From 370348ba1bd100ab4b19be501b5f5ef7c4afe38c Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Sat, 19 Apr 2014 12:04:09 -0400 Subject: [PATCH] Updated README --- README.md | 205 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 176 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 808bfc9..3953659 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ CipherScan ========== -A very simple way to find out which SSL ciphersuites are supported by a target. +A very simple way to find out which SSL/TLS ciphersuites are supported by a target. + +Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations. Cipherscan uses the `openssl s_client` command line to run the tests. On Linux x86_64 run: ./cipherscan www.google.com:443 On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443 @@ -44,38 +46,183 @@ Testing plain SSL/TLS: ``` linux $ ./cipherscan www.google.com:443 ................... -prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize -1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -3 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -4 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -5 AES128-GCM-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True -6 AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True -7 AES128-SHA TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True -8 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True -9 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True -10 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -11 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -12 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -13 AES256-GCM-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True -14 AES256-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True -15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True -16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits -17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True -18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits +prio ciphersuite protocols pfs_keysize +1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits +2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits +3 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 ECDH,P-256,256bits +4 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits +5 AES128-GCM-SHA256 TLSv1.2 +6 AES128-SHA256 TLSv1.2 +7 AES128-SHA TLSv1.1,TLSv1.2 +8 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 +9 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 +10 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits +11 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits +12 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits +13 AES256-GCM-SHA384 TLSv1.2 +14 AES256-SHA256 TLSv1.2 +15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 +16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits +17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 +18 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits + +Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature ``` Testing STARTTLS: ``` darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222 ......... -prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize -1 DHE-RSA-AES256-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits -2 AES256-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False -3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits -4 DES-CBC3-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False -5 DHE-RSA-AES128-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits -6 AES128-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False -7 RC4-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False -8 RC4-MD5 SSLv3,TLSv1 2048 sha1WithRSAEncryption False +......... +prio ciphersuite protocols pfs_keysize +1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits +2 AES256-SHA SSLv3,TLSv1 +3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits +4 DES-CBC3-SHA SSLv3,TLSv1 +5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits +6 AES128-SHA SSLv3,TLSv1 +7 RC4-SHA SSLv3,TLSv1 +8 RC4-MD5 SSLv3,TLSv1 + +Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature ``` + +Exporting to JSON with the `-j` command line option: +```javascript +$ /cipherscan -j -starttls xmpp jabber.ccc.de:5222 +{ + "target": "jabber.ccc.de:5222", + "date": "Sat, 19 Apr 2014 11:40:40 -0400", + "ciphersuite": [ + { + "cipher": "DHE-RSA-AES256-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "DH,1024bits" + }, + { + "cipher": "AES256-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "None" + }, + { + "cipher": "EDH-RSA-DES-CBC3-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "DH,1024bits" + }, + { + "cipher": "DES-CBC3-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "None" + }, + { + "cipher": "DHE-RSA-AES128-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "DH,1024bits" + }, + { + "cipher": "AES128-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "None" + }, + { + "cipher": "RC4-SHA", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "None" + }, + { + "cipher": "RC4-MD5", + "protocols": [ + "SSLv3", + "TLSv1" + ], + "pubkey": [ + "2048" + ], + "sigalg": [ + "sha1WithRSAEncryption" + ], + "trusted": "False", + "pfs": "None" + } + ] +} +``` + +Contributors +------------ + +* Julien Vehent (original author) +* Hubert Kario +* Pepi Zawodsky +* Michael Zeltner +* Simon Deziel