Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mismatch between provided API results. #214

Open
SunsparcSolaris opened this issue Feb 23, 2024 · 2 comments
Open

Mismatch between provided API results. #214

SunsparcSolaris opened this issue Feb 23, 2024 · 2 comments
Assignees
@hcrudolph
Labels
bug
Milestone
API v2

Comments

@SunsparcSolaris
Copy link

I'm hoping this is just user error but I've noticed a mismatch between what information is provided from the "all ciphers" endpoint and the specific cipher endpoint.

I'm attempting to write a script in Powershell that ForEach's through cipher suites from a server and looks up their security rating. Instead of making hundreds of calls to the API, I made a single to call to https://ciphersuite.info/api/cs and stored that output in a variable object so that I can perform lookups locally. The formatting is a little weird, I had to specify the CipherSuites property and then Expand the underlying objects.

$AllCiphers = (Invoke-RestMethod https://ciphersuite.info/api/cs).CipherSuites | Select-Object -ExpandProperty *

If I attempt to look up a cipher suite in the stored object, I get no results:

$AllCiphers | Where-Object {$_.openssl_name -eq "TLS_RSA_WITH_AES_256_GCM_SHA384"}

But if I look up the cipher directly on the api endpoint, I get results:

Invoke-RestMethod https://ciphersuite.info/api/cs/TLS_RSA_WITH_AES_256_GCM_SHA384 | Select-Object -Expand *

Again, it's weirdly formatted. The "friendly name" does not match the gnutls_name nor the openssl_name.
@skint007
Copy link

I did a very similar thing for our environment.

I think the thing that makes it difficult is how PowerShell converts it to a PSCustomObject.
Each cipher comes back with a NoteProperty as the name of the cipher, that then is a PSCustomObject itself.

$ApiBase = "https://ciphersuite.info/api/cs"
$response = Invoke-RestMethod $ApiBase
$response.ciphersuites[0] | gm

Will output

   TypeName: System.Management.Automation.PSCustomObject

Name                     MemberType   Definition
----                     ----------   ----------
Equals                   Method       bool Equals(System.Object obj)
GetHashCode              Method       int GetHashCode()
GetType                  Method       type GetType()
ToString                 Method       string ToString()
TLS_AES_128_CCM_8_SHA256 NoteProperty System.Management.Automation.PSCustomObject TLS_AES_128_CCM_8_SHA256=@{gnutls_...

I'm not sure if this is the most efficient way to do this, but you could try doing something like this

$response.ciphersuites | Where-Object { $_.PSObject.Properties.Name -eq 'TLS_RSA_WITH_AES_256_GCM_SHA384' } | Select-Object -ExpandProperty *

You will get the resulting PSCustomObject

gnutls_name      : TLS_RSA_AES_256_GCM_SHA384
openssl_name     : AES256-GCM-SHA384
hex_byte_1       : 0x00
hex_byte_2       : 0x9D
protocol_version : TLS
kex_algorithm    : RSA
auth_algorithm   : RSA
enc_algorithm    : AES 256 GCM
hash_algorithm   : SHA384
security         : weak
tls_version      : {TLS1.2, TLS1.3}

Hope this helps.

@SunsparcSolaris
Copy link
Author

I did a very similar thing for our environment.

I think the thing that makes it difficult is how PowerShell converts it to a PSCustomObject. Each cipher comes back with a NoteProperty as the name of the cipher, that then is a PSCustomObject itself.

$ApiBase = "https://ciphersuite.info/api/cs"
$response = Invoke-RestMethod $ApiBase
$response.ciphersuites[0] | gm

Will output

   TypeName: System.Management.Automation.PSCustomObject

Name                     MemberType   Definition
----                     ----------   ----------
Equals                   Method       bool Equals(System.Object obj)
GetHashCode              Method       int GetHashCode()
GetType                  Method       type GetType()
ToString                 Method       string ToString()
TLS_AES_128_CCM_8_SHA256 NoteProperty System.Management.Automation.PSCustomObject TLS_AES_128_CCM_8_SHA256=@{gnutls_...

I'm not sure if this is the most efficient way to do this, but you could try doing something like this

$response.ciphersuites | Where-Object { $_.PSObject.Properties.Name -eq 'TLS_RSA_WITH_AES_256_GCM_SHA384' } | Select-Object -ExpandProperty *

You will get the resulting PSCustomObject

gnutls_name      : TLS_RSA_AES_256_GCM_SHA384
openssl_name     : AES256-GCM-SHA384
hex_byte_1       : 0x00
hex_byte_2       : 0x9D
protocol_version : TLS
kex_algorithm    : RSA
auth_algorithm   : RSA
enc_algorithm    : AES 256 GCM
hash_algorithm   : SHA384
security         : weak
tls_version      : {TLS1.2, TLS1.3}

Hope this helps.

I ended up creating something incredibly hackish but serves the purposes I needed it to, which was get the server cipher, look it up, and provide the strength.

$ServerOutput = invoke-command -ComputerName $allservers -ErrorAction SilentlyContinue -ScriptBlock {
	$get = Get-TlsCipherSuite 
	[PSCustomObject] $get
}

$output = @()
$get = Get-TlsCipherSuite 
$CipherOutput = [PSCustomObject] $get
ForEach ($entry in $CipherOutput) {
	If ($entry.Name -like "*SHA*_P*") {
		$BuildString = ($($entry.name).substring(0, $($entry.name).lastindexof("_"))).Replace("WITH_","")
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $BuildString}
	}
	ElseIf ($entry.Name -like "*_SHA") {
		$BuildString = ($($entry.name).substring(0, $($entry.name).lastindexof("_"))+"_SHA1").Replace("WITH_","")
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $BuildString}
	}
	ElseIf ($entry.Name -like "*WITH*") {
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $($entry.name).Replace("WITH_","")}
	}
	Else {
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $($entry.name) -or $_.openssl_name -like $($entry.name)}
	}
	$output += [PSCustomObject] @{
		Server = $env:computername
		CipherServerName = $entry.name
		CipherOpenSSLName = If ($CipherLookup.gnutls_name) { $CipherLookup.gnutls_name } Else {$CipherLookup.openssl_name}
		Security = $CipherLookup.security
	}
}
foreach ($line in $ServerOutput) {
	If ($line.Name -like "*SHA*_P*") {
		$BuildString = ($($line.name).substring(0, $($line.name).lastindexof("_"))).Replace("WITH_","")
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $BuildString}
	}
	ElseIf ($line.Name -like "*_SHA") {
		$BuildString = ($($line.name).substring(0, $($line.name).lastindexof("_"))+"_SHA1").Replace("WITH_","")
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $BuildString}
	}
	ElseIf ($line.Name -like "*WITH*") {
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $($line.name).Replace("WITH_","")}
	}
	Else {
		$CipherLookup = $AllCiphers | Where {$_.gnutls_name -like $($line.name) -or $_.openssl_name -like $($line.name)}
	}
	$output += [PSCustomObject] @{
		Server = $line.pscomputername
		CipherServerName = $line.name
		CipherOpenSSLName = If ($CipherLookup.gnutls_name) { $CipherLookup.gnutls_name } Else {$CipherLookup.openssl_name}
		Security = $CipherLookup.security
	}
}

@hcrudolph hcrudolph self-assigned this May 6, 2024
@hcrudolph hcrudolph added the bug label May 6, 2024
@hcrudolph hcrudolph added this to the API v2 milestone May 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hcrudolph hcrudolph

Labels
bug
Projects
None yet
Milestone
API v2
Development

No branches or pull requests
3 participants
@hcrudolph @SunsparcSolaris @skint007