2013-07-17 20:49:22 +02:00
CipherScan
==========
A very simple way to find out which SSL ciphersuites are supported by a target.

On Linux x86_64 run: `./cipherscan www.google.com:443`
On any other *nix or *tux run: `./cipherscan -o /path/to/openssl www.google.com:443`
and watch.

The newer your version of openssl, the better results you'll get. Versions of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc. Build your own or test what your system's OpenSSL supports.

Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify an openssl binary with -o.

Build OpenSSL with ChaCha20-Poly1305 support (Optional)
-------------------------------------------------------
The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, get [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this:
```
./config no-shared
make
```
And get the binary from `apps/openssl`. (`./config` will ask you to run `make depend`, which will fail; for our purposes this step is not required.)

Options
-------
```
-a | --allciphers   Test all known ciphers individually at the end.
-b | --benchmark    Activate benchmark mode.
-d | --delay        Pause for n seconds between connections
-D | --debug        Output ALL the information.
-h | --help         Shows this help text.
-j | --json         Output results in JSON format.
-o | --openssl      path/to/your/openssl binary you want to use.
-v | --verbose      Increase verbosity.
```
Example
-------
Testing plain SSL/TLS:
```
linux $ ./cipherscan www.google.com:443
...................
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
2     ECDHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
3     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
4     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
5     AES128-GCM-SHA256            SSLv3,TLSv1,TLSv1.1,TLSv1.2
6     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
7     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
8     ECDHE-RSA-AES256-GCM-SHA384  SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     ECDHE-RSA-AES256-SHA384      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
10    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
11    AES256-GCM-SHA384            SSLv3,TLSv1,TLSv1.1,TLSv1.2
12    AES256-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
13    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
14    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
16    ECDHE-RSA-AES128-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
17    AES128-SHA256                SSLv3,TLSv1,TLSv1.1,TLSv1.2
18    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
```
Testing STARTTLS:
```
darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222
.........
prio  ciphersuite           protocols    pfs_keysize
1     DHE-RSA-AES256-SHA    SSLv3,TLSv1  DH,1024bits
2     AES256-SHA            SSLv3,TLSv1
3     EDH-RSA-DES-CBC3-SHA  SSLv3,TLSv1  DH,1024bits
4     DES-CBC3-SHA          SSLv3,TLSv1
5     DHE-RSA-AES128-SHA    SSLv3,TLSv1  DH,1024bits
6     AES128-SHA            SSLv3,TLSv1
7     RC4-SHA               SSLv3,TLSv1
8     RC4-MD5               SSLv3,TLSv1
```
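
Added example, not part of cipherscan: a small Python parser for the text table shown in the examples above, which checks each row against a sample policy. The function names and the policy constants (weak algorithm names, legacy protocols, 2048-bit DH minimum) are assumptions for illustration; the sample rows are taken from the STARTTLS output above.

```python
import re

# Constructed sample: rows taken from the STARTTLS output shown above.
SAMPLE = """\
.........
prio  ciphersuite         protocols    pfs_keysize
1     DHE-RSA-AES256-SHA  SSLv3,TLSv1  DH,1024bits
2     AES256-SHA          SSLv3,TLSv1
8     RC4-MD5             SSLv3,TLSv1
"""

# Assumed policy, not part of cipherscan: adjust to your own baseline.
WEAK_ALGS = ("RC4", "DES", "MD5")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_DH_BITS = 2048

def parse(text):
    """Turn the whitespace-separated table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the numeric priority; skip progress dots and header.
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        rows.append({
            "prio": int(fields[0]),
            "ciphersuite": fields[1],
            "protocols": fields[2].split(","),
            # pfs_keysize is blank for suites without an ephemeral key exchange.
            "pfs": fields[3] if len(fields) > 3 else None,
        })
    return rows

def findings(row):
    """Return the policy violations for one parsed row."""
    parts = row["ciphersuite"].split("-")
    out = [f"weak algorithm {a}" for a in WEAK_ALGS if a in parts]
    out += [f"legacy protocol {p}" for p in row["protocols"] if p in LEGACY_PROTOCOLS]
    if row["pfs"] is None:
        out.append("no forward secrecy")
    else:
        m = re.match(r"DH,(\d+)bits", row["pfs"])
        if m and int(m.group(1)) < MIN_DH_BITS:
            out.append(f"DH group only {m.group(1)} bits")
    return out

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r["prio"], r["ciphersuite"], "; ".join(findings(r)) or "ok")
```

To audit a live scan, pass the captured output of `./cipherscan host:port` to `parse()` in place of `SAMPLE`.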