Client uses userland certs

2026-02-27 13:48:14 +01:00 · 2026-02-27 13:48:14 +01:00 · a159ecdd10
commit a159ecdd10
parent e184b429ed
3 changed files with 37 additions and 14 deletions
--- a/crawler.py
+++ b/crawler.py
@ -8,7 +8,8 @@ CAPTURES = {
 	"written_bytes": "SSL handshake has read \\d+ bytes and written (\\d+) bytes\n",
 	"cert_sig": "Peer signature type: ([a-zA-Z0-9_.-]+)\n",
 	"cert_pk_size": "Server public key is (\\d+) bit\n",
-	"kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_.-]+)(?:\n|,)",
+	#"kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_.-]+)(?:\n|,)",
+	"kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_., -]+)\n",
 	"cipher": "Cipher is ([a-zA-Z0-9_.-]+)\n",
 	"protocol": "Protocol: ([a-zA-Z0-9_.-]+)\n",
 }
@ -106,7 +107,12 @@ if __name__ == "__main__":
 				"none": 0,
 				"x25519mlkem768": 0,
 				"x25519": 0,
-				"rsa": 0,
+				"rsa2048": 0,
+				"rsa3072": 0,
+				"rsa4096": 0,
+				"secp256r1": 0,
+				"secp384r1": 0,
+				"secp521r1": 0,
 			},
 			"version": {
 				"none": 0,
@ -134,6 +140,7 @@ if __name__ == "__main__":
 				except StopIteration:
 					pass
 					#print("Not found:", line, r)
+
 			if "cert_sig" not in domain_stats:
 				summary["cert"]["none"] += 1
 			elif domain_stats["cert_sig"] == "ecdsa_secp256r1_sha256":
@ -144,6 +151,7 @@ if __name__ == "__main__":
 				summary["cert"]["secp521r1"] += 1
 			elif "rsa" in domain_stats["cert_sig"]:
 				summary["cert"]["rsa{}".format(domain_stats["cert_pk_size"])] += 1
+
 			if "cipher" not in domain_stats:
 				summary["cipher"]["none"] += 1
 			elif "AES_128" in domain_stats["cipher"] or "AES128" in domain_stats["cipher"]:
@ -152,21 +160,34 @@ if __name__ == "__main__":
 				summary["cipher"]["aes256"] += 1
 			elif "CHACHA20" in domain_stats["cipher"]:
 				summary["cipher"]["chacha20"] += 1
+
 			if "kx" not in domain_stats:
 				summary["kx"]["none"] += 1
 			elif domain_stats["kx"] == "X25519MLKEM768":
 				summary["kx"]["x25519mlkem768"] += 1
-			elif domain_stats["kx"] == "X25519" or domain_stats["kx"] == "ECDH":
+			elif domain_stats["kx"] == "X25519, 253 bits":
 				summary["kx"]["x25519"] += 1
-			elif domain_stats["kx"] == "DH":
-				summary["kx"]["rsa"] += 1
+			elif domain_stats["kx"] == "DH, 2048 bits":
+				summary["kx"]["rsa2048"] += 1
+			elif domain_stats["kx"] == "DH, 3072 bits":
+				summary["kx"]["rsa3072"] += 1
+			elif domain_stats["kx"] == "DH, 4096 bits":
+				summary["kx"]["rsa4096"] += 1
+			elif domain_stats["kx"] == "ECDH, prime256v1, 256 bits":
+				summary["kx"]["secp256r1"] += 1
+			elif domain_stats["kx"] == "ECDH, secp384r1, 384 bits":
+				summary["kx"]["secp384r1"] += 1
+			elif domain_stats["kx"] == "ECDH, secp521r1, 521 bits":
+				summary["kx"]["secp521r1"] += 1
+
 			if "protocol" not in domain_stats:
 				summary["version"]["none"] += 1
 			elif domain_stats["protocol"] == "TLSv1.3":
 				summary["version"]["1.3"] += 1
 			elif domain_stats["protocol"] == "TLSv1.2":
 				summary["version"]["1.2"] += 1
-			#if "kx" in domain_stats and domain_stats["kx"] == "DH":
+
+			#if "kx" in domain_stats and domain_stats["kx"] == "ECDH":
 			#	print(c[domain])
 			#	exit(0)
 		if "-t" in sys.argv: # text output