2013-07-17 20:49:22 +02:00
|
|
|
CipherScan
|
|
|
|
|
==========
|
|
|
|
|
A very simple way to find out which SSL ciphersuites are supported by a target.
|
|
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
On Linux x86_64 run: ./cipherscan www.google.com:443
|
|
|
|
|
On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
|
|
|
|
|
and watch.
|
2013-07-17 20:49:22 +02:00
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
The newer your version of openssl, the better results you'll get. Versions
|
|
|
|
|
of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.
|
2013-07-17 21:06:34 +02:00
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.
|
2013-08-07 16:40:03 +02:00
|
|
|
|
2013-12-09 16:16:45 +01:00
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
Options
|
|
|
|
|
-------
|
|
|
|
|
Enable benchmarking by passing -b|--benchmark
|
2013-08-07 16:40:03 +02:00
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
You can the options below.
|
2013-07-17 21:12:20 +02:00
|
|
|
|
2014-02-10 19:46:46 +01:00
|
|
|
-a | --allciphers Test all known ciphers individually at the end.
|
|
|
|
|
-b | --benchmark Activate benchmark mode.
|
|
|
|
|
-h | --help Shows this help text.
|
|
|
|
|
-j | --json Output results in JSON format.
|
|
|
|
|
-o | --openssl /path/to/the/openssl binary you want to use.
|
|
|
|
|
-v | --verbose Increase verbosity.
|
2014-02-08 17:07:54 +01:00
|
|
|
|
2013-12-09 16:16:45 +01:00
|
|
|
```
|
2014-02-08 17:07:54 +01:00
|
|
|
linux $ ./cipherscan -json www.google.com:443
|
2013-12-09 16:16:45 +01:00
|
|
|
```
|
2013-07-17 21:12:20 +02:00
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
-------
|
|
|
|
|
|
2014-02-08 17:07:54 +01:00
|
|
|
Testing plain SSL/TLS:
|
2013-07-17 21:12:20 +02:00
|
|
|
```
|
2013-12-09 17:01:30 +01:00
|
|
|
$ ./cipherscan www.google.com:443
|
2014-01-31 16:22:21 +01:00
|
|
|
...................
|
2013-11-20 16:33:58 +01:00
|
|
|
prio ciphersuite protocols pfs_keysize
|
2014-01-31 16:22:21 +01:00
|
|
|
1 ECDHE-RSA-CHACHA20-POLY1305 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
2 ECDHE-RSA-AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
3 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
4 ECDHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
5 AES128-GCM-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
6 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
7 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
8 ECDHE-RSA-AES256-GCM-SHA384 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
9 ECDHE-RSA-AES256-SHA384 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
10 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
11 AES256-GCM-SHA384 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
12 AES256-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
13 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
14 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
15 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
|
|
|
|
17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
|
|
|
|
18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
2014-02-08 17:07:54 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Testing STARTTLS:
|
|
|
|
|
```
|
2014-02-02 15:41:16 +01:00
|
|
|
$ ./cipherscan -starttls xmpp jabber.ccc.de:5222
|
|
|
|
|
.........
|
|
|
|
|
prio ciphersuite protocols pfs_keysize
|
|
|
|
|
1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits
|
|
|
|
|
2 AES256-SHA SSLv3,TLSv1
|
|
|
|
|
3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits
|
|
|
|
|
4 DES-CBC3-SHA SSLv3,TLSv1
|
|
|
|
|
5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits
|
|
|
|
|
6 AES128-SHA SSLv3,TLSv1
|
|
|
|
|
7 RC4-SHA SSLv3,TLSv1
|
|
|
|
|
8 RC4-MD5 SSLv3,TLSv1
|
2013-07-17 21:12:20 +02:00
|
|
|
```
|
