首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >SSL/TLS加密检测脚本testssl.sh

SSL/TLS加密检测脚本testssl.sh

作者头像
Zach
发布2018-07-24 11:42:22
3.9K0
发布2018-07-24 11:42:22
举报
文章被收录于专栏:日暮星辰日暮星辰

以前SSL检测常用工具就是ssllabs的:https://www.ssllabs.com/ssltest/ 以及国内的https://myssl.com/.

检测方法很简单,输入在线检测即可。

今天在网上有发现一款好用的SSL检测脚本:testssl.sh:https://testssl.sh/

检测方法就是下载源码,运行:

git clone --depth 1 https://github.com/drwetter/testssl.sh.git

1

git clone --depth 1 https://github.com/drwetter/testssl.sh.git

然后进入目录:

运行:帮助shuom

testssl.sh --help

1

testssl.sh --help

运行检测:

./testssl.sh yourdomain.com

1

./testssl.sh yourdomain.com

检测结果类型如下:

###########################################################
 testssl.sh 3.0beta from https://testssl.sh/dev/
 (470f8b6 2018-04-28 22:38:53 -- )
 This program is free software. Distribution and
 modification under GPLv2 permitted.
 USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
 Please file bugs @ https://testssl.sh/bugs/
###########################################################
 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on VM_122_230_centos:./bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")
 Start 2018-04-29 23:25:20 -->> 119.28.6.33:443 (zach.xin) <<--
 rDNS (119.28.6.33): --
 Service detected: HTTP
 Testing protocols via sockets except NPN+ALPN 
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1 offered
 TLS 1.1 offered
 TLS 1.2 offered (OK)
 TLS 1.3 not offered
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)
 Testing cipher categories 
 NULL ciphers (no encryption) not offered (OK)
 Anonymous NULL Ciphers (no authentication) not offered (OK)
 Export ciphers (w/o ADH+NULL) not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
 Triple DES Ciphers (Medium) not offered (OK)
 High encryption (AES+Camellia, no AEAD) offered (OK)
 Strong encryption (AEAD ciphers) offered (OK)
 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 
 PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA 
 Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 
 Testing server preferences 
 Has server cipher order? yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Cipher order
 TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
 TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
 TLSv1.2: ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA
 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES256-SHA256 AES256-SHA 
 Testing server defaults (Server Hello) 
 TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172" "max fragment length/#1"
 "application layer protocol negotiation/#16" "encrypt-then-mac/#22" "extended master secret/#23"
 Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints 049CA937F746C261709C994D3484D78B958A / SHA1 C654AA97C778B10F79B05E12F679146255984AC8
 SHA256 F1137B78E829E1AEC2F238F931835A0090DBCF01C6F57B48F5CF16C2295B0EB4
 Common Name (CN) zach.xin
 subjectAltName (SAN) www.zach.xin zach.xin 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname) Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental) no 
 Certificate Validity (UTC) 78 >= 30 days (2018-04-18 19:06 --> 2018-07-17 19:06)
 # of certificates provided   2
 Certificate Revocation List --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                offered
 OCSP must staple extension --
 DNS CAA RR (experimental) not offered
 Certificate Transparency     yes (certificate extension)
 Testing HTTP header response @ "/" 
 HTTP Status Code 403 Forbidden
 HTTP clock skew 0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning --
 Server banner                nginx
 Application banner --
 Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
 Security headers --
 Reverse Proxy banner --
 Testing vulnerabilities 
 Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224) not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
 BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
 FREAK (CVE-2015-0204) not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
 make sure you don't use this certificate elsewhere with SSLv2 enabled services
 https://censys.io/ipv4?q=F1137B78E829E1AEC2F238F931835A0090DBCF01C6F57B48F5CF16C2295B0EB4 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
 VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
 Testing 364 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 
Hexcode  Cipher Suite Name (OpenSSL) KeyExch. Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9d     AES256-GCM-SHA384                 RSA        AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384                    
 xc0a1   AES256-CCM8                       RSA        AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8                         
 xc09d   AES256-CCM                        RSA        AESCCM 256 TLS_RSA_WITH_AES_256_CCM                           
 x3d     AES256-SHA256                     RSA        AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES 256 TLS_RSA_WITH_AES_256_CBC_SHA                       
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 xc0a0   AES128-CCM8                       RSA        AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8                         
 xc09c   AES128-CCM                        RSA        AESCCM 128 TLS_RSA_WITH_AES_128_CCM                           
 x9c     AES128-GCM-SHA256                 RSA        AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES 128 TLS_RSA_WITH_AES_128_CBC_SHA                       
 Running client simulations via sockets 
 Android 4.2.2 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Android 4.4.2 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 57 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 65 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 53 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 59 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Opera 17 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Tor 17.0.9 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 6u45 TLSv1.0 AES128-SHA
 Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 9.0.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Done 2018-04-29 23:27:55 [ 158s] -->> 119.28.6.33:443 (zach.xin) <<--

原创文章转载请注明

本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2018-04-29,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 作者个人站点/博客 前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档