- $ openssl s_client -host HOST -port PORT
- -- output
- ... .oO( a lot of debug-output )Oo. ...
- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
- Server public key is 4096 bit
- Secure Renegotiation IS supported
- Compression: NONE
- Expansion: NONE
- SSL-Session:
- Protocol : TLSv1.2
- Cipher : ECDHE-RSA-AES128-GCM-SHA256
- -- output
- ########################################################
- testssl.sh v2.0pre (http://software.drwetter.eu/ssl/)
- Testing now (2014-02-24 22:40) ---> blah.org:443 <---
- ("blah.org" resolves to "12.34.56.78")
- --> Testing specific vulnerabilities
- Renegotiation Vulnerability (CVE 2009-3555): **NOT vulnerable (ok)**
- CRIME Vulnerability (CVE-2012-4929): **NOT vulnerable (ok)**
- --> Testing HTTP Header settings
- HSTS: **365 days (31536000 s)**
- Server banner: nginux
- --> Testing (Perfect) Forward Secrecy (P)FS)
- PFS seems generally available. Now testing specific ciphers
- ECDHE-RSA-AES256-GCM-SHA384 [0xc030]: **works**
- ECDHE-RSA-AES128-GCM-SHA256 [0xc02f]: **works**
- ECDHE-RSA-AES128-SHA256 [0xc027]: **works**
- ECDHE-RSA-RC4-SHA [0xc011]: **works**
- DHE-RSA-AES256-GCM-SHA384 [0x9f]: **works**
- DHE-RSA-AES256-SHA256 [0x6b]: **works**
- DHE-RSA-AES256-SHA [0x39]: **works**
- DHE-RSA-CAMELLIA256-SHA [0x88]: **works**
- DHE-RSA-AES128-GCM-SHA256 [0x9e]: **works**
- DHE-RSA-AES128-SHA256 [0x67]: **works**
- DHE-RSA-AES128-SHA [0x33]: **works**
- DHE-RSA-CAMELLIA128-SHA [0x45]: **works**
- ECDHE-RSA-AES256-SHA384 [0xc028]: **works**
- ECDHE-RSA-AES256-SHA [0xc014]: **works**
- ECDHE-RSA-AES128-SHA [0xc013]: **works**
- (A "green" cipher doesn't mean any browser will be able to use it)
- --> Checking RC4 Ciphers
- ECDHE-RSA-RC4-SHA [0xc011] (Kx=ECDH, Mac=SHA1): **available**
- RC4-SHA [0x05] (Kx=RSA, Mac=SHA1): **available**
- RC4 is kind of broken (for e.g. IE6 consider 0xa or 0x13)
- --> Testing Protocols
- SSLv2: **Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"**
- SSLv3: **NOT offered (ok)**
- TLSv1: **offered (ok)**
- TLSv1.1: **offered (ok)**
- TLSv1.2: **offered (ok)**
- SPDY: Following protocols advertised: **spdy/2, http/1.1**
- --> Testing cipher suites
- Null Cipher: **NOT offered (ok)**
- Anonymous NULL Cipher : **NOT offered (ok)**
- 40 Bit encryption: **NOT offered (ok)**
- 56 Bit encryption: **Local problem: No 56 Bit encryption configured in /usr/bin/openssl**
- Export Cipher (general): **NOT offered (ok)**
- Low (<=64 Bit): **NOT offered (ok)**
- Medium grade encryption: offered
- High grade encryption: **offered (ok)**
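- import socket, ssl
- target, port = "HOST", 443  # placeholders: set to the server under test
- # The default context requires a valid chain and also checks the hostname
- ctx = ssl.create_default_context(cafile='/etc/ssl/certs/ca-certificates.crt')
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssl_sock = ctx.wrap_socket(s, server_hostname=target)
- ssl_sock.connect((target, port))  # TLS handshake happens on connect
- print(repr(ssl_sock.getpeername()))
- print(ssl_sock.cipher())  # (cipher name, protocol version, secret bits)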
- -- output
- > ssl-info
- ('12.34.56.78', 443)
- ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1', 128)
- nmap -Pn -p 443 --script=ssl-enum-ciphers %hostname or ip%