deac
/
cipherscan
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updated README

master
Julien Vehent 2014-04-19 12:04:09 -04:00
parent f703ca9c26
commit 370348ba1b
1 changed files with 176 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

205
README.md
View File

@ -1,6 +1,8 @@
CipherScan CipherScan
========== ==========
A very simple way to find out which SSL ciphersuites are supported by a target. A very simple way to find out which SSL/TLS ciphersuites are supported by a target.
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations. Cipherscan uses the `openssl s_client` command line to run the tests.
On Linux x86_64 run: ./cipherscan www.google.com:443 On Linux x86_64 run: ./cipherscan www.google.com:443
On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443 On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
@ -44,38 +46,183 @@ Testing plain SSL/TLS:
``` ```
linux $ ./cipherscan www.google.com:443 linux $ ./cipherscan www.google.com:443
................... ...................
prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
3 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 3 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 ECDH,P-256,256bits
4 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 4 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
5 AES128-GCM-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True 5 AES128-GCM-SHA256 TLSv1.2
6 AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True 6 AES128-SHA256 TLSv1.2
7 AES128-SHA TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True 7 AES128-SHA TLSv1.1,TLSv1.2
8 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True 8 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
9 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True 9 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2
10 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 10 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
11 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 11 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
12 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 12 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
13 AES256-GCM-SHA384 TLSv1.2 2048 sha1WithRSAEncryption True 13 AES256-GCM-SHA384 TLSv1.2
14 AES256-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True 14 AES256-SHA256 TLSv1.2
15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True 15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 2048 sha1WithRSAEncryption True 17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha1WithRSAEncryption True ECDH,P-256,256bits 18 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
``` ```
Testing STARTTLS: Testing STARTTLS:
``` ```
darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222 darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222
......... .........
prio ciphersuite protocols pubkey_size signature_algorithm trusted pfs_keysize .........
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits prio ciphersuite protocols pfs_keysize
2 AES256-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False 1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits 2 AES256-SHA SSLv3,TLSv1
4 DES-CBC3-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False 3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits
5 DHE-RSA-AES128-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False DH,1024bits 4 DES-CBC3-SHA SSLv3,TLSv1
6 AES128-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False 5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits
7 RC4-SHA SSLv3,TLSv1 2048 sha1WithRSAEncryption False 6 AES128-SHA SSLv3,TLSv1
8 RC4-MD5 SSLv3,TLSv1 2048 sha1WithRSAEncryption False 7 RC4-SHA SSLv3,TLSv1
8 RC4-MD5 SSLv3,TLSv1
Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
``` ```
Exporting to JSON with the `-j` command line option:
```javascript
$ /cipherscan -j -starttls xmpp jabber.ccc.de:5222
{
"target": "jabber.ccc.de:5222",
"date": "Sat, 19 Apr 2014 11:40:40 -0400",
"ciphersuite": [
{
"cipher": "DHE-RSA-AES256-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "AES256-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "EDH-RSA-DES-CBC3-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "DES-CBC3-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "DHE-RSA-AES128-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "AES128-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "RC4-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "RC4-MD5",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
}
]
}
```
Contributors
------------
* Julien Vehent <julien@linuxwall.info> (original author)
* Hubert Kario <hkario@redhat.com>
* Pepi Zawodsky <git@maclemon.at>
* Michael Zeltner <m@niij.org>
* Simon Deziel <simon.deziel@gmail.com>