[SSL Observatory] CDN services

Ondrej Mikle ondrej.mikle at nic.cz
Tue Nov 8 12:10:16 PST 2011


On 11/08/11 15:31, Ralph Holz wrote:
>>> Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't
>>> conduct full SSL handshakes then, correct?
>>
>> Correct. The scanner only waits for the TLS Handshake Record with certificates.
>> Time taken by the scan depends a lot on the scanner location, one finishes
>> consistently within 4-5 hours, the other between 11-13 hours (in 100 threads).
> 
> Will you release the code? I have been thinking about replacing our
> openssl-based scanner with something quicker, at least for some use cases.

The code is here:

git clone git://git.nic.cz/perspectives-observatory/

Look for threaded_scanner.py. (The code is a fork of Perspectives server, with
some tweaks/fixes.)

One known limitation: it won't handle the case when the certificates in
handshake protocol are long enough to be fragmented over multiple record layers
(throws error). In practice I've seen two such cases: mail.zitro-technologies.de
(the number of subj alt names is impressive) and afw.akf-servicelease.de (sends
chain of length 18).

>>> Which DB back-end do you use? If it's postgres, I'd be happy to feed it
>>> into our DB, too, and see what we have.
>>
>> It's postgres.
> 
> Oh, excellent. Do you provide .custom format, too?

I've sent you the link in mail. (In case anyone else is interested, write me,
it's not put here because of the host's traffic quotas).

Ondrej
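
An added example, not part of the original message and not code from threaded_scanner.py: one way to handle the fragmentation case described above is to concatenate the payloads of all handshake records first and only then parse handshake messages, so a Certificate message spanning several records is read whole. It assumes the plaintext TLS 1.2-and-earlier layout; all function names are hypothetical and the sample input is constructed (the "certificates" are filler bytes, not real DER).

```python
import struct

HANDSHAKE = 22      # TLS record content type
CERTIFICATE = 11    # handshake message type

def u24(b):
    return int.from_bytes(b, "big")

def handshake_stream(raw):
    """Concatenate the payloads of all complete handshake records in raw."""
    buf, pos = bytearray(), 0
    while pos + 5 <= len(raw):
        ctype, _version, length = struct.unpack("!BHH", raw[pos:pos + 5])
        if pos + 5 + length > len(raw):
            break                       # incomplete record: caller must read more
        if ctype == HANDSHAKE:
            buf += raw[pos + 5:pos + 5 + length]
        pos += 5 + length
    return bytes(buf)

def extract_chain(raw):
    """Return the certificate blobs, or None if the Certificate message is not complete yet."""
    hs, pos = handshake_stream(raw), 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], u24(hs[pos + 1:pos + 4])
        body = hs[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            return None                 # message continues in a later record
        if mtype == CERTIFICATE:
            certs, p, end = [], 3, 3 + u24(body[:3])
            while p < end:              # each entry: 3-byte length + certificate
                n = u24(body[p:p + 3])
                certs.append(body[p + 3:p + 3 + n])
                p += 3 + n
            return certs
        pos += 4 + mlen
    return None

def build_sample(certs, record_size):
    """Constructed input: a ServerHello stub plus Certificate, split into records."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    cert_body = len(entries).to_bytes(3, "big") + entries
    hs = b"\x02" + (4).to_bytes(3, "big") + b"stub"
    hs += bytes([CERTIFICATE]) + len(cert_body).to_bytes(3, "big") + cert_body
    return b"".join(struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs[i:i + record_size]))
                    + hs[i:i + record_size] for i in range(0, len(hs), record_size))
```

A scanner would keep reading from the socket and calling extract_chain() on the accumulated bytes until it returns a list instead of None.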


