UNPKG

@passmarked/ssl

Version:

Rules that relate to checking the SSL configuration of each individual resolved server from the domain to ensure locked down config with the broadest compatibility

github.com/passmarked/ssl

passmarked/ssl

108 lines (76 loc) 2.37 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
// pull in our modules const url = require('url'); const S = require('string'); const childProcess = require('child_process'); const async = require('async'); const _ = require('underscore'); const OpenSSL = require('../certificates'); const mozillaSSL = require('../../mozilla.json'); /** * Pulls the certificate and checks ge **/ module.exports = exports = function(payload, options, fn) { // get the ciphers var clientConfig = (mozillaSSL || {}).configurations; var intermediate = (clientConfig || {}).intermediate || {}; var ciphers = intermediate.ciphersuites; // pull out the params we can use var address = options.address; var client = options.client; var socket = options.client; // get the data var data = payload.getData(); // only if SSL if(S( data.url.toLowerCase() ).startsWith("https") == false) return fn(null); // parse the url var uri = url.parse( data.url ); // get the SSL var ssl = new OpenSSL(payload, address, socket); // the chipher checks var cipherChecks = []; // run each async.each(ciphers, function(cipher, cb) { // build the commands to send var args = [ 'echo', 'QUIT', '|', ssl.getExecutable(), 's_client', '-cipher', '"' + cipher + '"', '-servername', uri.hostname, '-connect', address + ':' + (uri.port || 443) ]; // debug console.log('Running: ' + args.join(' ')) // execute the actual process ssl.exec(args.join(' '), function(err, stdout, stderr) { // get the full output var output = (stdout || '') + '\n' + (stderr || ''); // check the error if(err) { // output the rror payload.debug('checks', 'Something went wrong while trying to get all the ciphers', err); } if(S(output.toLowerCase()).trim().s.indexOf('connected(0') === -1) { // add the item cipherChecks.push(cipher); // done console.log('--------$\n' + output + '\n$--------') } // done with this call cb(null); }); }, function(err) { // load in the client config for(var i = 0; i < cipherChecks.length; i++) { console.dir(cipherChecks[i]); } // done fn(err); }); };