLSv1]
    @sslv2 = false
  end
  @peer_supported_versions = []
  raise StandardError, "The scanner configuration is invalid" unless valid?
end

Instance Attribute Details

#context ⇒ Object

Returns the value of attribute context.

# File 'lib/ssl_scan/scanner.rb', line 5

def context
  @context
end

#host ⇒ Object

Returns the value of attribute host.

# File 'lib/ssl_scan/scanner.rb', line 6

def host
  @host
end

#peer_supported_versions ⇒ Object (readonly)

Returns the value of attribute peer_supported_versions.

# File 'lib/ssl_scan/scanner.rb', line 11

def peer_supported_versions
  @peer_supported_versions
end

#port ⇒ Object

Returns the value of attribute port.

# File 'lib/ssl_scan/scanner.rb', line 7

def port
  @port
end

#results ⇒ Object (readonly)

Returns the value of attribute results.

# File 'lib/ssl_scan/scanner.rb', line 12

def results
  @results
end

#sslv2 ⇒ Object (readonly)

Returns the value of attribute sslv2.

# File 'lib/ssl_scan/scanner.rb', line 13

def sslv2
  @sslv2
end

#supported_versions ⇒ Object (readonly)

Returns the value of attribute supported_versions.

# File 'lib/ssl_scan/scanner.rb', line 10

def supported_versions
  @supported_versions
end

#timeout ⇒ Object

Returns the value of attribute timeout.

# File 'lib/ssl_scan/scanner.rb', line 8

def timeout
  @timeout
end

Instance Method Details

#get_cert(ssl_version, cipher) ⇒ OpenSSL::X509::Certificate, Nil

Retrieve the X509 Cert from the target service,

Parameters:

• ssl_version (Symbol) —

  The SSL version to use (:SSLv2, :SSLv3, :TLSv1)

• cipher (String) —

  The SSL Cipher to use

Returns:

• (OpenSSL::X509::Certificate) —

  if the certificate was retrieved

• (Nil) —

  if the cert couldn’t be retrieved

# File 'lib/ssl_scan/scanner.rb', line 250

def get_cert(ssl_version, cipher)
  validate_params(ssl_version, cipher)
  begin
    scan_client = SSLScan::Socket::Tcp.create(
      'PeerHost'   => @host,
      'PeerPort'   => @port,
      'SSL'        => true,
      'SSLVersion' => ssl_version,
      'SSLCipher'  => cipher,
      'Timeout'    => @timeout
    )
    cert = scan_client.peer_cert
    if cert.kind_of? OpenSSL::X509::Certificate
      return cert
    else
      return nil
    end
  rescue ::Exception => e
    return nil
  ensure
    if scan_client
      scan_client.close
    end
  end
end

#get_first_valid_cert ⇒ Object

# File 'lib/ssl_scan/scanner.rb', line 137

def get_first_valid_cert
  scan_result = SSLScan::Result.new
  scan_result.openssl_sslv2 = sslv2
  @supported_versions.each do |ssl_version|
    begin
      scan_client = SSLScan::Socket::Tcp.create(
        'Context'    => @context,
        'PeerHost'   => @host,
        'PeerPort'   => @port,
        'SSL'        => true,
        'SSLVersion' => ssl_version,
        'Timeout'    => @timeout
      )
      cipher_name = scan_client.cipher[0]
      key_length  = scan_client.cipher[3]
      status = test_cipher(ssl_version, cipher_name)
      scan_result.add_cipher(ssl_version, cipher_name, key_length, status)
      if status == :accepted and scan_result.cert.nil?
        scan_result.cert = get_cert(ssl_version, cipher_name)
        break
      end
    rescue => ex
      # noop
    end
  end
  @results = scan_result
  scan_result
end

#get_preferred_ciphers ⇒ Object

# File 'lib/ssl_scan/scanner.rb', line 109

def get_preferred_ciphers
  ssl_versions = {}.tap do |v|
    @supported_versions.each { |sv| v[sv] = [] } 
  end

  ssl_versions.keys.each do |ssl_version|
    begin
      scan_client = SSLScan::Socket::Tcp.create(
        'Context'    => @context,
        'PeerHost'   => @host,
        'PeerPort'   => @port,
        'SSL'        => true,
        'SSLVersion' => ssl_version,
        'Timeout'    => @timeout
      )
      ssl_versions[ssl_version] = scan_client.cipher

      if scan_client
        scan_client.close
      end
    rescue => ex
      ssl_versions.delete(ssl_version)
    end
  end
  ssl_versions
end

#scan(&block) ⇒ Result

Initiate the Scan against the target. Will test each cipher one at a time.

Returns:

• (Result) —

  object containing the details of the scan

# File 'lib/ssl_scan/scanner.rb', line 52

def scan(&block)
  scan_result = SSLScan::Result.new
  scan_result.openssl_sslv2 = sslv2
  # If we can't get any SSL connection, then don't bother testing
  # individual ciphers.
  
  @supported_versions.each do |ssl_version|
    sslctx = OpenSSL::SSL::SSLContext.new(ssl_version)
    sslctx.ciphers.each do |cipher_name, ssl_ver, key_length, alg_length|
      status = test_cipher(ssl_version, cipher_name)
      scan_result.add_cipher(ssl_version, cipher_name, key_length, status)
      if status == :accepted and scan_result.cert.nil?
        scan_result.cert = get_cert(ssl_version, cipher_name)
      end

      if block_given?
        yield(ssl_version, cipher_name, alg_length, status, scan_result.cert)
      end
      
    end
  end
  @peer_supported_versions = [].tap do |psv|
    psv << :SSLv2 if scan_result.supports_sslv2?
    psv << :SSLv3 if scan_result.supports_sslv3?
    psv << :TLSv1 if scan_result.supports_tlsv1?
  end
  @results = scan_result
  scan_result
end

#scan_ssl_version(ssl_version, &block) ⇒ Object

# File 'lib/ssl_scan/scanner.rb', line 82

def scan_ssl_version(ssl_version, &block)
  scan_result = SSLScan::Result.new
  scan_result.openssl_sslv2 = sslv2
  # If we can't get any SSL connection, then don't bother testing
  # individual ciphers.
  if ([:rejected, :failed].include?(test_ssl) and [:rejected, :failed].include?(test_tls)) or !@supported_versions.include?(ssl_version)
    return scan_result
  end

  sslctx = OpenSSL::SSL::SSLContext.new(ssl_version)
  sslctx.ciphers.each do |cipher_name, ssl_ver, key_length, alg_length|

    status = test_cipher(ssl_version, cipher_name)
    scan_result.add_cipher(ssl_version, cipher_name, key_length, status)
    if status == :accepted and scan_result.cert.nil?
      scan_result.cert = get_cert(ssl_version, cipher_name)
    end

    if block_given?
      yield(ssl_version, cipher_name, alg_length, status, scan_result.cert)
    end
    
  end
  @results = scan_result
  scan_result
end

#test_cipher(ssl_version, cipher) ⇒ Symbol

Tests the specified SSL Version and Cipher against the configured target

Parameters:

• ssl_version (Symbol) —

  The SSL version to use (:SSLv2, :SSLv3, :TLSv1)

• cipher (String) —

  The SSL Cipher to use

Returns:

• (Symbol) —

  Either :accepted or :rejected

# File 'lib/ssl_scan/scanner.rb', line 218

def test_cipher(ssl_version, cipher)
  validate_params(ssl_version,cipher)
  begin
    scan_client = SSLScan::Socket::Tcp.create(
      'Context'    => @context,
      'PeerHost'   => @host,
      'PeerPort'   => @port,
      'SSL'        => true,
      'SSLVersion' => ssl_version,
      'SSLCipher'  => cipher,
      'Timeout'    => @timeout
    )
  rescue ::Exception => e
    if e.kind_of?(Errno::ECONNRESET)
      return :failed
    else
      return :rejected
    end
  ensure
    if scan_client
      scan_client.close
    end
  end

  return :accepted
end

#test_ssl ⇒ Object

# File 'lib/ssl_scan/scanner.rb', line 166

def test_ssl
  begin
    scan_client = SSLScan::Socket::Tcp.create(
      'Context'    => @context,
      'PeerHost'   => @host,
      'PeerPort'   => @port,
      'SSL'        => true,
      'SSLVersion' => :SSLv23,
      'Timeout'    => @timeout
    )
  rescue ::Exception => e
    if e.kind_of?(Errno::ECONNRESET)
      return :failed
    else
      return :rejected
    end
  ensure
    if scan_client
      scan_client.close
    end
  end
  return :accepted
end

#test_tls ⇒ Object

# File 'lib/ssl_scan/scanner.rb', line 190

def test_tls
  begin
    scan_client = SSLScan::Socket::Tcp.create(
      'Context'    => @context,
      'PeerHost'   => @host,
      'PeerPort'   => @port,
      'SSL'        => true,
      'SSLVersion' => :TLSv1,
      'Timeout'    => @timeout
    )
  rescue ::Exception => e
    if e.kind_of?(Errno::ECONNRESET)
      return :failed
    else
      return :rejected
    end
  ensure
    if scan_client
      scan_client.close
    end
  end
  return :accepted
end

#valid? ⇒ Boolean

Checks whether the scanner option has a valid configuration

Returns:

• (Boolean) —

  True or False, the configuration is valid.

# File 'lib/ssl_scan/scanner.rb', line 38

def valid?
  begin
    @host = SSLScan::Socket.getaddress(@host, true)
  rescue
    return false
  end
  return false unless @port.kind_of? Fixnum
  return false unless @port >= 0 and @port <= 65535
  return false unless @timeout.kind_of? Fixnum
  return true
end