Documentation ¶
Index ¶
- Variables
- func GetAllCipherSuiteNumbers() []uint16
- type CertificateMessage
- type CipherConfig
- type HelloAndKey
- type HostAndPort
- type HumanScanResult
- type KeyExchangeAlgorithm
- type ScanConfig
- type ScanProgress
- type ScanRequest
- type ScanResult
- type SecurityScore
- type ServerHelloMessage
- type ServerKeyExchangeMsg
Constants ¶
This section is empty.
Variables ¶
var ( //NamedCurves are named elliptic curve //see https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 NamedCurves = map[uint16]string{ 0: "Reserved", 1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2", 6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1", 11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1", 15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1", 20: "secp224k1", 21: "secp224r1", 22: "secp256k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 26: "brainpoolP256r1", 27: "brainpoolP384r1", 28: "brainpoolP512r1", 29: "x25519", 30: "x448", 256: "ffdhe2048", 257: "ffdhe3072", 258: "ffdhe4096", 259: "ffdhe6144", 260: "ffdhe8192", 65281: "arbitrary_explicit_prime_curves", 65282: "arbitrary_explicit_char2_curves", } //NamedCurveStrength maps named eliptic curve to comparable RSA length //For comparable strengths of EC named curves see //1. https://www.ietf.org/rfc/rfc5114.txt (see section 4, security considerations) //2. https://www.ietf.org/rfc/rfc5480.txt and //3. pp 133 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf NamedCurveStrength = map[uint16]int{ 0: -1, 1: -1, 2: -1, 3: -1, 4: -1, 5: -1, 6: -1, 7: -1, 8: -1, 9: -1, 10: -1, 11: -1, 12: -1, 13: -1, 14: -1, 15: -1, 16: -1, 17: -1, 18: -1, 19: 1024, 20: 2048, 21: 2048, 22: 3072, 23: 3072, 24: 7680, 25: 15360, 26: 3072, 27: 7680, 28: 15360, 29: 3072, 30: 7680, 256: 2048, 257: 3072, 258: 4096, 259: 6144, 260: 8192, 65281: -1, 65282: -1, } // CipherSuiteMap - list of ciphersuites based on: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml // For CSV: https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv // reserved/unknown items are excluded. CipherSuiteMap = map[uint16]string{}/* 334 elements not displayed */ // AllCipherSuites is the numerical values of the ciphersuites AllCipherSuites []uint16 //VersionSSL20 is the protocol code of SSL v2.0 VersionSSL20 uint16 = 0x0002 //VersionTLS13 is the protocol code of TLS v1.3 see https://datatracker.ietf.org/doc/rfc8446 VersionTLS13 uint16 = 0x0304 //TLSVersions an array of supported TLS versions TLSVersions = []uint16{VersionSSL20, tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12} //TLSVersionMap a mapping from TLS version to a string representation TLSVersionMap = map[uint16]string{ VersionSSL20: "SSL v2.0", tls.VersionSSL30: "SSL v3.0", tls.VersionTLS10: "TLS v1.0", tls.VersionTLS11: "TLS v1.1", tls.VersionTLS12: "TLS v1.2", VersionTLS13: "TLS v1.3", } //AllALPNProtos Application Layer Protocol Negotiation. See defined list at https://tools.ietf.org/html/rfc7301#section-6 AllALPNProtos = []string{"spdy/3", "spdy/2", "spdy/1", "http/1.1"} //NkxErrorMessage error message NkxErrorMessage = "Not a key exchange message" )
Functions ¶
func GetAllCipherSuiteNumbers ¶
func GetAllCipherSuiteNumbers() []uint16
GetAllCipherSuiteNumbers returns all the cipher suit numerical values
Types ¶
type CertificateMessage ¶
CertificateMessage simply exporting the internal certificateMsg
func (CertificateMessage) GetCertificates ¶
func (cert CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)
GetCertificates returns the list of certificates in a TLS certificate message
type CipherConfig ¶ added in v0.1.9
type CipherConfig struct { Cipher string KeyExchange string Authentication string IsExport bool Encryption string MACPRF string //MAC (TLS <=1.1) or PseudoRandomFunction (TLS >= 1.2) }
CipherConfig extracts the important elements of a Ciphersuit based on its name
func GetCipherConfig ¶ added in v0.1.9
func GetCipherConfig(cipher string) (config CipherConfig, err error)
GetCipherConfig extracts a `CipherConfig` from the Cipher's IANA string name does some basic sanity checks and returns an error if the input cipher name is not sane NOTE however, only IANA names from here are assumed and "supported": https://www.iana.org/assignments/tls-parameters/tls-parameters.txt
func (*CipherConfig) GetEncryptionKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetEncryptionKeyLength() int
GetEncryptionKeyLength returns the effective key lengths of encryption algorithms used in the cipher See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details
func (*CipherConfig) GetKeyExchangeKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int
GetKeyExchangeKeyLength returns the key length indicated by the cipher
func (*CipherConfig) IsAuthenticated ¶ added in v0.1.9
func (cc *CipherConfig) IsAuthenticated() bool
IsAuthenticated returns whether the cipher supports authentication
type HelloAndKey ¶
type HelloAndKey struct { Hello ServerHelloMessage Key ServerKeyExchangeMsg HasKey bool }
HelloAndKey bundles server hello and ServerKeyExchange messages
type HostAndPort ¶
HostAndPort is a model representing a hostname and a given port
type HumanScanResult ¶
type HumanScanResult struct { Server string HostName string Port string SupportsTLS bool SupportedProtocols []string HasCipherPreferenceOrderByProtocol map[string]bool CipherPreferenceOrderByProtocol map[string][]string OcspStaplingByProtocol map[string]bool SelectedCipherByProtocol map[string]string ALPNByProtocol map[string]string SecureRenegotiationSupportedByProtocol map[string]bool CipherSuiteByProtocol map[string][]string // ServerHelloMessageByProtocolByCipher map[string]map[string]ServerHelloMessage // CertificatesPerProtocol map[string]CertificateMessage // KeyExchangeByProtocolByCipher map[string]map[string]ServerKeyExchangeMsg IsSTARTLS bool IsSSH bool SupportsTLSFallbackSCSV bool Score SecurityScore }
HumanScanResult is a Stringified version of ScanResult
type ScanConfig ¶
type ScanConfig struct { ProtocolsOnly bool Timeout int //Number of Packets per Second to send out during underlying port scan PacketsPerSecond int //Suppress certificate output HideCerts bool //control whether to produce a running commentary of scan progress or stay quiet till the end Quiet bool }
ScanConfig describes details of how the TLS scan should be carried out
type ScanProgress ¶ added in v0.1.10
type ScanProgress struct { Progress float32 ScanResults []HumanScanResult // this is the latest scan results delta, at the end of scan all cummulative scans are sent Narrative string //freeflow text }
ScanProgress contains partial scam results with an indication of progress
type ScanRequest ¶ added in v0.1.10
type ScanRequest struct { CIDRs []string Config ScanConfig }
ScanRequest is a model to describe a given TLS Audit scan
type ScanResult ¶
type ScanResult struct { Server string Port string SupportedProtocols []uint16 HasCipherPreferenceOrderByProtocol map[uint16]bool CipherPreferenceOrderByProtocol map[uint16][]uint16 OcspStaplingByProtocol map[uint16]bool SelectedCipherByProtocol map[uint16]uint16 ALPNByProtocol map[uint16]string SecureRenegotiationSupportedByProtocol map[uint16]bool CipherSuiteByProtocol map[uint16][]uint16 ServerHelloMessageByProtocolByCipher map[uint16]map[uint16]ServerHelloMessage CertificatesPerProtocol map[uint16]CertificateMessage KeyExchangeByProtocolByCipher map[uint16]map[uint16]ServerKeyExchangeMsg IsSTARTLS bool IsSSH bool SupportsTLSFallbackSCSV bool }
ScanResult is the scan result of a server TLS settings
func (*ScanResult) CalculateScore ¶ added in v0.1.9
func (s *ScanResult) CalculateScore() (result SecurityScore)
CalculateScore computes an SSLLab-esque score for the scan https://github.com/ssllabs/research/wiki/SS https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018 SecurityScoreL-Server-Rating-Guide contains the overall grading of a TLS/SSL port
func (ScanResult) String ¶
func (s ScanResult) String() string
func (ScanResult) SupportsTLS ¶
func (s ScanResult) SupportsTLS() bool
SupportsTLS determines whether the port on the specified server supports TLS at all
func (ScanResult) ToJSON ¶
func (s ScanResult) ToJSON() (js string)
ToJSON returns a JSON-formatted string representation of the ScanResult
func (ScanResult) ToString ¶
func (s ScanResult) ToString(config ScanConfig) (result string)
ToString generates a string output
func (ScanResult) ToStringStruct ¶
func (s ScanResult) ToStringStruct() (out HumanScanResult)
ToStringStruct returns a string-decoded form of ScanResult
type SecurityScore ¶ added in v0.1.9
type SecurityScore struct { ProtocolScore int KeyExchangeScore int CipherEncryptionScore int CertificateScore int Grade string Warnings []string }
SecurityScore contains the overall grading of a TLS/SSL port
type ServerHelloMessage ¶
type ServerHelloMessage struct { Raw []byte Vers uint16 Random []byte SessionId []byte CipherSuite uint16 CompressionMethod uint8 NextProtoNeg bool NextProtos []string OcspStapling bool Scts [][]byte TicketSupported bool SecureRenegotiation []byte SecureRenegotiationSupported bool AlpnProtocol string }
ServerHelloMessage is the TLS server hello message
type ServerKeyExchangeMsg ¶
ServerKeyExchangeMsg is the key exchange message